feat: Add db_instance_role_association functionality (#508)
Co-authored-by: magreenbaum <magreenbaum>
1 parent 8b2f5c5, commit ed027d7
Showing 16 changed files with 503 additions and 0 deletions.
@@ -27,3 +27,6 @@ override.tf.json | |
# Ignore CLI configuration files | ||
.terraformrc | ||
terraform.rc | ||
|
||
# Lambda directories | ||
builds/ |
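Review bot: the new `builds/` entry is fine, but the comment "# Lambda directories" does not say why the directory exists; a one-line note that it holds packaging artifacts generated by the Lambda module in the examples (so they are never committed) would help the next reader who wonders whether the pattern is still needed.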
@@ -0,0 +1,70 @@ | ||
# RDS DB instance role association example for PostgreSQL | ||
|
||
Configuration in this directory creates a DB instance role association to invoke a lambda function. | ||
|
||
Further database configurations for creating extension and invoking from postgres: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL-Lambda.html | ||
|
||
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK --> | ||
## Requirements | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 | | ||
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 | | ||
|
||
## Providers | ||
|
||
| Name | Version | | ||
|------|---------| | ||
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 | | ||
|
||
## Modules | ||
|
||
| Name | Source | Version | | ||
|------|--------|---------| | ||
| <a name="module_db"></a> [db](#module\_db) | ../../ | n/a | | ||
| <a name="module_lambda"></a> [lambda](#module\_lambda) | terraform-aws-modules/lambda/aws | ~> 6.0 | | ||
| <a name="module_rds_invoke_lambda_policy"></a> [rds\_invoke\_lambda\_policy](#module\_rds\_invoke\_lambda\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | ~> 5.28.0 | | ||
| <a name="module_rds_invoke_lambda_role"></a> [rds\_invoke\_lambda\_role](#module\_rds\_invoke\_lambda\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role | ~> 5.28.0 | | ||
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 | | ||
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | | ||
|
||
## Resources | ||
|
||
| Name | Type | | ||
|------|------| | ||
| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | ||
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | ||
| [aws_iam_policy_document.rds_invoke_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | ||
| [aws_iam_policy_document.rds_invoke_lambda_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | ||
|
||
## Inputs | ||
|
||
No inputs. | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| <a name="output_db_enhanced_monitoring_iam_role_arn"></a> [db\_enhanced\_monitoring\_iam\_role\_arn](#output\_db\_enhanced\_monitoring\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the monitoring role | | ||
| <a name="output_db_instance_address"></a> [db\_instance\_address](#output\_db\_instance\_address) | The address of the RDS instance | | ||
| <a name="output_db_instance_arn"></a> [db\_instance\_arn](#output\_db\_instance\_arn) | The ARN of the RDS instance | | ||
| <a name="output_db_instance_availability_zone"></a> [db\_instance\_availability\_zone](#output\_db\_instance\_availability\_zone) | The availability zone of the RDS instance | | ||
| <a name="output_db_instance_cloudwatch_log_groups"></a> [db\_instance\_cloudwatch\_log\_groups](#output\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes | | ||
| <a name="output_db_instance_endpoint"></a> [db\_instance\_endpoint](#output\_db\_instance\_endpoint) | The connection endpoint | | ||
| <a name="output_db_instance_engine"></a> [db\_instance\_engine](#output\_db\_instance\_engine) | The database engine | | ||
| <a name="output_db_instance_engine_version_actual"></a> [db\_instance\_engine\_version\_actual](#output\_db\_instance\_engine\_version\_actual) | The running version of the database | | ||
| <a name="output_db_instance_hosted_zone_id"></a> [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | | ||
| <a name="output_db_instance_identifier"></a> [db\_instance\_identifier](#output\_db\_instance\_identifier) | The RDS instance identifier | | ||
| <a name="output_db_instance_master_user_secret_arn"></a> [db\_instance\_master\_user\_secret\_arn](#output\_db\_instance\_master\_user\_secret\_arn) | The ARN of the master user secret (Only available when manage\_master\_user\_password is set to true) | | ||
| <a name="output_db_instance_name"></a> [db\_instance\_name](#output\_db\_instance\_name) | The database name | | ||
| <a name="output_db_instance_port"></a> [db\_instance\_port](#output\_db\_instance\_port) | The database port | | ||
| <a name="output_db_instance_resource_id"></a> [db\_instance\_resource\_id](#output\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | | ||
| <a name="output_db_instance_role_associations"></a> [db\_instance\_role\_associations](#output\_db\_instance\_role\_associations) | The outputs for the role associations | | ||
| <a name="output_db_instance_status"></a> [db\_instance\_status](#output\_db\_instance\_status) | The RDS instance status | | ||
| <a name="output_db_instance_username"></a> [db\_instance\_username](#output\_db\_instance\_username) | The master username for the database | | ||
| <a name="output_db_parameter_group_arn"></a> [db\_parameter\_group\_arn](#output\_db\_parameter\_group\_arn) | The ARN of the db parameter group | | ||
| <a name="output_db_parameter_group_id"></a> [db\_parameter\_group\_id](#output\_db\_parameter\_group\_id) | The db parameter group id | | ||
| <a name="output_db_subnet_group_arn"></a> [db\_subnet\_group\_arn](#output\_db\_subnet\_group\_arn) | The ARN of the db subnet group | | ||
| <a name="output_db_subnet_group_id"></a> [db\_subnet\_group\_id](#output\_db\_subnet\_group\_id) | The db subnet group name | | ||
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK --> |
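Review bot: the second sentence of the README ("Further database configurations for creating extension and invoking from postgres: ...") is ungrammatical and the `db_instance_role_associations` output description ("The outputs for the role associations") does not say what the value contains. Suggest "Further database configuration (creating the extension and invoking the function from PostgreSQL) is described at https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL-Lambda.html" and, for the output, a description in the style of the other map outputs, e.g. "Map of DB instance role associations created and their attributes". Note also that the README only lists requirements and outputs; a short usage section (init/plan/apply and a pointer to the instance parameter `rds.custom_dns_resolution` that the example sets) would tell readers what to expect before they apply it.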
examples/role-association-postgres/fixtures/lambda_function.py
3 changes: 3 additions & 0 deletions
@@ -0,0 +1,3 @@ | ||
def lambda_handler(event, context): | ||
|
||
return "Triggered by RDS Lambda!" |
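Review bot: the fixture handler discards `event` and `context` entirely, so an invocation from the database leaves no trace beyond the return value. For an example whose purpose is to show RDS calling Lambda, logging the received event (even a single `print(event)`) would let someone verifying the setup confirm in the function's logs that the call came through with the expected payload.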
@@ -0,0 +1,195 @@ | ||
provider "aws" { | ||
region = local.region | ||
} | ||
|
||
data "aws_caller_identity" "current" {} | ||
data "aws_availability_zones" "available" {} | ||
|
||
locals { | ||
name = "role-association-invoke-lambda" | ||
region = "eu-west-1" | ||
|
||
vpc_cidr = "10.0.0.0/16" | ||
azs = slice(data.aws_availability_zones.available.names, 0, 3) | ||
|
||
tags = { | ||
Name = local.name | ||
Example = local.name | ||
Repository = "https://github.com/terraform-aws-modules/terraform-aws-rds" | ||
} | ||
} | ||
|
||
################################################################################ | ||
# RDS Module | ||
################################################################################ | ||
|
||
module "db" { | ||
source = "../../" | ||
|
||
identifier = local.name | ||
|
||
# All available versions: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts | ||
engine = "postgres" | ||
engine_version = "14" | ||
family = "postgres14" # DB parameter group | ||
major_engine_version = "14" # DB option group | ||
instance_class = "db.t4g.large" | ||
|
||
allocated_storage = 20 | ||
|
||
# NOTE: Do NOT use 'user' as the value for 'username' as it throws: | ||
# "Error creating DB Instance: InvalidParameterValue: MasterUsername | ||
# user cannot be used as it is a reserved word used by the engine" | ||
db_name = "RoleAssociationInvokeLambda" | ||
username = "role_association_invoke_lambda" | ||
port = 5432 | ||
|
||
multi_az = true | ||
db_subnet_group_name = module.vpc.database_subnet_group | ||
vpc_security_group_ids = [module.security_group.security_group_id] | ||
|
||
maintenance_window = "Mon:00:00-Mon:03:00" | ||
backup_window = "03:00-06:00" | ||
backup_retention_period = 0 | ||
|
||
deletion_protection = false | ||
|
||
# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL-Lambda.html | ||
db_instance_role_associations = { | ||
Lambda = module.rds_invoke_lambda_role.iam_role_arn | ||
} | ||
|
||
parameters = [ | ||
{ | ||
name = "rds.custom_dns_resolution" | ||
value = 1 | ||
apply_method = "pending-reboot" | ||
}, | ||
] | ||
|
||
tags = local.tags | ||
} | ||
|
||
################################################################################ | ||
# Supporting Resources | ||
################################################################################ | ||
|
||
module "vpc" { | ||
source = "terraform-aws-modules/vpc/aws" | ||
version = "~> 5.0" | ||
|
||
name = local.name | ||
cidr = local.vpc_cidr | ||
|
||
azs = local.azs | ||
public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] | ||
private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)] | ||
database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)] | ||
|
||
create_database_subnet_group = true | ||
enable_nat_gateway = true | ||
|
||
tags = local.tags | ||
} | ||
|
||
module "security_group" { | ||
source = "terraform-aws-modules/security-group/aws" | ||
version = "~> 4.0" | ||
|
||
name = local.name | ||
description = "Complete PostgreSQL example security group" | ||
vpc_id = module.vpc.vpc_id | ||
|
||
# ingress | ||
ingress_with_cidr_blocks = [ | ||
{ | ||
from_port = 5432 | ||
to_port = 5432 | ||
protocol = "tcp" | ||
description = "PostgreSQL access from within VPC" | ||
cidr_blocks = module.vpc.vpc_cidr_block | ||
}, | ||
] | ||
|
||
# egress | ||
egress_with_cidr_blocks = [ | ||
{ | ||
from_port = 443 | ||
to_port = 443 | ||
protocol = "tcp" | ||
description = "Egress to AWS Lambda VPC" | ||
cidr_blocks = "0.0.0.0/0" | ||
} | ||
] | ||
|
||
tags = local.tags | ||
} | ||
|
||
module "rds_invoke_lambda_role" { | ||
source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" | ||
version = "~> 5.28.0" | ||
|
||
create_role = true | ||
role_requires_mfa = false | ||
|
||
role_name_prefix = local.name | ||
|
||
custom_role_policy_arns = [ | ||
module.rds_invoke_lambda_policy.arn | ||
] | ||
custom_role_trust_policy = data.aws_iam_policy_document.rds_invoke_lambda_assume_role.json | ||
} | ||
|
||
module "rds_invoke_lambda_policy" { | ||
source = "terraform-aws-modules/iam/aws//modules/iam-policy" | ||
version = "~> 5.28.0" | ||
|
||
name = "${local.name}-policy" | ||
path = "/" | ||
description = "Invoke Lambda from RDS Postgresql policy" | ||
|
||
policy = data.aws_iam_policy_document.rds_invoke_lambda.json | ||
} | ||
|
||
data "aws_iam_policy_document" "rds_invoke_lambda" { | ||
statement { | ||
sid = "InvokeLambda" | ||
actions = [ | ||
"lambda:InvokeFunction" | ||
] | ||
resources = [ | ||
module.lambda.lambda_function_arn | ||
] | ||
} | ||
} | ||
|
||
data "aws_iam_policy_document" "rds_invoke_lambda_assume_role" { | ||
statement { | ||
sid = "AssumeRole" | ||
|
||
principals { | ||
type = "Service" | ||
identifiers = ["rds.amazonaws.com"] | ||
} | ||
|
||
condition { | ||
test = "StringEquals" | ||
values = [data.aws_caller_identity.current.id] | ||
variable = "aws:SourceAccount" | ||
} | ||
|
||
effect = "Allow" | ||
|
||
actions = ["sts:AssumeRole"] | ||
} | ||
} | ||
|
||
module "lambda" { | ||
source = "terraform-aws-modules/lambda/aws" | ||
version = "~> 6.0" | ||
|
||
function_name = local.name | ||
handler = "lambda_function.lambda_handler" | ||
runtime = "python3.10" | ||
source_path = "${path.module}/fixtures/lambda_function.py" | ||
} |
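Review bot: the trust policy in `data.aws_iam_policy_document.rds_invoke_lambda_assume_role` scopes the `rds.amazonaws.com` principal only with an `aws:SourceAccount` condition, so any RDS instance in the account can assume `rds_invoke_lambda_role` and call `lambda:InvokeFunction` on the function. An additional `aws:SourceArn` condition would pin it to this instance; referencing `module.db.db_instance_arn` there would create a cycle because `module.db` already references the role, so the ARN should instead be built from `local.region`, `data.aws_caller_identity.current.id` and `local.name` (the identifier the module is given). Two smaller points in the same hunk: the security group egress rule opens `0.0.0.0/0` on 443 while its description says "Egress to AWS Lambda VPC", which is misleading (Lambda is reached via the AWS service endpoint, not a VPC of its own) and broader than the example needs, and the group description "Complete PostgreSQL example security group" looks copied from another example. `backup_retention_period = 0` and `deletion_protection = false` are reasonable for a throwaway example but deserve a comment saying so, since this file is the template people copy from.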