Skip to content

Latest commit

 

History

History
80 lines (68 loc) · 8.79 KB

README.md

File metadata and controls

80 lines (68 loc) · 8.79 KB

RDS Aurora Module

Terraform module which creates Aurora RDS resources with an opinionated configuration targeting Camunda 8.

Usage

Following is a simple example configuration and should be adjusted as required.

See inputs for further configuration options and how they affect the RDS creation.

module "postgresql" {
  source                     = "github.com/camunda/camunda-tf-eks-module/modules/aurora"
  engine_version             = "15.4"
  auto_minor_version_upgrade = false
  cluster_name               = "cluster-name-postgresql"

  username         = "username"
  password         = "password"
  vpc_id           = module.eks_cluster.vpc_id
  subnet_ids       = module.eks_cluster.private_subnet_ids
  cidr_blocks      = concat(module.eks_cluster.private_vpc_cidr_blocks, module.eks_cluster.public_vpc_cidr_blocks)
  instance_class   = "db.t3.medium"
  iam_auth_enabled = true

  depends_on = [module.eks_cluster]
}

Modules

No modules.

Resources

Name Type
aws_db_subnet_group.this resource
aws_iam_policy.access_policies resource
aws_iam_role.roles resource
aws_iam_role_policy_attachment.attach_policies resource
aws_kms_key.this resource
aws_rds_cluster.aurora_cluster resource
aws_rds_cluster_instance.aurora_instance resource
aws_security_group.this resource
aws_security_group_rule.allow_egress resource
aws_security_group_rule.allow_ingress resource

Inputs

Name Description Type Default Required
auto_minor_version_upgrade If true, minor engine upgrades will be applied automatically to the DB instance during the maintenance window bool true no
availability_zones Array of availability zones to use for the Aurora cluster list(string) 
[
  "eu-central-1a",
  "eu-central-1b",
  "eu-central-1c"
]
 no
ca_cert_identifier Specifies the identifier of the CA certificate for the DB instance string "rds-ca-rsa2048-g1" no
cidr_blocks The CIDR blocks to allow acces from and to. list(string) n/a yes
cluster_name Name of the cluster, also used to prefix dependent resources. Format: /[[:lower:][:digit:]-]/ any n/a yes
default_database_name The name for the automatically created database on cluster creation. string "camunda" no
engine The engine type e.g. aurora, aurora-mysql, aurora-postgresql, ... string "aurora-postgresql" no
engine_version The DB engine version for Postgres to use. string "15.4" no
iam_auth_enabled Determines whether IAM auth should be activated for IRSA usage bool false no
iam_roles Allows propagating additional IAM roles to the Aurora cluster to allow e.g. access to S3 list(string) [] no
iam_roles_with_policies List of roles with their trust and access policies 
list(object({
    # Name of the Role to create
    role_name = string

    # Assume role trust policy for this Aurora role as a json string
    trust_policy = string

    # Access policy for Aurora allowing access as a json string
    # see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
    # Since the DbiResourceId may be unknown during the apply process, and because each instance of the RDS cluster contains its own DbiResourceId,
    # we use the wildcard dbuser:* to apply to all database instances.
    # Example:
    #   [
    #     {
    #     role_name      = "AuroraRole"
    #     trust_policy   =
    #           {
    #             "Version": "2012-10-17",
    #             "Statement": [
    #               {
    #                 "Effect": "Allow",
    #                 "Principal": {
    #                   "Federated": "arn:aws:iam:::oidc-provider/oidc.eks..amazonaws.com/id/"
    #                 },
    #                 "Action": "sts:AssumeRoleWithWebIdentity",
    #                 "Condition": {
    #                   "StringEquals": {
    #                     "oidc.eks..amazonaws.com/id/:sub": "system:serviceaccount::"
    #                   }
    #                 }
    #               }
    #             ]
    #           }
    #
    #     access_policy  =
    #             {
    #               "Version": "2012-10-17",
    #               "Statement": [
    #                 {
    #                   "Effect": "Allow",
    #                   "Action": [
    #                     "rds-db:connect"
    #                   ],
    #                   "Resource": "arn:aws:rds-db:::dbuser:*/"
    #                 }
    #               ]
    #             }
    #
    #   }
    #   ]
    access_policy = string
  }))
 [] no
instance_class The instance type of the Aurora instances string "db.t3.medium" no
num_instances Number of instances string "1" no
password The password for the postgres admin user. Important: secret value! string n/a yes
subnet_ids The subnet IDs to create the cluster in. For easier usage we are passing through the subnet IDs from the AWS EKS Cluster module. list(string) n/a yes
tags Additional tags to add to the resources map {} no
username The username for the postgres admin user. Important: secret value! string n/a yes
vpc_id The VPC ID to create the cluster in. For easier usage we are passing through the VPC ID from the AWS EKS Cluster module. any n/a yes

Outputs

Name Description
aurora_cluster_identifier RDS Cluster Identifier
aurora_cluster_resource_id RDS Cluster Resource ID
aurora_endpoint The endpoint of the Aurora cluster
aurora_iam_role_access_policy_arns Map of IAM role names to their access policy ARNs
aurora_iam_role_arns Map of IAM role names to their ARNs
aurora_id RDS Cluster Identifier