refa: removed exported SecretsManager policy
kfc-manager committed Mar 4, 2024
1 parent 48ea7a9 commit d34d815
Showing 5 changed files with 28 additions and 137 deletions.
19 changes: 5 additions & 14 deletions README.md
Expand Up @@ -36,7 +36,7 @@ This module provides a PostgreSQL RDS instance, an optional RDS proxy and a Secr
| db_username | Username of the master user in the RDS instance. | `string` | "postgres" | no |
| db_password | Password of the master user in the RDS instance. | `string` | random 32 character string | no |
| proxy | An object for the definition of a RDS proxy for the RDS instance. | `object` | null | no |
| tags | A map of tags to add to all resources. Name is always set as tag and the other tags will be appended. | `map(string)` | {} | no |
| tags | A map of tags to add to all resources. | `map(string)` | {} | no |

### `proxy`

Expand All @@ -50,18 +50,10 @@ This module provides a PostgreSQL RDS instance, an optional RDS proxy and a Secr

## Outputs

| Name | Description |
| ------------------ | ----------------------------------------------------------------------------------------- |
| security_group | The ID of the security group to allow services access to the RDS instance. |
| secrets_arn | The ARN of the SecretsManager which holds secrets for the connection to the RDS instance. |
| get_secrets_policy | An object of IAM policy to allow read access of the SecretsManager. |

### `get_secrets_policy`

| Name | Description |
| ------ | --------------------------------------------------------------------------------- |
| name | The Name of the IAM policy for reference in `inline_plolicy` blocks of IAM roles. |
| policy | The IAM policy JSON encoded. |
| Name | Description |
| -------------- | ----------------------------------------------------------------------------------------- |
| security_group | The ID of the security group to allow services access to the RDS instance. |
| secrets_arn | The ARN of the SecretsManager which holds secrets for the connection to the RDS instance. |

## Example

Expand All @@ -70,7 +62,6 @@ module "database" {
source = "github.com/custom-terraform-aws-modules/database"
identifier = "example-database-dev"
name = "example-database"
instance_class = "db.t3.micro"
engine_version = "16.1"
allocated_storage = 20
60 changes: 9 additions & 51 deletions main.tf
Expand Up @@ -22,32 +22,23 @@ resource "aws_security_group" "proxy" {
description = "Allows RDS proxy to access the RDS instance and other services to access the RDS proxy"
vpc_id = var.vpc_id

tags = merge(
{ "Name" = var.name },
var.tags
)
tags = var.tags
}

resource "aws_security_group" "rds" {
name = "${var.identifier}-rds"
description = var.proxy != null ? "Allows RDS instance to be accessed by RDS proxy" : "Allows RDS instance to be accessed by services"
vpc_id = var.vpc_id

tags = merge(
{ "Name" = var.name },
var.tags
)
tags = var.tags
}

resource "aws_security_group" "external" {
name = "${var.identifier}-external"
description = var.proxy != null ? "Allows services to access the RDS proxy" : "Allows services to access the RDS instance"
vpc_id = var.vpc_id

tags = merge(
{ "Name" = var.name },
var.tags
)
tags = var.tags
}

resource "aws_vpc_security_group_egress_rule" "proxy" {
Expand Down Expand Up @@ -93,10 +84,7 @@ resource "aws_db_subnet_group" "main" {
description = "Groups subnets for RDS instance"
subnet_ids = var.subnets

tags = merge(
{ "Name" = var.name },
var.tags
)
tags = var.tags
}

resource "aws_db_instance" "main" {
Expand All @@ -113,10 +101,7 @@ resource "aws_db_instance" "main" {
db_subnet_group_name = aws_db_subnet_group.main.name
vpc_security_group_ids = [aws_security_group.rds.id]

tags = merge(
{ "Name" = var.name },
var.tags
)
tags = var.tags
}

################################
Expand All @@ -128,10 +113,7 @@ resource "aws_secretsmanager_secret" "proxy" {
name = "${var.identifier}-rds-proxy"
recovery_window_in_days = 0

tags = merge(
{ "Name" = var.name },
var.tags
)
tags = var.tags
}

# RDS Proxy uses these secrets with exact key match to connect to the RDS instance
Expand Down Expand Up @@ -187,10 +169,7 @@ resource "aws_iam_role" "proxy" {
policy = data.aws_iam_policy_document.proxy[0].json
}

tags = merge(
{ "Name" = var.name },
var.tags
)
tags = var.tags
}

resource "aws_db_proxy" "main" {
Expand All @@ -211,10 +190,7 @@ resource "aws_db_proxy" "main" {
secret_arn = aws_secretsmanager_secret.proxy[0].arn
}

tags = merge(
{ "Name" = var.name },
var.tags
)
tags = var.tags
}

resource "aws_db_proxy_default_target_group" "main" {
Expand Down Expand Up @@ -243,10 +219,7 @@ resource "aws_secretsmanager_secret" "rds" {
name = "${var.identifier}-rds"
recovery_window_in_days = 0

tags = merge(
{ "Name" = var.name },
var.tags
)
tags = var.tags
}

resource "aws_secretsmanager_secret_version" "rds" {
Expand All @@ -259,18 +232,3 @@ resource "aws_secretsmanager_secret_version" "rds" {
DB_PASS = local.db_password
})
}

# IAM policy document which is exported from this module through outputs.tf
locals {
policy_name = "${var.identifier}-GetRDSSecrets"
}

data "aws_iam_policy_document" "secrets" {
statement {
effect = "Allow"

actions = ["secretsmanager:GetSecretValue"]

resources = [aws_secretsmanager_secret.rds.arn]
}
}
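Review bot: With `data.aws_iam_policy_document.secrets` and `local.policy_name` removed in the last hunk, nothing left in main.tf records what a caller has to grant itself to read the credentials that `aws_secretsmanager_secret_version.rds` stores; the only remaining trace of that contract is the `secrets_arn` output. I would keep a comment where the removed block sat, e.g. `# Read access to this secret is not granted by this module: attach a policy allowing secretsmanager:GetSecretValue, scoped to output "secrets_arn", to the roles that need the credentials.` The `tags = var.tags` hunks earlier in this file also drop the automatic `Name` tag together with `var.name`, which looks intended given the variables.tf change in the same commit, but resources now carry no Name unless the caller's `tags` map supplies one, so the module-level comment or README should say so.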
12 changes: 2 additions & 10 deletions outputs.tf
@@ -1,17 +1,9 @@
output "security_group" {
description = "The ID of the security group to allow services access to the RDS instance"
description = "The ID of the security group to allow services access to the RDS instance."
value = try(aws_security_group.external.id, null)
}

output "secrets_arn" {
description = "The ARN of the SecretsManager which holds secrets for the connection to the RDS instance"
description = "The ARN of the SecretsManager which holds secrets for the connection to the RDS instance."
value = try(aws_secretsmanager_secret.rds.arn, null)
}

output "get_secrets_policy" {
description = "An object of IAM policy to allow read access of the SecretsManager"
value = {
name = local.policy_name
policy = data.aws_iam_policy_document.secrets.json
}
}
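Review bot: The new `secrets_arn` description still only says which ARN is exported and not that read access must now be granted by the caller, which is exactly the responsibility the removed `get_secrets_policy` output used to cover; I would extend it to `description = "The ARN of the SecretsManager secret which holds credentials for the RDS instance. The module grants no read access; attach a policy allowing secretsmanager:GetSecretValue on this ARN to roles that need it."`. The `try(..., null)` wrappers are unchanged, and the referenced resources appear unconditional in main.tf (no `[0]` index, unlike `aws_secretsmanager_secret.proxy[0]`), so the null fallback presumably never fires; that is pre-existing and only worth a later cleanup.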
40 changes: 0 additions & 40 deletions tests/tags.tftest.hcl

This file was deleted.

34 changes: 12 additions & 22 deletions variables.tf
@@ -1,34 +1,28 @@
variable "identifier" {
description = "Unique identifier to differentiate global resources"
description = "Unique identifier to differentiate global resources."
type = string
}

variable "name" {
description = "Name of this module which is used as identifier on all resources"
type = string
default = ""
}

variable "instance_class" {
description = "The instance class of the RDS instance"
description = "The instance class of the RDS instance."
type = string
default = "db.t3.micro"
}

variable "engine_version" {
description = "The PostgreSQL engine version for the RDS instance"
description = "The PostgreSQL engine version for the RDS instance."
type = string
default = "16.1"
}

variable "allocated_storage" {
description = "Storage capacity of the RDS instance in GigiBytes"
description = "Storage capacity of the RDS instance in GigiBytes."
type = number
default = 20
}

variable "vpc_id" {
description = "ID of the subnets' VPC"
description = "ID of the subnets' VPC."
type = string
validation {
condition = startswith(var.vpc_id, "vpc-")
Expand All @@ -37,7 +31,7 @@ variable "vpc_id" {
}

variable "subnets" {
description = "A list of IDs of subnets for the subnet group and potentially the RDS proxy"
description = "A list of IDs of subnets for the subnet group and potentially the RDS proxy."
type = list(string)
validation {
condition = length(var.subnets) > 1
Expand All @@ -50,13 +44,13 @@ variable "subnets" {
}

variable "skip_final_snapshot" {
description = "A flag for wether or not skipping the creation of a final snapshot befor deletion of the RDS instance"
description = "A flag for wether or not skipping the creation of a final snapshot befor deletion of the RDS instance."
type = bool
default = true
}

variable "db_name" {
description = "Name of the database initially created in the RDS instance"
description = "Name of the database initially created in the RDS instance."
type = string
default = "postgres"
validation {
Expand All @@ -66,7 +60,7 @@ variable "db_name" {
}

variable "db_username" {
description = "Username of the master user in the RDS instance"
description = "Username of the master user in the RDS instance."
type = string
default = "postgres"
validation {
Expand All @@ -76,7 +70,7 @@ variable "db_username" {
}

variable "db_password" {
description = "Password of the master user in the RDS instance"
description = "Password of the master user in the RDS instance."
type = string
default = null
validation {
Expand All @@ -86,7 +80,7 @@ variable "db_password" {
}

variable "proxy" {
description = "An object for the definition of a RDS proxy for the RDS instance"
description = "An object for the definition of a RDS proxy for the RDS instance."
type = object({
debug_logging = bool
idle_client_timeout = number
Expand All @@ -98,11 +92,7 @@ variable "proxy" {
}

variable "tags" {
description = "A map of tags to add to all resources"
description = "A map of tags to add to all resources."
type = map(string)
default = {}
validation {
condition = !contains(keys(var.tags), "Name")
error_message = "Name tag is reserved and will be used automatically"
}
}
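Review bot: Two description strings rewritten on the new side keep spelling errors: `allocated_storage` reads "GigiBytes" and `skip_final_snapshot` reads "wether or not skipping ... befor deletion"; since these lines were touched anyway I would change them to `description = "Storage capacity of the RDS instance in Gigabytes."` and `description = "A flag for whether or not to skip the creation of a final snapshot before deletion of the RDS instance."`. Removing `variable "name"` in the first hunk is consistent with the `tags = var.tags` rewrites in main.tf, but only the hunks shown there are visible here, so it is worth confirming that no `var.name` reference survives in the parts of main.tf outside the hunks. Dropping the `Name` reservation from the `tags` validation is fine now that the module no longer sets that key itself.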
