From d34d8158575bcd5081e72da4cf08772239c7eca0 Mon Sep 17 00:00:00 2001
From: Kilian
Date: Mon, 4 Mar 2024 19:35:12 +0100
Subject: [PATCH] refa: removed exported SecretsManager policy

---
 README.md | 19 ++++----------
 main.tf | 60 +++++++------------------------------------
 outputs.tf | 12 ++-------
 tests/tags.tftest.hcl | 40 -----------------------------
 variables.tf | 34 +++++++++---------------
 5 files changed, 28 insertions(+), 137 deletions(-)
 delete mode 100644 tests/tags.tftest.hcl

diff --git a/README.md b/README.md
index f3c84c0..fd99deb 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,7 @@ This module provides a PostgreSQL RDS instance, an optional RDS proxy and a Secr
 | db_username | Username of the master user in the RDS instance. | `string` | "postgres" | no |
 | db_password | Password of the master user in the RDS instance. | `string` | random 32 character string | no |
 | proxy | An object for the definition of a RDS proxy for the RDS instance. | `object` | null | no |
-| tags | A map of tags to add to all resources. Name is always set as tag and the other tags will be appended. | `map(string)` | {} | no |
+| tags | A map of tags to add to all resources. | `map(string)` | {} | no |
 
 ### `proxy`
 
@@ -50,18 +50,10 @@ This module provides a PostgreSQL RDS instance, an optional RDS proxy and a Secr ## Outputs -| Name | Description | -| ------------------ | ----------------------------------------------------------------------------------------- | -| security_group | The ID of the security group to allow services access to the RDS instance. | -| secrets_arn | The ARN of the SecretsManager which holds secrets for the connection to the RDS instance. | -| get_secrets_policy | An object of IAM policy to allow read access of the SecretsManager. | - -### `get_secrets_policy` - -| Name | Description | -| ------ | --------------------------------------------------------------------------------- | -| name | The Name of the IAM policy for reference in `inline_plolicy` blocks of IAM roles. | -| policy | The IAM policy JSON encoded. | +| Name | Description | +| -------------- | ----------------------------------------------------------------------------------------- | +| security_group | The ID of the security group to allow services access to the RDS instance. | +| secrets_arn | The ARN of the SecretsManager which holds secrets for the connection to the RDS instance. | ## Example @@ -70,7 +62,6 @@ module "database" { source = "github.com/custom-terraform-aws-modules/database" identifier = "example-database-dev" - name = "example-database" instance_class = "db.t3.micro" engine_version = "16.1" allocated_storage = 20 diff --git a/main.tf b/main.tf index 79ba9b6..68ef2de 100644 --- a/main.tf +++ b/main.tf @@ -22,10 +22,7 @@ resource "aws_security_group" "proxy" { description = "Allows RDS proxy to access the RDS instance and other services to access the RDS proxy" vpc_id = var.vpc_id - tags = merge( - { "Name" = var.name }, - var.tags - ) + tags = var.tags } resource "aws_security_group" "rds" { 
@@ -33,10 +30,7 @@ resource "aws_security_group" "rds" {
 description = var.proxy != null ? "Allows RDS instance to be accessed by RDS proxy" : "Allows RDS instance to be accessed by services"
 vpc_id = var.vpc_id
 
- tags = merge(
- { "Name" = var.name },
- var.tags
- )
+ tags = var.tags
 }
 
 resource "aws_security_group" "external" {
@@ -44,10 +38,7 @@ resource "aws_security_group" "external" {
 description = var.proxy != null ? "Allows services to access the RDS proxy" : "Allows services to access the RDS instance"
 vpc_id = var.vpc_id
 
- tags = merge(
- { "Name" = var.name },
- var.tags
- )
+ tags = var.tags
 }
 
 resource "aws_vpc_security_group_egress_rule" "proxy" {
@@ -93,10 +84,7 @@ resource "aws_db_subnet_group" "main" {
 description = "Groups subnets for RDS instance"
 subnet_ids = var.subnets
 
- tags = merge(
- { "Name" = var.name },
- var.tags
- )
+ tags = var.tags
 }
 
 resource "aws_db_instance" "main" {
@@ -113,10 +101,7 @@ resource "aws_db_instance" "main" {
 db_subnet_group_name = aws_db_subnet_group.main.name
 vpc_security_group_ids = [aws_security_group.rds.id]
 
- tags = merge(
- { "Name" = var.name },
- var.tags
- )
+ tags = var.tags
 }
 
 ################################
@@ -128,10 +113,7 @@ resource "aws_secretsmanager_secret" "proxy" {
 name = "${var.identifier}-rds-proxy"
 recovery_window_in_days = 0
 
- tags = merge(
- { "Name" = var.name },
- var.tags
- )
+ tags = var.tags
 }
 
 # RDS Proxy uses these secrets with exact key match to connect to the RDS instance
@@ -187,10 +169,7 @@ resource "aws_iam_role" "proxy" {
 policy = data.aws_iam_policy_document.proxy[0].json
 }
 
- tags = merge(
- { "Name" = var.name },
- var.tags
- )
+ tags = var.tags
 }
 
 resource "aws_db_proxy" "main" {
@@ -211,10 +190,7 @@ resource "aws_db_proxy" "main" {
 secret_arn = aws_secretsmanager_secret.proxy[0].arn
 }
 
- tags = merge(
- { "Name" = var.name },
- var.tags
- )
+ tags = var.tags
 }
 
 resource "aws_db_proxy_default_target_group" "main" {
@@ -243,10 +219,7 @@ resource "aws_secretsmanager_secret" "rds" {
 name = "${var.identifier}-rds"
 recovery_window_in_days = 0
 
- tags = merge(
- { "Name" = var.name },
- var.tags
- )
+ tags = var.tags
 }
 
 resource "aws_secretsmanager_secret_version" "rds" {
@@ -259,18 +232,3 @@ resource "aws_secretsmanager_secret_version" "rds" {
 DB_PASS = local.db_password
 })
 }
-
-# IAM policy document which is exported from this module through outputs.tf
-locals {
- policy_name = "${var.identifier}-GetRDSSecrets"
-}
-
-data "aws_iam_policy_document" "secrets" {
- statement {
- effect = "Allow"
-
- actions = ["secretsmanager:GetSecretValue"]
-
- resources = [aws_secretsmanager_secret.rds.arn]
- }
-}
diff --git a/outputs.tf b/outputs.tf
index 42e4d1d..6b973b2 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,17 +1,9 @@
 output "security_group" {
- description = "The ID of the security group to allow services access to the RDS instance"
+ description = "The ID of the security group to allow services access to the RDS instance."
 value = try(aws_security_group.external.id, null)
 }
 
 output "secrets_arn" {
- description = "The ARN of the SecretsManager which holds secrets for the connection to the RDS instance"
+ description = "The ARN of the SecretsManager which holds secrets for the connection to the RDS instance."
 value = try(aws_secretsmanager_secret.rds.arn, null)
 }
-
-output "get_secrets_policy" {
- description = "An object of IAM policy to allow read access of the SecretsManager"
- value = {
- name = local.policy_name
- policy = data.aws_iam_policy_document.secrets.json
- }
-}
diff --git a/tests/tags.tftest.hcl b/tests/tags.tftest.hcl
deleted file mode 100644
index a3f9d7b..0000000
--- a/tests/tags.tftest.hcl
+++ /dev/null
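Review bot: Dropping `output "get_secrets_policy"` removes the only least-privilege policy this module handed to consumers, and nothing on the new side replaces that guidance; a caller who now writes the statement by hand can easily grant more than `secretsmanager:GetSecretValue` on `secrets_arn`. The same applies to the removal of `data "aws_iam_policy_document" "secrets"` in the preceding main.tf hunk. Since README.md is already touched by this patch, add one sentence next to the `secrets_arn` row, e.g. `Consuming roles need only secretsmanager:GetSecretValue on this ARN.`, and note the removed output as a breaking change for existing callers.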
@@ -1,40 +0,0 @@
-provider "aws" {
- region = "eu-central-1"
- default_tags {
- tags = {
- Environment = "Test"
- }
- }
-}
-
-run "invalid_tags" {
- command = plan
-
- variables {
- identifier = "test"
- vpc_id = "vpc-01234567890abcdef"
- subnets = ["subnet-1242421", "subnet-2344898"]
- db_password = "password"
-
- tags = {
- Name = "Foo"
- }
- }
-
- expect_failures = [var.tags]
-}
-
-run "valid_tags" {
- command = plan
-
- variables {
- identifier = "test"
- vpc_id = "vpc-01234567890abcdef"
- subnets = ["subnet-1242421", "subnet-2344898"]
- db_password = "password"
-
- tags = {
- Project = "Foo"
- }
- }
-}
diff --git a/variables.tf b/variables.tf
index a129269..dbbe8ce 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,34 +1,28 @@
 variable "identifier" {
- description = "Unique identifier to differentiate global resources"
+ description = "Unique identifier to differentiate global resources."
 type = string
 }
 
-variable "name" {
- description = "Name of this module which is used as identifier on all resources"
- type = string
- default = ""
-}
-
 variable "instance_class" {
- description = "The instance class of the RDS instance"
+ description = "The instance class of the RDS instance."
 type = string
 default = "db.t3.micro"
 }
 
 variable "engine_version" {
- description = "The PostgreSQL engine version for the RDS instance"
+ description = "The PostgreSQL engine version for the RDS instance."
 type = string
 default = "16.1"
 }
 
 variable "allocated_storage" {
- description = "Storage capacity of the RDS instance in GigiBytes"
+ description = "Storage capacity of the RDS instance in GigiBytes."
 type = number
 default = 20
 }
 
 variable "vpc_id" {
- description = "ID of the subnets' VPC"
+ description = "ID of the subnets' VPC."
 type = string
 validation {
 condition = startswith(var.vpc_id, "vpc-")
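Review bot: Deleting `variable "name"` is a breaking change for every caller that still passes `name = ...`, because Terraform rejects arguments the module does not declare, yet the subject line labels the commit a refactor; record the removal, and the auto-set `Name` tag that goes with it, in the README or a changelog entry rather than only dropping it from the example. While the `allocated_storage` description is being edited, the new line still carries the typo: `description = "Storage capacity of the RDS instance in gibibytes (GiB)."`. The `variable "vpc_id"` block at the end of this hunk continues past it.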
@@ -37,7 +31,7 @@ variable "vpc_id" {
 }
 
 variable "subnets" {
- description = "A list of IDs of subnets for the subnet group and potentially the RDS proxy"
+ description = "A list of IDs of subnets for the subnet group and potentially the RDS proxy."
 type = list(string)
 validation {
 condition = length(var.subnets) > 1
@@ -50,13 +44,13 @@ variable "subnets" {
 }
 
 variable "skip_final_snapshot" {
- description = "A flag for wether or not skipping the creation of a final snapshot befor deletion of the RDS instance"
+ description = "A flag for wether or not skipping the creation of a final snapshot befor deletion of the RDS instance."
 type = bool
 default = true
 }
 
 variable "db_name" {
- description = "Name of the database initially created in the RDS instance"
+ description = "Name of the database initially created in the RDS instance."
 type = string
 default = "postgres"
 validation {
@@ -66,7 +60,7 @@ variable "db_name" {
 }
 
 variable "db_username" {
- description = "Username of the master user in the RDS instance"
+ description = "Username of the master user in the RDS instance."
 type = string
 default = "postgres"
 validation {
@@ -76,7 +70,7 @@ variable "db_username" {
 }
 
 variable "db_password" {
- description = "Password of the master user in the RDS instance"
+ description = "Password of the master user in the RDS instance."
 type = string
 default = null
 validation {
@@ -86,7 +80,7 @@ variable "db_password" {
 }
 
 variable "proxy" {
- description = "An object for the definition of a RDS proxy for the RDS instance"
+ description = "An object for the definition of a RDS proxy for the RDS instance."
 type = object({
 debug_logging = bool
 idle_client_timeout = number
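Review bot: The rewritten description of `variable "skip_final_snapshot"` (hunk `@@ -50,13 +44,13 @@`) keeps the typos "wether" and "befor" while only appending a period; since the variable defaults to `true` and so controls whether any snapshot survives a destroy, the wording should also make that consequence plain: `description = "Whether to skip the final snapshot when the RDS instance is deleted; with the default of true no final snapshot is taken."`.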
@@ -98,11 +92,7 @@ variable "proxy" {
 }
 
 variable "tags" {
- description = "A map of tags to add to all resources"
+ description = "A map of tags to add to all resources."
 type = map(string)
 default = {}
- validation {
- condition = !contains(keys(var.tags), "Name")
- error_message = "Name tag is reserved and will be used automatically"
- }
 }