From 7b8d16841e6444831aaf65c1ef447e86f3ccf0d9 Mon Sep 17 00:00:00 2001 From: jshre898 Date: Wed, 13 Nov 2024 15:54:51 +0530 Subject: [PATCH] AD-442 | Update Aws-aurora module to resolve provider's issue (#7) * AD-442| Provider updated to use Assume role along with Aws creds * AD-442| Provider updated to use Assume role along with Aws creds * AD-442| Provider updated to use Assume role along with Aws creds * update root readme.md * updated source and version --------- Co-authored-by: ankush-sqops Co-authored-by: Monachawla1712 --- README.md | 34 +++++++++++++++++++------------- examples/aurora-global/README.md | 2 +- examples/aurora-global/main.tf | 3 ++- examples/aurora/README.md | 2 +- examples/aurora/main.tf | 26 ++++++++++++++---------- examples/aurora/provider.tf | 8 ++++++++ main.tf | 14 +++++++++++-- variables.tf | 12 +++++++++++ 8 files changed, 72 insertions(+), 29 deletions(-) diff --git a/README.md b/README.md index 8e6fe6a..855991b 100644 --- a/README.md +++ b/README.md 
@@ -23,26 +23,28 @@ Features ## Usage Example ```hcl module "aurora" { - source = "git@github.com:sq-ia/terraform-aws-rds-aurora.git" - environment = "production" - port = "5432/3306" ## port for MySQL/postgreSQL - vpc_id = "vpc-xyz5ed733e273skaf" - family = "aurora-postgresql15/aurora-mysql5.7" #family - subnets = ["subnet-0d9a8dd2a6e", "subnet-0fd2c9e73d"] - engine = "aurora-postgresql/aurora-mysql" - engine_version = "15.2/5.7" - rds_instance_name = "skaf" + source = "squareops/rds-aurora/aws" + version = "2.1.1" + role_arn = local.role_arn + external_id = local.external_id + environment = local.environment + port = local.port + vpc_id = module.vpc.vpc_id + family = local.family + subnets = module.vpc.database_subnets + engine = local.engine + engine_version = local.db_engine_version + rds_instance_name = local.name create_security_group = true - allowed_security_groups = ["sg-0a68018afd35"] - instance_type = "db.r5.large" + instance_type = local.db_instance_class storage_encrypted = true - kms_key_arn = "arn:aws:kms:us-east-2:27122222228:key/73ff9e84-83e1-623338a9" + kms_key_arn = module.kms.key_arn publicly_accessible = false master_username = "devuser" database_name = "devdb" apply_immediately = true create_random_password = true - skip_final_snapshot = true + skip_final_snapshot = true # Keeping final snapshot results in retention of DB options group and hence creates problems during destroy. So use this option wisely. snapshot_identifier = null preferred_backup_window = "03:00-06:00" preferred_maintenance_window = "Mon:00:00-Mon:03:00" @@ -58,6 +60,8 @@ Features autoscaling_target_connections = 40 autoscaling_scale_in_cooldown = 60 autoscaling_scale_out_cooldown = 30 + allowed_cidr_blocks = local.allowed_cidr_blocks + allowed_security_groups = local.allowed_security_groups } ``` ## Security & Compliance [](https://prowler.pro/) 
@@ -133,13 +137,14 @@ Security scanning is graciously provided by Prowler. Proowler is the leading ful | [engine\_mode](#input\_engine\_mode) | The database engine mode. Valid values: global, parallelquery, provisioned, serverless, multimaster | `string` | `"provisioned"` | no | | [engine\_version](#input\_engine\_version) | The database engine version. Updating this argument results in an outage. | `string` | `""` | no | | [environment](#input\_environment) | Select enviroment type: dev, demo, prod | `string` | `"demo"` | no | +| [external\_id](#input\_external\_id) | External ID for assuming role. | `string` | `""` | no | | [family](#input\_family) | Version of aurora DB family being created | `string` | `"aurora-mysql5.7"` | no | | [final\_snapshot\_identifier\_prefix](#input\_final\_snapshot\_identifier\_prefix) | The prefix name to use when creating a final snapshot on cluster destroy, appends a random 8 digits to name to ensure it's unique too. | `string` | `"final"` | no | | [global\_cluster\_enable](#input\_global\_cluster\_enable) | Whether enable global cluster then set it to true | `bool` | `false` | no | | [global\_cluster\_identifier](#input\_global\_cluster\_identifier) | Global RDS Cluster Identifier name | `string` | `null` | no | | [iam\_database\_authentication\_enabled](#input\_iam\_database\_authentication\_enabled) | Specifies whether or mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled | `bool` | `null` | no | | [instance\_type](#input\_instance\_type) | Instance type | `string` | `"db.m5.large"` | no | -| [instances\_config](#input\_instances\_config) | Map of cluster instances and any specific/overriding attributes to be created | `map(any)` |
{
"one": {}
}
| no | +| [instances\_config](#input\_instances\_config) | Map of cluster instances and any specific/overriding attributes to be created | `map(any)` |
{
"one": {}
}
| no | | [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage\_encrypted is set to true and kms\_key\_id is not specified the default KMS key created in your account will be used | `string` | `null` | no | | [long\_query\_time](#input\_long\_query\_time) | To prevent fast-running queries from being logged in the slow query log, specify a value for the shortest query runtime to be logged, in seconds | `number` | `10` | no | | [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if `master_password` is provided | `bool` | `false` | no | 
@@ -156,6 +161,7 @@ Security scanning is graciously provided by Prowler. Proowler is the leading ful | [random\_password\_length](#input\_random\_password\_length) | The length of the randomly generated password. (default: 10) | `number` | `16` | no | | [rds\_instance\_name](#input\_rds\_instance\_name) | The name of the RDS instance | `string` | `""` | no | | [region](#input\_region) | AWS region name where the primary RDS resources will be deployed | `string` | `null` | no | +| [role\_arn](#input\_role\_arn) | The ARN of the role to assume. Leave empty if not using assume role. | `string` | `""` | no | | [scaling\_configuration](#input\_scaling\_configuration) | Map of nested attributes with scaling properties. Only valid when engine\_mode is set to `serverless` | `map(string)` | `{}` | no | | [secondary\_kms\_key\_arn](#input\_secondary\_kms\_key\_arn) | The ARN for the secondary region KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage\_encrypted is set to true and kms\_key\_id is not specified the default KMS key created in your account will be used | `string` | `null` | no | | [secondary\_region](#input\_secondary\_region) | Secondary AWS region name where the Secondary RDS and VPC resources will be deployed | `string` | `null` | no | diff --git a/examples/aurora-global/README.md b/examples/aurora-global/README.md index e913344..d767c4d 100644 --- a/examples/aurora-global/README.md +++ b/examples/aurora-global/README.md @@ -17,7 +17,7 @@ | Name | Source | Version | |------|--------|---------| -| [aurora](#module\_aurora) | ../.. | n/a | +| [aurora](#module\_aurora) | squareops/rds-aurora/aws | n/a | | [kms](#module\_kms) | terraform-aws-modules/kms/aws | n/a | | [secondary\_vpc](#module\_secondary\_vpc) | squareops/vpc/aws | n/a | | [vpc](#module\_vpc) | squareops/vpc/aws | n/a | diff --git a/examples/aurora-global/main.tf b/examples/aurora-global/main.tf index 7d00797..5c11532 100644 
--- a/examples/aurora-global/main.tf +++ b/examples/aurora-global/main.tf @@ -102,7 +102,8 @@ module "secondary_vpc" { module "aurora" { - source = "../.." + source = "squareops/rds-aurora/aws" + version = "2.1.1" environment = local.environment global_cluster_enable = true port = local.port diff --git a/examples/aurora/README.md b/examples/aurora/README.md index 0f7fe2f..3772d22 100644 --- a/examples/aurora/README.md +++ b/examples/aurora/README.md @@ -16,7 +16,7 @@ | Name | Source | Version | |------|--------|---------| -| [aurora](#module\_aurora) | ../.. | n/a | +| [aurora](#module\_aurora) | squareops/rds-aurora/aws | n/a | | [kms](#module\_kms) | terraform-aws-modules/kms/aws | n/a | | [vpc](#module\_vpc) | squareops/vpc/aws | n/a | diff --git a/examples/aurora/main.tf b/examples/aurora/main.tf index 5629b8e..c99b05d 100644 --- a/examples/aurora/main.tf +++ b/examples/aurora/main.tf @@ -1,14 +1,17 @@ locals { - name = "skaf" - region = "us-east-2" - port = 5432 #/3306 - family = "aurora-postgresql15" #/aurora-mysql5.7" - engine = "aurora-postgresql" #/aurora-mysql" - vpc_cidr = "10.0.0.0/16" - environment = "production" - db_engine_version = "15.2" #/5.7" - db_instance_class = "db.r5.large" + role_arn = "" # Pass role arn of another aws account in which you want to create RDS, make sure to add required policies in role. + external_id = "" # Define your external ID here + assume_role_config = length(local.role_arn) > 0 ? { role_arn = local.role_arn } : null + name = "skaf" + region = "us-east-2" + port = 5432 #/3306 + family = "aurora-postgresql15" #/aurora-mysql5.7" + engine = "aurora-postgresql" #/aurora-mysql" + vpc_cidr = "10.0.0.0/16" + environment = "production" + db_engine_version = "15.2" #/5.7" + db_instance_class = "db.r5.large" additional_aws_tags = { Owner = "Organization_Name" Expires = "Never" 
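Review bot: Switching `source` from `../..` to the registry module pinned at `version = "2.1.1"` means this example no longer exercises the module code in this repository, so the provider changes made in this same commit are not covered by the example until a release containing them is published; whether 2.1.1 already carries the `role_arn`/`external_id` inputs cannot be told from the diff. Consider keeping `source = "../.."` for in-repo examples, or state in the example README that examples track the published release rather than the working tree. Unlike examples/aurora, this hunk does not wire `role_arn`/`external_id` into the module; if that is not done elsewhere in the file, the global example cannot use the new cross-account path.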
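Review bot: `external_id = "" # Define your external ID here` next to `role_arn = ""` invites users to commit the external ID into this example file together with the account-specific role ARN; the external ID is the confused-deputy control on the role's trust policy and is better supplied at run time than checked in. Replace the two literals with input variables that have no default, e.g. `role_arn = var.role_arn` and `external_id = var.external_id`, so they arrive via `-var`/`TF_VAR_*` and the committed example stays free of account-specific values. The new `assume_role_config` local wraps only `role_arn` in a single-key map; testing `local.role_arn != ""` directly in provider.tf would say the same thing with one fewer indirection.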
@@ -82,7 +85,10 @@ module "vpc" { module "aurora" { - source = "../.." #"git@github.com:sq-ia/terraform-aws-rds-aurora.git" + source = "squareops/rds-aurora/aws" + version = "2.1.1" + role_arn = local.role_arn + external_id = local.external_id environment = local.environment port = local.port vpc_id = module.vpc.vpc_id diff --git a/examples/aurora/provider.tf b/examples/aurora/provider.tf index c291cce..67b50fa 100644 --- a/examples/aurora/provider.tf +++ b/examples/aurora/provider.tf @@ -1,3 +1,11 @@ provider "aws" { region = local.region + dynamic "assume_role" { + for_each = local.assume_role_config != null ? [1] : [] + content { + role_arn = local.assume_role_config["role_arn"] + # Conditionally add external_id if role_arn is provided + external_id = local.role_arn != "" ? local.external_id : null + } + } } diff --git a/main.tf b/main.tf index 88196aa..19e22e1 100644 --- a/main.tf +++ b/main.tf @@ -3,12 +3,22 @@ locals { Automation = "true" Environment = var.environment } - region = var.region - secondary_region = var.secondary_region + region = var.region + secondary_region = var.secondary_region + role_arn = var.role_arn + external_id = var.external_id + assume_role_config = length(var.role_arn) > 0 ? { role_arn = var.role_arn } : null } provider "aws" { region = local.region + dynamic "assume_role" { + for_each = local.assume_role_config != null ? [1] : [] + content { + role_arn = local.assume_role_config["role_arn"] + external_id = local.external_id + } + } } provider "aws" { diff --git a/variables.tf b/variables.tf index 460ea5e..1128769 100644 --- a/variables.tf +++ b/variables.tf 
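Review bot: The guard on the new `external_id` line tests `local.role_arn`, which is already guaranteed non-empty inside this `dynamic "assume_role"` block (its `for_each` is gated on the same value), so the expression never yields `null` and an unset external ID is sent to the provider as `""`; the comment above it describes the wrong condition. Use `external_id = local.external_id != "" ? local.external_id : null` and reword the comment to `# Only send an external ID when one was configured`. Whether the AWS provider rejects or silently ignores an empty external_id I cannot confirm from here, but omitting it is the safe form either way. Adding `session_name = "terraform-${local.name}"` to the block would also make the assumed-role session attributable in CloudTrail.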
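Review bot: The second `provider "aws" {` that opens on the last line of this hunk (its body lies outside the hunk) does not receive the new `dynamic "assume_role"` block; if that is the secondary-region provider used for global clusters, its resources would be created with the ambient credentials rather than in the account of `var.role_arn`, which looks unintended and should be confirmed. The same block should be repeated there, and in both places `external_id = local.external_id` should become `external_id = local.external_id != "" ? local.external_id : null` so an unset external ID is omitted rather than passed as an empty string. A `session_name` such as `session_name = "terraform-rds-aurora-${var.environment}"` would make the assumed-role session identifiable in CloudTrail. The `assume_role_config` local only ever carries `role_arn`, so `for_each = var.role_arn != "" ? [1] : []` expresses the same gate without the extra map.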
@@ -371,3 +371,15 @@ variable "global_cluster_identifier" {
 default = null
 type = string
 }
+
+variable "role_arn" {
+ description = "The ARN of the role to assume. Leave empty if not using assume role."
+ type = string
+ default = "" # Default to empty string if not provided
+}
+
+variable "external_id" {
+ description = "External ID for assuming role."
+ type = string
+ default = "" # Default to empty string if not provided
+}
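Review bot: `role_arn` is accepted as any string and main.tf gates the `assume_role` block purely on its length, so a malformed value (a role name, an ARN with a typo) is only caught at apply time when the STS call fails; a `validation` block makes the contract explicit at plan time. The description should also say that the role must trust the caller and, when `external_id` is set, carry the matching `sts:ExternalId` condition, since nothing in the module checks that pairing. Marking `external_id` as `sensitive = true` is a judgement call (AWS does not treat the external ID as a credential), but it keeps the value out of plan output and logs.
```hcl
variable "role_arn" {
  description = "ARN of the IAM role to assume for all RDS resources. Leave empty to use the caller's credentials directly. The role must trust the calling principal and, if external_id is set, require that sts:ExternalId."
  type        = string
  default     = ""

  validation {
    condition     = var.role_arn == "" || can(regex("^arn:aws[a-zA-Z-]*:iam::[0-9]{12}:role/", var.role_arn))
    error_message = "role_arn must be empty or an IAM role ARN (arn:aws:iam::<account-id>:role/<name>)."
  }
}
# … unchanged: variable "external_id" …
```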