locals {
  # Prefix shared by every resource this module creates.
  name = format("%s-%s", var.project, var.environment)

  # Database name: an explicit override wins; otherwise derive it from the
  # project name with "-" swapped for "_" (presumably because the RDS
  # database name does not accept dashes — verify against the provider docs).
  db = var.db == null ? replace(var.project, "-", "_") : var.db

  default_tags = {
    Name        = local.name
    Project     = var.project
    Environment = var.environment
  }

  # Caller-supplied tags override the defaults on key collision.
  tags = merge(local.default_tags, var.tags)
}
resource "aws_db_subnet_group" "db" {
  # Nothing is created unless the module is enabled.
  count = var.create ? 1 : 0

  subnet_ids = var.subnet_ids
  name       = local.name
  tags       = local.tags
}
resource "aws_security_group" "db" {
  count = var.create ? 1 : 0

  vpc_id = var.vpc_id
  name   = "${local.name}-db"

  # No inline ingress/egress here: every rule for this group is declared as a
  # separate aws_security_group_rule that references aws_security_group.db[0].
  # Same tag set as the rest of the module, but Name points at the group
  # itself rather than the module-wide prefix.
  tags = merge(local.tags, { Name = "${local.name}-db" })
}
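resource "aws_security_group_rule" "private" {
  # One ingress rule per caller-supplied (trusted) security group.
  count = var.create ? length(var.security_group_ids) : 0

  description       = "Postgres from a trusted security group"
  security_group_id = aws_security_group.db[0].id
  type              = "ingress"

  # Least privilege: the original rule allowed every protocol on every port
  # (protocol "-1", ports 0-0). The trusted groups only need the Postgres
  # listener, which is var.port over TCP (the same port the instance binds).
  protocol  = "tcp"
  from_port = var.port
  to_port   = var.port

  source_security_group_id = var.security_group_ids[count.index]
}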
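resource "aws_security_group_rule" "public" {
  # Only exists when the caller asked for a publicly reachable instance.
  count = var.create && var.public ? 1 : 0

  description       = "Postgres from any address (var.public)"
  security_group_id = aws_security_group.db[0].id
  type              = "ingress"

  # Narrowed from protocol "-1" / ports 0-0 (every protocol, every port) to
  # the Postgres listener only. The source is still 0.0.0.0/0, so with
  # var.public the instance is reachable from any internet address: pair it
  # with an allow-list of client CIDRs rather than relying on the password
  # alone.
  protocol  = "tcp"
  from_port = var.port
  to_port   = var.port

  cidr_blocks = ["0.0.0.0/0"]
}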
resource "aws_db_instance" "db" {
  # Nothing is created unless the module is enabled.
  count = var.create ? 1 : 0

  identifier     = local.name
  engine         = "postgres"
  engine_version = var.postgres_version
  storage_type   = "gp2"
  # NOTE(review): storage_encrypted is not set, so the provider default
  # (unencrypted storage) applies. `storage_encrypted = true` (optionally with
  # kms_key_id) is the expected baseline, but enabling it on an existing
  # unencrypted instance forces a replacement — plan that as a deliberate
  # migration rather than a silent change.
  allocated_storage    = var.storage
  instance_class       = var.instance_type
  db_subnet_group_name = aws_db_subnet_group.db[0].name
  multi_az             = var.multi_az

  # Guards against accidental destroy; a final snapshot is still taken on
  # deletion because skip_final_snapshot is left at its default.
  deletion_protection       = var.prevent_destroy
  final_snapshot_identifier = "${local.name}-final"

  # Network exposure is governed entirely by the "db" security group and the
  # var.public flag (which also drives the 0.0.0.0/0 rule below).
  vpc_security_group_ids = [aws_security_group.db[0].id]
  publicly_accessible    = var.public

  backup_retention_period = var.backup_retention_period
  copy_tags_to_snapshot   = true
  # Minor engine upgrades (including security patches) will NOT be applied
  # automatically; someone has to bump var.postgres_version.
  auto_minor_version_upgrade = false
  # Allows IAM-based auth in addition to the master password below.
  iam_database_authentication_enabled = true
  port                                = var.port

  # NOTE(review): newer AWS provider versions rename this argument to db_name;
  # keep `name` only if the pinned provider still accepts it.
  name     = local.db
  username = var.username
  # The master password is stored in plaintext in the Terraform state; the
  # state backend must be encrypted and access-controlled accordingly.
  password = var.password
  tags     = local.tags
}
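locals {
  # Empty strings stand in for the instance attributes when the module is
  # disabled, so the references below do not index an empty resource list.
  host = var.create ? aws_db_instance.db[0].address : ""
  port = var.create ? aws_db_instance.db[0].port : ""

  # Master connection string handed to the management lambda via SSM.
  # Username and password are percent-encoded so that characters such as
  # "@", "/", ":" or "?" in var.password cannot break the URL's structure
  # (the unencoded form silently produced an unparsable or wrong URL).
  # This value embeds the master password in plaintext: it lands in the
  # Terraform state and in the SecureString parameter, so never expose it
  # through an output without `sensitive = true`.
  db_url = var.create ? "postgres://${urlencode(var.username)}:${urlencode(var.password)}@${local.host}:${local.port}/${local.db}" : ""
}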
resource "aws_ssm_parameter" "master_url" {
  # Only needed when the management lambda is going to read it.
  count = var.create && var.create_management_lambda ? 1 : 0

  name = "/${local.name}/MASTER_DB_URL"
  tags = local.tags

  # Holds the plaintext master connection string, hence SecureString. No
  # key_id is given, so presumably the account's default aws/ssm KMS key is
  # used; a customer-managed key would let read access be scoped by key
  # policy as well as by IAM.
  type  = "SecureString"
  value = local.db_url
}
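module "management_lambda" {
  source = "./management_lambda"

  create = var.create && var.create_management_lambda
  name   = "${local.name}-db-management"

  # NOTE(review): every other resource here uses local.tags; the module only
  # receives the raw var.tags, so its resources lack the Name/Project/
  # Environment defaults. Left unchanged — confirm whether the module sets its
  # own Name tag before switching this to local.tags.
  tags = var.tags

  # aws_ssm_parameter.master_url has count 0 whenever the lambda is disabled,
  # and Terraform evaluates this argument even when create = false, so the
  # former unguarded [0] index failed the plan with "Invalid index". Mirror
  # the parameter's own count condition and pass null when it does not exist
  # (the module must accept a null here when create is false).
  database_url_param = var.create && var.create_management_lambda ? aws_ssm_parameter.master_url[0].name : null

  # A public instance is reached over the internet; a private one needs the
  # lambda placed inside the VPC.
  vpc        = !var.public
  vpc_id     = !var.public ? var.vpc_id : null
  subnet_ids = !var.public ? var.subnet_ids : null
}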
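resource "aws_security_group_rule" "management_lambda" {
  # Only needed when the lambda runs inside the VPC, i.e. the instance is
  # private; a public instance is reached over the internet instead.
  count = var.create && !var.public && var.create_management_lambda ? 1 : 0

  description       = "Postgres from the management lambda"
  security_group_id = aws_security_group.db[0].id
  type              = "ingress"

  # Least privilege: the original rule allowed every protocol on every port
  # (protocol "-1", ports 0-0). The lambda only needs the Postgres listener,
  # which is var.port over TCP.
  protocol  = "tcp"
  from_port = var.port
  to_port   = var.port

  source_security_group_id = module.management_lambda.security_group_id
}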
data "aws_iam_policy_document" "management_lambda_master_url" {
  count = var.create && var.create_management_lambda ? 1 : 0

  # Read access scoped to the single parameter that holds the master URL.
  # NOTE(review): decrypting a SecureString also requires kms:Decrypt on the
  # key backing it; with the default aws/ssm key that is presumably granted
  # by the key policy — confirm if a customer-managed key is introduced.
  statement {
    effect    = "Allow"
    actions   = ["ssm:GetParameter"]
    resources = [aws_ssm_parameter.master_url[0].arn]
  }
}
resource "aws_iam_role_policy" "management_lambda_master_url" {
  count = var.create && var.create_management_lambda ? 1 : 0

  # Inline policy on the lambda's execution role granting it read access to
  # the master-URL parameter declared above.
  policy = data.aws_iam_policy_document.management_lambda_master_url[0].json
  role   = module.management_lambda.role_name
}