# Primary PostgreSQL instance holding the "tracking" database.
# count = 1 keeps the instance addressable as aws_db_instance.rds_db[0],
# which the rds_instance_address output relies on.
resource "aws_db_instance" "rds_db" {
  count = 1

  # Engine and identity
  engine         = "postgres"
  instance_class = "db.t3.micro"
  db_name        = "tracking"
  username       = "thesis"
  # Master password is injected through a variable. It is still recorded in
  # Terraform state in plaintext, so the state backend has to be protected
  # as a secret store.
  password = var.db_pwd
  # Permits IAM-token logins alongside the master password.
  iam_database_authentication_enabled = true

  # Storage
  allocated_storage = 20
  # Encrypted at rest. No kms_key_id is set here, so RDS falls back to the
  # AWS-managed RDS key; the customer-managed key below covers only
  # Performance Insights data.
  storage_encrypted = true

  # Placement and reachability: the DB subnet group from the VPC module plus
  # the dedicated DB security group. publicly_accessible is not set and so
  # keeps the provider default (false).
  db_subnet_group_name   = module.vpc.database_subnet_group_name
  vpc_security_group_ids = [aws_security_group.db_plane_sg.id]
  multi_az               = true

  # Backups and lifecycle. The snapshot skip and disabled deletion protection
  # are deliberate so the lab can be destroyed without manual steps.
  backup_retention_period = 5
  skip_final_snapshot     = true # inserted solely to allow immediate destruction
  #tfsec:ignore:aws-rds-enable-deletion-protection
  deletion_protection = false # inserted solely to allow immediate destruction

  # Performance Insights, encrypted with the customer-managed key declared
  # in this file.
  performance_insights_enabled          = true
  performance_insights_kms_key_id       = aws_kms_key.rds_performance_insights.arn
  performance_insights_retention_period = 7
  # NOTE(review): enabled_cloudwatch_logs_exports is not set, so the
  # postgresql engine log is not shipped to CloudWatch; worth considering
  # if connection/auth events need to be retained for audit.

  tags = {
    LAB     = "thesis"
    infra   = "terraform"
    db_name = "rds_db"
  }
}
# Customer-managed KMS key that encrypts RDS Performance Insights data.
# Who may use the key is decided by the "insight" key policy below.
resource "aws_kms_key" "rds_performance_insights" {
  policy              = data.aws_iam_policy_document.insight.json
  enable_key_rotation = true
  # 7 days is the shortest pending-deletion window AWS accepts. It keeps
  # lab teardown quick at the cost of a short window to cancel a mistaken
  # deletion.
  deletion_window_in_days = 7
}
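# Key policy for the Performance Insights KMS key.
#
# Statement 1 is the standard account-root delegation: it gives the account
# root full control of the key, which is what lets IAM policies in this
# account grant further key permissions and keeps the key manageable.
# Statement 2 lets the IAM user "admin" decrypt Performance Insights data,
# but only when the request is relayed by the RDS service in the current
# region and carries the Performance Insights encryption context. A direct
# kms:Decrypt call by that user outside RDS does not match the conditions.
#
# Both principal ARNs are built from data.aws_partition.current.partition so
# the two statements agree; in the commercial partition this renders the
# same "arn:aws:..." strings as before.
data "aws_iam_policy_document" "insight" {
  policy_id = "key-policy-insight"

  statement {
    sid       = "Enable IAM User Permissions"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type = "AWS"
      identifiers = [
        format(
          "arn:%s:iam::%s:root",
          data.aws_partition.current.partition,
          data.aws_caller_identity.current.account_id
        )
      ]
    }
  }

  statement {
    sid    = "Allow viewing RDS Performance Insights"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKey",
    ]
    # In a key policy "*" refers to this key only.
    resources = ["*"]

    principals {
      type = "AWS"
      identifiers = [
        format(
          "arn:%s:iam::%s:user/admin",
          data.aws_partition.current.partition,
          data.aws_caller_identity.current.account_id
        )
      ]
    }

    # Only honour requests that arrive via RDS in this region.
    # NOTE(review): the service endpoint still assumes the commercial
    # "amazonaws.com" DNS suffix; confirm if this is ever deployed outside
    # the aws partition.
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["rds.${data.aws_region.current.name}.amazonaws.com"]
    }
    # ... and only with the Performance Insights encryption context.
    condition {
      test     = "ForAnyValue:StringEquals"
      variable = "kms:EncryptionContext:aws:pi:service"
      values   = ["rds"]
    }
    condition {
      test     = "ForAnyValue:StringEquals"
      variable = "kms:EncryptionContext:service"
      values   = ["pi"]
    }
  }
}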
# Security group attached to the RDS instance. No inline rules are declared,
# so Terraform removes the AWS default allow-all egress rule; the only
# traffic permitted is whatever aws_security_group_rule resources add
# (currently just PostgreSQL ingress from the EKS node security group).
resource "aws_security_group" "db_plane_sg" {
  name        = "db-plane-sg"
  description = "Security group for dbs"
  vpc_id      = module.vpc.vpc_id

  tags = {
    Name  = "db-plane-sg"
    LAB   = "thesis"
    infra = "terraform"
  }
}
# Lets PostgreSQL traffic into the DB security group from the EKS node
# security group. The source is a security group, not a CIDR, so the
# database is reachable only from members of that node group.
resource "aws_security_group_rule" "node_ingress" {
  type              = "ingress"
  description       = "DB ingress rule"
  security_group_id = aws_security_group.db_plane_sg.id

  # 5432 is the PostgreSQL default port, which aws_db_instance.rds_db uses
  # since it sets no explicit port.
  protocol  = "tcp"
  from_port = 5432
  to_port   = 5432

  source_security_group_id = module.eks.node_security_group_id
}
# Endpoint hostname of the single RDS instance (index 0 because the
# resource uses count). A hostname is not a secret, so the output is not
# marked sensitive.
output "rds_instance_address" {
  description = "DNS address of the tracking PostgreSQL instance"
  value       = aws_db_instance.rds_db[0].address
}