[Issue 1119] Finish deploying DMS resources 🎉 (#1132)

## Summary Closes #1119 ### Time to review: __3 mins__ ## Changes proposed Random changes needed in order to get the terraform-created DMS configuration working I've tested in the console and can confirm it to be full functional now!
HHS · Feb 2, 2024 · a1b836e · a1b836e
1 parent 4b36a90
commit a1b836e
Show file tree

Hide file tree

Showing 6 changed files with 65 additions and 16 deletions.
diff --git a/infra/api/database/main.tf b/infra/api/database/main.tf
@@ -98,4 +98,5 @@ module "database" {
   private_subnet_ids             = data.aws_subnets.database.ids
   aws_services_security_group_id = data.aws_security_groups.aws_services.ids[0]
   db_subnet_group_name           = var.environment_name
+  environment_name               = var.environment_name
 }
diff --git a/infra/modules/database/dms-instance.tf b/infra/modules/database/dms-instance.tf
@@ -1,6 +1,22 @@
 # DMS replication instance and endpoint connections
 
-resource "aws_dms_replication_instance" "simpler_db" {
+# docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets
+data "aws_subnets" "all" {
+  filter {
+    name   = "vpc-id"
+    values = [var.vpc_id]
+  }
+}
+
+# docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_replication_subnet_group
+resource "aws_dms_replication_subnet_group" "subnet" {
+  replication_subnet_group_description = "${var.environment_name} replication subnet group"
+  replication_subnet_group_id          = "${var.environment_name}-replication-subnet-group"
+  subnet_ids                           = data.aws_subnets.all.ids
+}
+
+# docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_replication_instance
+resource "aws_dms_replication_instance" "instance" {
   # checkov:skip=CKV_AWS_212:Not sure how this triggered, EBS volumes are a seperate resource.
   allocated_storage          = 50
   apply_immediately          = true
@@ -12,43 +28,54 @@ resource "aws_dms_replication_instance" "simpler_db" {
   preferred_maintenance_window = "sun:10:30-sun:14:30"
   publicly_accessible          = false
   replication_instance_class   = "dms.t3.small"
-  replication_instance_id      = "db-replication-instance"
+  replication_instance_id      = "${var.environment_name}-db-replication-instance"
+  replication_subnet_group_id  = aws_dms_replication_subnet_group.subnet.id
 
   vpc_security_group_ids = [
-    data.aws_security_group.source_db.id
+    data.aws_security_group.dms.id
   ]
-
 }
 
+# docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_endpoint
 resource "aws_dms_endpoint" "target_endpoint" {
+  endpoint_id                     = "${var.environment_name}-simpler-grants-target"
   certificate_arn                 = "arn:aws:dms:us-east-1:315341936575:cert:GWOIQRTIVQVRBL5ERMCKTUPHMM33MMDGIP57J4I"
   database_name                   = "app"
-  endpoint_id                     = "api-dev-primary"
   endpoint_type                   = "target"
   engine_name                     = "aurora-postgresql"
   kms_key_arn                     = aws_kms_key.dms_endpoints.arn
   secrets_manager_access_role_arn = aws_iam_role.dms_access.arn
   ssl_mode                        = "verify-ca"
-  secrets_manager_arn             = data.aws_secretsmanager_secret.db_password.arn
+  secrets_manager_arn             = data.aws_secretsmanager_secret.target_db.id
 }
 
+# docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dms_endpoint
 resource "aws_dms_endpoint" "source_endpoint" {
   # checkov:skip=CKV2_AWS_49: This endpoint doesn't need SSL
+  endpoint_id                     = "${var.environment_name}-grants-gov-source"
   database_name                   = "tstgrnts"
-  endpoint_id                     = "hhs-source"
   endpoint_type                   = "source"
   engine_name                     = "oracle"
   kms_key_arn                     = aws_kms_key.dms_endpoints.arn
   ssl_mode                        = "none"
   secrets_manager_access_role_arn = aws_iam_role.dms_access.arn
-  secrets_manager_arn             = data.aws_secretsmanager_secret.source_db.arn
+  secrets_manager_arn             = data.aws_secretsmanager_secret.source_db.id
 }
 
 resource "aws_kms_key" "dms_endpoints" {
   description         = "KMS key for endpoints associated with DMS"
   enable_key_rotation = true
 }
 
+# These credentails were provided to us by MicroHealth.
+# docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret
 data "aws_secretsmanager_secret" "source_db" {
-  name = "dev/grants_gov_source_db"
+  name = "${var.environment_name}/grants_gov_source_db"
+}
+
+# Unfortunatly, the secret auto-generated by AWS RDS does not include the host and the port.
+# So here we have created a new secret with the host and the port.
+# docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret
+data "aws_secretsmanager_secret" "target_db" {
+  name = "${var.environment_name}/simpler_grants_target_db"
 }
diff --git a/infra/modules/database/dms-role.tf b/infra/modules/database/dms-role.tf
@@ -40,9 +40,15 @@ data "aws_iam_policy_document" "dms_access" {
     # TODO! arn for the actual dms service goes here
   }
   statement {
-    effect    = "Allow"
-    actions   = ["secretsmanager:GetSecretValue"]
-    resources = [data.aws_secretsmanager_secret.db_password.arn]
+    effect = "Allow"
+    actions = [
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+    ]
+    resources = [
+      data.aws_secretsmanager_secret.target_db.arn,
+      data.aws_secretsmanager_secret.source_db.arn,
+    ]
   }
   statement {
     # Allows DMS to create the roles it needs if not created beforehand

diff --git a/infra/modules/database/networking.tf b/infra/modules/database/networking.tf
@@ -60,12 +60,11 @@ resource "aws_vpc_security_group_ingress_rule" "db_ingress_from_dms" {
   from_port                    = 5432
   to_port                      = 5432
   ip_protocol                  = "tcp"
-  referenced_security_group_id = data.aws_security_group.source_db.id
+  referenced_security_group_id = data.aws_security_group.dms.id
 }
 
-# security group for the source DB
-data "aws_security_group" "source_db" {
+# security group for the DMS
+data "aws_security_group" "dms" {
   name   = "dms"
   vpc_id = var.vpc_id
 }
-
diff --git a/infra/modules/database/variables.tf b/infra/modules/database/variables.tf
@@ -7,6 +7,11 @@ variable "name" {
   }
 }
 
+variable "environment_name" {
+  type        = string
+  description = "name of the application environment"
+}
+
 variable "db_subnet_group_name" {
   description = "name of the database subnet group to create that will be used by the database cluster."
   type        = string

diff --git a/infra/modules/dms-networking/security.tf b/infra/modules/dms-networking/security.tf
@@ -8,6 +8,17 @@ resource "aws_security_group" "dms" {
   vpc_id      = var.vpc_id
 }
 
+# Allow all egrees traffic from DMS instance, which allows it to (for example)
+# request secrets from AWS Secrets Manager.
+resource "aws_vpc_security_group_egress_rule" "all_egress" {
+  description       = "Allow all egress"
+  from_port         = 0
+  to_port           = 0
+  ip_protocol       = "-1"
+  cidr_ipv4         = "0.0.0.0/0"
+  security_group_id = aws_security_group.dms.id
+}
+
 resource "aws_vpc_security_group_egress_rule" "postgres_egress_from_dms" {
   description       = "Allow outbound requests to database from DMS"
   cidr_ipv4         = local.our_target_cidr_block