# Security group attached to the DocumentDB cluster. It carries no inline
# rules; every rule lives in its own aws_security_group_rule below so that
# each can be switched on or off by a module input.
resource "aws_security_group" "default" {
  count = module.this.enabled ? 1 : 0

  vpc_id      = var.vpc_id
  name        = module.this.id
  description = "Security Group for DocumentDB cluster"
  tags        = module.this.tags
}
# Unrestricted egress from the cluster security group: every protocol
# (-1), every port (0-0) and every destination (0.0.0.0/0). Nothing in this
# file narrows it; if outbound traffic from the cluster must be limited to
# known destinations, that has to be changed here.
resource "aws_security_group_rule" "egress" {
  count = module.this.enabled ? 1 : 0

  security_group_id = join("", aws_security_group.default[*].id)
  type              = "egress"
  description       = "Allow all egress traffic"
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
}
# Optional intra-group rule: members of the cluster security group may reach
# each other on the DB port only (TCP). Enabled by var.allow_ingress_from_self.
resource "aws_security_group_rule" "allow_ingress_from_self" {
  count = (module.this.enabled && var.allow_ingress_from_self) ? 1 : 0

  security_group_id = join("", aws_security_group.default[*].id)
  type              = "ingress"
  description       = "Allow traffic within the security group"
  protocol          = "tcp"
  from_port         = var.db_port
  to_port           = var.db_port
  self              = true
}
# One ingress rule per caller-supplied source security group, each restricted
# to TCP on the DB port. No rule is created when the list is empty.
resource "aws_security_group_rule" "ingress_security_groups" {
  count = module.this.enabled ? length(var.allowed_security_groups) : 0

  security_group_id        = join("", aws_security_group.default[*].id)
  type                     = "ingress"
  description              = "Allow inbound traffic from existing Security Groups"
  protocol                 = "tcp"
  from_port                = var.db_port
  to_port                  = var.db_port
  source_security_group_id = element(var.allowed_security_groups, count.index)
}
# A single ingress rule covering every allowed CIDR block on the DB port
# (TCP). Only created when at least one CIDR is supplied; the module does
# not validate how wide those ranges are, so review the input carefully.
resource "aws_security_group_rule" "ingress_cidr_blocks" {
  count = (module.this.enabled && length(var.allowed_cidr_blocks) != 0) ? 1 : 0

  security_group_id = join("", aws_security_group.default[*].id)
  type              = "ingress"
  description       = "Allow inbound traffic from CIDR blocks"
  protocol          = "tcp"
  from_port         = var.db_port
  to_port           = var.db_port
  cidr_blocks       = var.allowed_cidr_blocks
}
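# Generated master password, used only when the caller does not supply one.
#
# The count is "enabled AND no password given". The previous expression
# (`enabled && master_password != "" ? 0 : 1`) evaluated to 1 whenever the
# module was disabled, creating a stray password resource in state even
# though no cluster existed. The cluster resource reads
# random_password.password[0].result only in the branch where this count
# is 1, so the fix does not change the enabled-and-empty-password path.
#
# Like any resource attribute, the generated value is recorded in Terraform
# state; treat the state backend as holding a credential.
resource "random_password" "password" {
  count = module.this.enabled && var.master_password == "" ? 1 : 0

  length = 16
  # NOTE(review): special characters are presumably disabled to stay within
  # DocumentDB's master-password character restrictions — confirm before
  # changing this.
  special = false
}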
# The DocumentDB cluster itself. Network placement (security group, subnet
# group) and the parameter group all come from sibling resources in this
# file; nearly everything else is passed straight through from inputs.
resource "aws_docdb_cluster" "default" {
  count = module.this.enabled ? 1 : 0

  cluster_identifier = module.this.id
  engine             = var.engine
  engine_version     = var.engine_version
  port               = var.db_port

  # Credentials. Whichever branch is taken, the password ends up in
  # Terraform state, so the state backend must be protected accordingly.
  master_username = var.master_username
  master_password = var.master_password != "" ? var.master_password : random_password.password[0].result

  # Networking: the security group and subnet group created above, and the
  # parameter group created below. join("", ...) yields "" when the
  # referenced resource has count 0.
  vpc_security_group_ids          = [join("", aws_security_group.default[*].id)]
  db_subnet_group_name            = join("", aws_docdb_subnet_group.default[*].name)
  db_cluster_parameter_group_name = join("", aws_docdb_cluster_parameter_group.default[*].name)

  # Encryption at rest is entirely input-driven: nothing here forces
  # storage_encrypted on or requires a customer-managed key.
  storage_encrypted = var.storage_encrypted
  kms_key_id        = var.kms_key_id

  # Backup / lifecycle. The final snapshot name is the lower-cased module id.
  backup_retention_period      = var.retention_period
  preferred_backup_window      = var.preferred_backup_window
  preferred_maintenance_window = var.preferred_maintenance_window
  snapshot_identifier          = var.snapshot_identifier
  final_snapshot_identifier    = lower(module.this.id)
  skip_final_snapshot          = var.skip_final_snapshot
  deletion_protection          = var.deletion_protection
  apply_immediately            = var.apply_immediately

  # Audit/profiler log export to CloudWatch is whatever the caller lists.
  enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports

  tags = module.this.tags
}
# var.cluster_size instances attached to the cluster, named "<id>-1",
# "<id>-2", ... so that the count index is human-readable.
resource "aws_docdb_cluster_instance" "default" {
  count = module.this.enabled ? var.cluster_size : 0

  identifier         = format("%s-%d", module.this.id, count.index + 1)
  cluster_identifier = join("", aws_docdb_cluster.default[*].id)
  engine             = var.engine
  instance_class     = var.instance_class

  # Maintenance behaviour mirrors the cluster-level inputs.
  apply_immediately            = var.apply_immediately
  preferred_maintenance_window = var.preferred_maintenance_window
  auto_minor_version_upgrade   = var.auto_minor_version_upgrade
  enable_performance_insights  = var.enable_performance_insights

  tags = module.this.tags
}
# Subnet group that decides which subnets cluster instances may be placed in.
# The subnet list is taken as-is from the caller.
resource "aws_docdb_subnet_group" "default" {
  count = module.this.enabled ? 1 : 0

  subnet_ids  = var.subnet_ids
  name        = module.this.id
  description = "Allowed subnets for DB cluster instances"
  tags        = module.this.tags
}
# https://docs.aws.amazon.com/documentdb/latest/developerguide/db-cluster-parameter-group-create.html
#
# Cluster parameter group for var.cluster_family. Each entry of
# var.cluster_parameters becomes one `parameter` block; `apply_method` is
# optional per entry and defaults to null (provider default) when absent.
resource "aws_docdb_cluster_parameter_group" "default" {
  count = module.this.enabled ? 1 : 0

  family      = var.cluster_family
  name        = module.this.id
  description = "DB cluster parameter group"

  dynamic "parameter" {
    for_each = var.cluster_parameters

    content {
      name         = parameter.value.name
      value        = parameter.value.value
      apply_method = lookup(parameter.value, "apply_method", null)
    }
  }

  tags = module.this.tags
}
# DNS labels for the writer ("master") and reader ("replicas") records.
# A caller-supplied name wins; otherwise the label is derived from
# module.this.name.
locals {
  cluster_dns_name_default  = "master.${module.this.name}"
  replicas_dns_name_default = "replicas.${module.this.name}"

  cluster_dns_name  = var.cluster_dns_name != "" ? var.cluster_dns_name : local.cluster_dns_name_default
  replicas_dns_name = var.reader_dns_name != "" ? var.reader_dns_name : local.replicas_dns_name_default
}
# Route53 record for the cluster writer endpoint. Only active when a zone id
# is supplied; the record set falls back to [""] while the cluster is absent
# so the module always receives a non-empty list.
module "dns_master" {
  source  = "cloudposse/route53-cluster-hostname/aws"
  version = "0.12.2"

  enabled  = module.this.enabled && var.zone_id != ""
  zone_id  = var.zone_id
  dns_name = local.cluster_dns_name
  records  = coalescelist(aws_docdb_cluster.default[*].endpoint, [""])

  context = module.this.context
}
# Route53 record for the cluster reader endpoint; same gating and fallback
# as the writer record above.
module "dns_replicas" {
  source  = "cloudposse/route53-cluster-hostname/aws"
  version = "0.12.2"

  enabled  = module.this.enabled && var.zone_id != ""
  zone_id  = var.zone_id
  dns_name = local.replicas_dns_name
  records  = coalescelist(aws_docdb_cluster.default[*].reader_endpoint, [""])

  context = module.this.context
}