From 3f911aa4ec2823b288d55108fca5026d74bee9f6 Mon Sep 17 00:00:00 2001
From: "alistair.curtis"
Date: Tue, 5 Dec 2023 11:36:30 +0000
Subject: [PATCH 01/12] add RDS
---
 .../cdpt-chaps/application_variables.json | 10 +++++-
 terraform/environments/cdpt-chaps/database.tf | 35 +++++++++++++++++++
 terraform/environments/cdpt-chaps/locals.tf | 9 +++++
 3 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 terraform/environments/cdpt-chaps/database.tf
diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json
index 6b52bfe9b30..b7ba4f8cf3b 100644
--- a/terraform/environments/cdpt-chaps/application_variables.json
+++ b/terraform/environments/cdpt-chaps/application_variables.json
@@ -1,7 +1,15 @@
 {
 "accounts": {
 "development": {
- "example_var": "dev-data"
+ "db_enabled": true,
+ "db_instance_class": "db.t3.small",
+ "db_user": "admin",
+ "db_allocated_storage": "75",
+ "db_name": "chaps-dev",
+ "env_name": "development",
+ "friendly_name": "Chaps development",
+ "container_instance_type": "windows",
+ "container_version": "preproduction",
 },
 "test": {
 "example_var": "test-data"
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
new file mode 100644
index 00000000000..967b3a94f54
--- /dev/null
+++ b/terraform/environments/cdpt-chaps/database.tf
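Review bot: `"db_allocated_storage": "75"` is a quoted string while `db_enabled` on the line above it is a real boolean; the value is a quantity that feeds `allocated_storage`, so it should be a JSON number, `"db_allocated_storage": 75`, rather than relying on Terraform's implicit string-to-number conversion. The trailing comma after `"container_version": "preproduction",` leaves the document invalid for `jsondecode` at this commit, which patch 03 corrects. The `db_*` sizing values and the `container_*` deployment metadata are interleaved in one object; grouping the database keys together would make the per-environment contract easier to read.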
@@ -0,0 +1,35 @@
+#------------------------------------------------------------------------------
+# Database
+#------------------------------------------------------------------------------
+
+resource "aws_db_instance" "database" {
+ identifier = local.application_name
+ allocated_storage = local.app_data.accounts[local.environment].db_allocated_storage
+ storage_type = "gp2"
+ engine = "sqlserver-web"
+ engine_version = "14.00.3381.3.v1"
+ instance_class = local.app_data.accounts[local.environment].db_instance_class
+ name = local.app_data.accounts[local.environment].db_name
+ username = local.app_data.accounts[local.environment].db_user
+ #password = aws_secretsmanager_secret_version.db_password.arn
+}
+
+resource "aws_security_group" "db" {
+ name = "db"
+ description = "Allow DB inbound traffic"
+
+ ingress {
+ from_port = 1433
+ to_port = 1433
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
diff --git a/terraform/environments/cdpt-chaps/locals.tf b/terraform/environments/cdpt-chaps/locals.tf
index a7454414911..dd6fa15b334 100644
--- a/terraform/environments/cdpt-chaps/locals.tf
+++ b/terraform/environments/cdpt-chaps/locals.tf
@@ -1 +1,10 @@
 #### This file can be used to store locals specific to the member account ####
+
+
+locals {
+
+app_data = jsondecode(file("./application_variables.json"))
+
+application_name = "Chaps"
+
+}
\ No newline at end of file
From 26b07c146ddd6854dde5755d044a9beca842ec78 Mon Sep 17 00:00:00 2001
From: "alistair.curtis"
Date: Tue, 5 Dec 2023 11:46:39 +0000
Subject: [PATCH 02/12] remove app name locals
---
 terraform/environments/cdpt-chaps/locals.tf | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/terraform/environments/cdpt-chaps/locals.tf b/terraform/environments/cdpt-chaps/locals.tf
index dd6fa15b334..2dc3ec57c65 100644
--- a/terraform/environments/cdpt-chaps/locals.tf
+++ b/terraform/environments/cdpt-chaps/locals.tf
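Review bot: The `ingress` block of `aws_security_group.db` admits TCP 1433 from `0.0.0.0/0`, exposing the SQL Server listener to any source address; restrict it to the application tier, e.g. `security_groups = [<APP_TIER_SECURITY_GROUP_ID>]` (or at minimum the VPC CIDR) in place of `cidr_blocks = ["0.0.0.0/0"]`. The group also sets no `vpc_id`, so the provider places it in the region's default VPC, and `aws_db_instance.database` never references it through `vpc_security_group_ids`, so as written it protects nothing. The instance has no `storage_encrypted = true`, and its only credential hint is the commented `#password` line, which would have assigned a Secrets Manager ARN rather than a password anyway; `manage_master_user_password = true` lets RDS generate and store the master credential (patch 04 later drops the comment without replacing it). `local.environment` is read throughout but not declared in the `locals` block this commit adds, so it presumably comes from shared platform locals outside this diff.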
@@ -1,10 +1,7 @@
 #### This file can be used to store locals specific to the member account ####
-
 locals {
 app_data = jsondecode(file("./application_variables.json"))
-application_name = "Chaps"
-
 }
\ No newline at end of file
From 6d21f1a7b2c642cf3924f37eaa4940a0308ad286 Mon Sep 17 00:00:00 2001
From: "alistair.curtis"
Date: Tue, 5 Dec 2023 13:38:19 +0000
Subject: [PATCH 03/12] remove comma app_vars
---
 terraform/environments/cdpt-chaps/application_variables.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json
index b7ba4f8cf3b..24957d66d72 100644
--- a/terraform/environments/cdpt-chaps/application_variables.json
+++ b/terraform/environments/cdpt-chaps/application_variables.json
@@ -9,7 +9,7 @@
 "env_name": "development",
 "friendly_name": "Chaps development",
 "container_instance_type": "windows",
- "container_version": "preproduction",
+ "container_version": "preproduction"
 },
 "test": {
 "example_var": "test-data"
From f41583d1ef01e7f73f69d3a92719b1288017ff56 Mon Sep 17 00:00:00 2001
From: "alistair.curtis"
Date: Tue, 5 Dec 2023 19:17:26 +0000
Subject: [PATCH 04/12] revise db_name
---
 terraform/environments/cdpt-chaps/database.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index 967b3a94f54..88e3bd52307 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
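Review bot: Removing `application_name` from `locals` leaves `identifier = local.application_name` in `aws_db_instance.database` (added in patch 01) pointing at an undeclared local until patch 05 removes that line, so the configuration does not validate at this commit. Squashing this change with patch 05, or removing the reference in the same commit, keeps every commit in the series plannable. The hunk also keeps the file without a trailing newline, as the `\ No newline at end of file` marker shows; adding one avoids a spurious diff on the next edit.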
@@ -8,10 +8,10 @@ resource "aws_db_instance" "database" {
 storage_type = "gp2"
 engine = "sqlserver-web"
 engine_version = "14.00.3381.3.v1"
- instance_class = local.app_data.accounts[local.environment].db_instance_class
+ instance_class = local.app_data.accounts[local.environment].db_instance_identifier
+ identifier = local.app_data.accounts[local.environment].db_instance_class
 name = local.app_data.accounts[local.environment].db_name
 username = local.app_data.accounts[local.environment].db_user
- #password = aws_secretsmanager_secret_version.db_password.arn
 }
 resource "aws_security_group" "db" {
From d9c205dd24bb06c2dc075ef2a69d2140f6f01949 Mon Sep 17 00:00:00 2001
From: "alistair.curtis"
Date: Tue, 5 Dec 2023 19:19:07 +0000
Subject: [PATCH 05/12] remove extra identifier
---
 terraform/environments/cdpt-chaps/database.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index 88e3bd52307..04080937c2b 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -3,7 +3,6 @@
 #------------------------------------------------------------------------------
 resource "aws_db_instance" "database" {
- identifier = local.application_name
 allocated_storage = local.app_data.accounts[local.environment].db_allocated_storage
 storage_type = "gp2"
 engine = "sqlserver-web"
From b3963a56d821b0fc3dfc191f12359e264c69b6e6 Mon Sep 17 00:00:00 2001
From: "alistair.curtis"
Date: Tue, 5 Dec 2023 19:29:37 +0000
Subject: [PATCH 06/12] remove name argument
---
 terraform/environments/cdpt-chaps/database.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index 04080937c2b..bd996de8884 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -9,7 +9,6 @@ resource "aws_db_instance" "database" {
 engine_version = "14.00.3381.3.v1"
 instance_class = local.app_data.accounts[local.environment].db_instance_identifier
 identifier = local.app_data.accounts[local.environment].db_instance_class
- name = local.app_data.accounts[local.environment].db_name
 username = local.app_data.accounts[local.environment].db_user
 }
From 48b8d24cff8f4528386e80e80054b2504502713f Mon Sep 17 00:00:00 2001
From: "alistair.curtis"
Date: Thu, 7 Dec 2023 09:01:22 +0000
Subject: [PATCH 07/12] fix database.tf
---
 terraform/environments/cdpt-chaps/application_variables.json | 1 +
 terraform/environments/cdpt-chaps/database.tf | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json
index 24957d66d72..04dbda96653 100644
--- a/terraform/environments/cdpt-chaps/application_variables.json
+++ b/terraform/environments/cdpt-chaps/application_variables.json
@@ -7,6 +7,7 @@
 "db_allocated_storage": "75",
 "db_name": "chaps-dev",
 "env_name": "development",
+ "db_instance_identifier": "chaps-dev-instance",
 "friendly_name": "Chaps development",
 "container_instance_type": "windows",
 "container_version": "preproduction"
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index bd996de8884..b96a7617805 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -7,8 +7,8 @@ resource "aws_db_instance" "database" {
 storage_type = "gp2"
 engine = "sqlserver-web"
 engine_version = "14.00.3381.3.v1"
- instance_class = local.app_data.accounts[local.environment].db_instance_identifier
- identifier = local.app_data.accounts[local.environment].db_instance_class
+ instance_class = local.app_data.accounts[local.environment].db_instance_class
+ identifier = local.app_data.accounts[local.environment].db_instance_identifier
 username = local.app_data.accounts[local.environment].db_user
 }
From 30d22de3ba832de15f3e07faeb7f371cc15acee4 Mon Sep 17 00:00:00 2001
From: "alistair.curtis"
Date: Fri, 8 Dec 2023 10:50:53 +0000
Subject: [PATCH 08/12] add s3 access for RDS
---
 terraform/environments/cdpt-chaps/database.tf | 76 +++++++++++++++++--
 1 file changed, 69 insertions(+), 7 deletions(-)
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index b96a7617805..c73153db908 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -3,13 +3,21 @@
 #------------------------------------------------------------------------------
 resource "aws_db_instance" "database" {
- allocated_storage = local.app_data.accounts[local.environment].db_allocated_storage
- storage_type = "gp2"
- engine = "sqlserver-web"
- engine_version = "14.00.3381.3.v1"
- instance_class = local.app_data.accounts[local.environment].db_instance_class
- identifier = local.app_data.accounts[local.environment].db_instance_identifier
- username = local.app_data.accounts[local.environment].db_user
+ allocated_storage = local.app_data.accounts[local.environment].db_allocated_storage
+ storage_type = "gp2"
+ engine = "sqlserver-web"
+ engine_version = "14.00.3381.3.v1"
+ instance_class = local.app_data.accounts[local.environment].db_instance_class
+ identifier = local.app_data.accounts[local.environment].db_instance_identifier
+ username = local.app_data.accounts[local.environment].db_user
+ iam_database_authentication_enabled = true
+ iam_roles = ["arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"]
+ s3_import {
+ bucket_name = tp-dbbackups
+ bucket-prefix = chap-dev
+ ingestion_role = aws_iam_role.rds_s3_access.arn
+ source_engine = "sqlserver-web"
+}
 }
 resource "aws_security_group" "db" {
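Review bot: `iam_database_authentication_enabled = true` is set on an instance whose `engine` is `sqlserver-web`; RDS IAM database authentication is, to my knowledge, offered only for the MySQL, MariaDB and PostgreSQL engines, so this is likely rejected at apply time or has no effect — confirm against the current RDS engine matrix and drop the line if unsupported. The same commit creates `aws_kms_key.rds` ("Encryption key for rds", second hunk) but the instance still has no `storage_encrypted = true` / `kms_key_id = aws_kms_key.rds.arn`, so the database would be created with unencrypted storage and the key would go unused. The account id inside `iam_roles` is hard-coded and reappears in patch 12's `role_arn`; a single local, or a `db_s3_role_arn` entry in `application_variables.json`, would keep it in one place and allow it to differ per environment. The ingress rule for this instance's security group (opened to `0.0.0.0/0` in patch 01) is unchanged by this commit.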
@@ -31,3 +39,57 @@ resource "aws_security_group" "db" {
 }
 }
+resource "aws_iam_role" "rds_s3_access" {
+ assume_role_policy = jsonencode({
+ Version = "2017-10-17",
+ Statement = [
+ {
+ Action = "sts:AssumeRole",
+ Effect = "Allow",
+ Principal = {
+ Service = "rds.amazonaws.com"
+ },
+ },
+ ]
+ })
+}
+
+
+
+
+#------------------------------------------------------------------------------
+# S3 Bucket for Database backup files
+#------------------------------------------------------------------------------
+
+
+
+
+
+
+
+#------------------------------------------------------------------------------
+# KMS setup for RDS
+#------------------------------------------------------------------------------
+
+resource "aws_kms_key" "rds" {
+ description = "Encryption key for rds"
+ enable_key_rotation = true
+ policy = data.aws_iam_policy_document.rds-kms.json
+}
+
+resource "aws_kms_alias" "rds-kms-alias" {
+ name = "alias/rds"
+ target_key_id = aws_kms_key.rds.arn
+}
+
+data "aws_iam_policy_document" "rds-kms" {
+ statement {
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ }
+ }
+}
From bda9ff20aa87e99d20a2fcc132ca3aa8fb0ca0f2 Mon Sep 17 00:00:00 2001
From: "alistair.curtis"
Date: Fri, 8 Dec 2023 11:01:31 +0000
Subject: [PATCH 09/12] add s3 access for RDS
---
 terraform/environments/cdpt-chaps/locals.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/terraform/environments/cdpt-chaps/locals.tf b/terraform/environments/cdpt-chaps/locals.tf
index 968e78d3f1a..33482177713 100644
--- a/terraform/environments/cdpt-chaps/locals.tf
+++ b/terraform/environments/cdpt-chaps/locals.tf
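Review bot: `Version = "2017-10-17"` in the `assume_role_policy` of `aws_iam_role.rds_s3_access` is not a valid IAM policy-language version — IAM accepts `"2012-10-17"` (and the legacy `"2008-10-17"`) — so the role creation will be rejected as a malformed policy; change it to `Version = "2012-10-17"`. The role also has no permissions policy attached (no `aws_iam_role_policy` or policy attachment), so even once it can be assumed it grants RDS nothing on the backup bucket; the empty "S3 Bucket for Database backup files" section looks like a placeholder for that work and would be better left out of the commit until it exists. The key policy in `data.aws_iam_policy_document.rds-kms` grants `kms:*` to the account root, which is the conventional delegate-to-IAM pattern, but it means every use of the key is governed solely by IAM policies in the account, so those need to be reviewed with it. Resource names mix `snake_case` (`rds_s3_access`) with hyphens (`rds-kms-alias`, `rds-kms`); the rest of the file uses underscores.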
@@ -1,5 +1,8 @@
 #### This file can be used to store locals specific to the member account ####
 locals {
+
+ app_data = jsondecode(file("./application_variables.json"))
+
 domain_types = { for dvo in aws_acm_certificate.external.domain_validation_options : dvo.domain_name => {
 name = dvo.resource_record_name
 record = dvo.resource_record_value
From a21d36960d46c5fccc0f605d0288732f0da78470 Mon Sep 17 00:00:00 2001
From: "alistair.curtis"
Date: Fri, 8 Dec 2023 11:09:24 +0000
Subject: [PATCH 10/12] removed s3 info from rds instance
---
 .../environments/cdpt-chaps/application_variables.json | 1 -
 terraform/environments/cdpt-chaps/database.tf | 6 ------
 2 files changed, 7 deletions(-)
diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json
index 3265756f9ce..03af1a3aeae 100644
--- a/terraform/environments/cdpt-chaps/application_variables.json
+++ b/terraform/environments/cdpt-chaps/application_variables.json
@@ -1,7 +1,6 @@
 {
 "accounts": {
 "development": {
- "db_enabled": true,
 "db_instance_class": "db.t3.small",
 "db_user": "admin",
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index c73153db908..6fdcda30372 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -12,12 +12,6 @@ resource "aws_db_instance" "database" {
 username = local.app_data.accounts[local.environment].db_user
 iam_database_authentication_enabled = true
 iam_roles = ["arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"]
- s3_import {
- bucket_name = tp-dbbackups
- bucket-prefix = chap-dev
- ingestion_role = aws_iam_role.rds_s3_access.arn
- source_engine = "sqlserver-web"
-}
 }
 resource "aws_security_group" "db" {
From e5064a421bb7dc6eae73921af8264d07b47c8e1c Mon Sep 17 00:00:00 2001
From: "alistair.curtis"
Date: Fri, 8 Dec 2023 11:27:49 +0000
Subject: [PATCH 11/12] fixed typo
---
 terraform/environments/cdpt-chaps/application_variables.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json
index 03af1a3aeae..2679c1eba41 100644
--- a/terraform/environments/cdpt-chaps/application_variables.json
+++ b/terraform/environments/cdpt-chaps/application_variables.json
@@ -13,7 +13,7 @@
 "container_version": "preproduction"
 },
 "test": {
- "example_var": "test-data"
+ "example_var": "test-data",
 "region": "eu-west-2",
 "docker_image_tag": "development"
 },
From 848698328fd541f4bda69ad48f7f9a351e1be1e3 Mon Sep 17 00:00:00 2001
From: "alistair.curtis"
Date: Fri, 8 Dec 2023 11:45:17 +0000
Subject: [PATCH 12/12] fixed typo
---
 terraform/environments/cdpt-chaps/database.tf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index 6fdcda30372..11604afb426 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -11,7 +11,12 @@ resource "aws_db_instance" "database" {
 identifier = local.app_data.accounts[local.environment].db_instance_identifier
 username = local.app_data.accounts[local.environment].db_user
 iam_database_authentication_enabled = true
- iam_roles = ["arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"]
+}
+
+resource "aws_db_instance_role_association" "rds_s3_role_association" {
+ db_instance_identifier = aws_db_instance.database.identifier
+ feature_name = "S3_INTEGRATION"
+ role_arn = "arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"
 }
 resource "aws_security_group" "db" {
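Review bot: `role_arn` in `aws_db_instance_role_association.rds_s3_role_association` hard-codes a role in account 613903586696, while the KMS policy in patch 08 derives the owning account from `data.aws_caller_identity.current`, so unless those happen to be the same account this associates a foreign role with the instance. As far as I recall, RDS requires the role attached for `S3_INTEGRATION` to exist in the same account as the DB instance, with cross-account bucket access granted through the bucket's policy instead — confirm before depending on this. Reading the ARN from `application_variables.json` (e.g. a `db_s3_role_arn` key used as `local.app_data.accounts[local.environment].db_s3_role_arn`) keeps it with the other per-environment database settings and stops every environment pointing at one role. The enclosing `aws_db_instance.database` block begins above this hunk.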