From bac7bd865960acfe66f93ef2548c0a8b6f6eb1d3 Mon Sep 17 00:00:00 2001
From: roncitrus
Date: Tue, 9 Jan 2024 16:35:17 +0000
Subject: [PATCH 1/7] remove rds

---
 terraform/environments/cdpt-chaps/database.tf | 92 -------------------
 1 file changed, 92 deletions(-)

diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index a9de5f9d3a0..8b137891791 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -1,93 +1 @@
-#-----------------------------------------------------------------------------
-# Database
-#------------------------------------------------------------------------------
-resource "aws_db_instance" "database" {
- allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
- storage_type = "gp2"
- engine = "sqlserver-web"
- engine_version = "14.00.3381.3.v1"
- instance_class = local.application_data.accounts[local.environment].db_instance_class
- identifier = local.application_data.accounts[local.environment].db_instance_identifier
- username = local.application_data.accounts[local.environment].db_user
- password = data.aws_secretsmanager_secret_version.db_password.secret_string
- vpc_security_group_ids = [aws_security_group.db.id]
- depends_on = [aws_security_group.db]
- snapshot_identifier = "arn:aws:rds:eu-west-2:613903586696:snapshot:dev-modplatform-snapshot"
- skip_final_snapshot = true
- db_subnet_group_name = aws_db_subnet_group.db.id
-}
-
-resource "aws_db_instance_role_association" "database" {
- db_instance_identifier = aws_db_instance.database.identifier
- feature_name = "S3_INTEGRATION"
- role_arn = aws_iam_role.S3_db_backup_restore_access.arn
-}
-
-output "s3_db_backup_restore_access_role_arn" {
- value = aws_iam_role.S3_db_backup_restore_access.arn
-}
-
-resource "aws_db_subnet_group" "db" {
- name = "${local.application_name}-db-subnet-group"
- subnet_ids = sort(data.aws_subnets.shared-data.ids)
- tags = merge(
- local.tags,
- {
- Name = "${local.application_name}-db-subnet-group"
- }
- )
-}
-
-resource "aws_security_group" "db" {
- name = "${local.application_name}-db-sg"
- description = "Allow DB inbound traffic"
- vpc_id = data.aws_vpc.shared.id
- ingress {
- from_port = 1433
- to_port = 1433
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
-
-data "aws_secretsmanager_secret" "db_password" {
- name = aws_secretsmanager_secret.chaps_secret.name
-}
-
-data "aws_secretsmanager_secret_version" "db_password" {
- secret_id = data.aws_secretsmanager_secret.db_password.id
-}
-
-#------------------------------------------------------------------------------
-# KMS setup for RDS
-#------------------------------------------------------------------------------
-
-resource "aws_kms_key" "rds" {
- description = "Encryption key for rds"
- enable_key_rotation = true
- policy = data.aws_iam_policy_document.rds-kms.json
-}
-
-resource "aws_kms_alias" "rds-kms-alias" {
- name = "alias/rds"
- target_key_id = aws_kms_key.rds.arn
-}
-
-data "aws_iam_policy_document" "rds-kms" {
- statement {
- effect = "Allow"
- actions = ["kms:*"]
- resources = ["*"]
- principals {
- type = "AWS"
- identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
- }
- }
-}
From 5d498b7d7f5f3e7d2d4d47fb8009b59504037d48 Mon Sep 17 00:00:00 2001
From: roncitrus
Date: Tue, 9 Jan 2024 17:08:01 +0000
Subject: [PATCH 2/7] restore rds from snapshot

---
 terraform/environments/cdpt-chaps/database.tf | 93 +++++++++++++++++++
 1 file changed, 93 insertions(+)

diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index 8b137891791..1a98583ffe1 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -1 +1,94 @@
+#-----------------------------------------------------------------------------
+# Database
+#------------------------------------------------------------------------------
+
+resource "aws_db_instance" "database" {
+ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
+ storage_type = "gp2"
+ engine = "sqlserver-web"
+ engine_version = "14.00.3381.3.v1"
+ instance_class = local.application_data.accounts[local.environment].db_instance_class
+ identifier = local.application_data.accounts[local.environment].db_instance_identifier
+ username = local.application_data.accounts[local.environment].db_user
+ password = data.aws_secretsmanager_secret_version.db_password.secret_string
+ vpc_security_group_ids = [aws_security_group.db.id]
+ depends_on = [aws_security_group.db]
+ snapshot_identifier = "arn:aws:rds:eu-west-2:613903586696:snapshot:cdpt-dev-staging-snapshot-9-1-24"
+ skip_final_snapshot = true
+ db_subnet_group_name = aws_db_subnet_group.db.id
+}
+
+resource "aws_db_instance_role_association" "database" {
+ db_instance_identifier = aws_db_instance.database.identifier
+ feature_name = "S3_INTEGRATION"
+ role_arn = aws_iam_role.S3_db_backup_restore_access.arn
+}
+
+output "s3_db_backup_restore_access_role_arn" {
+ value = aws_iam_role.S3_db_backup_restore_access.arn
+}
+
+resource "aws_db_subnet_group" "db" {
+ name = "${local.application_name}-db-subnet-group"
+ subnet_ids = sort(data.aws_subnets.shared-data.ids)
+ tags = merge(
+ local.tags,
+ {
+ Name = "${local.application_name}-db-subnet-group"
+ }
+ )
+}
+
+resource "aws_security_group" "db" {
+ name = "${local.application_name}-db-sg"
+ description = "Allow DB inbound traffic"
+ vpc_id = data.aws_vpc.shared.id
+ ingress {
+ from_port = 1433
+ to_port = 1433
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+data "aws_secretsmanager_secret" "db_password" {
+ name = aws_secretsmanager_secret.chaps_secret.name
+}
+
+data "aws_secretsmanager_secret_version" "db_password" {
+ secret_id = data.aws_secretsmanager_secret.db_password.id
+}
+
+#------------------------------------------------------------------------------
+# KMS setup for RDS
+#------------------------------------------------------------------------------
+
+resource "aws_kms_key" "rds" {
+ description = "Encryption key for rds"
+ enable_key_rotation = true
+ policy = data.aws_iam_policy_document.rds-kms.json
+}
+
+resource "aws_kms_alias" "rds-kms-alias" {
+ name = "alias/rds"
+ target_key_id = aws_kms_key.rds.arn
+}
+
+data "aws_iam_policy_document" "rds-kms" {
+ statement {
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ }
+ }
+}
From b09aeb42d91344dc30ef669df80b790fe5ed07fe Mon Sep 17 00:00:00 2001
From: roncitrus
Date: Tue, 9 Jan 2024 17:19:20 +0000
Subject: [PATCH 3/7] RDS restore from snapshot

---
 terraform/environments/cdpt-chaps/database.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index 1a98583ffe1..33847f23d9a 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -1,5 +1,5 @@
 #-----------------------------------------------------------------------------
-# Database
+# Database
 #------------------------------------------------------------------------------
 resource "aws_db_instance" "database" {
From 82407f6ed18e93ec6f9bb7614a9e00049718b70c Mon Sep 17 00:00:00 2001
From: roncitrus
Date: Wed, 10 Jan 2024 11:13:02 +0000
Subject: [PATCH 4/7] publicly accessible

---
 terraform/environments/cdpt-chaps/database.tf | 1 +
 1 file changed, 1 insertion(+)
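Review bot: The `aws_security_group.db` ingress rule re-added in this hunk opens TCP 1433 to `0.0.0.0/0`, so anything that can route to the instance's network interface reaches SQL Server with only the `dbadmin` password in the way; restrict it to the VPC, e.g. `cidr_blocks = [data.aws_vpc.shared.cidr_block]`, or to the application's own security group. The `aws_kms_key.rds` key and its alias are defined here but `aws_db_instance.database` never references them (no `kms_key_id` or `storage_encrypted`), so either wire the key in or drop the unused resources; when restoring from a snapshot the instance's encryption state presumably follows the snapshot, which is worth confirming. `skip_final_snapshot = true` together with the hard-coded `snapshot_identifier` means a destroy discards anything written since `cdpt-dev-staging-snapshot-9-1-24`; a comment above the resource stating that this snapshot-restore workflow is intended for this environment would help the next reader. The `aws_db_instance` block this note refers to starts in the first part of this hunk, above.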
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index 33847f23d9a..73718c1d075 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -16,6 +16,7 @@ resource "aws_db_instance" "database" {
 snapshot_identifier = "arn:aws:rds:eu-west-2:613903586696:snapshot:cdpt-dev-staging-snapshot-9-1-24"
 skip_final_snapshot = true
 db_subnet_group_name = aws_db_subnet_group.db.id
+ publicly_accessible = true
 }
 resource "aws_db_instance_role_association" "database" {
From f21bf795b77c1c1180120fc3bcf23e5206cc33be Mon Sep 17 00:00:00 2001
From: roncitrus
Date: Wed, 10 Jan 2024 11:24:17 +0000
Subject: [PATCH 5/7] publicly accessible

---
 terraform/environments/cdpt-chaps/application_variables.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json
index 2fbd06769a9..8e48b01e6ef 100644
--- a/terraform/environments/cdpt-chaps/application_variables.json
+++ b/terraform/environments/cdpt-chaps/application_variables.json
@@ -4,7 +4,7 @@
 "db_enabled": true,
 "db_instance_class": "db.t3.small",
 "db_user": "dbadmin",
- "db_allocated_storage": "75",
+ "db_allocated_storage": "100",
 "db_name": "chaps-dev",
 "env_name": "development",
 "db_instance_identifier": "db-chaps-dev",
From 34b95fecffa993ff8daca28cfe45bc1373624c82 Mon Sep 17 00:00:00 2001
From: roncitrus
Date: Wed, 10 Jan 2024 12:11:01 +0000
Subject: [PATCH 6/7] publicly accessible

From fe0cae1a648ab36253ca9a19f8be4c6331639f5a Mon Sep 17 00:00:00 2001
From: roncitrus
Date: Wed, 10 Jan 2024 12:27:07 +0000
Subject: [PATCH 7/7] amend rds

---
 terraform/environments/cdpt-chaps/database.tf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index 73718c1d075..79344537afe 100644
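Review bot: `publicly_accessible = true` on `aws_db_instance.database` gives the instance a public address, and because `aws_security_group.db` (re-added in patch 2 of this series) already allows TCP 1433 from `0.0.0.0/0`, the SQL Server endpoint becomes reachable from the internet with only the password from Secrets Manager protecting it. If public reachability is really needed for the restore, pair it with a narrowed ingress rule and gate it per environment; otherwise set `publicly_accessible = false` or drop the attribute. The subnet group uses `data.aws_subnets.shared-data`, which look like private data subnets — if so the flag changes little for routing, which is worth confirming. None of the three commits titled "publicly accessible" say why it is needed; a comment above the attribute stating the reason and when it can be reverted would make the exposure auditable.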
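Review bot: `db_allocated_storage` stays a quoted string (`"100"`) while the `allocated_storage` attribute it feeds in database.tf takes a number; Terraform converts it implicitly, but writing `"db_allocated_storage": 100` — the same native typing `db_enabled` already uses — avoids relying on that conversion. The commit subject "publicly accessible" does not describe this change, which only raises the storage value from 75 to 100; if the increase is what the snapshot restore required, saying so in the message would explain the jump.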
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -1,5 +1,5 @@
 #-----------------------------------------------------------------------------
-# Database
+# Database
 #------------------------------------------------------------------------------
 resource "aws_db_instance" "database" {
@@ -92,4 +92,3 @@ data "aws_iam_policy_document" "rds-kms" {
 }
 }
 }
-