From dd88fda3fadf4ffc894d1f13dacee97464e76595 Mon Sep 17 00:00:00 2001
From: Robin Bowes
Date: Sat, 30 Sep 2017 20:42:19 +0100
Subject: [PATCH 1/3] Add enhanced monitoring
---
 README.md                              |  4 ++++
 examples/complete/main.tf              |  6 +----
 examples/enhanced_monitoring/README.md |  5 ++++
 examples/enhanced_monitoring/main.tf   | 33 ++++++++++++++++++++++++++
 main.tf                                |  3 +++
 modules/db_instance/main.tf            |  1 +
 modules/db_instance/variables.tf       |  7 +++++-
 variables.tf                           | 12 +++++++++-
 8 files changed, 64 insertions(+), 7 deletions(-)
 create mode 100644 examples/enhanced_monitoring/README.md
 create mode 100644 examples/enhanced_monitoring/main.tf
diff --git a/README.md b/README.md
index e140b76d..bc938275 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,10 @@ module "db" {
   maintenance_window = "Mon:00:00-Mon:03:00"
   backup_window = "03:00-06:00"
+
+  # Enhanced Monitoring
+  monitoring_interval = "${var.monitoring_interval}
+  monitoring_role_arn = "${var.monitoring_interval == "0" ? "" : aws_iam_role.rds_monitoring.arn}"
   tags = {
     Owner = "user"
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 3ffbffdc..5f4df516 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -31,27 +31,23 @@ module "db" {
   instance_class = "db.t2.large"
   allocated_storage = 5
   storage_encrypted = false
+  # kms_key_id = "arm:aws:kms:::key/"
   name = "demodb"
   username = "user"
   password = "YourPwdShouldBeLongAndSecure!"
   port = "3306"
-
   vpc_security_group_ids = ["${data.aws_security_group.default.id}"]
-
   maintenance_window = "Mon:00:00-Mon:03:00"
   backup_window = "03:00-06:00"
   backup_retention_period = 0 // disable backups to create DB faster
-
   tags = {
     Owner = "user"
     Environment = "dev"
   }
-
   # DB subnet group
   subnet_ids = ["${data.aws_subnet_ids.all.ids}"]
-
   # DB parameter group
   family = "mysql5.7"
 }
diff --git a/examples/enhanced_monitoring/README.md b/examples/enhanced_monitoring/README.md
new file mode 100644
index 00000000..a0496ebe
--- /dev/null
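Review bot: The commented-out `# kms_key_id = "arm:aws:kms:::key/"` added to examples/complete/main.tf misspells the ARN prefix as `arm:`, so anyone who uncomments it and fills in a key id gets a value the provider rejects; the same placeholder is copied into examples/enhanced_monitoring/main.tf in PATCH 2/3. A placeholder that shows the expected shape avoids that, e.g. `# kms_key_id = "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"` (placeholders to be replaced). It would also help to say next to it that the key is only used when `storage_encrypted` on the line above is set to true.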
+++ b/examples/enhanced_monitoring/README.md
@@ -0,0 +1,5 @@
+Enhanced Monitoring example
+===========================
+
+Configuration in this directory creates the additional resources required to use Enhanced Monitoring.
+
diff --git a/examples/enhanced_monitoring/main.tf b/examples/enhanced_monitoring/main.tf
new file mode 100644
index 00000000..a97eb085
--- /dev/null
+++ b/examples/enhanced_monitoring/main.tf
@@ -0,0 +1,33 @@
+resource "aws_iam_role" "rds_enhanced_monitoring" {
+  name = "rds-enhanced_monitoring-role"
+  assume_role_policy = "${data.aws_iam_policy_document.rds_enhanced_monitoring.json}"
+}
+
+resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" {
+  role = "${aws_iam_role.rds_enhanced_monitoring.name}"
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+}
+
+data "aws_iam_policy_document" "rds_enhanced_monitoring" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+      identifiers = ["monitoring.rds.amazonaws.com"]
+    }
+  }
+}
+
+module "db" {
+  source = "../../"
+
+  # rest of params here as per complete example
+
+  monitoring_interval = "${var.monitoring_interval}"
+  monitoring_role_arn = "${aws_iam_role.rds_enhanced_monitoring.arn}"
+}
diff --git a/main.tf b/main.tf
index c0cdd872..37e2a288 100644
--- a/main.tf
+++ b/main.tf
@@ -65,5 +65,8 @@ module "db_instance" {
   backup_retention_period = "${var.backup_retention_period}"
   backup_window = "${var.backup_window}"
+  monitoring_interval = "${var.monitoring_interval}"
+  monitoring_role_arn = "${var.monitoring_role_arn}"
+
   tags = "${var.tags}"
 }
diff --git a/modules/db_instance/main.tf b/modules/db_instance/main.tf
index c839596b..0d9a6688 100644
--- a/modules/db_instance/main.tf
+++ b/modules/db_instance/main.tf
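Review bot: The trust policy in `data "aws_iam_policy_document" "rds_enhanced_monitoring"` lets `monitoring.rds.amazonaws.com` assume the role with no condition, so the role is assumable on behalf of any RDS instance in any account, not just the one this example creates. AWS's guidance on cross-service confused-deputy prevention is to pin the trust to the owning account with an `aws:SourceAccount` condition (and, where the instance ARN is known, `aws:SourceArn`); since this example is the template users will copy, it is the right place to show that. The role name `rds-enhanced_monitoring-role` is also a fixed literal, so two copies of the example in one account will collide on creation; `name_prefix` would avoid that. A sketch of the condition, with the account id taken from the caller identity rather than hard-coded:
```hcl
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "rds_enhanced_monitoring" {
  statement {
    # … unchanged: actions, effect, principals …

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = ["${data.aws_caller_identity.current.account_id}"]
    }
  }
}
```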
@@ -25,6 +25,7 @@ resource "aws_db_instance" "this" {
   iops = "${var.iops}"
   publicly_accessible = "${var.publicly_accessible}"
   monitoring_interval = "${var.monitoring_interval}"
+  monitoring_role_arn = "${var.monitoring_role_arn}"
   allow_major_version_upgrade = "${var.allow_major_version_upgrade}"
   auto_minor_version_upgrade = "${var.auto_minor_version_upgrade}"
diff --git a/modules/db_instance/variables.tf b/modules/db_instance/variables.tf
index 3d8b0d83..6e854c05 100644
--- a/modules/db_instance/variables.tf
+++ b/modules/db_instance/variables.tf
@@ -18,7 +18,7 @@ variable "storage_encrypted" {
 variable "kms_key_id" {
   description = "The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage_encrypted is set to true and kms_key_id is not specified the default KMS key created in your account will be used"
-  default = ""
+  default = ""
 }
 variable "engine" {
@@ -84,6 +84,11 @@ variable "monitoring_interval" {
   default = 0
 }
+variable "monitoring_role_arn" {
+  description = "The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Must be specified if monitoring_interval is non-zero."
+  default = ""
+}
+
 variable "allow_major_version_upgrade" {
   description = "Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible"
   default = false
diff --git a/variables.tf b/variables.tf
index febf08bd..7b787289 100644
--- a/variables.tf
+++ b/variables.tf
@@ -18,7 +18,7 @@ variable "storage_encrypted" {
 variable "kms_key_id" {
   description = "The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage_encrypted is set to true and kms_key_id is not specified the default KMS key created in your account will be used"
-  default = ""
+  default = ""
 }
 variable "engine" {
@@ -79,6 +79,16 @@ variable "publicly_accessible" {
   default = false
 }
+variable "monitoring_interval" {
+  description = "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60."
+  default = 0
+}
+
+variable "monitoring_role_arn" {
+  description = "The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Must be specified if monitoring_interval is non-zero."
+  default = ""
+}
+
 variable "allow_major_version_upgrade" {
   description = "Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible"
   default = false
From 71521914542fe00217ce7f6d114043f1448ba60f Mon Sep 17 00:00:00 2001
From: Robin Bowes
Date: Sat, 30 Sep 2017 22:10:05 +0100
Subject: [PATCH 2/3] Add complete enhanced monitoring example
---
 README.md                              |  6 +--
 examples/complete/main.tf              | 12 +++---
 examples/enhanced_monitoring/README.md | 14 +++++++
 examples/enhanced_monitoring/main.tf   | 54 +++++++++++++++++++++++++-
 4 files changed, 75 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index bc938275..ef5a96fc 100644
--- a/README.md
+++ b/README.md
@@ -39,9 +39,9 @@ module "db" {
   maintenance_window = "Mon:00:00-Mon:03:00"
   backup_window = "03:00-06:00"
-  # Enhanced Monitoring
-  monitoring_interval = "${var.monitoring_interval}
-  monitoring_role_arn = "${var.monitoring_interval == "0" ? "" : aws_iam_role.rds_monitoring.arn}"
+  # Enhanced Monitoring - see example for details on how to create the role
+  # monitoring_interval = "10"
+  # monitoring_role_arn = "aws_iam_role.rds_enhanced_monitoring.arn"
   tags = {
     Owner = "user"
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 5f4df516..cd60d927 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -34,14 +34,14 @@ module "db" {
   # kms_key_id = "arm:aws:kms:::key/"
-  name = "demodb"
-  username = "user"
-  password = "YourPwdShouldBeLongAndSecure!"
-  port = "3306"
-  vpc_security_group_ids = ["${data.aws_security_group.default.id}"]
+  name = "demodb"
+  username = "user"
+  password = "YourPwdShouldBeLongAndSecure!"
+  port = "3306"
+  vpc_security_group_ids = ["${data.aws_security_group.default.id}"]
   maintenance_window = "Mon:00:00-Mon:03:00"
   backup_window = "03:00-06:00"
-  backup_retention_period = 0 // disable backups to create DB faster
+  backup_retention_period = 0 // disable backups to create DB faster
   tags = {
     Owner = "user"
     Environment = "dev"
diff --git a/examples/enhanced_monitoring/README.md b/examples/enhanced_monitoring/README.md
index a0496ebe..7545ba0b 100644
--- a/examples/enhanced_monitoring/README.md
+++ b/examples/enhanced_monitoring/README.md
@@ -3,3 +3,17 @@ Enhanced Monitoring example
 Configuration in this directory creates the additional resources required to use Enhanced Monitoring.
+Data sources are used to discover existing VPC resources (VPC, subnet and security group).
+
+Usage
+=====
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
diff --git a/examples/enhanced_monitoring/main.tf b/examples/enhanced_monitoring/main.tf
index a97eb085..c2fa518a 100644
--- a/examples/enhanced_monitoring/main.tf
+++ b/examples/enhanced_monitoring/main.tf
@@ -1,3 +1,26 @@
+provider "aws" {
+  region = "eu-west-1"
+}
+
+##############################################################
+# Data sources to get VPC, subnets and security group details
+##############################################################
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_subnet_ids" "all" {
+  vpc_id = "${data.aws_vpc.default.id}"
+}
+
+data "aws_security_group" "default" {
+  vpc_id = "${data.aws_vpc.default.id}"
+  name = "default"
+}
+
+##################################################
+# Create an IAM role to allow enhanced monitoring
+##################################################
 resource "aws_iam_role" "rds_enhanced_monitoring" {
   name = "rds-enhanced_monitoring-role"
   assume_role_policy = "${data.aws_iam_policy_document.rds_enhanced_monitoring.json}"
@@ -23,11 +46,38 @@ data "aws_iam_policy_document" "rds_enhanced_monitoring" {
   }
 }
+#####
+# DB
+#####
 module "db" {
   source = "../../"
-  # rest of params here as per complete example
+  identifier = "demodb"
+
+  engine = "mysql"
+  engine_version = "5.7.11"
+  instance_class = "db.t2.large"
+  allocated_storage = 5
+  storage_encrypted = false
-  monitoring_interval = "${var.monitoring_interval}"
+  # kms_key_id = "arm:aws:kms:::key/"
+
+  name = "demodb"
+  username = "user"
+  password = "YourPwdShouldBeLongAndSecure!"
+  port = "3306"
+  vpc_security_group_ids = ["${data.aws_security_group.default.id}"]
+  maintenance_window = "Mon:00:00-Mon:03:00"
+  backup_window = "03:00-06:00"
+  backup_retention_period = 0 // disable backups to create DB faster
+  tags = {
+    Owner = "user"
+    Environment = "dev"
+  }
+  # DB subnet group
+  subnet_ids = ["${data.aws_subnet_ids.all.ids}"]
+  # DB parameter group
+  family = "mysql5.7"
+  monitoring_interval = "30"
   monitoring_role_arn = "${aws_iam_role.rds_enhanced_monitoring.arn}"
 }
From 13b6d867dd072cb1c436c1998ea86e74db39e9a1 Mon Sep 17 00:00:00 2001
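Review bot: The `module "db"` block in the second hunk of examples/enhanced_monitoring/main.tf bakes `password = "YourPwdShouldBeLongAndSecure!"` and `storage_encrypted = false` into a file the README now tells users to `terraform apply`, so both tend to be copied unchanged into real deployments. Taking the password from an input with no default, `variable "password" {}` and `password = "${var.password}"`, keeps the credential out of the committed example, and a short comment that encryption is disabled only to keep the demo minimal would make the `storage_encrypted = false` choice explicit. In the first hunk, `data "aws_security_group" "default"` attaches the VPC's default security group to the instance; a comment that a dedicated group is expected outside the example would help there too.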
From: Robin Bowes
Date: Sat, 30 Sep 2017 22:52:56 +0100
Subject: [PATCH 3/3] Tweak README.md examples
---
 README.md                              | 4 ++--
 examples/enhanced_monitoring/README.md | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index ef5a96fc..fc40f8d3 100644
--- a/README.md
+++ b/README.md
@@ -40,8 +40,8 @@ module "db" {
   backup_window = "03:00-06:00"
   # Enhanced Monitoring - see example for details on how to create the role
-  # monitoring_interval = "10"
-  # monitoring_role_arn = "aws_iam_role.rds_enhanced_monitoring.arn"
+  monitoring_interval = "30"
+  monitoring_role_arn = "arn:aws:iam::123456789012:role/rds-monitoring-role"
   tags = {
     Owner = "user"
diff --git a/examples/enhanced_monitoring/README.md b/examples/enhanced_monitoring/README.md
index 7545ba0b..f6ccd170 100644
--- a/examples/enhanced_monitoring/README.md
+++ b/examples/enhanced_monitoring/README.md
@@ -3,6 +3,8 @@ Enhanced Monitoring example
 Configuration in this directory creates the additional resources required to use Enhanced Monitoring.
+See http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Monitoring.OS.html for details
+
 Data sources are used to discover existing VPC resources (VPC, subnet and security group).
 Usage