From d10711d08bb0b8bf8a7c9e0424d4abd7ba273631 Mon Sep 17 00:00:00 2001 From: Alan Santos Date: Mon, 12 Aug 2024 11:05:29 +1000 Subject: [PATCH 1/2] Adding allow_cidrs for replica instance --- _variables.tf | 16 ++++++++++++++++ rds.tf | 2 +- sg.tf | 44 +++++++++++++++++++++++++++++++++++++++++++- 3 files changed, 60 insertions(+), 2 deletions(-) diff --git a/_variables.tf b/_variables.tf index bb8dbba..e0f3034 100644 --- a/_variables.tf +++ b/_variables.tf @@ -28,12 +28,28 @@ variable "allow_security_group_ids" { default = [] } +variable "allow_security_group_ids_replica" { + type = list(object({ + security_group_id = string + description = string + name = string + })) + description = "List of Security Group IDs to allow connection to this DB Replica" + default = [] +} + variable "allow_cidrs" { type = list(string) default = [] description = "List of CIDRs to allow connection to this DB" } +variable "allow_cidrs_replica" { + type = list(string) + default = [] + description = "List of CIDRs to allow connection to this DB Replica" +} + variable "user" { type = string description = "DB User" diff --git a/rds.tf b/rds.tf index fd702a0..dabbe32 100644 --- a/rds.tf +++ b/rds.tf @@ -126,7 +126,7 @@ resource "aws_db_instance" "rds_replica" { parameter_group_name = var.create_db_parameter_group == true ? aws_db_parameter_group.rds_custom_db_pg[count.index].name : "" skip_final_snapshot = var.skip_final_snapshot replicate_source_db = aws_db_instance.rds_db[0].arn - vpc_security_group_ids = [aws_security_group.rds_db.id] + vpc_security_group_ids = [aws_security_group.rds_db_replica.id] storage_encrypted = var.storage_encrypted db_subnet_group_name = try(var.db_subnet_group_replica_id, null) publicly_accessible = var.publicly_accessible_replica diff --git a/sg.tf b/sg.tf index 004c1f9..830a051 100644 --- a/sg.tf +++ b/sg.tf 
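Review bot: `allow_cidrs_replica` accepts any `list(string)` with no validation, so a value such as `0.0.0.0/0` (or a malformed string that only fails at apply time) silently opens the replica's port; a `validation` block such as `condition = alltrue([for c in var.allow_cidrs_replica : can(cidrhost(c, 0))])` with a matching `error_message` would catch bad input at plan time, and the existing `allow_cidrs` variable shown in this hunk has the same gap. In `allow_security_group_ids_replica` the `description = string` attribute is required, which means the `try(each.value.description, …)` fallback the matching rule in sg.tf relies on can never fire; declaring it `description = optional(string)` would make that fallback meaningful (this needs Terraform 1.3+, which the module's required version, not visible here, may or may not allow).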
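Review bot: Pointing `vpc_security_group_ids` at `aws_security_group.rds_db_replica` is a breaking change for existing callers: the new `allow_cidrs_replica` and `allow_security_group_ids_replica` variables default to `[]`, so on the first apply after upgrading, every replica loses the ingress it currently inherits from the primary's `allow_cidrs` / `allow_security_group_ids` until callers set the new inputs. Failing closed is the right direction for a database, but the README/changelog should state it explicitly and this deserves a major version bump; if backward compatibility matters more, the replica rules could fall back to the primary's lists when the replica-specific ones are empty. The `aws_db_instance.rds_replica` resource starts before this hunk and continues past it.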
@@ -8,6 +8,15 @@ resource "aws_security_group" "rds_db" { } } +resource "aws_security_group" "rds_db_replica" { + name = "rds-${var.environment_name}-${var.name}-replica" + vpc_id = var.vpc_id + + lifecycle { + create_before_destroy = true + } +} + resource "aws_security_group_rule" "rds_db_inbound_cidrs" { count = length(var.allow_cidrs) != 0 ? 1 : 0 type = "ingress" @@ -16,7 +25,7 @@ resource "aws_security_group_rule" "rds_db_inbound_cidrs" { protocol = "tcp" cidr_blocks = var.allow_cidrs security_group_id = aws_security_group.rds_db.id - description = "From CIDR ${join(", ", slice(var.allow_cidrs, 0, 10))}" + description = "From CIDR ${join(", ", var.allow_cidrs)}" } resource "aws_security_group_rule" "rds_db_inbound_from_sg" { 
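Review bot: `aws_security_group.rds_db_replica` combines a fixed `name` with `create_before_destroy = true`, but a security-group name must be unique within a VPC, so any forced replacement will fail with a duplicate-name error while the old group still exists; `name_prefix = "rds-${var.environment_name}-${var.name}-replica-"` is the usual fix for this lifecycle setting. The group also has no `description` (the provider will store "Managed by Terraform") and no `tags`; whether the primary `rds_db` group sets these is outside the hunk, but the replica group should match whatever convention it uses.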
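Review bot: Removing `slice(var.allow_cidrs, 0, 10)` from the description leaves it unbounded, and AWS rejects security-group rule descriptions longer than 255 characters, so a long `allow_cidrs` list now fails at apply time rather than being truncated. The original `slice` was itself a bug (it errors whenever the list has fewer than 10 entries), so the replacement should be a length cap rather than a removal: `description = substr("From CIDR ${join(", ", var.allow_cidrs)}", 0, 255)`. The same unbounded join is used for the replica rule added later in this file.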
@@ -37,4 +46,37 @@ resource "aws_security_group_rule" "egress_rule" { protocol = "-1" security_group_id = aws_security_group.rds_db.id cidr_blocks = ["0.0.0.0/0"] +} + +##SG for Replica + +resource "aws_security_group_rule" "rds_db_inbound_cidrs_replica" { + count = length(var.allow_cidrs_replica) != 0 ? 1 : 0 + type = "ingress" + from_port = var.port + to_port = var.port + protocol = "tcp" + cidr_blocks = var.allow_cidrs_replica + security_group_id = aws_security_group.rds_db_replica.id + description = "From CIDR ${join(", ", var.allow_cidrs_replica)}" +} + +resource "aws_security_group_rule" "rds_db_inbound_from_sg_replica" { + for_each = { for security_group_id in var.allow_security_group_ids_replica : security_group_id.name => security_group_id } + type = "ingress" + from_port = var.port + to_port = var.port + protocol = "tcp" + source_security_group_id = each.value.security_group_id + security_group_id = aws_security_group.rds_db_replica.id + description = try(each.value.description, "From ${each.value.security_group_id}") +} + +resource "aws_security_group_rule" "egress_rule_replica" { + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + security_group_id = aws_security_group.rds_db_replica.id + cidr_blocks = ["0.0.0.0/0"] } \ No newline at end of file From 64adc830f2b9bd10c7495d1d155048414c789b55 Mon Sep 17 00:00:00 2001 From: alandavid Date: Mon, 12 Aug 2024 01:08:43 +0000 Subject: [PATCH 2/2] terraform-docs: automated update action --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 140e704..789318a 100644 --- a/README.md +++ b/README.md 
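Review bot: In `rds_db_inbound_from_sg_replica` the `try(each.value.description, "From ${each.value.security_group_id}")` fallback is unreachable: the variable's object type declares `description = string` as required, so the attribute always exists (an empty string or `null` passes through `try` untouched). Either make the attribute `optional(string)` in the variable or express the intent directly with `description = coalesce(each.value.description, "From ${each.value.security_group_id}")`, which also covers the empty-string case. `rds_db_inbound_cidrs_replica` joins the whole CIDR list into a description with no 255-character cap, and `egress_rule_replica` opens all outbound traffic to `0.0.0.0/0`; that mirrors the primary's `egress_rule`, but a read replica rarely needs unrestricted egress, so it is worth narrowing if the primary's policy is ever tightened.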
@@ -24,7 +24,9 @@ |------|-------------|------|---------|:--------:| | allocated\_storage | Storage size in GB | `number` | `null` | no | | allow\_cidrs | List of CIDRs to allow connection to this DB | `list(string)` | `[]` | no | +| allow\_cidrs\_replica | List of CIDRs to allow connection to this DB Replica | `list(string)` | `[]` | no | | allow\_security\_group\_ids | List of Security Group IDs to allow connection to this DB |
list(object({
security_group_id = string
description = string
name = string
}))
| `[]` | no | +| allow\_security\_group\_ids\_replica | List of Security Group IDs to allow connection to this DB Replica |
list(object({
security_group_id = string
description = string
name = string
}))
| `[]` | no | | apply\_immediately | Apply changes immediately or wait for the maintainance window | `bool` | `true` | no | | auto\_minor\_version\_upgrade | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window | `bool` | `true` | no | | backup | Enables automatic backup with AWS Backup | `bool` | n/a | yes |