fix db obj (#302)

* fix db variables * fix db obj * add secretsmanager conditional * use ah/tf-8609-fdo-6 for troubleshooting
hashicorp · Sep 22, 2023 · 9580333 · 9580333
1 parent a66a3e7
commit 9580333
Show file tree

Hide file tree

Showing 8 changed files with 67 additions and 43 deletions.
diff --git a/.github/workflows/handler-test.yml b/.github/workflows/handler-test.yml
@@ -10,7 +10,7 @@ env:
 
 jobs:
   active_active_rhel7_proxy:
-    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main
+    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6
     secrets: inherit
     name: Test AWS Active/Active RHEL7 Proxy Scenario
     if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'active-active-rhel7-proxy') }}
@@ -34,7 +34,7 @@ jobs:
         }\n/'
 
   public_active_active:
-    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main
+    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6
     secrets: inherit
     name: Test AWS Public Active/Active Scenario
     if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'public-active-active') }}
@@ -51,7 +51,7 @@ jobs:
       TFC_token_secret_name: PUBLIC_ACTIVE_ACTIVE_TFC_TOKEN
 
   private_active_active:
-    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main
+    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6
     secrets: inherit
     name: Test AWS Private Active/Active Scenario
     if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'private-active-active') }}
@@ -69,7 +69,7 @@ jobs:
       TFC_token_secret_name: PRIVATE_ACTIVE_ACTIVE_TFC_TOKEN
 
   private_tcp_active_active:
-    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main
+    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6
     secrets: inherit
     name: Test AWS Private TCP Active/Active Scenario
     if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'private-tcp-active-active') }}
@@ -87,7 +87,7 @@ jobs:
       TFC_token_secret_name: PRIVATE_TCP_ACTIVE_ACTIVE_TFC_TOKEN
 
   standalone_vault:
-    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main
+    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6
     secrets: inherit
     name: Test AWS Standalone Vault Scenario
     if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'standalone-vault') }}
@@ -112,7 +112,7 @@ jobs:
         }\n/'
 
   active_active_rhel7_proxy_replicated:
-    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main
+    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6
     secrets: inherit
     name: Test AWS Active/Active RHEL7 Proxy (Replicated) Scenario
     if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'active-active-rhel7-proxy-replicated') }}
@@ -136,7 +136,7 @@ jobs:
         }\n/'
 
   public_active_active_replicated:
-    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main
+    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6
     secrets: inherit
     name: Test AWS Public Active/Active (Replicated) Scenario
     if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'public-active-active-replicated') }}
@@ -154,7 +154,7 @@ jobs:
       TFC_workspace_substitution_pattern: s/aws-public-active-active/aws-public-active-active-replicated/
 
   private_active_active_replicated:
-    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main
+    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6
     secrets: inherit
     name: Test AWS Private Active/Active (Replicated) Scenario
     if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'private-active-active-replicated') }}
@@ -173,7 +173,7 @@ jobs:
       TFC_workspace_substitution_pattern: s/aws-private-active-active/aws-private-active-active-replicated/
 
   private_tcp_active_active_replicated:
-    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main
+    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6
     secrets: inherit
     name: Test AWS Private TCP Active/Active (Replicated) Scenario
     if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'private-tcp-active-active-replicated') }}
@@ -192,7 +192,7 @@ jobs:
       TFC_workspace_substitution_pattern: s/aws-private-tcp-active-active/aws-private-tcp-active-active-replicated/
 
   standalone_vault_replicated:
-    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main
+    uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6
     secrets: inherit
     name: Test AWS Standalone Vault (Replicated) Scenario
     if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'public-active-active-replicated') }}

diff --git a/locals.tf b/locals.tf
@@ -24,8 +24,8 @@ locals {
     {
       name       = null
       password   = null
-      host       = null
-      user       = null
+      endpoint   = null
+      username   = null
       parameters = null
     }
   )

diff --git a/main.tf b/main.tf
@@ -101,6 +101,9 @@ module "database" {
   db_size                      = var.db_size
   db_backup_retention          = var.db_backup_retention
   db_backup_window             = var.db_backup_window
+  db_name                      = var.db_name
+  db_parameters                = var.db_parameters
+  db_username                  = var.db_username
   engine_version               = var.postgres_engine_version
   friendly_name_prefix         = var.friendly_name_prefix
   network_id                   = local.network_id
@@ -135,9 +138,9 @@ module "docker_compose_config" {
   iact_time_limit           = var.iact_subnet_time_limit
 
   database_name       = local.database.name
-  database_user       = local.database.user
+  database_user       = local.database.username
   database_password   = local.database.password
-  database_host       = local.database.host
+  database_host       = local.database.endpoint
   database_parameters = local.database.parameters
 
   storage_type                         = "s3"

diff --git a/modules/database/main.tf b/modules/database/main.tf
@@ -59,7 +59,7 @@ resource "aws_db_instance" "postgresql" {
   instance_class    = var.db_size
   password          = random_string.postgresql_password.result
   # no special characters allowed
-  username = "espdtfe"
+  username = var.db_username
 
   allow_major_version_upgrade = false
   apply_immediately           = true
@@ -74,7 +74,7 @@ resource "aws_db_instance" "postgresql" {
   max_allocated_storage       = 0
   multi_az                    = true
   # no special characters allowed
-  db_name                = "espdtfe"
+  db_name                = var.db_name
   port                   = 5432
   publicly_accessible    = false
   skip_final_snapshot    = true

diff --git a/modules/database/outputs.tf b/modules/database/outputs.tf
@@ -2,25 +2,26 @@
 # SPDX-License-Identifier: MPL-2.0
 
 output "endpoint" {
-  value = aws_db_instance.postgresql.endpoint
-
+  value       = aws_db_instance.postgresql.endpoint
   description = "The connection endpoint of the PostgreSQL RDS instance in address:port format."
 }
 
 output "name" {
-  value = aws_db_instance.postgresql.name
-
+  value       = aws_db_instance.postgresql.name
   description = "The name of the PostgreSQL RDS instance."
 }
 
 output "password" {
-  value = aws_db_instance.postgresql.password
-
+  value       = aws_db_instance.postgresql.password
   description = "The password of the main PostgreSQL user."
 }
 
 output "username" {
-  value = aws_db_instance.postgresql.username
-
+  value       = aws_db_instance.postgresql.username
   description = "The name of the main PostgreSQL user."
 }
+
+output "parameters" {
+  value       = var.db_parameters
+  description = "PostgreSQL server parameters for the connection URI."
+}
diff --git a/modules/database/variables.tf b/modules/database/variables.tf
@@ -2,28 +2,38 @@
 # SPDX-License-Identifier: MPL-2.0
 
 variable "network_id" {
-  description = <<-EOD
-  The identity of the VPC in which the security group attached to the PostgreSQL RDS instance will be deployed.
-  EOD
+  description = "The identity of the VPC in which the security group attached to the PostgreSQL RDS instance will be deployed."
   type        = string
 }
 
+variable "db_name" {
+  type        = string
+  description = "PostgreSQL instance name. No special characters."
+}
+
+variable "db_username" {
+  type        = string
+  description = "PostgreSQL instance username. No special characters."
+}
+
 variable "db_size" {
   type        = string
-  default     = "db.m4.xlarge"
   description = "PostgreSQL instance size."
 }
 
 variable "db_backup_retention" {
   type        = number
   description = "The days to retain backups for. Must be between 0 and 35"
-  default     = 0
 }
 
 variable "db_backup_window" {
   type        = string
   description = "The daily time range (in UTC) during which automated backups are created if they are enabled"
-  default     = null
+}
+
+variable "db_parameters" {
+  type        = string
+  description = "PostgreSQL server parameters for the connection URI. Used to configure the PostgreSQL connection (e.g. sslmode=require)."
 }
 
 variable "engine_version" {
@@ -32,16 +42,12 @@ variable "engine_version" {
 }
 
 variable "network_subnets_private" {
-  description = <<-EOD
-  A list of the identities of the private subnetworks in which the PostgreSQL RDS instance will be deployed.
-  EOD
+  description = "A list of the identities of the private subnetworks in which the PostgreSQL RDS instance will be deployed."
   type        = list(string)
 }
 
 variable "tfe_instance_sg" {
-  description = <<-EOD
-  The identity of the security group attached to the TFE EC2 instance(s), which will be authorized for communication with the PostgreSQL RDS instance.
-  EOD
+  description = "The identity of the security group attached to the TFE EC2 instance(s), which will be authorized for communication with the PostgreSQL RDS instance."
   type        = string
 }
 
@@ -53,13 +59,9 @@ variable "friendly_name_prefix" {
 variable "network_private_subnet_cidrs" {
   type        = list(string)
   description = "(Optional) List of private subnet CIDR ranges to create in VPC."
-  default     = ["10.0.32.0/20", "10.0.48.0/20"]
 }
 
 variable "kms_key_arn" {
-  description = <<-EOD
-  The Amazon Resource Name of the KMS key which will be used by the Redis Elasticache replication group to encrypt data 
-  at rest.
-  EOD
+  description = "The Amazon Resource Name of the KMS key which will be used by the Redis Elasticache replication group to encrypt data at rest."
   type        = string
-}
+}
diff --git a/modules/service_accounts/main.tf b/modules/service_accounts/main.tf
@@ -32,7 +32,7 @@ data "aws_iam_policy_document" "instance_role" {
 }
 
 resource "aws_iam_role_policy" "secretsmanager" {
-  count = var.existing_iam_instance_profile_name == null && !var.enable_airgap ? 1 : 0
+  count = var.existing_iam_instance_profile_name == null && !var.enable_airgap && local.secret_arns != [] ? 1 : 0
 
   policy = data.aws_iam_policy_document.secretsmanager[0].json
   role   = local.iam_instance_role.id

diff --git a/variables.tf b/variables.tf
@@ -128,6 +128,18 @@ variable "redis_use_password_auth" {
 
 # Postgres
 # --------
+variable "db_name" {
+  default     = "hashicorp"
+  type        = string
+  description = "PostgreSQL instance name."
+}
+
+variable "db_username" {
+  default     = "hashicorp"
+  type        = string
+  description = "PostgreSQL instance username. No special characters."
+}
+
 variable "db_backup_retention" {
   type        = number
   description = "The days to retain backups for. Must be between 0 and 35"
@@ -140,6 +152,12 @@ variable "db_backup_window" {
   default     = null
 }
 
+variable "db_parameters" {
+  type        = string
+  description = "PostgreSQL server parameters for the connection URI. Used to configure the PostgreSQL connection."
+  default     = "sslmode=require"
+}
+
 variable "db_size" {
   type        = string
   default     = "db.m4.xlarge"