diff --git a/.github/workflows/handler-test.yml b/.github/workflows/handler-test.yml index 65b6b579..628dda52 100644 --- a/.github/workflows/handler-test.yml +++ b/.github/workflows/handler-test.yml @@ -10,7 +10,7 @@ env: jobs: active_active_rhel7_proxy: - uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main + uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6 secrets: inherit name: Test AWS Active/Active RHEL7 Proxy Scenario if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'active-active-rhel7-proxy') }} @@ -34,7 +34,7 @@ jobs: }\n/' public_active_active: - uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main + uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6 secrets: inherit name: Test AWS Public Active/Active Scenario if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'public-active-active') }} @@ -51,7 +51,7 @@ jobs: TFC_token_secret_name: PUBLIC_ACTIVE_ACTIVE_TFC_TOKEN private_active_active: - uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main + uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6 secrets: inherit name: Test AWS Private Active/Active Scenario if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'private-active-active') }} 
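Review bot: The new `uses:` reference points the reusable workflow at `ah/tf-8609-fdo-6`, a mutable branch whose name reads like a personal feature branch, and the job runs it with `secrets: inherit`, so any later push to that branch executes with this repository's secrets. The previous `@main` was already a floating ref, but a feature branch is more likely to be rewritten or deleted, which would also break `handler-test.yml` at dispatch time. If this is a temporary pointer for testing the utility change, note it in the PR and revert before merge; otherwise pin the caller to a full commit SHA, e.g. `uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@<commit-sha>`, which is GitHub's recommendation for third-party reusable workflows. The same line is changed in hunks @@ -34, @@ -51, @@ -69, @@ -87, @@ -112, @@ -136, @@ -154, @@ -173 and @@ -192 of this file.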
@@ -69,7 +69,7 @@ jobs: TFC_token_secret_name: PRIVATE_ACTIVE_ACTIVE_TFC_TOKEN private_tcp_active_active: - uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main + uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6 secrets: inherit name: Test AWS Private TCP Active/Active Scenario if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'private-tcp-active-active') }} @@ -87,7 +87,7 @@ jobs: TFC_token_secret_name: PRIVATE_TCP_ACTIVE_ACTIVE_TFC_TOKEN standalone_vault: - uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main + uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6 secrets: inherit name: Test AWS Standalone Vault Scenario if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'standalone-vault') }} @@ -112,7 +112,7 @@ jobs: }\n/' active_active_rhel7_proxy_replicated: - uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main + uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6 secrets: inherit name: Test AWS Active/Active RHEL7 Proxy (Replicated) Scenario if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'active-active-rhel7-proxy-replicated') }} 
@@ -136,7 +136,7 @@ jobs: }\n/' public_active_active_replicated: - uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main + uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6 secrets: inherit name: Test AWS Public Active/Active (Replicated) Scenario if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'public-active-active-replicated') }} @@ -154,7 +154,7 @@ jobs: TFC_workspace_substitution_pattern: s/aws-public-active-active/aws-public-active-active-replicated/ private_active_active_replicated: - uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main + uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6 secrets: inherit name: Test AWS Private Active/Active (Replicated) Scenario if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'private-active-active-replicated') }} @@ -173,7 +173,7 @@ jobs: TFC_workspace_substitution_pattern: s/aws-private-active-active/aws-private-active-active-replicated/ private_tcp_active_active_replicated: - uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main + uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6 secrets: inherit name: Test AWS Private TCP Active/Active (Replicated) Scenario if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'private-tcp-active-active-replicated') }} 
@@ -192,7 +192,7 @@ jobs: TFC_workspace_substitution_pattern: s/aws-private-tcp-active-active/aws-private-tcp-active-active-replicated/ standalone_vault_replicated: - uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@main + uses: hashicorp/terraform-random-tfe-utility/.github/workflows/aws-tests.yml@ah/tf-8609-fdo-6 secrets: inherit name: Test AWS Standalone Vault (Replicated) Scenario if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'public-active-active-replicated') }} diff --git a/locals.tf b/locals.tf index 8b1bdb11..762ce9f9 100644 --- a/locals.tf +++ b/locals.tf @@ -24,8 +24,8 @@ locals { { name = null password = null - host = null - user = null + endpoint = null + username = null parameters = null } ) diff --git a/main.tf b/main.tf index c8fb8af6..c8b09e50 100644 --- a/main.tf +++ b/main.tf @@ -101,6 +101,9 @@ module "database" { db_size = var.db_size db_backup_retention = var.db_backup_retention db_backup_window = var.db_backup_window + db_name = var.db_name + db_parameters = var.db_parameters + db_username = var.db_username engine_version = var.postgres_engine_version friendly_name_prefix = var.friendly_name_prefix network_id = local.network_id @@ -135,9 +138,9 @@ module "docker_compose_config" { iact_time_limit = var.iact_subnet_time_limit database_name = local.database.name - database_user = local.database.user + database_user = local.database.username database_password = local.database.password - database_host = local.database.host + database_host = local.database.endpoint database_parameters = local.database.parameters storage_type = "s3" diff --git a/modules/database/main.tf b/modules/database/main.tf index 6dffa3c1..d7b632b7 100644 --- a/modules/database/main.tf +++ b/modules/database/main.tf 
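Review bot: The `if:` context line for `standalone_vault_replicated` checks `contains(..., 'public-active-active-replicated')`, not `'standalone-vault-replicated'`, so this job is triggered by the wrong slash-command argument and has no argument of its own. This is pre-existing and not introduced by the ref change above it, but it sits in the hunk and is worth fixing in the same pass: `if: ${{ contains(github.event.client_payload.slash_command.args.unnamed.all, 'all') || contains(github.event.client_payload.slash_command.args.unnamed.all, 'standalone-vault-replicated') }}`. The remainder of the job definition is outside the hunk.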
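Review bot: `database_host = local.database.endpoint` in the `docker_compose_config` module call now carries the database module's `endpoint` output, which modules/database/outputs.tf describes as `address:port`, whereas the old `local.database.host` name suggests a bare hostname. If the docker_compose_config module appends its own port (the resource in this diff hard-codes `port = 5432`) or expects a hostname, the connection string becomes malformed; the definition of `local.database` and the old `host` expression are outside the hunk, so this is inferred from names. Confirm the format the consumer expects, or expose an address-only output from the database module and map that to `database_host`. The enclosing `module "docker_compose_config"` block starts and ends outside the hunk.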
@@ -59,7 +59,7 @@ resource "aws_db_instance" "postgresql" { instance_class = var.db_size password = random_string.postgresql_password.result # no special characters allowed - username = "espdtfe" + username = var.db_username allow_major_version_upgrade = false apply_immediately = true @@ -74,7 +74,7 @@ resource "aws_db_instance" "postgresql" { max_allocated_storage = 0 multi_az = true # no special characters allowed - db_name = "espdtfe" + db_name = var.db_name port = 5432 publicly_accessible = false skip_final_snapshot = true diff --git a/modules/database/outputs.tf b/modules/database/outputs.tf index 9e74e904..89e3060c 100644 --- a/modules/database/outputs.tf +++ b/modules/database/outputs.tf @@ -2,25 +2,26 @@ # SPDX-License-Identifier: MPL-2.0 output "endpoint" { - value = aws_db_instance.postgresql.endpoint - + value = aws_db_instance.postgresql.endpoint description = "The connection endpoint of the PostgreSQL RDS instance in address:port format." } output "name" { - value = aws_db_instance.postgresql.name - + value = aws_db_instance.postgresql.name description = "The name of the PostgreSQL RDS instance." } output "password" { - value = aws_db_instance.postgresql.password - + value = aws_db_instance.postgresql.password description = "The password of the main PostgreSQL user." } output "username" { - value = aws_db_instance.postgresql.username - + value = aws_db_instance.postgresql.username description = "The name of the main PostgreSQL user." } + +output "parameters" { + value = var.db_parameters + description = "PostgreSQL server parameters for the connection URI." +} diff --git a/modules/database/variables.tf b/modules/database/variables.tf index 05612436..27b696ed 100644 --- a/modules/database/variables.tf +++ b/modules/database/variables.tf 
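Review bot: The `output "password"` block in modules/database/outputs.tf is shown in full by the hunk and has no `sensitive = true`, although its value is `aws_db_instance.postgresql.password`, the master credential. On Terraform 0.15+ an output that refers to a provider-sensitive attribute without the flag is rejected at plan time; on older versions the password is printed by `terraform output` and in apply summaries, which in this repository means CI logs. Since the commit re-aligns that value line anyway, add `sensitive = true` inside the block; the `username` and `endpoint` outputs are not secrets and can stay as they are.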
@@ -2,28 +2,38 @@ # SPDX-License-Identifier: MPL-2.0 variable "network_id" { - description = <<-EOD - The identity of the VPC in which the security group attached to the PostgreSQL RDS instance will be deployed. - EOD + description = "The identity of the VPC in which the security group attached to the PostgreSQL RDS instance will be deployed." type = string } +variable "db_name" { + type = string + description = "PostgreSQL instance name. No special characters." +} + +variable "db_username" { + type = string + description = "PostgreSQL instance username. No special characters." +} + variable "db_size" { type = string - default = "db.m4.xlarge" description = "PostgreSQL instance size." } variable "db_backup_retention" { type = number description = "The days to retain backups for. Must be between 0 and 35" - default = 0 } variable "db_backup_window" { type = string description = "The daily time range (in UTC) during which automated backups are created if they are enabled" - default = null +} + +variable "db_parameters" { + type = string + description = "PostgreSQL server parameters for the connection URI. Used to configure the PostgreSQL connection (e.g. sslmode=require)." } variable "engine_version" { @@ -32,16 +42,12 @@ variable "engine_version" { } variable "network_subnets_private" { - description = <<-EOD - A list of the identities of the private subnetworks in which the PostgreSQL RDS instance will be deployed. - EOD + description = "A list of the identities of the private subnetworks in which the PostgreSQL RDS instance will be deployed." type = list(string) } variable "tfe_instance_sg" { - description = <<-EOD - The identity of the security group attached to the TFE EC2 instance(s), which will be authorized for communication with the PostgreSQL RDS instance. - EOD + description = "The identity of the security group attached to the TFE EC2 instance(s), which will be authorized for communication with the PostgreSQL RDS instance." type = string } 
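Review bot: The new `db_name` and `db_username` variables state "No special characters" only in their descriptions, while the values are now caller-supplied and land directly on `aws_db_instance.postgresql` (`username = var.db_username` and `db_name = var.db_name` in hunks @@ -59 and @@ -74 of modules/database/main.tf, where the same constraint is a comment). Nothing enforces it, so a bad value surfaces as an RDS API error mid-apply rather than at plan time. A `validation` block on each variable turns the documented rule into a check; the character class below follows the "no special characters" wording and the 63-character RDS limit for PostgreSQL identifiers, and should be adjusted if the module intends to allow underscores.
```hcl
variable "db_name" {
  type        = string
  description = "PostgreSQL instance name. No special characters."

  validation {
    condition     = can(regex("^[A-Za-z][A-Za-z0-9]{0,62}$", var.db_name))
    error_message = "db_name must start with a letter and contain only letters and digits (max 63 characters)."
  }
}

variable "db_username" {
  type        = string
  description = "PostgreSQL instance username. No special characters."

  validation {
    condition     = can(regex("^[A-Za-z][A-Za-z0-9]{0,62}$", var.db_username))
    error_message = "db_username must start with a letter and contain only letters and digits (max 63 characters)."
  }
}
# … unchanged: network_id, db_size, db_backup_retention, db_backup_window, db_parameters, engine_version …
```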
@@ -53,13 +59,9 @@ variable "friendly_name_prefix" { variable "network_private_subnet_cidrs" { type = list(string) description = "(Optional) List of private subnet CIDR ranges to create in VPC." - default = ["10.0.32.0/20", "10.0.48.0/20"] } variable "kms_key_arn" { - description = <<-EOD - The Amazon Resource Name of the KMS key which will be used by the Redis Elasticache replication group to encrypt data - at rest. - EOD + description = "The Amazon Resource Name of the KMS key which will be used by the Redis Elasticache replication group to encrypt data at rest." type = string -} \ No newline at end of file +} diff --git a/modules/service_accounts/main.tf b/modules/service_accounts/main.tf index d7c7b8ed..b6c75c65 100644 --- a/modules/service_accounts/main.tf +++ b/modules/service_accounts/main.tf @@ -32,7 +32,7 @@ data "aws_iam_policy_document" "instance_role" { } resource "aws_iam_role_policy" "secretsmanager" { - count = var.existing_iam_instance_profile_name == null && !var.enable_airgap ? 1 : 0 + count = var.existing_iam_instance_profile_name == null && !var.enable_airgap && local.secret_arns != [] ? 1 : 0 policy = data.aws_iam_policy_document.secretsmanager[0].json role = local.iam_instance_role.id diff --git a/variables.tf b/variables.tf index 0b3a5d3c..e20127a3 100644 --- a/variables.tf +++ b/variables.tf @@ -128,6 +128,18 @@ variable "redis_use_password_auth" { # Postgres # -------- +variable "db_name" { + default = "hashicorp" + type = string + description = "PostgreSQL instance name." +} + +variable "db_username" { + default = "hashicorp" + type = string + description = "PostgreSQL instance username. No special characters." +} + variable "db_backup_retention" { type = number description = "The days to retain backups for. Must be between 0 and 35" 
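Review bot: `local.secret_arns != []` on the `count` line of `aws_iam_role_policy.secretsmanager` compares type as well as value: Terraform's `!=` treats a `list(string)` or `set(string)` as never equal to the empty tuple literal `[]`, so the new term is always true and the policy is still created when there are no secret ARNs, which defeats the least-privilege narrowing the change intends. `count = var.existing_iam_instance_profile_name == null && !var.enable_airgap && length(local.secret_arns) > 0 ? 1 : 0` works regardless of the local's type. The definition of `local.secret_arns` and the `data.aws_iam_policy_document.secretsmanager` count are outside the hunk; the data source needs the same guard or `[0]` fails when the policy is skipped.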
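Review bot: The root `db_name` description drops the "No special characters" constraint that the module-level variable and the `# no special characters allowed` comment on the resource both state, so callers of the root module do not see the rule; use `description = "PostgreSQL instance name. No special characters."` to match `db_username`. Both defaults are the fixed string `"hashicorp"`; the master username is not a secret, and the random password is the real control, but a well-known default username halves the guesswork for anyone who reaches the database port, which is worth a sentence in the description or a per-deployment value if this module is used outside test scenarios.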
@@ -140,6 +152,12 @@ variable "db_backup_window" { default = null } +variable "db_parameters" { + type = string + description = "PostgreSQL server parameters for the connection URI. Used to configure the PostgreSQL connection." + default = "sslmode=require" +} + variable "db_size" { type = string default = "db.m4.xlarge"
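Review bot: The default `db_parameters = "sslmode=require"` encrypts the connection but, in libpq terms, does not verify the RDS server certificate, so it protects against passive capture and not against an on-path impersonator; `sslmode=verify-full` does, provided the consuming image ships the RDS CA bundle and `sslrootcert` is set. That trade-off belongs in the description so operators know what the default buys, e.g. `description = "PostgreSQL server parameters for the connection URI (e.g. sslmode=require; sslmode=require encrypts but does not verify the server certificate, use verify-full with sslrootcert for full verification)."`. Whether the container image includes the CA bundle is not visible in this diff.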