# Look up the first subnet in var.subnet_ids; its vpc_id is the only attribute
# consumed below (by aws_security_group.default). All subnets in the list are
# assumed to live in that same VPC, which the subnet group requires anyway.
data "aws_subnet" "selected" {
  id = var.subnet_ids[0]
}
# Security group attached to the cluster (aws_rds_cluster.default). Its rules
# are managed as separate aws_security_group_rule resources rather than inline;
# this file declares ingress rules only and no egress rules.
resource "aws_security_group" "default" {
  vpc_id      = data.aws_subnet.selected.vpc_id
  name        = "${var.stack}-aurora"
  description = "Access to Aurora"
  tags        = var.tags
}
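# Optional CIDR-based ingress on the cluster port.
#
# The rule is created only when var.cidr_blocks is a non-empty list. The
# previous `!= null` test also created the rule for an empty list, which
# yields a rule with no source at all; that is not a meaningful rule and the
# provider is expected to reject it. try() is needed because length(null) is
# an evaluation error and Terraform does not short-circuit `&&`; the file
# already relies on try() elsewhere (db_parameter_group_name on the instances).
#
# var.cidr_blocks is passed through unchanged: whatever ranges the variable
# accepts (any validation lives outside this file) become reachable on the
# database port, so reviewers should check its validation/callers.
resource "aws_security_group_rule" "ingress_cidrs" {
  count = try(length(var.cidr_blocks), 0) > 0 ? 1 : 0

  security_group_id = aws_security_group.default.id
  type              = "ingress"
  description       = "Aurora ingress"
  protocol          = "tcp"
  # Port is taken from the cluster so the rule tracks a non-default port.
  from_port   = aws_rds_cluster.default.port
  to_port     = aws_rds_cluster.default.port
  cidr_blocks = var.cidr_blocks
}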
# One ingress rule per caller-supplied security group, each allowing TCP on the
# cluster port from that group. Rules are indexed with count, so removing an
# entry from the middle of var.security_group_ids shifts the indexes of the
# entries after it and recreates those rules.
resource "aws_security_group_rule" "ingress_groups" {
  count = length(var.security_group_ids)

  security_group_id        = aws_security_group.default.id
  source_security_group_id = var.security_group_ids[count.index]
  type                     = "ingress"
  description              = "Aurora ingress"
  protocol                 = "tcp"
  from_port                = aws_rds_cluster.default.port
  to_port                  = aws_rds_cluster.default.port
}
# Subnet group spanning every subnet in var.subnet_ids; referenced by both the
# cluster and its instances.
resource "aws_db_subnet_group" "default" {
  subnet_ids = var.subnet_ids
  name       = var.stack
  tags       = var.tags
}
# Cluster-level parameter group for the engine family in var.cluster_family.
# Each element of var.cluster_parameters is expected to carry name, value and
# apply_method; the list is rendered verbatim as parameter blocks.
resource "aws_rds_cluster_parameter_group" "default" {
  family      = var.cluster_family
  name        = var.stack
  description = "RDS default cluster parameter group"
  tags        = var.tags

  dynamic "parameter" {
    for_each = var.cluster_parameters

    content {
      name         = parameter.value.name
      value        = parameter.value.value
      apply_method = parameter.value.apply_method
    }
  }
}
# The Aurora cluster. Arguments are grouped by concern; order is not
# significant in HCL.
resource "aws_rds_cluster" "default" {
  # --- identity and engine -------------------------------------------------
  cluster_identifier = var.stack
  engine             = var.engine
  engine_version     = var.engine_version
  # Serverless v2 is a "provisioned" cluster whose instances use the
  # db.serverless class (see aws_rds_cluster_instance.cluster_instances);
  # only v1 "serverless" is an engine_mode in its own right.
  engine_mode                     = var.engine_mode == "serverlessv2" ? "provisioned" : var.engine_mode
  database_name                   = var.database
  enable_http_endpoint            = var.enable_http_endpoint
  enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports

  # --- networking and parameters ------------------------------------------
  db_subnet_group_name            = aws_db_subnet_group.default.name
  vpc_security_group_ids          = [aws_security_group.default.id]
  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.default.name

  # --- credentials and access ---------------------------------------------
  # The master password comes straight from var.password; as with any resource
  # argument it is persisted in Terraform state, so state storage needs to be
  # treated as sensitive.
  master_username                     = var.username
  master_password                     = var.password
  iam_database_authentication_enabled = var.iam_database_authentication_enabled
  iam_roles                           = var.iam_roles

  # --- encryption at rest -------------------------------------------------
  # kms_key_id is not gated on storage_encrypted here (contrast
  # performance_insights_kms_key_id on the instance resource, which is gated on
  # performance_insights); both values are passed through as given.
  storage_encrypted = var.storage_encrypted #tfsec:ignore:AWS051
  kms_key_id        = var.kms_key_id

  # --- backups, maintenance and lifecycle ----------------------------------
  apply_immediately            = var.apply_immediately
  backup_retention_period      = var.backup_retention_period
  preferred_backup_window      = var.preferred_backup_window
  preferred_maintenance_window = var.preferred_maintenance_window
  copy_tags_to_snapshot        = true
  snapshot_identifier          = var.snapshot_identifier
  skip_final_snapshot          = var.skip_final_snapshot
  final_snapshot_identifier    = var.final_snapshot_identifier
  deletion_protection          = var.deletion_protection
  tags                         = var.tags

  # --- capacity ------------------------------------------------------------
  # Serverless v1 scaling, rendered only for engine_mode = "serverless".
  # seconds_until_auto_pause is fixed at 1800 (30 minutes) and not exposed as
  # a variable.
  dynamic "scaling_configuration" {
    for_each = var.engine_mode == "serverless" ? [true] : []

    content {
      auto_pause               = var.auto_pause
      min_capacity             = var.min_capacity
      max_capacity             = var.max_capacity
      seconds_until_auto_pause = 1800
      timeout_action           = var.timeout_action
    }
  }

  # Serverless v2 scaling, rendered only for engine_mode = "serverlessv2";
  # shares the min/max capacity variables with the v1 block above.
  dynamic "serverlessv2_scaling_configuration" {
    for_each = var.engine_mode == "serverlessv2" ? [true] : []

    content {
      min_capacity = var.min_capacity
      max_capacity = var.max_capacity
    }
  }
}
# Optional instance-level (DB) parameter group, created only when
# var.database_parameters is set. It reuses var.cluster_family as its family
# and is attached to the instances via try(...[0].name, null) below. The same
# name/value/apply_method element shape as var.cluster_parameters is expected.
resource "aws_db_parameter_group" "default" {
  count = var.database_parameters == null ? 0 : 1

  family      = var.cluster_family
  name        = "${var.stack}-aurora"
  description = "RDS default database parameter group"
  tags        = var.tags

  dynamic "parameter" {
    for_each = var.database_parameters

    content {
      name         = parameter.value.name
      value        = parameter.value.value
      apply_method = parameter.value.apply_method
    }
  }
}
# IAM role assumed by the RDS monitoring service for Enhanced Monitoring;
# created only when var.monitoring_interval is set, and consumed by the
# instances via try(module...[0].arn, null). The module is pulled from GitHub
# pinned to a git tag (ref=v0.3.2); tags are mutable references, so pinning to
# a commit SHA would give a stronger supply-chain guarantee.
module "rds_enhanced_monitoring_role" {
  source = "github.com/schubergphilis/terraform-aws-mcaf-role?ref=v0.3.2"
  count  = var.monitoring_interval == null ? 0 : 1

  name                  = "RDSEnhancedMonitoringRole-${var.stack}"
  postfix               = false
  principal_type        = "Service"
  principal_identifiers = ["monitoring.rds.amazonaws.com"]
  policy_arns           = ["arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"]
  tags                  = var.tags
}
# Cluster instances. None are created for serverless v1 (the cluster scales
# itself); otherwise var.instance_count instances named "<stack>-<index>".
# Serverless v2 instances use the db.serverless class instead of
# var.instance_class.
resource "aws_rds_cluster_instance" "cluster_instances" {
  count = var.engine_mode == "serverless" ? 0 : var.instance_count

  identifier         = "${var.stack}-${count.index}"
  cluster_identifier = aws_rds_cluster.default.id
  engine             = var.engine
  engine_version     = var.engine_version
  instance_class     = var.engine_mode == "serverlessv2" ? "db.serverless" : var.instance_class

  # Networking. publicly_accessible is passed through from the variable, so a
  # caller can expose the instances directly; the security group rules above
  # still bound who can connect.
  db_subnet_group_name = aws_db_subnet_group.default.name
  publicly_accessible  = var.publicly_accessible

  # Optional DB parameter group; null when aws_db_parameter_group.default has
  # count = 0.
  db_parameter_group_name = try(aws_db_parameter_group.default[0].name, null)

  # Enhanced Monitoring: the role ARN is null when the module has count = 0.
  monitoring_interval = var.monitoring_interval
  monitoring_role_arn = try(module.rds_enhanced_monitoring_role[0].arn, null)

  # Performance Insights: the KMS key and retention period are only sent when
  # Performance Insights is enabled; the key reuses var.kms_key_id.
  performance_insights_enabled          = var.performance_insights
  performance_insights_kms_key_id       = var.performance_insights ? var.kms_key_id : null
  performance_insights_retention_period = var.performance_insights ? var.performance_insights_retention_period : null

  apply_immediately     = var.apply_immediately
  copy_tags_to_snapshot = true
  tags                  = var.tags
}