From b975fcbea9d4f3fd6d91aff7d3056073e14d4e60 Mon Sep 17 00:00:00 2001
From: Mehmet Gungoren
Date: Mon, 12 Feb 2024 19:23:08 +0300
Subject: [PATCH 1/5] add domain support
---
 README.md | 6 ++++--
 main.tf | 2 ++
 variables.tf | 12 ++++++++++++
 versions.tf | 2 +-
 4 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 910bcc0..abe8dc9 100644
--- a/README.md
+++ b/README.md
@@ -224,13 +224,13 @@ Terraform documentation is generated automatically using [pre-commit hooks](http
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.26 |
+| [aws](#requirement\_aws) | >= 5.37 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 5.26 |
+| [aws](#provider\_aws) | >= 5.37 |
 
 ## Modules
 
@@ -311,6 +311,8 @@ No modules.
 | [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | The name of the subnet group name (existing or created) | `string` | `""` | no |
 | [delete\_automated\_backups](#input\_delete\_automated\_backups) | Specifies whether to remove automated backups immediately after the DB cluster is deleted | `bool` | `null` | no |
 | [deletion\_protection](#input\_deletion\_protection) | If the DB instance should have deletion protection enabled. The database can't be deleted when this value is set to `true`. The default is `false` | `bool` | `null` | no |
+| [domain](#input\_domain) | The ID of the Directory Service Active Directory domain to create the instance in | `string` | `null` | no |
+| [domain\_iam\_role\_name](#input\_domain\_iam\_role\_name) | (Required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service | `string` | `null` | no |
 | [enable\_global\_write\_forwarding](#input\_enable\_global\_write\_forwarding) | Whether cluster should forward writes to an associated global cluster. Applied to secondary clusters to enable them to forward writes to an `aws_rds_global_cluster`'s primary cluster | `bool` | `null` | no |
 | [enable\_http\_endpoint](#input\_enable\_http\_endpoint) | Enable HTTP endpoint (data API). Only valid when engine\_mode is set to `serverless` | `bool` | `null` | no |
 | [enabled\_cloudwatch\_logs\_exports](#input\_enabled\_cloudwatch\_logs\_exports) | Set of log types to export to cloudwatch. If omitted, no logs will be exported. The following log types are supported: `audit`, `error`, `general`, `slowquery`, `postgresql` | `list(string)` | `[]` | no |
diff --git a/main.tf b/main.tf
index 68c0438..6ceb600 100644
--- a/main.tf
+++ b/main.tf
@@ -64,6 +64,8 @@ resource "aws_rds_cluster" "this" {
 engine_version = var.engine_version
 final_snapshot_identifier = var.final_snapshot_identifier
 global_cluster_identifier = var.global_cluster_identifier
+ domain = var.domain
+ domain_iam_role_name = var.domain_iam_role_name
 iam_database_authentication_enabled = var.iam_database_authentication_enabled
 # iam_roles has been removed from this resource and instead will be used with aws_rds_cluster_role_association below to avoid conflicts per docs
 iops = var.iops
diff --git a/variables.tf b/variables.tf
index 4d29776..ad5746f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -186,6 +186,18 @@ variable "iam_database_authentication_enabled" {
 default = null
 }
 
+variable "domain" {
+ description = "The ID of the Directory Service Active Directory domain to create the instance in"
+ type = string
+ default = null
+}
+
+variable "domain_iam_role_name" {
+ description = "(Required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service"
+ type = string
+ default = null
+}
+
 variable "iops" {
 description = "The amount of Provisioned IOPS (input/output operations per second) to be initially allocated for each DB instance in the Multi-AZ DB cluster"
 type = number
diff --git a/versions.tf b/versions.tf
index 34a8016..0b1e951 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.26"
+ version = ">= 5.37"
 }
 }
 }
From 0bd91455a209c20028e8bed26721afca99c0f55a Mon Sep 17 00:00:00 2001
From: Mehmet Gungoren
Date: Fri, 16 Feb 2024 02:25:28 +0300
Subject: [PATCH 2/5] add domain support example
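Review bot: `domain_iam_role_name` is passed straight into `aws_rds_cluster` with no check that it is set whenever `domain` is, even though the new variable's description marks it as required in that case; a caller who sets only `domain` will find out at apply time from the provider rather than at plan time. A `validation` block cannot express this because it may only reference its own variable under the module's `>= 1.0` constraint, so the check belongs on the resource: `lifecycle { precondition { condition = var.domain == null || var.domain_iam_role_name != null, error_message = "domain_iam_role_name must be set when domain is set" } }`, noting that `precondition` needs Terraform >= 1.2 and the `required_version` in versions.tf would have to move with it. As a point of style, the two new arguments are inserted between `global_cluster_identifier` and `iam_database_authentication_enabled`, breaking the alphabetical order the surrounding arguments keep; the same applies to the two new `variable` blocks placed between `iam_database_authentication_enabled` and `iops` in variables.tf. The `aws_rds_cluster` body begins and ends outside this hunk.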
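Review bot: The description of the new `domain` variable says the directory is the one "to create the instance in", but main.tf wires it to `aws_rds_cluster`, so it is the cluster that is joined; suggest `description = "The ID of the Directory Service Active Directory domain to create the cluster in"` so the generated README input table does not read as an instance-level setting. `domain_iam_role_name` records its dependency on `domain` only in the prose prefix "(Required if domain is provided)"; since neither variable can validate against the other, that sentence is the only place a user learns about the coupling, so it is worth keeping it verbatim in the README row as the commit does.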
Signed-off-by: Mehmet Gungoren
---
 examples/postgresql-kerberos/README.md | 78 +++++++++
 examples/postgresql-kerberos/main.tf | 204 ++++++++++++++++++++++
 examples/postgresql-kerberos/outputs.tf | 168 ++++++++++++++++++
 examples/postgresql-kerberos/variables.tf | 0
 examples/postgresql-kerberos/versions.tf | 10 ++
 5 files changed, 460 insertions(+)
 create mode 100644 examples/postgresql-kerberos/README.md
 create mode 100644 examples/postgresql-kerberos/main.tf
 create mode 100644 examples/postgresql-kerberos/outputs.tf
 create mode 100644 examples/postgresql-kerberos/variables.tf
 create mode 100644 examples/postgresql-kerberos/versions.tf
diff --git a/examples/postgresql-kerberos/README.md b/examples/postgresql-kerberos/README.md
new file mode 100644
index 0000000..2395b31
--- /dev/null
+++ b/examples/postgresql-kerberos/README.md
@@ -0,0 +1,78 @@ +# PostgreSQL Example + +Configuration in this directory creates a PostgreSQL Aurora cluster. + +## Usage + +To run this example you need to execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 5.37 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 5.37 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora](#module\_aurora) | ../../ | n/a | +| [kms](#module\_kms) | terraform-aws-modules/kms/aws | ~> 2.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | + +## Resources + +| Name | Type | +|------|------| +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | + +## Inputs + +No inputs. 
+ +## Outputs + +| Name | Description | +|------|-------------| +| [additional\_cluster\_endpoints](#output\_additional\_cluster\_endpoints) | A map of additional cluster endpoints and their attributes | +| [cluster\_arn](#output\_cluster\_arn) | Amazon Resource Name (ARN) of cluster | +| [cluster\_database\_name](#output\_cluster\_database\_name) | Name for an automatically created database on cluster creation | +| [cluster\_endpoint](#output\_cluster\_endpoint) | Writer endpoint for the cluster | +| [cluster\_engine\_version\_actual](#output\_cluster\_engine\_version\_actual) | The running version of the cluster database | +| [cluster\_hosted\_zone\_id](#output\_cluster\_hosted\_zone\_id) | The Route53 Hosted Zone ID of the endpoint | +| [cluster\_id](#output\_cluster\_id) | The RDS Cluster Identifier | +| [cluster\_instances](#output\_cluster\_instances) | A map of cluster instances and their attributes | +| [cluster\_master\_user\_secret](#output\_cluster\_master\_user\_secret) | The generated database master user secret when `manage_master_user_password` is set to `true` | +| [cluster\_members](#output\_cluster\_members) | List of RDS Instances that are a part of this cluster | +| [cluster\_port](#output\_cluster\_port) | The database port | +| [cluster\_reader\_endpoint](#output\_cluster\_reader\_endpoint) | A read-only endpoint for the cluster, automatically load-balanced across replicas | +| [cluster\_resource\_id](#output\_cluster\_resource\_id) | The RDS Cluster Resource ID | +| [cluster\_role\_associations](#output\_cluster\_role\_associations) | A map of IAM roles associated with the cluster and their attributes | +| [db\_cluster\_activity\_stream\_kinesis\_stream\_name](#output\_db\_cluster\_activity\_stream\_kinesis\_stream\_name) | The name of the Amazon Kinesis data stream to be used for the database activity stream | +| [db\_cluster\_cloudwatch\_log\_groups](#output\_db\_cluster\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and 
their attributes | +| [db\_cluster\_parameter\_group\_arn](#output\_db\_cluster\_parameter\_group\_arn) | The ARN of the DB cluster parameter group created | +| [db\_cluster\_parameter\_group\_id](#output\_db\_cluster\_parameter\_group\_id) | The ID of the DB cluster parameter group created | +| [db\_parameter\_group\_arn](#output\_db\_parameter\_group\_arn) | The ARN of the DB parameter group created | +| [db\_parameter\_group\_id](#output\_db\_parameter\_group\_id) | The ID of the DB parameter group created | +| [db\_subnet\_group\_name](#output\_db\_subnet\_group\_name) | The db subnet group name | +| [enhanced\_monitoring\_iam\_role\_arn](#output\_enhanced\_monitoring\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the enhanced monitoring role | +| [enhanced\_monitoring\_iam\_role\_name](#output\_enhanced\_monitoring\_iam\_role\_name) | The name of the enhanced monitoring role | +| [enhanced\_monitoring\_iam\_role\_unique\_id](#output\_enhanced\_monitoring\_iam\_role\_unique\_id) | Stable and unique string identifying the enhanced monitoring role | +| [security\_group\_id](#output\_security\_group\_id) | The security group ID of the cluster | + diff --git a/examples/postgresql-kerberos/main.tf b/examples/postgresql-kerberos/main.tf new file mode 100644 index 0000000..3c1d6f3 --- /dev/null +++ b/examples/postgresql-kerberos/main.tf 
@@ -0,0 +1,204 @@ +provider "aws" { + region = local.region +} + +data "aws_availability_zones" "available" {} +data "aws_partition" "current" {} + +locals { + name = "ex-${basename(path.cwd)}" + region = "eu-west-1" + + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) + + tags = { + Example = local.name + GithubRepo = "terraform-aws-rds-aurora" + GithubOrg = "terraform-aws-modules" + } +} + +################################################################################ +# RDS Aurora Module +################################################################################ + +module "aurora" { + source = "../../" + + name = local.name + engine = "aurora-postgresql" + engine_version = "14.7" + master_username = "root" + storage_type = "aurora-iopt1" + instances = { + 1 = { + instance_class = "db.r5.2xlarge" + publicly_accessible = true + db_parameter_group_name = "default.aurora-postgresql14" + } + 2 = { + identifier = "static-member-1" + instance_class = "db.r5.2xlarge" + } + 3 = { + identifier = "excluded-member-1" + instance_class = "db.r5.large" + promotion_tier = 15 + } + } + + endpoints = { + static = { + identifier = "static-custom-endpt" + type = "ANY" + static_members = ["static-member-1"] + tags = { Endpoint = "static-members" } + } + excluded = { + identifier = "excluded-custom-endpt" + type = "READER" + excluded_members = ["excluded-member-1"] + tags = { Endpoint = "excluded-members" } + } + } + + vpc_id = module.vpc.vpc_id + db_subnet_group_name = module.vpc.database_subnet_group_name + security_group_rules = { + vpc_ingress = { + cidr_blocks = module.vpc.private_subnets_cidr_blocks + } + egress_example = { + cidr_blocks = ["10.33.0.0/28"] + description = "Egress to corporate printer closet" + } + } + + apply_immediately = true + skip_final_snapshot = true + + create_db_cluster_parameter_group = true + db_cluster_parameter_group_name = local.name + db_cluster_parameter_group_family = "aurora-postgresql14" + 
db_cluster_parameter_group_description = "${local.name} example cluster parameter group" + db_cluster_parameter_group_parameters = [ + { + name = "log_min_duration_statement" + value = 4000 + apply_method = "immediate" + }, { + name = "rds.force_ssl" + value = 1 + apply_method = "immediate" + } + ] + + create_db_parameter_group = true + db_parameter_group_name = local.name + db_parameter_group_family = "aurora-postgresql14" + db_parameter_group_description = "${local.name} example DB parameter group" + db_parameter_group_parameters = [ + { + name = "log_min_duration_statement" + value = 4000 + apply_method = "immediate" + } + ] + + enabled_cloudwatch_logs_exports = ["postgresql"] + create_cloudwatch_log_group = true + + create_db_cluster_activity_stream = true + db_cluster_activity_stream_kms_key_id = module.kms.key_id + db_cluster_activity_stream_mode = "async" + + domain = aws_directory_service_directory.demo.id + domain_iam_role_name = aws_iam_role.rds_ad_auth.name + + tags = local.tags +} + +################################################################################ +# IAM Role for Windows Authentication +################################################################################ + +data "aws_iam_policy_document" "rds_assume_role" { + statement { + actions = [ + "sts:AssumeRole", + ] + + principals { + type = "Service" + identifiers = [ + "directoryservice.rds.amazonaws.com", + "rds.amazonaws.com" + ] + } + } +} + +resource "aws_iam_role" "rds_ad_auth" { + name = "${local.name}-directory-service-role" + description = "Role used by RDS for Active Directory authentication and authorization" + assume_role_policy = data.aws_iam_policy_document.rds_assume_role.json +} + +resource "aws_iam_role_policy_attachment" "rds_directory_services" { + role = aws_iam_role.rds_ad_auth.name + policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess" +} + +################################################################################ +# AWS 
Directory Service (Acitve Directory) +################################################################################ + +resource "aws_directory_service_directory" "demo" { + name = "corp.demo.com" + password = "SuperSecretPassw0rd" + edition = "Standard" + type = "MicrosoftAD" + + vpc_settings { + vpc_id = module.vpc.vpc_id + # Only 2 subnets, must be in different AZs + subnet_ids = slice(tolist(module.vpc.database_subnets), 0, 2) + } + + tags = local.tags +} + +################################################################################ +# Supporting Resources +################################################################################ + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 5.0" + + name = local.name + cidr = local.vpc_cidr + + azs = local.azs + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)] + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)] + database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)] + + tags = local.tags +} + +module "kms" { + source = "terraform-aws-modules/kms/aws" + version = "~> 2.0" + + deletion_window_in_days = 7 + description = "KMS key for ${local.name} cluster activity stream." + enable_key_rotation = true + is_enabled = true + key_usage = "ENCRYPT_DECRYPT" + + aliases = [local.name] + + tags = local.tags +} diff --git a/examples/postgresql-kerberos/outputs.tf b/examples/postgresql-kerberos/outputs.tf new file mode 100644 index 0000000..f882e4e --- /dev/null +++ b/examples/postgresql-kerberos/outputs.tf 
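Review bot: `aws_directory_service_directory.demo` hard-codes the directory administrator credential as `password = "SuperSecretPassw0rd"`, so it is committed to the repository and, as a resource attribute, also ends up in the Terraform state; even for an example it should come from an input, e.g. `variable "directory_password" { type = string sensitive = true }` in the example's currently empty variables.tf and `password = var.directory_password` here. Instance `1` of the cluster keeps `publicly_accessible = true`, which looks carried over from the plain PostgreSQL example and is an odd default for a cluster whose point is directory-based authentication from inside the VPC; presumably it should be dropped or called out. `aws_iam_role_policy_attachment.rds_directory_services` hard-codes the `arn:aws:` partition while `data.aws_partition.current` is declared in the same file and never read; `policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess"` would use it (the later "fixed of pre-commit checks" patch removes the data source instead). The section header `# AWS Directory Service (Acitve Directory)` misspells "Active".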
@@ -0,0 +1,168 @@ +################################################################################ +# DB Subnet Group +################################################################################ + +output "db_subnet_group_name" { + description = "The db subnet group name" + value = module.aurora.db_subnet_group_name +} + +################################################################################ +# Cluster +################################################################################ + +output "cluster_arn" { + description = "Amazon Resource Name (ARN) of cluster" + value = module.aurora.cluster_arn +} + +output "cluster_id" { + description = "The RDS Cluster Identifier" + value = module.aurora.cluster_id +} + +output "cluster_resource_id" { + description = "The RDS Cluster Resource ID" + value = module.aurora.cluster_resource_id +} + +output "cluster_members" { + description = "List of RDS Instances that are a part of this cluster" + value = module.aurora.cluster_members +} + +output "cluster_endpoint" { + description = "Writer endpoint for the cluster" + value = module.aurora.cluster_endpoint +} + +output "cluster_reader_endpoint" { + description = "A read-only endpoint for the cluster, automatically load-balanced across replicas" + value = module.aurora.cluster_reader_endpoint +} + +output "cluster_engine_version_actual" { + description = "The running version of the cluster database" + value = module.aurora.cluster_engine_version_actual +} + +output "cluster_database_name" { + description = "Name for an automatically created database on cluster creation" + value = module.aurora.cluster_database_name +} + +output "cluster_port" { + description = "The database port" + value = module.aurora.cluster_port +} + +output "cluster_master_user_secret" { + description = "The generated database master user secret when `manage_master_user_password` is set to `true`" + value = module.aurora.cluster_master_user_secret +} + +output "cluster_hosted_zone_id" { + 
description = "The Route53 Hosted Zone ID of the endpoint" + value = module.aurora.cluster_hosted_zone_id +} + +################################################################################ +# Cluster Instance(s) +################################################################################ + +output "cluster_instances" { + description = "A map of cluster instances and their attributes" + value = module.aurora.cluster_instances +} + +################################################################################ +# Cluster Endpoint(s) +################################################################################ + +output "additional_cluster_endpoints" { + description = "A map of additional cluster endpoints and their attributes" + value = module.aurora.additional_cluster_endpoints +} + +################################################################################ +# Cluster IAM Roles +################################################################################ + +output "cluster_role_associations" { + description = "A map of IAM roles associated with the cluster and their attributes" + value = module.aurora.cluster_role_associations +} + +################################################################################ +# Enhanced Monitoring +################################################################################ + +output "enhanced_monitoring_iam_role_name" { + description = "The name of the enhanced monitoring role" + value = module.aurora.enhanced_monitoring_iam_role_name +} + +output "enhanced_monitoring_iam_role_arn" { + description = "The Amazon Resource Name (ARN) specifying the enhanced monitoring role" + value = module.aurora.enhanced_monitoring_iam_role_arn +} + +output "enhanced_monitoring_iam_role_unique_id" { + description = "Stable and unique string identifying the enhanced monitoring role" + value = module.aurora.enhanced_monitoring_iam_role_unique_id +} + 
+################################################################################ +# Security Group +################################################################################ + +output "security_group_id" { + description = "The security group ID of the cluster" + value = module.aurora.security_group_id +} + +################################################################################ +# Cluster Parameter Group +################################################################################ + +output "db_cluster_parameter_group_arn" { + description = "The ARN of the DB cluster parameter group created" + value = module.aurora.db_cluster_parameter_group_arn +} + +output "db_cluster_parameter_group_id" { + description = "The ID of the DB cluster parameter group created" + value = module.aurora.db_cluster_parameter_group_id +} + +################################################################################ +# DB Parameter Group +################################################################################ + +output "db_parameter_group_arn" { + description = "The ARN of the DB parameter group created" + value = module.aurora.db_parameter_group_arn +} + +output "db_parameter_group_id" { + description = "The ID of the DB parameter group created" + value = module.aurora.db_parameter_group_id +} + +################################################################################ +# CloudWatch Log Group +################################################################################ + +output "db_cluster_cloudwatch_log_groups" { + description = "Map of CloudWatch log groups created and their attributes" + value = module.aurora.db_cluster_cloudwatch_log_groups +} + +################################################################################ +# Cluster Activity Stream +################################################################################ + +output "db_cluster_activity_stream_kinesis_stream_name" { + description = "The name of the Amazon Kinesis 
data stream to be used for the database activity stream"
+ value = module.aurora.db_cluster_activity_stream_kinesis_stream_name
+}
diff --git a/examples/postgresql-kerberos/variables.tf b/examples/postgresql-kerberos/variables.tf
new file mode 100644
index 0000000..e69de29
diff --git a/examples/postgresql-kerberos/versions.tf b/examples/postgresql-kerberos/versions.tf
new file mode 100644
index 0000000..0b1e951
--- /dev/null
+++ b/examples/postgresql-kerberos/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.37"
+ }
+ }
+}
From f5d49355736ba2468e05c28e535cb2da19c92f97 Mon Sep 17 00:00:00 2001
From: Mehmet Gungoren
Date: Fri, 16 Feb 2024 02:27:29 +0300
Subject: [PATCH 3/5] fmt
---
 examples/postgresql-kerberos/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/postgresql-kerberos/main.tf b/examples/postgresql-kerberos/main.tf
index 3c1d6f3..49a06ad 100644
--- a/examples/postgresql-kerberos/main.tf
+++ b/examples/postgresql-kerberos/main.tf
@@ -130,7 +130,7 @@ data "aws_iam_policy_document" "rds_assume_role" {
 ]
 
 principals {
- type = "Service"
+ type = "Service"
 identifiers = [
 "directoryservice.rds.amazonaws.com",
 "rds.amazonaws.com"
@@ -140,7 +140,7 @@ data "aws_iam_policy_document" "rds_assume_role" {
 }
 
 resource "aws_iam_role" "rds_ad_auth" {
- name = "${local.name}-directory-service-role"
+ name = "${local.name}-directory-service-role"
 description = "Role used by RDS for Active Directory authentication and authorization"
 assume_role_policy = data.aws_iam_policy_document.rds_assume_role.json
 }
From cb08f5e9bfc2adeb30781d5dab6f75ceed271492 Mon Sep 17 00:00:00 2001
From: Mehmet Gungoren
Date: Fri, 16 Feb 2024 02:41:56 +0300
Subject: [PATCH 4/5] fixed of pre-commit checks
Signed-off-by: Mehmet Gungoren
---
 examples/postgresql-kerberos/README.md | 4 ++++
 examples/postgresql-kerberos/main.tf | 1 -
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/examples/postgresql-kerberos/README.md b/examples/postgresql-kerberos/README.md
index 2395b31..dd57587 100644
--- a/examples/postgresql-kerberos/README.md
+++ b/examples/postgresql-kerberos/README.md
@@ -40,7 +40,11 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Type |
 |------|------|
+| [aws_directory_service_directory.demo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/directory_service_directory) | resource |
+| [aws_iam_role.rds_ad_auth](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.rds_directory_services](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+| [aws_iam_policy_document.rds_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
diff --git a/examples/postgresql-kerberos/main.tf b/examples/postgresql-kerberos/main.tf
index 49a06ad..ba95124 100644
--- a/examples/postgresql-kerberos/main.tf
+++ b/examples/postgresql-kerberos/main.tf
@@ -3,7 +3,6 @@ provider "aws" {
 }
 
 data "aws_availability_zones" "available" {}
-data "aws_partition" "current" {}
 
 locals {
 name = "ex-${basename(path.cwd)}"
From 434f394526c0ca17398416539c4fccea4a9ab198 Mon Sep 17 00:00:00 2001
From: Mehmet Gungoren
Date: Fri, 16 Feb 2024 17:14:51 +0300
Subject: [PATCH 5/5] remove kerberos examples
Signed-off-by: Mehmet Gungoren
---
 examples/postgresql-kerberos/README.md | 82 ---------
 examples/postgresql-kerberos/main.tf | 203 ----------------------
 examples/postgresql-kerberos/outputs.tf | 168 ------------------
 examples/postgresql-kerberos/variables.tf | 0
 examples/postgresql-kerberos/versions.tf | 10 --
 5 files changed, 463 deletions(-)
 delete mode 100644 examples/postgresql-kerberos/README.md
 delete mode 100644 examples/postgresql-kerberos/main.tf
 delete mode 100644 examples/postgresql-kerberos/outputs.tf
 delete mode 100644 examples/postgresql-kerberos/variables.tf
 delete mode 100644 examples/postgresql-kerberos/versions.tf
diff --git a/examples/postgresql-kerberos/README.md b/examples/postgresql-kerberos/README.md
deleted file mode 100644
index dd57587..0000000
--- a/examples/postgresql-kerberos/README.md
+++ /dev/null
@@ -1,82 +0,0 @@ -# PostgreSQL Example - -Configuration in this directory creates a PostgreSQL Aurora cluster. - -## Usage - -To run this example you need to execute: - -```bash -$ terraform init -$ terraform plan -$ terraform apply -``` - -Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources. - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.37 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 5.37 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [aurora](#module\_aurora) | ../../ | n/a | -| [kms](#module\_kms) | terraform-aws-modules/kms/aws | ~> 2.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_directory_service_directory.demo](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/directory_service_directory) | resource | -| [aws_iam_role.rds_ad_auth](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.rds_directory_services](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | -| [aws_iam_policy_document.rds_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | - -## Inputs - -No inputs. 
- -## Outputs - -| Name | Description | -|------|-------------| -| [additional\_cluster\_endpoints](#output\_additional\_cluster\_endpoints) | A map of additional cluster endpoints and their attributes | -| [cluster\_arn](#output\_cluster\_arn) | Amazon Resource Name (ARN) of cluster | -| [cluster\_database\_name](#output\_cluster\_database\_name) | Name for an automatically created database on cluster creation | -| [cluster\_endpoint](#output\_cluster\_endpoint) | Writer endpoint for the cluster | -| [cluster\_engine\_version\_actual](#output\_cluster\_engine\_version\_actual) | The running version of the cluster database | -| [cluster\_hosted\_zone\_id](#output\_cluster\_hosted\_zone\_id) | The Route53 Hosted Zone ID of the endpoint | -| [cluster\_id](#output\_cluster\_id) | The RDS Cluster Identifier | -| [cluster\_instances](#output\_cluster\_instances) | A map of cluster instances and their attributes | -| [cluster\_master\_user\_secret](#output\_cluster\_master\_user\_secret) | The generated database master user secret when `manage_master_user_password` is set to `true` | -| [cluster\_members](#output\_cluster\_members) | List of RDS Instances that are a part of this cluster | -| [cluster\_port](#output\_cluster\_port) | The database port | -| [cluster\_reader\_endpoint](#output\_cluster\_reader\_endpoint) | A read-only endpoint for the cluster, automatically load-balanced across replicas | -| [cluster\_resource\_id](#output\_cluster\_resource\_id) | The RDS Cluster Resource ID | -| [cluster\_role\_associations](#output\_cluster\_role\_associations) | A map of IAM roles associated with the cluster and their attributes | -| [db\_cluster\_activity\_stream\_kinesis\_stream\_name](#output\_db\_cluster\_activity\_stream\_kinesis\_stream\_name) | The name of the Amazon Kinesis data stream to be used for the database activity stream | -| [db\_cluster\_cloudwatch\_log\_groups](#output\_db\_cluster\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and 
their attributes | -| [db\_cluster\_parameter\_group\_arn](#output\_db\_cluster\_parameter\_group\_arn) | The ARN of the DB cluster parameter group created | -| [db\_cluster\_parameter\_group\_id](#output\_db\_cluster\_parameter\_group\_id) | The ID of the DB cluster parameter group created | -| [db\_parameter\_group\_arn](#output\_db\_parameter\_group\_arn) | The ARN of the DB parameter group created | -| [db\_parameter\_group\_id](#output\_db\_parameter\_group\_id) | The ID of the DB parameter group created | -| [db\_subnet\_group\_name](#output\_db\_subnet\_group\_name) | The db subnet group name | -| [enhanced\_monitoring\_iam\_role\_arn](#output\_enhanced\_monitoring\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the enhanced monitoring role | -| [enhanced\_monitoring\_iam\_role\_name](#output\_enhanced\_monitoring\_iam\_role\_name) | The name of the enhanced monitoring role | -| [enhanced\_monitoring\_iam\_role\_unique\_id](#output\_enhanced\_monitoring\_iam\_role\_unique\_id) | Stable and unique string identifying the enhanced monitoring role | -| [security\_group\_id](#output\_security\_group\_id) | The security group ID of the cluster | - diff --git a/examples/postgresql-kerberos/main.tf b/examples/postgresql-kerberos/main.tf deleted file mode 100644 index ba95124..0000000 --- a/examples/postgresql-kerberos/main.tf +++ /dev/null 
@@ -1,203 +0,0 @@
-provider "aws" {
- region = local.region
-}
-
-data "aws_availability_zones" "available" {}
-
-locals {
- name = "ex-${basename(path.cwd)}"
- region = "eu-west-1"
-
- vpc_cidr = "10.0.0.0/16"
- azs = slice(data.aws_availability_zones.available.names, 0, 3)
-
- tags = {
- Example = local.name
- GithubRepo = "terraform-aws-rds-aurora"
- GithubOrg = "terraform-aws-modules"
- }
-}
-
-################################################################################
-# RDS Aurora Module
-################################################################################
-
-module "aurora" {
- source = "../../"
-
- name = local.name
- engine = "aurora-postgresql"
- engine_version = "14.7"
- master_username = "root"
- storage_type = "aurora-iopt1"
- instances = {
- 1 = {
- instance_class = "db.r5.2xlarge"
- publicly_accessible = true
- db_parameter_group_name = "default.aurora-postgresql14"
- }
- 2 = {
- identifier = "static-member-1"
- instance_class = "db.r5.2xlarge"
- }
- 3 = {
- identifier = "excluded-member-1"
- instance_class = "db.r5.large"
- promotion_tier = 15
- }
- }
-
- endpoints = {
- static = {
- identifier = "static-custom-endpt"
- type = "ANY"
- static_members = ["static-member-1"]
- tags = { Endpoint = "static-members" }
- }
- excluded = {
- identifier = "excluded-custom-endpt"
- type = "READER"
- excluded_members = ["excluded-member-1"]
- tags = { Endpoint = "excluded-members" }
- }
- }
-
- vpc_id = module.vpc.vpc_id
- db_subnet_group_name = module.vpc.database_subnet_group_name
- security_group_rules = {
- vpc_ingress = {
- cidr_blocks = module.vpc.private_subnets_cidr_blocks
- }
- egress_example = {
- cidr_blocks = ["10.33.0.0/28"]
- description = "Egress to corporate printer closet"
- }
- }
-
- apply_immediately = true
- skip_final_snapshot = true
-
- create_db_cluster_parameter_group = true
- db_cluster_parameter_group_name = local.name
- db_cluster_parameter_group_family = "aurora-postgresql14"
- db_cluster_parameter_group_description =
"${local.name} example cluster parameter group"
- db_cluster_parameter_group_parameters = [
- {
- name = "log_min_duration_statement"
- value = 4000
- apply_method = "immediate"
- }, {
- name = "rds.force_ssl"
- value = 1
- apply_method = "immediate"
- }
- ]
-
- create_db_parameter_group = true
- db_parameter_group_name = local.name
- db_parameter_group_family = "aurora-postgresql14"
- db_parameter_group_description = "${local.name} example DB parameter group"
- db_parameter_group_parameters = [
- {
- name = "log_min_duration_statement"
- value = 4000
- apply_method = "immediate"
- }
- ]
-
- enabled_cloudwatch_logs_exports = ["postgresql"]
- create_cloudwatch_log_group = true
-
- create_db_cluster_activity_stream = true
- db_cluster_activity_stream_kms_key_id = module.kms.key_id
- db_cluster_activity_stream_mode = "async"
-
- domain = aws_directory_service_directory.demo.id
- domain_iam_role_name = aws_iam_role.rds_ad_auth.name
-
- tags = local.tags
-}
-
-################################################################################
-# IAM Role for Windows Authentication
-################################################################################
-
-data "aws_iam_policy_document" "rds_assume_role" {
- statement {
- actions = [
- "sts:AssumeRole",
- ]
-
- principals {
- type = "Service"
- identifiers = [
- "directoryservice.rds.amazonaws.com",
- "rds.amazonaws.com"
- ]
- }
- }
-}
-
-resource "aws_iam_role" "rds_ad_auth" {
- name = "${local.name}-directory-service-role"
- description = "Role used by RDS for Active Directory authentication and authorization"
- assume_role_policy = data.aws_iam_policy_document.rds_assume_role.json
-}
-
-resource "aws_iam_role_policy_attachment" "rds_directory_services" {
- role = aws_iam_role.rds_ad_auth.name
- policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess"
-}
-
-################################################################################
-# AWS Directory Service (Acitve Directory)
-################################################################################
-
-resource "aws_directory_service_directory" "demo" {
- name = "corp.demo.com"
- password = "SuperSecretPassw0rd"
- edition = "Standard"
- type = "MicrosoftAD"
-
- vpc_settings {
- vpc_id = module.vpc.vpc_id
- # Only 2 subnets, must be in different AZs
- subnet_ids = slice(tolist(module.vpc.database_subnets), 0, 2)
- }
-
- tags = local.tags
-}
-
-################################################################################
-# Supporting Resources
-################################################################################
-
-module "vpc" {
- source = "terraform-aws-modules/vpc/aws"
- version = "~> 5.0"
-
- name = local.name
- cidr = local.vpc_cidr
-
- azs = local.azs
- public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
- private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)]
- database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)]
-
- tags = local.tags
-}
-
-module "kms" {
- source = "terraform-aws-modules/kms/aws"
- version = "~> 2.0"
-
- deletion_window_in_days = 7
- description = "KMS key for ${local.name} cluster activity stream."
- enable_key_rotation = true
- is_enabled = true
- key_usage = "ENCRYPT_DECRYPT"
-
- aliases = [local.name]
-
- tags = local.tags
-}
diff --git a/examples/postgresql-kerberos/outputs.tf b/examples/postgresql-kerberos/outputs.tf
deleted file mode 100644
index f882e4e..0000000
--- a/examples/postgresql-kerberos/outputs.tf
+++ /dev/null
@@ -1,168 +0,0 @@
-################################################################################
-# DB Subnet Group
-################################################################################
-
-output "db_subnet_group_name" {
- description = "The db subnet group name"
- value = module.aurora.db_subnet_group_name
-}
-
-################################################################################
-# Cluster
-################################################################################
-
-output "cluster_arn" {
- description = "Amazon Resource Name (ARN) of cluster"
- value = module.aurora.cluster_arn
-}
-
-output "cluster_id" {
- description = "The RDS Cluster Identifier"
- value = module.aurora.cluster_id
-}
-
-output "cluster_resource_id" {
- description = "The RDS Cluster Resource ID"
- value = module.aurora.cluster_resource_id
-}
-
-output "cluster_members" {
- description = "List of RDS Instances that are a part of this cluster"
- value = module.aurora.cluster_members
-}
-
-output "cluster_endpoint" {
- description = "Writer endpoint for the cluster"
- value = module.aurora.cluster_endpoint
-}
-
-output "cluster_reader_endpoint" {
- description = "A read-only endpoint for the cluster, automatically load-balanced across replicas"
- value = module.aurora.cluster_reader_endpoint
-}
-
-output "cluster_engine_version_actual" {
- description = "The running version of the cluster database"
- value = module.aurora.cluster_engine_version_actual
-}
-
-output "cluster_database_name" {
- description = "Name for an automatically created database on cluster creation"
- value = module.aurora.cluster_database_name
-}
-
-output "cluster_port" {
- description = "The database port"
- value = module.aurora.cluster_port
-}
-
-output "cluster_master_user_secret" {
- description = "The generated database master user secret when `manage_master_user_password` is set to `true`"
- value = module.aurora.cluster_master_user_secret
-}
-
-output "cluster_hosted_zone_id" {
-
description = "The Route53 Hosted Zone ID of the endpoint"
- value = module.aurora.cluster_hosted_zone_id
-}
-
-################################################################################
-# Cluster Instance(s)
-################################################################################
-
-output "cluster_instances" {
- description = "A map of cluster instances and their attributes"
- value = module.aurora.cluster_instances
-}
-
-################################################################################
-# Cluster Endpoint(s)
-################################################################################
-
-output "additional_cluster_endpoints" {
- description = "A map of additional cluster endpoints and their attributes"
- value = module.aurora.additional_cluster_endpoints
-}
-
-################################################################################
-# Cluster IAM Roles
-################################################################################
-
-output "cluster_role_associations" {
- description = "A map of IAM roles associated with the cluster and their attributes"
- value = module.aurora.cluster_role_associations
-}
-
-################################################################################
-# Enhanced Monitoring
-################################################################################
-
-output "enhanced_monitoring_iam_role_name" {
- description = "The name of the enhanced monitoring role"
- value = module.aurora.enhanced_monitoring_iam_role_name
-}
-
-output "enhanced_monitoring_iam_role_arn" {
- description = "The Amazon Resource Name (ARN) specifying the enhanced monitoring role"
- value = module.aurora.enhanced_monitoring_iam_role_arn
-}
-
-output "enhanced_monitoring_iam_role_unique_id" {
- description = "Stable and unique string identifying the enhanced monitoring role"
- value = module.aurora.enhanced_monitoring_iam_role_unique_id
-}
-
-################################################################################
-# Security Group
-################################################################################
-
-output "security_group_id" {
- description = "The security group ID of the cluster"
- value = module.aurora.security_group_id
-}
-
-################################################################################
-# Cluster Parameter Group
-################################################################################
-
-output "db_cluster_parameter_group_arn" {
- description = "The ARN of the DB cluster parameter group created"
- value = module.aurora.db_cluster_parameter_group_arn
-}
-
-output "db_cluster_parameter_group_id" {
- description = "The ID of the DB cluster parameter group created"
- value = module.aurora.db_cluster_parameter_group_id
-}
-
-################################################################################
-# DB Parameter Group
-################################################################################
-
-output "db_parameter_group_arn" {
- description = "The ARN of the DB parameter group created"
- value = module.aurora.db_parameter_group_arn
-}
-
-output "db_parameter_group_id" {
- description = "The ID of the DB parameter group created"
- value = module.aurora.db_parameter_group_id
-}
-
-################################################################################
-# CloudWatch Log Group
-################################################################################
-
-output "db_cluster_cloudwatch_log_groups" {
- description = "Map of CloudWatch log groups created and their attributes"
- value = module.aurora.db_cluster_cloudwatch_log_groups
-}
-
-################################################################################
-# Cluster Activity Stream
-################################################################################
-
-output "db_cluster_activity_stream_kinesis_stream_name" {
- description = "The name of the Amazon Kinesis
data stream to be used for the database activity stream"
- value = module.aurora.db_cluster_activity_stream_kinesis_stream_name
-}
diff --git a/examples/postgresql-kerberos/variables.tf b/examples/postgresql-kerberos/variables.tf
deleted file mode 100644
index e69de29..0000000
diff --git a/examples/postgresql-kerberos/versions.tf b/examples/postgresql-kerberos/versions.tf
deleted file mode 100644
index 0b1e951..0000000
--- a/examples/postgresql-kerberos/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.0"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 5.37"
- }
- }
-}