From 19e981ee8c9d552b9ce99e535aaf8798b1432bfd Mon Sep 17 00:00:00 2001 From: magreenbaum Date: Thu, 11 Jul 2024 20:58:53 -0400 Subject: [PATCH 1/3] multi-az rds cluster ca cert identifier --- README.md | 7 +++++-- examples/autoscaling/README.md | 4 ++-- examples/autoscaling/versions.tf | 2 +- examples/global-cluster/README.md | 6 +++--- examples/global-cluster/versions.tf | 2 +- examples/multi-az/README.md | 6 ++++-- examples/multi-az/main.tf | 5 ++++- examples/multi-az/outputs.tf | 10 ++++++++++ examples/multi-az/versions.tf | 2 +- examples/mysql/README.md | 4 ++-- examples/mysql/versions.tf | 2 +- examples/postgresql/README.md | 4 ++-- examples/postgresql/versions.tf | 2 +- examples/s3-import/README.md | 4 ++-- examples/s3-import/versions.tf | 2 +- examples/serverless/README.md | 4 ++-- examples/serverless/versions.tf | 2 +- main.tf | 1 + outputs.tf | 10 ++++++++++ variables.tf | 6 ++++++ versions.tf | 2 +- 21 files changed, 61 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index b53aa74..40f59b8 100644 --- a/README.md +++ b/README.md @@ -224,13 +224,13 @@ Terraform documentation is generated automatically using [pre-commit hooks](http | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.42 | +| [aws](#requirement\_aws) | >= 5.58 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.42 | +| [aws](#provider\_aws) | >= 5.58 | ## Modules 
@@ -283,6 +283,7 @@ No modules. | [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no | | [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | The number of days to retain CloudWatch logs for the DB instance | `number` | `7` | no | | [cloudwatch\_log\_group\_skip\_destroy](#input\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `null` | no | +| [cluster\_ca\_cert\_identifier](#input\_cluster\_ca\_cert\_identifier) | The CA certificate identifier to use for the DB cluster's server certificate | `string` | `null` | no | | [cluster\_members](#input\_cluster\_members) | List of RDS Instances that are a part of this cluster | `list(string)` | `null` | no | | [cluster\_tags](#input\_cluster\_tags) | A map of tags to add to only the cluster. Used for AWS Instance Scheduler tagging | `map(string)` | `{}` | no | | [cluster\_timeouts](#input\_cluster\_timeouts) | Create, update, and delete timeout configurations for the cluster | `map(string)` | `{}` | no | 
@@ -392,6 +393,8 @@ No modules. |------|-------------| | [additional\_cluster\_endpoints](#output\_additional\_cluster\_endpoints) | A map of additional cluster endpoints and their attributes | | [cluster\_arn](#output\_cluster\_arn) | Amazon Resource Name (ARN) of cluster | +| [cluster\_ca\_certificate\_identifier](#output\_cluster\_ca\_certificate\_identifier) | CA identifier of the CA certificate used for the DB instance's server certificate | +| [cluster\_ca\_certificate\_valid\_till](#output\_cluster\_ca\_certificate\_valid\_till) | Expiration date of the DB instance’s server certificate | | [cluster\_database\_name](#output\_cluster\_database\_name) | Name for an automatically created database on cluster creation | | [cluster\_endpoint](#output\_cluster\_endpoint) | Writer endpoint for the cluster | | [cluster\_engine\_version\_actual](#output\_cluster\_engine\_version\_actual) | The running version of the cluster database | diff --git a/examples/autoscaling/README.md b/examples/autoscaling/README.md index 0520010..e5ef334 100644 --- a/examples/autoscaling/README.md +++ b/examples/autoscaling/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.42 | +| [aws](#requirement\_aws) | >= 5.58 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.42 | +| [aws](#provider\_aws) | >= 5.58 | ## Modules diff --git a/examples/autoscaling/versions.tf b/examples/autoscaling/versions.tf index 4cda07e..2c346da 100644 --- a/examples/autoscaling/versions.tf +++ b/examples/autoscaling/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.42" + version = ">= 5.58" } } } diff --git a/examples/global-cluster/README.md b/examples/global-cluster/README.md index 4e81f24..d926ce7 100644 
--- a/examples/global-cluster/README.md +++ b/examples/global-cluster/README.md @@ -20,15 +20,15 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.42 | +| [aws](#requirement\_aws) | >= 5.58 | | [random](#requirement\_random) | >= 2.2 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.42 | -| [aws.secondary](#provider\_aws.secondary) | >= 5.42 | +| [aws](#provider\_aws) | >= 5.58 | +| [aws.secondary](#provider\_aws.secondary) | >= 5.58 | | [random](#provider\_random) | >= 2.2 | ## Modules diff --git a/examples/global-cluster/versions.tf b/examples/global-cluster/versions.tf index 954c03a..eb5aea8 100644 --- a/examples/global-cluster/versions.tf +++ b/examples/global-cluster/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.42" + version = ">= 5.58" } random = { diff --git a/examples/multi-az/README.md b/examples/multi-az/README.md index 83f95e4..0dc02a7 100644 --- a/examples/multi-az/README.md +++ b/examples/multi-az/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.42 | +| [aws](#requirement\_aws) | >= 5.58 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.42 | +| [aws](#provider\_aws) | >= 5.58 | ## Modules 
@@ -51,6 +51,8 @@ No inputs. |------|-------------| | [additional\_cluster\_endpoints](#output\_additional\_cluster\_endpoints) | A map of additional cluster endpoints and their attributes | | [cluster\_arn](#output\_cluster\_arn) | Amazon Resource Name (ARN) of cluster | +| [cluster\_ca\_certificate\_identifier](#output\_cluster\_ca\_certificate\_identifier) | CA identifier of the CA certificate used for the DB instance's server certificate | +| [cluster\_ca\_certificate\_valid\_till](#output\_cluster\_ca\_certificate\_valid\_till) | Expiration date of the DB instance’s server certificate | | [cluster\_database\_name](#output\_cluster\_database\_name) | Name for an automatically created database on cluster creation | | [cluster\_endpoint](#output\_cluster\_endpoint) | Writer endpoint for the cluster | | [cluster\_engine\_version\_actual](#output\_cluster\_engine\_version\_actual) | The running version of the cluster database | diff --git a/examples/multi-az/main.tf b/examples/multi-az/main.tf index 35c58a1..74655fe 100644 --- a/examples/multi-az/main.tf +++ b/examples/multi-az/main.tf @@ -27,7 +27,7 @@ module "aurora" { name = local.name engine = "postgres" # This uses RDS engine, not Aurora - engine_version = "14.5" + engine_version = "15.7" master_username = "root" vpc_id = module.vpc.vpc_id @@ -45,7 +45,10 @@ module "aurora" { iops = 2500 storage_type = "io1" + cluster_ca_cert_identifier = "rds-ca-rsa4096-g1" + skip_final_snapshot = true + apply_immediately = true tags = local.tags } diff --git a/examples/multi-az/outputs.tf b/examples/multi-az/outputs.tf index bc39159..e29199a 100644 --- a/examples/multi-az/outputs.tf +++ b/examples/multi-az/outputs.tf 
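Review bot: The second hunk of examples/multi-az/main.tf pins `cluster_ca_cert_identifier = "rds-ca-rsa4096-g1"` with no comment on why that CA was chosen or on what it means for clients, and since the example is what users copy, that is where the consequence should be stated: any client that verifies the server certificate has to trust this CA before it connects, and the `cluster_ca_certificate_valid_till` output added in the same patch is what to watch for expiry. A one-line comment above the attribute would do, e.g. `# Clients verifying the server certificate must trust the rds-ca-rsa4096-g1 root; see output cluster_ca_certificate_valid_till for expiry`. The `engine_version` bump from 14.5 to 15.7 in the first hunk is unrelated to the CA change and could be mentioned in the commit message so it is not mistaken for a requirement of the new attribute. The enclosing `module "aurora"` block begins before both hunks.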
@@ -66,6 +66,16 @@ output "cluster_hosted_zone_id" { value = module.aurora.cluster_hosted_zone_id } +output "cluster_ca_certificate_identifier" { + description = "CA identifier of the CA certificate used for the DB instance's server certificate" + value = module.aurora.cluster_ca_certificate_identifier +} + +output "cluster_ca_certificate_valid_till" { + description = "Expiration date of the DB instance’s server certificate" + value = module.aurora.cluster_ca_certificate_valid_till +} + ################################################################################ # Cluster Instance(s) ################################################################################ diff --git a/examples/multi-az/versions.tf b/examples/multi-az/versions.tf index 4cda07e..2c346da 100644 --- a/examples/multi-az/versions.tf +++ b/examples/multi-az/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.42" + version = ">= 5.58" } } } diff --git a/examples/mysql/README.md b/examples/mysql/README.md index 0a14403..288bc8b 100644 --- a/examples/mysql/README.md +++ b/examples/mysql/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.42 | +| [aws](#requirement\_aws) | >= 5.58 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.42 | +| [aws](#provider\_aws) | >= 5.58 | ## Modules diff --git a/examples/mysql/versions.tf b/examples/mysql/versions.tf index 4cda07e..2c346da 100644 --- a/examples/mysql/versions.tf +++ b/examples/mysql/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.42" + version = ">= 5.58" } } } diff --git a/examples/postgresql/README.md b/examples/postgresql/README.md index 5708aca..a15949a 100644 --- a/examples/postgresql/README.md 
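Review bot: Both new outputs in examples/multi-az/outputs.tf describe a cluster-level attribute as the "DB instance's server certificate", which reads like a copy from the instance resource; the same wording is repeated in the root outputs.tf hunk and in the README tables later on the page. I would change them to `description = "CA identifier of the CA certificate used for the DB cluster's server certificate"` and `description = "Expiration date of the DB cluster's server certificate"`. The second description also uses a typographic apostrophe (`instance’s`) while the first uses ASCII (`instance's`); the generated README inherits that inconsistency, so pick one form.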
+++ b/examples/postgresql/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.42 | +| [aws](#requirement\_aws) | >= 5.58 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.42 | +| [aws](#provider\_aws) | >= 5.58 | ## Modules diff --git a/examples/postgresql/versions.tf b/examples/postgresql/versions.tf index 4cda07e..2c346da 100644 --- a/examples/postgresql/versions.tf +++ b/examples/postgresql/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.42" + version = ">= 5.58" } } } diff --git a/examples/s3-import/README.md b/examples/s3-import/README.md index 3582f9b..793f18a 100644 --- a/examples/s3-import/README.md +++ b/examples/s3-import/README.md @@ -49,13 +49,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.42 | +| [aws](#requirement\_aws) | >= 5.58 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.42 | +| [aws](#provider\_aws) | >= 5.58 | ## Modules diff --git a/examples/s3-import/versions.tf b/examples/s3-import/versions.tf index 4cda07e..2c346da 100644 --- a/examples/s3-import/versions.tf +++ b/examples/s3-import/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.42" + version = ">= 5.58" } } } diff --git a/examples/serverless/README.md b/examples/serverless/README.md index b3a6ba1..4a128b9 100644 --- a/examples/serverless/README.md +++ b/examples/serverless/README.md 
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.42 | +| [aws](#requirement\_aws) | >= 5.58 | | [random](#requirement\_random) | >= 3.5 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.42 | +| [aws](#provider\_aws) | >= 5.58 | | [random](#provider\_random) | >= 3.5 | ## Modules diff --git a/examples/serverless/versions.tf b/examples/serverless/versions.tf index 9f1d544..bc79575 100644 --- a/examples/serverless/versions.tf +++ b/examples/serverless/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.42" + version = ">= 5.58" } random = { source = "hashicorp/random" diff --git a/main.tf b/main.tf index 755cfae..5e34179 100644 --- a/main.tf +++ b/main.tf @@ -45,6 +45,7 @@ resource "aws_rds_cluster" "this" { availability_zones = var.availability_zones backup_retention_period = var.backup_retention_period backtrack_window = local.backtrack_window + ca_certificate_identifier = var.cluster_ca_cert_identifier cluster_identifier = var.cluster_use_name_prefix ? null : var.name cluster_identifier_prefix = var.cluster_use_name_prefix ? "${var.name}-" : null cluster_members = var.cluster_members diff --git a/outputs.tf b/outputs.tf index ec24ee8..f755d00 100644 --- a/outputs.tf +++ b/outputs.tf 
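Review bot: `ca_certificate_identifier = var.cluster_ca_cert_identifier` is passed to `aws_rds_cluster.this` unconditionally, and nothing in the module ties it to the engine, even though the follow-up patch's description states it is only supported for multi-az DB clusters; a non-null value on an Aurora engine will presumably be rejected by the API at apply time rather than at plan. A `lifecycle { precondition }` on the resource could enforce this, but that needs a newer Terraform than the `>= 1.0` pinned in versions.tf, so at minimum a why-comment on this line would help, e.g. `# Only supported for Multi-AZ DB clusters (RDS engines); leave null for Aurora`. Changing this value on an existing cluster presumably rotates the server certificate in place, so clients pinning the previous CA will fail TLS verification until their trust store is updated; that is worth stating in the variable description as well. The `resource "aws_rds_cluster" "this"` block begins before and continues after this hunk.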
@@ -79,6 +79,16 @@ output "cluster_hosted_zone_id" { value = try(aws_rds_cluster.this[0].hosted_zone_id, null) } +output "cluster_ca_certificate_identifier" { + description = "CA identifier of the CA certificate used for the DB instance's server certificate" + value = try(aws_rds_cluster.this[0].ca_certificate_identifier, null) +} + +output "cluster_ca_certificate_valid_till" { + description = "Expiration date of the DB instance’s server certificate" + value = try(aws_rds_cluster.this[0].ca_certificate_valid_till, null) +} + ################################################################################ # Cluster Instance(s) ################################################################################ diff --git a/variables.tf b/variables.tf index 3019fc5..0e952d2 100644 --- a/variables.tf +++ b/variables.tf @@ -90,6 +90,12 @@ variable "backtrack_window" { default = null } +variable "cluster_ca_cert_identifier" { + description = "The CA certificate identifier to use for the DB cluster's server certificate" + type = string + default = null +} + variable "cluster_members" { description = "List of RDS Instances that are a part of this cluster" type = list(string) diff --git a/versions.tf b/versions.tf index 4cda07e..2c346da 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.42" + version = ">= 5.58" } } } From b4459dbf24435bb0dac17e8703d5f8d6d0d87420 Mon Sep 17 00:00:00 2001 From: magreenbaum Date: Thu, 11 Jul 2024 21:02:12 -0400 Subject: [PATCH 2/3] update variable description --- README.md | 2 +- variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 40f59b8..6448898 100644 --- a/README.md +++ b/README.md 
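Review bot: The variables.tf hunk names the input `cluster_ca_cert_identifier` while the outputs added in the same patch are `cluster_ca_certificate_identifier` and `cluster_ca_certificate_valid_till`, and the provider attribute itself is `ca_certificate_identifier`; since the variable is new, `variable "cluster_ca_certificate_identifier"` would keep all three consistent without a compatibility cost, with the reference in main.tf and the README table updated to match. If the shorter name is deliberate, the description should at least carry the rotation caveat, e.g. `description = "The CA certificate identifier to use for the DB cluster's server certificate. Changing it rotates the server certificate; clients verifying TLS must trust the new CA first"`. The outputs.tf hunk on this line has the same "DB instance's" wording issue already raised on the examples/multi-az/outputs.tf hunk.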
@@ -283,7 +283,7 @@ No modules. | [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no | | [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | The number of days to retain CloudWatch logs for the DB instance | `number` | `7` | no | | [cloudwatch\_log\_group\_skip\_destroy](#input\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `null` | no | -| [cluster\_ca\_cert\_identifier](#input\_cluster\_ca\_cert\_identifier) | The CA certificate identifier to use for the DB cluster's server certificate | `string` | `null` | no | +| [cluster\_ca\_cert\_identifier](#input\_cluster\_ca\_cert\_identifier) | The CA certificate identifier to use for the DB cluster's server certificate. Currently only supported for multi-az DB clusters | `string` | `null` | no | | [cluster\_members](#input\_cluster\_members) | List of RDS Instances that are a part of this cluster | `list(string)` | `null` | no | | [cluster\_tags](#input\_cluster\_tags) | A map of tags to add to only the cluster. Used for AWS Instance Scheduler tagging | `map(string)` | `{}` | no | | [cluster\_timeouts](#input\_cluster\_timeouts) | Create, update, and delete timeout configurations for the cluster | `map(string)` | `{}` | no | diff --git a/variables.tf b/variables.tf index 0e952d2..3967ae0 100644 --- a/variables.tf +++ b/variables.tf @@ -91,7 +91,7 @@ variable "backtrack_window" { } variable "cluster_ca_cert_identifier" { - description = "The CA certificate identifier to use for the DB cluster's server certificate" + description = "The CA certificate identifier to use for the DB cluster's server certificate. Currently only supported for multi-az DB clusters" type = string default = null } 
From 25ed2df95972554586d8fe5afe28e2a8aca0995f Mon Sep 17 00:00:00 2001 From: magreenbaum Date: Fri, 12 Jul 2024 06:42:09 -0400 Subject: [PATCH 3/3] remove param for testing --- examples/multi-az/main.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/multi-az/main.tf b/examples/multi-az/main.tf index 74655fe..ea772ce 100644 --- a/examples/multi-az/main.tf +++ b/examples/multi-az/main.tf @@ -48,7 +48,6 @@ module "aurora" { cluster_ca_cert_identifier = "rds-ca-rsa4096-g1" skip_final_snapshot = true - apply_immediately = true tags = local.tags }