
Adds RDS instances to the legacy accounts for encryption at rest

Fred Damstra 4 vuotta sitten
vanhempi
sitoutus
b04ae8b74b

+ 1 - 0
prod/aws/legacy-mdr-prod/210-rds-jira/.tfswitch.toml

@@ -0,0 +1 @@
+../../../../.tfswitch.toml

+ 38 - 0
prod/aws/legacy-mdr-prod/210-rds-jira/terragrunt.hcl

@@ -0,0 +1,38 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/jira/rds_jira?ref=v1.10.11"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  identifier = "jira2"
+  instance_type = local.account_vars.locals.instance_types["jira-rds"]
+  vpc_id = local.account_vars.locals.legacy_vpcs["main_infrastructure"]["id"]
+  subnets = local.account_vars.locals.legacy_vpcs["main_infrastructure"]["private_subnets"]
+}
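Review bot: Nothing in the `inputs` block turns on encryption at rest, even though that is the commit's stated purpose; whether the instance is created with storage encryption and which KMS key it uses is decided entirely by the defaults of `base/jira/rds_jira` at `v1.10.11`, which are not visible here. If the module exposes them, pass them explicitly so the intent survives a module upgrade, e.g. `storage_encrypted = true` together with the KMS key id the module accepts, rather than relying on a default that can silently change. The same applies to `jira_rds_storage`, which account.hcl declares in this commit but these inputs never pass, so it only reaches the module if the root terragrunt.hcl forwards every account local as an input.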

+ 6 - 1
prod/aws/legacy-mdr-prod/account.hcl

@@ -15,9 +15,14 @@ locals {
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   vpc_info = { } # TODO
 
+  # Instance Configuration
+  instance_types = {
+    "jira-rds" = "db.t3.medium",  # legacy: db.t2.medium
+  }
+  jira_rds_storage = 50
+
   # For testing
   create_test_instance = false
-  test_instance_key_name = "TODO" # They with which to provision the test instance
 
   aws_waf_logs_hec_token = "FA38B8DD-1398-46D0-BD79-BA046C6064B0"
   portal_data_sync_hec_token = "eb79bb2d-b27d-455d-bc5c-e8cf3165b294"
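Review bot: The deletion of `test_instance_key_name` is prod-only — the test account.hcl in this same commit keeps it — so any module that reads `local.account_vars.locals.test_instance_key_name` will now fail to evaluate in prod while still working in test, which is easy to miss as long as `create_test_instance` stays false. If the intent is that prod never provisions a test instance, record it next to the flag instead of leaving the two accounts silently different, e.g. `create_test_instance = false # no key name on purpose: test instances are never provisioned in prod`. Separately, `jira_rds_storage = 50` is not referenced by the new 210-rds-jira inputs, so it depends on the root terragrunt.hcl passing account locals through. The HEC tokens in the surrounding context predate this change, but they are plaintext credentials committed to the config repo and would be better sourced from a secrets store.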

+ 9 - 7
prod/env.hcl

@@ -20,24 +20,26 @@ locals {
   # When there are multiples, put govcloud first, then commercial, and alternate if there are more than 2.
   # Put any standalone IPs at the end.
   cidr_map = {
-    "vpc-splunk"           = [ "10.40.16.0/22",                   # Splunk -- **MOOSE**
+    "vpc-splunk"           = [ "10.40.16.0/22",  # Splunk -- **MOOSE**
                                "10.80.0.0/16",   # legacy moose subnet
                              ],
-    "vpc-access"           = [ "10.40.20.0/22",                   # VPN, bastions (if any), etc.
+    "vpc-access"           = [ "10.40.20.0/22",    # VPN, bastions (if any), etc.
                                "10.80.101.133/32", # legacy bastion
                                "10.80.101.126/32", # legacy openvpn
                              ],
-    "vpc-public"           = [ "10.40.24.0/22" ],                 # Public sites (github, ghe-backup, jira, ...)
-    "vpc-scanners"         = [ "10.40.12.0/22" ],                 # Qualys, etc.
-    "vpc-system-services"  = [ "10.32.0.0/22",                    # Internal services such as dns, mailrelay, etc.
+    "vpc-public"           = [ "10.40.24.0/22",    # Public sites (github, ghe-backup, jira, ...) 
+                               "10.80.101.250/32", # legacy jira
+                             ],
+    "vpc-scanners"         = [ "10.40.12.0/22" ],  # Qualys, etc.
+    "vpc-system-services"  = [ "10.32.0.0/22",     # Internal services such as dns, mailrelay, etc.
                                "10.40.0.0/22",
-                               "10.80.101.230/32",  # legacy sensu
+                               "10.80.101.230/32", # legacy sensu
                                "10.80.101.170/32", # legacy salt master
                                "10.80.101.166/32", # legacy proxy
                                "10.80.101.197/32", # legacy repo
                                "10.80.1.107/32",   # legacy smtp
                              ],
-    "vpc-private-services" = [ "10.40.28.0/22" ],                 # Private Services - fm-shared-search, qcompliance, phantom, etc.
+    "vpc-private-services" = [ "10.40.28.0/22" ],  # Private Services - fm-shared-search, qcompliance, phantom, etc.
 
     # "old" mappings before architecture planning... we should eliminate these.
     "bastions" = [ "10.80.101.133/32", "10.40.20.0/22" ], # vpc-access in mdr-prod-c2-gov
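Review bot: The new `10.80.101.250/32` entry is appended to the `vpc-public` list rather than given a key of its own, so every rule that expands `cidr_map["vpc-public"]` now also admits the legacy Jira host, not just the one path to the RDS instance this commit creates. If the only consumer that needs it is the Jira RDS security group, a dedicated key such as `"legacy-jira" = [ "10.80.101.250/32" ]` keeps the grant scoped to that rule. I can't see how `cidr_map` is consumed from this hunk, so treat the blast radius as something to confirm against the security-group modules before merging.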

+ 1 - 0
test/aws/legacy-mdr-test/210-rds-jira/.tfswitch.toml

@@ -0,0 +1 @@
+../../../../.tfswitch.toml

+ 38 - 0
test/aws/legacy-mdr-test/210-rds-jira/terragrunt.hcl

@@ -0,0 +1,38 @@
+locals {
+  # If you want to use any of the variables in _this_ file, you have to load them here.
+  # However, they will all be available as inputs to the module loaded in terraform.source
+  # below.
+
+  # e.g. inherited variables:
+  environment_vars = read_terragrunt_config(find_in_parent_folders("env.hcl"))
+  partition_vars = read_terragrunt_config(find_in_parent_folders("partition.hcl"))
+  region_vars = read_terragrunt_config(find_in_parent_folders("region.hcl"))
+  account_vars = read_terragrunt_config(find_in_parent_folders("account.hcl"))
+  global_vars = read_terragrunt_config(find_in_parent_folders("globals.hcl"))
+}
+
+# Terragrunt will copy the Terraform configurations specified by the source parameter, along with any files in the
+# working directory, into a temporary folder, and execute your Terraform commands in that folder.
+terraform {
+  # Double slash is intentional and required to show root of modules
+  source = "git@github.mdr.defpoint.com:mdr-engineering/xdr-terraform-modules.git//base/jira/rds_jira?ref=v1.10.11"
+}
+
+# Include all settings from the root terragrunt.hcl file
+include {
+  path = find_in_parent_folders()
+}
+
+# These are the variables we have to pass in to use the module specified in the terragrunt source above
+inputs = {
+  # All of the inputs from the inherited hcl files are available automatically
+  # (via the `inputs` section of the root `terragrunt.hcl`). However, modules
+  # will be more flexible if you specify particular input values.
+  tags = {
+    Terraform = "aws/${basename(get_parent_terragrunt_dir())}/${path_relative_to_include()}/"
+  }
+  identifier = "jira2"
+  instance_type = local.account_vars.locals.instance_types["jira-rds"]
+  vpc_id = local.account_vars.locals.legacy_vpcs["main_infrastructure"]["id"]
+  subnets = local.account_vars.locals.legacy_vpcs["main_infrastructure"]["private_subnets"]
+}
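Review bot: `source` pins the module with `?ref=v1.10.11`, a git tag, and tags on the internal GitHub host can be moved or re-created, so the same ref can resolve to different module code on a later apply; pinning to the tag's commit SHA (`?ref=<commit sha>`) with the tag name in the adjacent comment makes the module supply chain reproducible. This file is otherwise byte-identical to the prod one, including `identifier = "jira2"`; sharing the identifier across separate accounts is fine, but a one-line comment saying it is intentionally the same as prod would stop someone "fixing" it later. The inputs also presume `legacy_vpcs["main_infrastructure"]` already exists in test/account.hcl, which this commit does not add, so that should be verified rather than assumed.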

+ 7 - 1
test/aws/legacy-mdr-test/account.hcl

@@ -4,7 +4,7 @@ locals {
   account_name   = "legacy-mdr-test"
   account_alias  = "" # No alias for legacy
   aws_account_id = "527700175026"
-  instance_termination_protection = true # set to true for production!
+  instance_termination_protection = false # set to true for production!
   splunk_prefix = "moose"
 
   account_tags = {
@@ -15,6 +15,12 @@ locals {
   # For CIDR assignment, see https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation
   vpc_info = {} # "TODO"
 
+  # Instance Configuration
+  instance_types = {
+    "jira-rds" = "db.t3.medium",  # legacy: db.t2.medium
+  }
+  jira_rds_storage = 50
+
   # For testing
   create_test_instance = false
   test_instance_key_name = "TODO" # They with which to provision the test instance
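Review bot: `instance_termination_protection` is flipped to `false` for the whole legacy-mdr-test account, not just the new RDS instance, so every module in this account that reads the flag will drop termination protection on its next apply — a side effect unrelated to the commit's stated purpose and not mentioned in its title. If the goal is only to let the new Jira RDS be rebuilt freely during rollout, leave the account-wide flag alone and override it in the `210-rds-jira/terragrunt.hcl` inputs instead, or at least record the reason inline, e.g. `instance_termination_protection = false # test only: allow rebuilds during the jira RDS migration`. While here, the context comment on `test_instance_key_name` reads `They with which` and was presumably meant to be `The key with which`.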

+ 10 - 7
test/env.hcl

@@ -21,16 +21,18 @@ locals {
   # Put any standalone IPs at the end.
   cidr_map = {
     # See infrastructure_notes/Architecture_Notes.md and https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/wiki/IP-Address-Allocation for more information
-    "vpc-splunk"           = [ "10.20.16.0/22",                   # Splunk -- **MOOSE**
-                               "10.96.100.0/22",   # legacy moose subnet
+    "vpc-splunk"           = [ "10.20.16.0/22",  # Splunk -- **MOOSE**
+                               "10.96.100.0/22", # legacy moose subnet
                              ],
-    "vpc-access"           = [ "10.20.20.0/22",                   # VPN, bastions (if any), etc.
+    "vpc-access"           = [ "10.20.20.0/22",    # VPN, bastions (if any), etc.
                                "10.96.101.218/32", # legacy bastion
                                "10.96.101.249/32", # legacy openvpn
                              ],
-    "vpc-public"           = [ "10.20.24.0/22" ],                 # Public sites (github, ghe-backup, jira, ...)
-    "vpc-scanners"         = [ "10.20.12.0/22" ],                 # Qualys, etc.
-    "vpc-system-services"  = [ "10.16.0.0/22",                    # Internal services such as dns, mailrelay, etc.
+    "vpc-public"           = [ "10.20.24.0/22",    # Public sites (github, ghe-backup, jira, ...) 
+                               "10.96.101.193/32", # legacy jira
+                             ],
+    "vpc-scanners"         = [ "10.20.12.0/22" ],  # Qualys, etc.
+    "vpc-system-services"  = [ "10.16.0.0/22",     # Internal services such as dns, mailrelay, etc.
                                "10.20.0.0/22",
                                "10.96.101.43/32",  # legacy sensu
                                "10.96.101.161/32", # legacy salt master
@@ -38,7 +40,8 @@ locals {
                                "10.96.101.160/32", # legacy repo
                                "10.96.1.160/32",   # legacy smtp
                              ],
-    "vpc-private-services" = [ "10.20.28.0/22" ],                 # Private Services - fm-shared-search, qcompliance, phantom, etc.
+    "vpc-private-services" = [ "10.20.28.0/22",    # Private Services - fm-shared-search, qcompliance, phantom, etc. 
+                             ],
 
     # "old" mappings before architecture planning... we should eliminate these.
     "bastions" = [ "10.96.101.218/32", "10.20.20.0/22" ], # vpc-access in mdr-test-c2-gov
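Review bot: The second hunk reformats `vpc-private-services` onto two lines with a trailing space after the comment, while the prod env.hcl in the same commit leaves the equivalent entry on a single line, so the two files now diverge in shape with no change in content; keeping them structurally identical is what makes a prod-vs-test diff reviewable. The reworked `vpc-public` comment line carries a trailing space as well. As in prod, the new `10.96.101.193/32` entry widens whatever rules expand `cidr_map["vpc-public"]` to include the legacy Jira host rather than scoping it to the Jira RDS; the consumers are not visible from this hunk, so confirm that breadth is intended.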