
Merge pull request #124 from mdr-engineering/feature/ftd_MSOCI-1238_PostgresEncryptandUpgrade

Adds rds_jira module
Frederick Damstra 4 年之前
1163e9f8f8

+ 20 - 0
base/jira/rds_jira/kms-key.tf

@@ -0,0 +1,20 @@
+locals {
+  # For the default EBS key, we allow the entire account access
+  root_arn = "arn:${var.aws_partition}:iam::${var.aws_account_id}:root"
+}
+
+module "jira_key" {
+  source = "../../../submodules/kms/ebs-key"
+
+  name = "${var.identifier}_key"
+  alias = "alias/${var.identifier}"
+  description = "encrypt and decrypt the ${var.identifier} RDS" # updated to match legacy
+  tags = merge(var.standard_tags, var.tags)
+  key_admin_arns = [ ]
+  key_user_arns = concat([ local.root_arn ], var.extra_key_users)
+  key_attacher_arns = concat([ local.root_arn ], var.extra_key_attachers)
+  standard_tags = var.standard_tags
+  aws_account_id = var.aws_account_id
+  aws_partition = var.aws_partition
+  is_legacy = var.is_legacy
+}
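Review bot: The comment on the `root_arn` local still describes the EBS default ("For the default EBS key, we allow the entire account access"), but here the local is passed as `key_user_arns` and `key_attacher_arns` for an RDS key while `key_admin_arns` stays empty, so the account root is both a key user and a grant creator for the database key. Granting root as a key user means any IAM principal in the account whose identity policy allows the kms actions can use this key; if the intended consumers are only the RDS service plus the principals supplied through `extra_key_users`/`extra_key_attachers`, listing those explicitly is the narrower scope. At minimum the comment should state the actual intent, e.g. `# Account root is granted key use so any IAM-authorised principal in this account can use the RDS key; narrow to the real consumers once known`. Whether an empty `key_admin_arns` still leaves an administrator for the key depends on the submodule's key policy, which is outside this change.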

+ 52 - 0
base/jira/rds_jira/main.tf

@@ -0,0 +1,52 @@
+module "jira_db" {
+  source = "terraform-aws-modules/rds/aws"
+  version = "~> v2.0"
+
+  identifier = var.identifier # this is the RDS identifier, not the DB name
+  name = "jira" # the DB name
+
+  engine             = "postgres"
+  engine_version     = "11.8"
+  instance_class     = var.instance_type
+  allocated_storage  = var.jira_rds_storage
+  storage_encrypted  = true
+  kms_key_id = module.jira_key.key_arn
+  ca_cert_identifier = "rds-ca-2019"
+
+
+  # NOTE: Do NOT use 'user' as the value for 'username' as it throws:
+  # "Error creating DB Instance: InvalidParameterValue: MasterUsername
+  # user cannot be used as it is a reserved word used by the engine"
+  username = "jira"
+
+  password = "YourPwdShouldBeLongAndSecure!"
+  port     = "5432"
+
+  vpc_security_group_ids = [ aws_security_group.jira_rds_sg.id ]
+
+  # FTD: Should these be reversed? Backup _before_ maintenance?
+  maintenance_window = "Mon:00:00-Mon:03:00"
+  backup_window      = "03:00-06:00"
+
+  # disable backups to create DB faster
+  backup_retention_period = 0
+
+  tags = merge(var.standard_tags, var.tags)
+
+  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
+
+  # DB subnet group
+  subnet_ids = var.subnets
+
+  # DB parameter group
+  family = "postgres11"
+
+  # DB option group
+  major_engine_version = "11"
+
+  # Snapshot name upon DB deletion
+  final_snapshot_identifier = "${var.identifier}-final-snapshot"
+
+  # Database Deletion Protection
+  deletion_protection = var.instance_termination_protection
+}
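Review bot: `password = "YourPwdShouldBeLongAndSecure!"` on the new line 61 is a literal master password shipped with the module, so the same value lands in the repository, in plan output and in the state of every deployment that keeps the default. Source it from an input with no default (`password = var.master_password` with `variable "master_password" { type = string }`) or from a `random_password` resource, and document that the state then holds the value and must be protected accordingly. `backup_retention_period = 0` with the comment "disable backups to create DB faster" also turns off automated backups and point-in-time recovery for what the identifier suggests is the Jira database; if that is a development shortcut, make it a variable whose default is a non-zero retention rather than a hard-coded 0. The `FTD:` question about the windows can be settled in a comment rather than left open: RDS only requires that the two windows not overlap, so the order is a product choice.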

+ 31 - 0
base/jira/rds_jira/outputs.tf

@@ -0,0 +1,31 @@
+output "kms_key_id" {
+  value = module.jira_key.key_arn
+}
+
+output "vpc_id" {
+  value = var.vpc_id
+}
+
+output "subnet_group" {
+  value = module.jira_db.this_db_subnet_group_id
+}
+
+output "security_group" {
+  value = aws_security_group.jira_rds_sg.name
+}
+
+output "instance_type" {
+  value = var.instance_type
+}
+
+output "allocated_storage" {
+  value = var.jira_rds_storage
+}
+
+output "kms_key" {
+  value = module.jira_key.key_name
+}
+
+output "database_url" {
+  value = "jdbc:postgresql://${module.jira_db.this_db_instance_endpoint}:5432/${var.identifier}"
+}
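Review bot: `database_url` on the new line 126 is likely wrong on two counts: the path uses `${var.identifier}` although the database created in main.tf is named by `name = "jira"` (the comment there explicitly separates the RDS identifier from the DB name), so the URL only matches while the identifier keeps its default; and, if `this_db_instance_endpoint` is the provider's `endpoint` attribute as in the upstream module, it already carries `address:port`, so appending `:5432` yields `host:5432:5432/...`. A form that follows main.tf would be `value = "jdbc:postgresql://${module.jira_db.this_db_instance_address}:${module.jira_db.this_db_instance_port}/jira"`. None of the outputs carry a `description`; `security_group` in particular returns the group name rather than its id, which is worth stating, e.g. `description = "Name (not id) of the RDS security group"`.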

+ 16 - 0
base/jira/rds_jira/security-groups.tf

@@ -0,0 +1,16 @@
+resource "aws_security_group" "jira_rds_sg" {
+  name = "${var.identifier}_rds_sg"
+  description = "Security Group for Jira RDS"
+  vpc_id = var.vpc_id
+  tags = merge(var.standard_tags, var.tags)
+}
+
+resource "aws_security_group_rule" "jira_rds_in" {
+  description = "Inbound Postgres"
+  type = "ingress"
+  from_port = 5432
+  to_port = 5432
+  protocol = "tcp"
+  cidr_blocks = var.cidr_map["vpc-public"]
+  security_group_id = aws_security_group.jira_rds_sg.id
+}
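Review bot: The ingress rule on the new lines 140-148 opens 5432 to every address in `var.cidr_map["vpc-public"]`, so any host placed in those subnets, not only the Jira application, can reach Postgres. If the Jira instance has its own security group, `source_security_group_id = <jira app SG id>` in place of `cidr_blocks` is the tighter scope (the two arguments are mutually exclusive on one rule, so it is a replacement, not an addition); otherwise the application's private CIDR is still narrower than the public range. Until that is settled, a comment should record the assumption: `# NOTE(review): 'vpc-public' is assumed to be the subnets hosting the Jira application - confirm before widening`.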

+ 50 - 0
base/jira/rds_jira/vars.tf

@@ -0,0 +1,50 @@
+variable "tags" {
+  type = map
+  default = { } 
+}
+
+variable extra_key_users {
+  description = "Extra Jira encryption key users."
+  type = list
+  default = [ ]
+}
+
+variable extra_key_attachers {
+  description = "Extra Jira encryption key attachers."
+  type = list
+  default = [ ]
+}
+
+variable identifier {
+  description = "RDS Identifier"
+  type = string
+  default = "jira"
+}
+
+variable instance_type {
+  type = string
+  default = "db.t3.medium"
+}
+
+variable jira_rds_storage {
+  type = number
+  default = 50
+}
+
+variable subnets {
+  type = list(string)
+}
+
+# ----------------------------------
+# Below this line are variables inherited from higher levels, so they
+# do not need to be explicitly passed to this module.
+variable "is_legacy" { type = bool }
+variable "common_services_account" { type = string }
+variable "standard_tags" { type = map }
+variable "account_list" { type = list }
+variable "aws_account_id" { type = string }
+variable "aws_partition" { type = string }
+variable "vpc_id" { type = string }
+variable "environment" { type = string }
+variable "cidr_map" { type = map }
+variable "instance_termination_protection" { type = bool }
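Review bot: The variable labels are inconsistently quoted (`variable extra_key_users` next to `variable "tags"`) and several types use the bare `map`/`list` shorthand, which Terraform 0.12+ accepts only as legacy aliases for `map(any)`/`list(any)`; since version.tf pins `~> 0.13`, the explicit forms already used for `subnets` are the better style, e.g. `type = list(string)` for `extra_key_users` and `extra_key_attachers` and `type = map(string)` for `tags`. `instance_type` and `jira_rds_storage` are the only inputs with defaults but no description; one line each (`description = "RDS instance class"`, `description = "Allocated storage in GiB"`) brings them in line with `identifier`. `common_services_account`, `account_list` and `environment` are declared but referenced by none of the files in this PR; if nothing outside this change uses them either, they can be dropped from this module. Line 156 also has trailing whitespace after `default = { }`.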

+ 3 - 0
base/jira/rds_jira/version.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = "~> 0.13"
+}

+ 4 - 0
submodules/kms/ebs-key/outputs.tf

@@ -1,3 +1,7 @@
 output "key_arn" {
   value = aws_kms_key.key.arn
 }
+
+output "key_name" {
+  value = var.name
+}
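Review bot: The new `key_name` output echoes the module input `var.name` rather than anything read back from `aws_kms_key.key`, while the alias (set by the caller in kms-key.tf as `alias/${var.identifier}`) is what the console shows as the key's name, so callers may read more into this output than it carries. A description makes that explicit: `description = "The name passed in as var.name; not the KMS alias and not read from the created key"`.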