Commit d203ae61 authored by Mark Antony

modifying properties

### Terraform
terraform/*/.terraform.lock.hcl
terraform/*/.terraform/
terraform/develop/terraform.*
terraform/develop/.terraform.*
terraform/develop/plan.terraform
terraform/develop/checkov.json
terraform/develop/checkov.test.xml
terraform/develop/TFCompliance-Report.xml
terraform/develop/TFCompliance-Report-public.xml
checkov.json
checkov.test.xml
TFCompliance-Report.xml
TFCompliance-Report-public.xml
plan.terraform
plan.json
terraform.tfstate*
terraform.tfstate
.terraform/*
.terraform.lock.hcl
.setenv
.test-data
terraform.jq
checkov.test.xml
tflint.test.xml
# Local .terraform directories
**/.terraform/*
# .tfstate files
*.tfstate
*.tfstate.*
# Crash log files
crash.log
# Ignore override files as they are usually used to override resources locally and so
# are not checked in
override.tf
override.tf.json
*_override.tf
*_override.tf.json
# Ignore CLI configuration files
.terraformrc
terraform.rc
# Ignored Terraform files
*gitignore*.tf
# Ignore Any Generated JSON Files
operations/automation-script/apply.json
operations/automation-script/configversion.json
operations/automation-script/run.template.json
operations/automation-script/run.json
operations/automation-script/variable.template.json
operations/automation-script/variable.json
operations/automation-script/workspace.template.json
operations/automation-script/workspace.json
operations/sentinel-policies-scripts/create-policy.template.json
operations/sentinel-policies-scripts/create-policy.json
operations/variable-scripts/variable.template.json
operations/variable-scripts/variable.json
# Sentinel runtime directory
.sentinel
#############
###General###
#############
##OS - Windows
# Windows thumbnail cache files
Thumbs.db
Thumbs.db:encryptable
ehthumbs.db
ehthumbs_vista.db
# Dump file
*.stackdump
# Folder config file
[Dd]esktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Windows Installer files
*.cab
*.msi
*.msix
*.msm
*.msp
# Windows shortcuts
*.lnk
## OS - MacOS
# General
.DS_Store
.AppleDouble
.LSOverride
# Icon must end with two \r
Icon
# Thumbnails
._*
# Files that might appear in the root of a volume
.DocumentRevisions-V100
.fseventsd
.Spotlight-V100
.TemporaryItems
.Trashes
.VolumeIcon.icns
.com.apple.timemachine.donotpresent
# Directories potentially created on remote AFP share
.AppleDB
.AppleDesktop
Network Trash Folder
Temporary Items
.apdisk
## OS - Linux
*~
# temporary files which can be created if a process still has a handle open of a deleted file
.fuse_hidden*
# KDE directory preferences
.directory
# Linux trash folder which might appear on any partition or disk
.Trash-*
# .nfs files are created when an open file is removed but is still being accessed
.nfs*
## Tool - Vim
# Swap
[._]*.s[a-v][a-z]
!*.svg # comment out if you don't need vector files
[._]*.sw[a-p]
[._]s[a-rt-v][a-z]
[._]ss[a-gi-z]
[._]sw[a-p]
# Session
Session.vim
Sessionx.vim
# Temporary
.netrwhist
*~
# Auto-generated tag files
tags
# Persistent undo
[._]*.un~
## Tool - Emacs
# -*- mode: gitignore; -*-
*~
\#*\#
/.emacs.desktop
/.emacs.desktop.lock
*.elc
auto-save-list
tramp
.\#*
# Org-mode
.org-id-locations
*_archive
# flymake-mode
*_flymake.*
# eshell files
/eshell/history
/eshell/lastdir
# elpa packages
/elpa/
# reftex files
*.rel
# AUCTeX auto folder
/auto/
# cask packages
.cask/
dist/
# Flycheck
flycheck_*.el
# server auth directory
/server/
# projectiles files
.projectile
# directory configuration
.dir-locals.el
# network security
/network-security.data
## Tool - Vagrant
# General
.vagrant/
# Log files (if you are creating logs in debug mode, uncomment this)
*.log
## Tools - Tags
# Ignore tags created by etags, ctags, gtags (GNU global) and cscope
TAGS
.TAGS
!TAGS/
tags
.tags
!tags/
gtags.files
GTAGS
GRTAGS
GPATH
GSYMS
cscope.files
cscope.out
cscope.in.out
cscope.po.out
## IDE - NetBeans
**/nbproject/private/
**/nbproject/Makefile-*.mk
**/nbproject/Package-*.bash
build/
nbbuild/
dist/
nbdist/
.nb-gradle/
## IDE - VSCode
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
*.code-workspace
# Local History for Visual Studio Code
.history/
## IDE - Jetbrains
# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
# User-specific stuff
.idea/**/workspace.xml
.idea/**/tasks.xml
.idea/**/usage.statistics.xml
.idea/**/dictionaries
.idea/**/shelf
# AWS User-specific
.idea/**/aws.xml
# Generated files
.idea/**/contentModel.xml
# Sensitive or high-churn files
.idea/**/dataSources/
.idea/**/dataSources.ids
.idea/**/dataSources.local.xml
.idea/**/sqlDataSources.xml
.idea/**/dynamic.xml
.idea/**/uiDesigner.xml
.idea/**/dbnavigator.xml
# Gradle
.idea/**/gradle.xml
.idea/**/libraries
# Gradle and Maven with auto-import
# When using Gradle or Maven with auto-import, you should exclude module files,
# since they will be recreated, and may cause churn. Uncomment if using
# auto-import.
.idea/artifacts
.idea/compiler.xml
.idea/jarRepositories.xml
.idea/modules.xml
.idea/*.iml
.idea/modules
*.iml
*.ipr
# CMake
cmake-build-*/
# Mongo Explorer plugin
.idea/**/mongoSettings.xml
# File-based project format
*.iws
# IntelliJ
out/
# mpeltonen/sbt-idea plugin
.idea_modules/
# JIRA plugin
atlassian-ide-plugin.xml
# Cursive Clojure plugin
.idea/replstate.xml
# Crashlytics plugin (for Android Studio and IntelliJ)
com_crashlytics_export_strings.xml
crashlytics.properties
crashlytics-build.properties
fabric.properties
# Editor-based Rest Client
.idea/httpRequests
# Android studio 3.1+ serialized cache file
.idea/caches/build_file_checksums.ser
## IDE - JDeveloper
# default application storage directory used by the IDE Performance Cache feature
.data/
# used for ADF styles caching
temp/
# default output directories
classes/
deploy/
javadoc/
# lock file, a part of Oracle Credential Store Framework
cwallet.sso.lck
## IDE - Eclipse
.metadata
bin/
tmp/
*.tmp
*.bak
*.swp
*~.nib
local.properties
.settings/
.loadpath
.recommenders
# External tool builders
.externalToolBuilders/
# Locally stored "Eclipse launch configurations"
*.launch
# PyDev specific (Python IDE for Eclipse)
*.pydevproject
# CDT-specific (C/C++ Development Tooling)
.cproject
# CDT- autotools
.autotools
# Java annotation processor (APT)
.factorypath
# PDT-specific (PHP Development Tools)
.buildpath
# sbteclipse plugin
.target
# Tern plugin
.tern-project
# TeXlipse plugin
.texlipse
# STS (Spring Tool Suite)
.springBeans
# Code Recommenders
.recommenders/
# Annotation Processing
.apt_generated/
.apt_generated_test/
# Scala IDE specific (Scala & Java development for Eclipse)
.cache-main
.scala_dependencies
.worksheet
# Uncomment this line if you wish to ignore the project description file.
# Typically, this file would be tracked if it contains build/dependency configurations:
#.project
## IDE - Cloud9
# Cloud9 IDE - http://c9.io
.c9revisions
.c9
## MISC - backup
*.bak
*.gho
*.ori
*.orig
*.tmp
## MISC - Archives
# It's better to unpack these files and commit the raw source because
# git has its own built in compression methods.
*.7z
*.jar
*.rar
*.zip
*.gz
*.gzip
*.tgz
*.bzip
*.bzip2
*.bz2
*.xz
*.lzma
*.cab
*.xar
# Packing-only formats
*.iso
*.tar
# Package management formats
*.dmg
*.xpi
*.gem
*.egg
*.deb
*.rpm
*.msi
*.msm
*.msp
*.txz
\ No newline at end of file
include:
- project: 'datateam/ecdp-infra/aws/pipeline'
ref: master
file: '.tf_with_lint_template.yml'
variables:
TF_ROOT: ${CI_PROJECT_DIR}/
TF_STATE_NAME: test
\ No newline at end of file
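Review bot: The pipeline template is included from `datateam/ecdp-infra/aws/pipeline` at `ref: master`, so any change to that project's `.tf_with_lint_template.yml` takes effect in this pipeline immediately and without review here. Pin `ref` to a tag or commit SHA, e.g. `ref: <template-tag-or-sha>`, and bump it deliberately so template changes are auditable in this repository's history. The nesting under `include:` and `variables:` has been flattened in this rendering, so the indentation of `- project:`/`ref:`/`file:` and of `TF_ROOT`/`TF_STATE_NAME` cannot be checked from the page.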
export DATATEAM_GROUP_DEPLOY_TOKEN="$digit_d1_datateam_test_DATATEAM_GROUP_DEPLOY_TOKEN"
export AWS_SECRET_ACCESS_KEY="$digit_d1_datateam_test_AWS_SECRET_ACCESS_KEY"
export AWS_ACCESS_KEY_ID="$digit_d1_datateam_test_AWS_ACCESS_KEY_ID"
export AWS_DEFAULT_REGION="$AWS_DEFAULT_REGION"
\ No newline at end of file
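Review bot: Each export dereferences a CI variable with no check that it is set, so an unset or environment-scoped-away `digit_d1_datateam_test_*` variable silently exports an empty string and the job fails later with an opaque credential error far from the cause. Fail fast instead, one line per variable before its export, e.g. `: "${digit_d1_datateam_test_AWS_ACCESS_KEY_ID:?not set}"` (or `set -u` at the top of the file if it is sourced under that option). `export AWS_DEFAULT_REGION="$AWS_DEFAULT_REGION"` re-exports a variable to itself, which only does anything if it was a plain shell variable; name the intended source variable or drop the line. The values are references rather than literal secrets, which is right; longer term, static access keys injected this way are long-lived credentials, and a short-lived role assumed by the CI job would limit the impact of a leaked runner variable.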
formatter: markdown table
header-from: main.tf
sections:
hide:
show-all: true
output-values:
enabled: false
from: ""
sort:
enabled: true
by:
- required
settings:
color: true
escape: true
indent: 3
required: false
sensitive: true
\ No newline at end of file
MIT License
Copyright © 2021, Mark Antony Lisle - EC Datateam
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
\ No newline at end of file
terraform {
backend "local" {
}
}
\ No newline at end of file
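Review bot: `backend "local"` keeps the state file on the machine that runs `terraform`, and for this module that state will contain the cluster master password in plaintext (both the `random_password.master_password` result and `var.password` flow into `master_password` in main.tf), with no locking and no encryption beyond whatever the host provides. `TF_STATE_NAME: test` in the CI file suggests the included pipeline template is meant to use GitLab-managed (http) state; if so, this block should declare the matching backend type, because the template's `-backend-config` values would not apply to a local backend. If local state is intentional for a scratch environment, say so here, e.g. `# local state: test-only, no locking; state holds the DB master password in plaintext`.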
locals {
port = var.port == "" ? (var.engine == "aurora-postgresql" ? 5432 : 3306) : var.port
db_subnet_group_name = var.db_subnet_group_name == "" ? join("", aws_db_subnet_group.this.*.name) : var.db_subnet_group_name
master_password = var.create_cluster && var.create_random_password && var.is_primary_cluster ? random_password.master_password[0].result : var.password
backtrack_window = (var.engine == "aurora-mysql" || var.engine == "aurora") && var.engine_mode != "serverless" ? var.backtrack_window : 0
rds_enhanced_monitoring_arn = var.create_monitoring_role ? join("", aws_iam_role.rds_enhanced_monitoring.*.arn) : var.monitoring_role_arn
rds_security_group_id = join("", aws_security_group.this.*.id)
# TODO - remove coalesce() at next breaking change - adding existing name as fallback to maintain backwards compatibility
iam_role_name = var.iam_role_use_name_prefix ? null : coalesce(var.iam_role_name, "rds-enhanced-monitoring-${var.name}")
iam_role_name_prefix = var.iam_role_use_name_prefix ? "${var.iam_role_name}-" : null
name = "aurora-${var.name}"
}
# Ref. https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces
data "aws_partition" "current" {}
# Random string to use as master password
resource "random_password" "master_password" {
count = var.create_cluster && var.create_random_password ? 1 : 0
length = 10
special = false
}
resource "random_id" "snapshot_identifier" {
count = var.create_cluster ? 1 : 0
keepers = {
id = var.name
}
byte_length = 4
}
resource "aws_db_subnet_group" "this" {
count = var.create_cluster && var.db_subnet_group_name == "" ? 1 : 0
name = var.name
description = "For Aurora cluster ${var.name}"
subnet_ids = var.subnets
tags = merge(var.tags, {
Name = local.name
})
}
resource "aws_rds_cluster" "this" {
count = var.create_cluster ? 1 : 0
global_cluster_identifier = var.global_cluster_identifier
cluster_identifier = var.name
replication_source_identifier = var.replication_source_identifier
source_region = var.source_region
engine = var.engine
engine_mode = var.engine_mode
engine_version = var.engine_mode == "serverless" ? null : var.engine_version
allow_major_version_upgrade = var.allow_major_version_upgrade
enable_http_endpoint = var.enable_http_endpoint
kms_key_id = var.kms_key_id
database_name = var.database_name
master_username = var.username
master_password = local.master_password
final_snapshot_identifier = "${var.final_snapshot_identifier_prefix}-${var.name}-${element(concat(random_id.snapshot_identifier.*.hex, [""]), 0)}"
skip_final_snapshot = var.skip_final_snapshot
deletion_protection = var.deletion_protection
backup_retention_period = var.backup_retention_period
preferred_backup_window = var.engine_mode == "serverless" ? null : var.preferred_backup_window
preferred_maintenance_window = var.engine_mode == "serverless" ? null : var.preferred_maintenance_window
port = local.port
db_subnet_group_name = local.db_subnet_group_name
vpc_security_group_ids = compact(concat(aws_security_group.this.*.id, var.vpc_security_group_ids))
snapshot_identifier = var.snapshot_identifier
storage_encrypted = var.storage_encrypted
apply_immediately = var.apply_immediately
db_cluster_parameter_group_name = var.db_cluster_parameter_group_name
iam_database_authentication_enabled = var.iam_database_authentication_enabled
backtrack_window = local.backtrack_window
copy_tags_to_snapshot = var.copy_tags_to_snapshot
iam_roles = var.iam_roles
enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
dynamic "scaling_configuration" {
for_each = length(keys(var.scaling_configuration)) == 0 ? [] : [var.scaling_configuration]
content {
auto_pause = lookup(scaling_configuration.value, "auto_pause", null)
max_capacity = lookup(scaling_configuration.value, "max_capacity", null)
min_capacity = lookup(scaling_configuration.value, "min_capacity", null)
seconds_until_auto_pause = lookup(scaling_configuration.value, "seconds_until_auto_pause", null)
timeout_action = lookup(scaling_configuration.value, "timeout_action", null)
}
}
dynamic "s3_import" {
for_each = var.s3_import != null ? [var.s3_import] : []
content {
source_engine = "mysql"
source_engine_version = s3_import.value.source_engine_version
bucket_name = s3_import.value.bucket_name
bucket_prefix = lookup(s3_import.value, "bucket_prefix", null)
ingestion_role = s3_import.value.ingestion_role
}
}
tags = merge(var.tags, var.cluster_tags)
}
resource "aws_rds_cluster_instance" "this" {
count = var.create_cluster ? (var.replica_scale_enabled ? var.replica_scale_min : var.replica_count) : 0
identifier = try(lookup(var.instances_parameters[count.index], "instance_name"), "${var.name}-${count.index + 1}")
cluster_identifier = element(concat(aws_rds_cluster.this.*.id, [""]), 0)
engine = var.engine
engine_version = var.engine_version
instance_class = try(lookup(var.instances_parameters[count.index], "instance_type"), count.index > 0 ? coalesce(var.instance_type_replica, var.instance_type) : var.instance_type)
publicly_accessible = try(lookup(var.instances_parameters[count.index], "publicly_accessible"), var.publicly_accessible)
db_subnet_group_name = local.db_subnet_group_name
db_parameter_group_name = var.db_parameter_group_name
preferred_maintenance_window = var.preferred_maintenance_window
apply_immediately = var.apply_immediately
monitoring_role_arn = local.rds_enhanced_monitoring_arn
monitoring_interval = var.monitoring_interval
auto_minor_version_upgrade = var.auto_minor_version_upgrade
promotion_tier = try(lookup(var.instances_parameters[count.index], "instance_promotion_tier"), count.index + 1)
performance_insights_enabled = var.performance_insights_enabled
performance_insights_kms_key_id = var.performance_insights_kms_key_id
ca_cert_identifier = var.ca_cert_identifier
# Updating engine version forces replacement of instances, and they shouldn't be replaced
# because cluster will update them if engine version is changed
lifecycle {
ignore_changes = [
engine_version
]
}
tags = var.tags
}
################################################################################
# Enhanced Monitoring
################################################################################
data "aws_iam_policy_document" "monitoring_rds_assume_role" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["monitoring.rds.amazonaws.com"]
}
}
}
resource "aws_iam_role" "rds_enhanced_monitoring" {
count = var.create_cluster && var.create_monitoring_role && var.monitoring_interval > 0 ? 1 : 0
name = local.iam_role_name
name_prefix = local.iam_role_name_prefix
description = var.iam_role_description
path = var.iam_role_path
assume_role_policy = data.aws_iam_policy_document.monitoring_rds_assume_role.json
managed_policy_arns = var.iam_role_managed_policy_arns
permissions_boundary = var.iam_role_permissions_boundary
force_detach_policies = var.iam_role_force_detach_policies
max_session_duration = var.iam_role_max_session_duration
tags = merge(var.tags, {
Name = local.name
})
}
resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" {
count = var.create_cluster && var.create_monitoring_role && var.monitoring_interval > 0 ? 1 : 0
role = aws_iam_role.rds_enhanced_monitoring[0].name
policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}
################################################################################
# Autoscaling
################################################################################
resource "aws_appautoscaling_target" "read_replica_count" {