From a88fe8fd8a23e65fb04ebd4990de15b95e950860 Mon Sep 17 00:00:00 2001 From: Unknown Date: Thu, 25 Jul 2019 14:20:51 +0200 Subject: [PATCH 01/12] updating data sources to shared vpcs --- apps/api_gateway_resource/main.tf | 9 --------- apps/cloudwatch_lambda/main.tf | 11 ----------- .../main.tf | 7 ++++--- apps/lambda_function_vpc/main.tf | 3 ++- data_providers/shared-vpc-data/data.tf | 6 ++++++ data_providers/shared-vpc-data/outputs.tf | 15 +++++++++++++++ 6 files changed, 27 insertions(+), 24 deletions(-) diff --git a/apps/api_gateway_resource/main.tf b/apps/api_gateway_resource/main.tf index c568ad90..e69de29b 100644 --- a/apps/api_gateway_resource/main.tf +++ b/apps/api_gateway_resource/main.tf @@ -1,9 +0,0 @@ -provider "aws" { -} - -module "aws_core_data" { - source = "../../data_providers/aws_account_core_data" - providers = { - aws = "aws" - } -} diff --git a/apps/cloudwatch_lambda/main.tf b/apps/cloudwatch_lambda/main.tf index f1e68a56..e69de29b 100644 --- a/apps/cloudwatch_lambda/main.tf +++ b/apps/cloudwatch_lambda/main.tf @@ -1,11 +0,0 @@ -provider "aws" { -} - - -module "aws_core_data" { - //source = "git@github.com:albumprinter/eops_tf_modules.git//data_providers/aws_account_core_data" - source = "../../data_providers/aws_account_core_data" - providers = { - aws = "aws" - } -} \ No newline at end of file diff --git a/apps/lambda_function_api_gateway_all_methods_passthrough/main.tf b/apps/lambda_function_api_gateway_all_methods_passthrough/main.tf index 16a6a3eb..fa39af91 100644 --- a/apps/lambda_function_api_gateway_all_methods_passthrough/main.tf +++ b/apps/lambda_function_api_gateway_all_methods_passthrough/main.tf 
@@ -3,8 +3,9 @@ provider "aws" { module "aws_core_data" { //source = "git@github.com:albumprinter/eops_tf_modules.git//data_providers/aws_account_core_data" - source = "../../data_providers/aws_account_core_data" + source = "../../data_providers/shared-vpc-data" + account_type = "${var.account_type}" providers = { - aws = "aws" + aws = "aws" } -} \ No newline at end of file +} diff --git a/apps/lambda_function_vpc/main.tf b/apps/lambda_function_vpc/main.tf index fc27f6a2..1b52cca4 100644 --- a/apps/lambda_function_vpc/main.tf +++ b/apps/lambda_function_vpc/main.tf @@ -3,7 +3,8 @@ provider "aws" { module "aws_core_data" { //source = "git@github.com:albumprinter/eops_tf_modules.git//data_providers/aws_account_core_data" - source = "../../data_providers/aws_account_core_data" + source = "../../data_providers/shared-vpc-data" + account_type = "${var.account_type}" providers = { aws = "aws" } diff --git a/data_providers/shared-vpc-data/data.tf b/data_providers/shared-vpc-data/data.tf index 6c3193d2..0f92feb8 100644 --- a/data_providers/shared-vpc-data/data.tf +++ b/data_providers/shared-vpc-data/data.tf @@ -33,3 +33,9 @@ data "aws_subnet" "private" { count = "${length(data.aws_subnet_ids.private.ids)}" id = "${data.aws_subnet_ids.private.ids[count.index]}" } +data "aws_caller_identity" "current" {} +data "aws_availability_zones" "available" {} + +data "aws_vpc_endpoint_service" "s3" { + service = "s3" +} diff --git a/data_providers/shared-vpc-data/outputs.tf b/data_providers/shared-vpc-data/outputs.tf index 12d36326..5ef2cfe1 100644 --- a/data_providers/shared-vpc-data/outputs.tf +++ b/data_providers/shared-vpc-data/outputs.tf 
@@ -13,3 +13,18 @@ output "public_subnet_ids" { output "private_subnet_ids" { value = ["${data.aws_subnet_ids.private.ids}"] } +output "account_id" { + value = "${data.aws_caller_identity.current.account_id}" +} + +output "availability_zones" { + value = "${data.aws_availability_zones.available.names}" +} + +output "public_subnets" { + value = "${data.aws_subnet_ids.public.ids}" +} + +output "private_subnets" { + value = "${data.aws_subnet_ids.private.ids}" +} From 01a652f90704b3c2643c45a43c39156badb8f310 Mon Sep 17 00:00:00 2001 From: Jeroen de Vroede Date: Thu, 25 Jul 2019 14:34:25 +0200 Subject: [PATCH 02/12] removing provider from module --- .../main.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/apps/lambda_function_api_gateway_all_methods_passthrough/main.tf b/apps/lambda_function_api_gateway_all_methods_passthrough/main.tf index fa39af91..6686b8cb 100644 --- a/apps/lambda_function_api_gateway_all_methods_passthrough/main.tf +++ b/apps/lambda_function_api_gateway_all_methods_passthrough/main.tf @@ -1,6 +1,3 @@ -provider "aws" { -} - module "aws_core_data" { //source = "git@github.com:albumprinter/eops_tf_modules.git//data_providers/aws_account_core_data" source = "../../data_providers/shared-vpc-data" From 9688104fedd86deb58341402ad44bc7ab3c2d34a Mon Sep 17 00:00:00 2001 From: Jeroen de Vroede Date: Thu, 25 Jul 2019 15:48:22 +0200 Subject: [PATCH 03/12] restoring provisioners and removing unused data source mmodule references --- apps/api_gateway_resource/main.tf | 1 + apps/cloudwatch_lambda/main.tf | 1 + .../main.tf | 3 +++ apps/sns_topic/main.tf | 11 +---------- apps/sqs_consume_sns/main.tf | 11 +---------- 5 files changed, 7 insertions(+), 20 deletions(-) diff --git a/apps/api_gateway_resource/main.tf b/apps/api_gateway_resource/main.tf index e69de29b..b21d3b6a 100644 --- a/apps/api_gateway_resource/main.tf +++ b/apps/api_gateway_resource/main.tf @@ -0,0 +1 @@ +provider "aws" {} 
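Review bot: The new `public_subnets` and `private_subnets` outputs expose the same `data.aws_subnet_ids.*.ids` values as the existing `public_subnet_ids` / `private_subnet_ids` outputs a few lines above, only without the list wrapper, so consumers now have two names for one value and no guidance on which is canonical. Either drop the duplicates or give each a `description`, e.g. `description = "Same list as private_subnet_ids; unwrapped form for callers that split/join it"` — in 0.11 both forms should flatten to the same list, but that is inferred from the interpolation rules rather than shown here. The `data.aws_vpc_endpoint_service.s3` source added in the data.tf hunk has no output in this file, so unless something else in the module references it, it is dead and should be removed or exported (e.g. `output "s3_endpoint_service_name"`). Note that `account_id` comes from `aws_caller_identity`, i.e. the credentials the provider runs with, not from the `account_type` variable callers now pass to this module; worth a one-line comment so nobody assumes the two are tied together.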
diff --git a/apps/cloudwatch_lambda/main.tf b/apps/cloudwatch_lambda/main.tf index e69de29b..b21d3b6a 100644 --- a/apps/cloudwatch_lambda/main.tf +++ b/apps/cloudwatch_lambda/main.tf @@ -0,0 +1 @@ +provider "aws" {} diff --git a/apps/lambda_function_api_gateway_all_methods_passthrough/main.tf b/apps/lambda_function_api_gateway_all_methods_passthrough/main.tf index 6686b8cb..1704a243 100644 --- a/apps/lambda_function_api_gateway_all_methods_passthrough/main.tf +++ b/apps/lambda_function_api_gateway_all_methods_passthrough/main.tf @@ -1,3 +1,6 @@ +provider "aws" {} + + module "aws_core_data" { //source = "git@github.com:albumprinter/eops_tf_modules.git//data_providers/aws_account_core_data" source = "../../data_providers/shared-vpc-data" diff --git a/apps/sns_topic/main.tf b/apps/sns_topic/main.tf index 916861e9..b21d3b6a 100644 --- a/apps/sns_topic/main.tf +++ b/apps/sns_topic/main.tf @@ -1,10 +1 @@ -provider "aws" { -} - -module "aws_core_data" { - //source = "git@github.com:albumprinter/eops_tf_modules.git//data_providers/aws_account_core_data" - source = "../../data_providers/aws_account_core_data" - providers = { - aws = "aws" - } -} \ No newline at end of file +provider "aws" {} diff --git a/apps/sqs_consume_sns/main.tf b/apps/sqs_consume_sns/main.tf index cf9246ea..b21d3b6a 100644 --- a/apps/sqs_consume_sns/main.tf +++ b/apps/sqs_consume_sns/main.tf @@ -1,10 +1 @@ -provider "aws" { -} - -module "aws_core_data" { - //source = "git@github.com:albumprinter/eops_tf_modules.git//data_providers/aws_account_core_data" - source = "../../data_providers/aws_account_core_data" - providers = { - aws = "aws" - } -} \ No newline at end of file +provider "aws" {} From 162e9a48e558b3613d84ebad127668a9339d91cd Mon Sep 17 00:00:00 2001 
From: Jeroen de Vroede Date: Thu, 25 Jul 2019 16:26:47 +0200 Subject: [PATCH 04/12] updating all vpc references --- apps/cloudwatch_lambda_schedule/main.tf | 11 +- apps/cluster/main.tf | 17 +-- apps/cluster/variables.tf | 20 ++- apps/ec2/main.tf | 16 +- apps/ec2/variables.tf | 10 +- apps/ec2_standalone/main.tf | 13 +- apps/elasticache_redis/main.tf | 11 +- apps/lambda_function/cloudwatch.tf | 31 ++-- apps/lambda_function/main.tf | 11 +- .../api_gateway_resource.tf | 29 ++-- .../cloudwatch.tf | 29 ++-- .../main.tf | 2 - .../variables.tf | 10 +- .../api_gateway_resource.tf | 29 ++-- .../cloudwatch.tf | 31 ++-- .../main.tf | 11 +- .../variables.tf | 18 +-- .../api_gateway_resource.tf | 29 ++-- .../main.tf | 11 +- .../variables.tf | 20 ++- .../api_gateway_resource.tf | 29 ++-- .../cloudwatch.tf | 31 ++-- .../main.tf | 11 +- .../variables.tf | 10 +- apps/lambda_function_event_pattern/main.tf | 9 +- apps/lambda_function_scheduled/main.tf | 11 +- .../cloudwatch.tf | 30 ++-- apps/lambda_function_scheduled_vpc/lambda.tf | 26 ++-- apps/lambda_function_scheduled_vpc/main.tf | 11 +- .../variables.tf | 5 +- apps/lambda_function_sns/cloudwatch.tf | 29 ++-- apps/lambda_function_sns/lambda.tf | 26 ++-- apps/lambda_function_sns/locals.tf | 2 +- apps/lambda_function_sns/main.tf | 13 +- apps/lambda_function_sns/sns.tf | 26 ++-- apps/lambda_function_sns/sqs.tf | 4 +- apps/lambda_function_sns/variables.tf | 6 +- apps/lambda_function_sns_no_vpc/cloudwatch.tf | 31 ++-- apps/lambda_function_sns_no_vpc/lambda.tf | 24 +-- apps/lambda_function_sns_no_vpc/locals.tf | 2 +- apps/lambda_function_sns_no_vpc/main.tf | 11 +- apps/lambda_function_sns_no_vpc/sns.tf | 26 ++-- apps/lambda_function_sns_no_vpc/sqs.tf | 4 +- apps/lambda_function_sns_no_vpc/variables.tf | 12 +- apps/lambda_function_sqs_no_vpc/cloudwatch.tf | 123 ++++++++-------- apps/lambda_function_sqs_no_vpc/lambda.tf | 30 ++-- apps/lambda_function_sqs_no_vpc/main.tf | 11 +- apps/lambda_function_sqs_no_vpc/variables.tf | 12 +- 
apps/lambda_function_sqs_vpc/cloudwatch.tf | 123 ++++++++-------- apps/lambda_function_sqs_vpc/lambda.tf | 34 ++--- apps/lambda_function_sqs_vpc/main.tf | 9 +- apps/lambda_function_sqs_vpc/sqs.tf | 30 ++-- apps/lambda_function_sqs_vpc/variables.tf | 12 +- apps/lambda_function_vpc/cloudwatch.tf | 27 ++-- apps/lambda_function_vpc/lambda.tf | 40 ++--- apps/lambda_function_vpc/main.tf | 4 +- apps/lambda_function_vpc/variables.tf | 20 ++- apps/rds_cluster/main.tf | 5 +- apps/rds_cluster/rds.tf | 112 +++++++------- apps/rds_cluster/variables.tf | 28 ++-- apps/rds_mysql/main.tf | 4 +- apps/rds_mysql/variables.tf | 20 ++- apps/sample_loadbalanced_application/main.tf | 4 +- .../variables.tf | 2 + apps/sns_topic/sns-topic.tf | 2 +- apps/sns_topic_subscription/main.tf | 11 +- apps/sns_topic_subscription/variables.tf | 6 +- apps/sqs_consume_sns/cloudwatch.tf | 138 +++++++++--------- apps/sqs_consume_sns/sns.tf | 6 +- apps/sqs_consume_sns/sqs.tf | 24 +-- apps/sqs_consume_sns/variables.tf | 4 +- apps/sqs_queue/cloudwatch.tf | 138 +++++++++--------- apps/sqs_queue/locals.tf | 2 +- apps/sqs_queue/main.tf | 10 +- apps/sqs_queue/sqs.tf | 24 +-- apps/vpc_peering/README.md | 1 + apps/vpc_peering/main.tf | 21 +-- 77 files changed, 819 insertions(+), 966 deletions(-) diff --git a/apps/cloudwatch_lambda_schedule/main.tf b/apps/cloudwatch_lambda_schedule/main.tf index 7c6fd567..05821dd8 100644 --- a/apps/cloudwatch_lambda_schedule/main.tf +++ b/apps/cloudwatch_lambda_schedule/main.tf @@ -1,11 +1,2 @@ -providers = { - aws = "aws" - } +provider "aws" {} -module "aws_core_data" { - //source = "git@github.com:albumprinter/eops_tf_modules.git//data_providers/aws_account_core_data" - source = "../../data_providers/aws_account_core_data" - providers = { - aws = "aws" - } -} diff --git a/apps/cluster/main.tf b/apps/cluster/main.tf index fa7977c0..0ba4da65 100644 --- a/apps/cluster/main.tf +++ b/apps/cluster/main.tf 
@@ -1,16 +1,9 @@ -provider "aws" { -} +provider "aws" {} module "aws_core_data" { -// source = "git@github.com:albumprinter/eops_tf_modules.git//data_providers/aws_account_core_data" - source = "../../data_providers/aws_account_core_data" + source = "../../data_providers/shared-vpc-data" + account_type = "${var.account_type}" providers = { - aws = "aws" - } + aws = "aws" + } } - -// For local development use instead: -//module "aws_core_data" { -// source = "../../data_providers/aws_account_core_data" -//} - diff --git a/apps/cluster/variables.tf b/apps/cluster/variables.tf index 8b1a1cef..45386935 100644 --- a/apps/cluster/variables.tf +++ b/apps/cluster/variables.tf @@ -1,9 +1,7 @@ variable "region" { default = "eu-west-1" } -variable "account_type" { - default = "sandbox" -} +variable "account_type" {} variable "tags_business_unit" { default = "Albumprinter" } @@ -33,7 +31,7 @@ variable "private" { variable "response_template" { type = "map" - default ={ + default = { "application/json" = "" } } @@ -42,7 +40,7 @@ variable "instance_count" { default = 1 } variable "iam_policy_document" { - default =<USAGE: Module will peer the "Main" VPC from the source account with the target "Main" VPC. +This module will not work with the Shared VPCs

Required Parameters:

These must be set in your call to this module: diff --git a/apps/vpc_peering/main.tf b/apps/vpc_peering/main.tf index 7e29a4fd..f8b71d4e 100644 --- a/apps/vpc_peering/main.tf +++ b/apps/vpc_peering/main.tf @@ -1,27 +1,14 @@ # Data sources module "local_data" { - //source = "git@github.com:albumprinter/eops_tf_modules.git//data_providers/local-get-data" source = "../../data_providers/local-get-data" # See repo for possible outputs } -//data "aws_caller_identity" "current" {} - -//data "terraform_remote_state" "terraform-ap" { -// backend = "s3" -// -// config { -// bucket = "${var.tf-remote-state-bucket-name}" -// key = "${data.aws_caller_identity.current.account_id}/vpcPeering_DB-ecom1/terraform.tfstate" -// region = "eu-west-1" -// acl = "bucket-owner-full-control" -// } -//} provider "aws" { - region = "eu-west-1" - alias = "source_provider" + region = "eu-west-1" + alias = "source_provider" version = "~> 0.1" assume_role { role_arn = "arn:aws:iam::${var.peer_source_account_id}:role/main_provisioner" @@ -40,8 +27,8 @@ data "aws_caller_identity" "source_account" { } provider "aws" { - region = "eu-west-1" - alias = "target_provider" + region = "eu-west-1" + alias = "target_provider" version = "~> 0.1" assume_role { role_arn = "arn:aws:iam::${var.peer_target_account_id}:role/main_provisioner" From f18c0c319c4cd7db05a4c74aa5e2182bb9e4d082 Mon Sep 17 00:00:00 2001 From: Jeroen de Vroede Date: Thu, 25 Jul 2019 16:27:21 +0200 Subject: [PATCH 05/12] updating data source to shared vpc --- apps/rds_cluster/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/rds_cluster/main.tf b/apps/rds_cluster/main.tf index 0ba4da65..3ccb5090 100644 --- a/apps/rds_cluster/main.tf +++ b/apps/rds_cluster/main.tf @@ -1,5 +1,6 @@ provider "aws" {} + module "aws_core_data" { source = "../../data_providers/shared-vpc-data" account_type = "${var.account_type}" From 7eaabd2f4151b7d69845d0a446486493b92597a2 Mon Sep 17 00:00:00 2001 
From: Unknown Date: Wed, 14 Aug 2019 13:56:27 +0200 Subject: [PATCH 06/12] Add data source for shared vpc --- apps/elasticache_redis/main.tf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/apps/elasticache_redis/main.tf b/apps/elasticache_redis/main.tf index b21d3b6a..0ba4da65 100644 --- a/apps/elasticache_redis/main.tf +++ b/apps/elasticache_redis/main.tf @@ -1 +1,9 @@ provider "aws" {} + +module "aws_core_data" { + source = "../../data_providers/shared-vpc-data" + account_type = "${var.account_type}" + providers = { + aws = "aws" + } +} From 0bcb627cc46f44cc3e742d825f7a603fb482e449 Mon Sep 17 00:00:00 2001 From: Unknown Date: Fri, 16 Aug 2019 13:02:03 +0200 Subject: [PATCH 07/12] Move sg rules outside of sg, so additional rules can be added. --- apps/elasticache_redis/redis.tf | 42 +++++++++------- apps/elasticache_redis/variables.tf | 10 ++-- apps/rds_mysql/outputs.tf | 2 +- apps/rds_mysql/rds.tf | 78 ++++++++++++++++------------- apps/rds_mysql/variables.tf | 4 ++ 5 files changed, 79 insertions(+), 57 deletions(-) diff --git a/apps/elasticache_redis/redis.tf b/apps/elasticache_redis/redis.tf index fac2950b..4d0068d3 100644 --- a/apps/elasticache_redis/redis.tf +++ b/apps/elasticache_redis/redis.tf @@ -2,23 +2,10 @@ # Security group resources # resource "aws_security_group" "redis" { - vpc_id = "${module.aws_core_data.vpc_id}" + vpc_id = "${module.aws_core_data.vpc_id}" description = "Allow all inbound traffic for the scheduled lambda function" - ingress { - from_port = 6379 - to_port = 6379 - protocol = "tcp" - cidr_blocks = ["192.168.0.0/16"] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - tags { + tags = { Domain = "${var.tags_domain}" Name = "${var.app_name}" "Business Unit" = "${var.tags_business_unit}" 
@@ -30,8 +17,29 @@ resource "aws_security_group" "redis" { } } +resource "aws_security_group_rule" "redis_ingress" { + type = "ingress" + security_group_id = "${aws_security_group.redis.id}" + description = "Allow access to Redis" + from_port = 6379 + to_port = 6379 + protocol = "tcp" + cidr_blocks = ["${var.redis_cidr}"] +} +resource "aws_security_group_rule" "redis_egress" { + security_group_id = "${aws_security_group.redis.id}" + description = "Allow all outgoing" + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] +} + + + resource "aws_elasticache_subnet_group" "redis" { - name = "${var.app_name}" + name = "${var.app_name}" subnet_ids = ["${split(",", join(",", module.aws_core_data.private_subnets))}"] } @@ -52,7 +60,7 @@ resource "aws_elasticache_replication_group" "redis" { notification_topic_arn = "${var.notification_topic_arn}" port = 6379 - tags { + tags = { Domain = "${var.tags_domain}" Name = "${var.app_name}" "Business Unit" = "${var.tags_business_unit}" diff --git a/apps/elasticache_redis/variables.tf b/apps/elasticache_redis/variables.tf index 1e86c1ba..0f634cca 100644 --- a/apps/elasticache_redis/variables.tf +++ b/apps/elasticache_redis/variables.tf @@ -7,6 +7,10 @@ variable "account_type" { variable "tags_business_unit" { default = "Albumprinter" } +variable "redis_cidr" { + description = "cidr range that has access to Redis. By default all the shared VPC ranges" + default = "10.96.0.0/12" +} variable "tags_cost_center" {} variable "tags_team" {} variable "tags_domain" {} @@ -30,8 +34,8 @@ variable "costcenter" { variable "cache_identifier" {} variable "parameter_group" { - description= "For cluster mode override with: default.redis3.2.cluster.on" - default = "default.redis3.2" + description = "For cluster mode override with: default.redis3.2.cluster.on" + default = "default.redis3.2" } variable "maintenance_window" {} 
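Review bot: `redis_ingress` grants 6379 to `["${var.redis_cidr}"]`, and `redis_cidr` is declared in the variables hunk as a plain string with default `10.96.0.0/12`, so a caller can only ever allow a single range and the default admits every address in the shared VPC space rather than the specific consumers of this cache. Declaring it as a list, `type = "list"` / `default = ["10.96.0.0/12"]`, keeps the same default while letting callers narrow to the subnets they need, and a `source_security_group_id` variant keyed on the application's group would be tighter still — I cannot see the callers, so the exact form is a judgement call. `redis_egress` opens all protocols to `0.0.0.0/0`; an ElastiCache node has no obvious need to reach the internet, so consider dropping the rule or limiting it to the VPC CIDR. The group's `description` in the preceding hunk still reads "Allow all inbound traffic for the scheduled lambda function", which looks like a copy-paste from another module and will mislead anyone auditing the group in the console — `description = "ElastiCache Redis access for ${var.app_name}"` would do.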
@@ -65,4 +69,4 @@ variable "alarm_memory_threshold" { variable "alarm_actions" { type = "list" -} \ No newline at end of file +} diff --git a/apps/rds_mysql/outputs.tf b/apps/rds_mysql/outputs.tf index 671bad09..0a7af185 100644 --- a/apps/rds_mysql/outputs.tf +++ b/apps/rds_mysql/outputs.tf @@ -16,5 +16,5 @@ output "db_admin_username" { output "db_admin_password" { sensitive = true - value = "${aws_db_instance.database.password}" + value = "${aws_db_instance.database.password}" } \ No newline at end of file diff --git a/apps/rds_mysql/rds.tf b/apps/rds_mysql/rds.tf index 2139931a..4d90114c 100644 --- a/apps/rds_mysql/rds.tf +++ b/apps/rds_mysql/rds.tf @@ -1,22 +1,8 @@ resource "aws_security_group" "database" { - name = "${var.environment}-${var.app_name}" + name = "${var.environment}-${var.app_name}" description = "RDS database security group" - ingress { - from_port = 3306 - to_port = 3306 - protocol = "tcp" - cidr_blocks = ["192.168.0.0/16", "77.60.83.148/32"] - } - - egress { - from_port = 0 - to_port = 65535 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - - tags { + tags = { Domain = "${var.tags_domain}" Name = "${var.app_name}" "Business Unit" = "${var.tags_business_unit}" 
@@ -30,36 +16,56 @@ resource "aws_security_group" "database" { vpc_id = "${module.aws_core_data.vpc_id}" } +resource "aws_security_group_rule" "db_ingress" { + type = "ingress" + security_group_id = "${aws_security_group.database.id}" + description = "Allow access to the database" + from_port = 3306 + to_port = 3306 + protocol = "tcp" + cidr_blocks = ["${var.db_cidr}"] +} +resource "aws_security_group_rule" "db_egress" { + security_group_id = "${aws_security_group.database.id}" + description = "Allow all outgoing" + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] +} + + resource "aws_db_subnet_group" "database" { - name = "${var.environment}-${var.app_name}" + name = "${var.environment}-${var.app_name}" description = "RDS subnet group" - subnet_ids = ["${split( ",", join(",", module.aws_core_data.private_subnets))}"] + subnet_ids = ["${split(",", join(",", module.aws_core_data.private_subnets))}"] } resource "aws_db_instance" "database" { name = "${var.app_name}" -// depends_on = ["aws_db_subnet_group.database", "aws_security_group.database"] - identifier = "${var.environment}-${var.app_name}" - allocated_storage = "${var.db_storage_size}" - engine = "mysql" - engine_version = "${var.db_engine_version}" - instance_class = "${var.db_instance_size}" - username = "${var.db_admin_username}" - password = "${var.db_admin_password}" - db_subnet_group_name = "${aws_db_subnet_group.database.name}" - parameter_group_name = "${var.db_parameter_group}" + // depends_on = ["aws_db_subnet_group.database", "aws_security_group.database"] + identifier = "${var.environment}-${var.app_name}" + allocated_storage = "${var.db_storage_size}" + engine = "mysql" + engine_version = "${var.db_engine_version}" + instance_class = "${var.db_instance_size}" + username = "${var.db_admin_username}" + password = "${var.db_admin_password}" + db_subnet_group_name = "${aws_db_subnet_group.database.name}" + parameter_group_name = "${var.db_parameter_group}" 
final_snapshot_identifier = "${var.environment}-${var.app_name}" - backup_retention_period = "${var.db_backup_retention_period}" - backup_window = "${var.db_backup_window}" - maintenance_window = "${var.db_maintenance_window}" - multi_az = "${var.db_multi_az}" - vpc_security_group_ids = ["${aws_security_group.database.id}"] - publicly_accessible = false + backup_retention_period = "${var.db_backup_retention_period}" + backup_window = "${var.db_backup_window}" + maintenance_window = "${var.db_maintenance_window}" + multi_az = "${var.db_multi_az}" + vpc_security_group_ids = ["${aws_security_group.database.id}"] + publicly_accessible = false lifecycle { prevent_destroy = true } - tags { + tags = { Domain = "${var.tags_domain}" Name = "${var.app_name}" "Business Unit" = "${var.tags_business_unit}" @@ -69,4 +75,4 @@ resource "aws_db_instance" "database" { Description = "${var.description}" Environment = "${var.environment}" } -} \ No newline at end of file +} diff --git a/apps/rds_mysql/variables.tf b/apps/rds_mysql/variables.tf index b675a74a..5e839a73 100644 --- a/apps/rds_mysql/variables.tf +++ b/apps/rds_mysql/variables.tf @@ -19,6 +19,10 @@ variable "app_name" { description = "A value to append to the RDS identifer to create a unique name" default = "rds-database" } +variable "db_cidr" { + description = "cidr range that has access to the database. By default all the shared VPC ranges" + default = "10.96.0.0/12" +} variable "enabled" { default = 1 From 31faef7558031e9798eb67c81136894272a07459 Mon Sep 17 00:00:00 2001 From: Unknown Date: Fri, 16 Aug 2019 13:13:28 +0200 Subject: [PATCH 08/12] Adhere to Markdown standard --- apps/elasticache_redis/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/elasticache_redis/README.md b/apps/elasticache_redis/README.md index b834e452..a8d11956 100644 --- a/apps/elasticache_redis/README.md +++ b/apps/elasticache_redis/README.md 
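Review bot: `db_egress` widens the database group's outbound rule from `tcp` ports 0–65535 to `protocol = "-1"` on `0.0.0.0/0`, which the commit message ("move sg rules outside of sg") does not call out; an RDS instance with `publicly_accessible = false` has no obvious need for unrestricted outbound, so either keep the previous `protocol = "tcp"` form or drop the egress rule altogether. As in the Redis module, `db_ingress` takes a single-string `db_cidr` whose `10.96.0.0/12` default admits the whole shared VPC range on 3306 — a `type = "list"` variable, or a `source_security_group_id` pointing at the application's group, would be a real least-privilege gain now that the rule is its own resource. Removing the hard-coded public `77.60.83.148/32` from the old inline ingress is the right call and deserves a line in the commit message, since it is a behavioural change for anyone who relied on it. The `aws_db_instance` block this hunk ends in continues past the visible lines.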
@@ -1,4 +1,5 @@ # Description + An example terraform module to build simple application as aws lambda function triggered by cloudwatch event scheduleder. ## Code Example @@ -26,4 +27,4 @@ module "cache" { project = "Unknown" environment = "Unknown" } -``` \ No newline at end of file +``` From 743da4a17c79a7ebe8cf98676d61ec9826d36e09 Mon Sep 17 00:00:00 2001 From: Stig Woxholt Date: Wed, 21 Aug 2019 09:53:51 +0200 Subject: [PATCH 09/12] Activated copy of tags from resource to snapshot --- apps/rds_mysql/rds.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/apps/rds_mysql/rds.tf b/apps/rds_mysql/rds.tf index 4d90114c..83b1f5f3 100644 --- a/apps/rds_mysql/rds.tf +++ b/apps/rds_mysql/rds.tf @@ -65,6 +65,7 @@ resource "aws_db_instance" "database" { prevent_destroy = true } + copy_tags_to_snapshot = true tags = { Domain = "${var.tags_domain}" Name = "${var.app_name}" From 5123c617fdff5bbdfdc36e10ac477982c1e13877 Mon Sep 17 00:00:00 2001 From: Stig Woxholt Date: Wed, 21 Aug 2019 14:51:17 +0200 Subject: [PATCH 10/12] Added support for shared vpc in lambda module --- apps/lambda_function/lambda.tf | 38 ++++++++++++++++++++++++++++--- apps/lambda_function/main.tf | 8 +++++++ apps/lambda_function/variables.tf | 4 ++++ 3 files changed, 47 insertions(+), 3 deletions(-) diff --git a/apps/lambda_function/lambda.tf b/apps/lambda_function/lambda.tf index cfb188b6..1955e06e 100644 --- a/apps/lambda_function/lambda.tf +++ b/apps/lambda_function/lambda.tf @@ -14,6 +14,11 @@ resource "aws_lambda_function" "app" { } count = "${var.enabled}" tags = "${local.tags}" + + vpc_config = { + subnet_ids = ["${split( ",", var.private == 1 ? join(",", module.aws_core_data.private_subnets) : join(",", concat(module.aws_core_data.private_subnets,module.aws_core_data.public_subnets)))}"] + security_group_ids = ["${aws_security_group.sg_for_app.id}"] + } } resource "aws_iam_role" "iam_for_app" { 
@@ -21,8 +26,35 @@ resource "aws_iam_role" "iam_for_app" { assume_role_policy = "${var.assume_role_policy_document}" } -resource "aws_iam_role_policy" "iam_policy_for_app" { +resource "aws_security_group" "sg_for_app" { name = "${var.app_name}" - role = "${aws_iam_role.iam_for_app.id}" - policy = "${var.iam_policy_document}" + description = "Allow all inbound traffic for the scheduled lambda function" + vpc_id = "${module.aws_core_data.vpc_id}" + + ingress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = [ + "185.184.204.70/32", + "62.97.245.10/32", + "185.184.204.74/32", + "62.102.226.22/32", + "213.41.124.76/32", + "77.60.83.148/32", + "62.21.226.193/32", + "192.168.0.0/16", + "10.0.0.0/8", + "172.16.0.0/12" + ] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = "${local.tags}" } \ No newline at end of file diff --git a/apps/lambda_function/main.tf b/apps/lambda_function/main.tf index cbf61a70..72524fe2 100644 --- a/apps/lambda_function/main.tf +++ b/apps/lambda_function/main.tf @@ -1 +1,9 @@ provider "aws" {} + +module "aws_core_data" { + source = "../../data_providers/shared-vpc-data" + account_type = "${var.account_type}" + providers = { + aws = "aws" + } +} \ No newline at end of file diff --git a/apps/lambda_function/variables.tf b/apps/lambda_function/variables.tf index 9f6dd59f..b1a58f07 100644 --- a/apps/lambda_function/variables.tf +++ b/apps/lambda_function/variables.tf @@ -47,6 +47,10 @@ variable "enabled" { default = 1 } +variable "private" { + default = false +} + variable "iam_policy_document" { default =< Date: Thu, 22 Aug 2019 10:48:41 +0200 Subject: [PATCH 11/12] Added iam_role_policy --- apps/lambda_function/lambda.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/apps/lambda_function/lambda.tf b/apps/lambda_function/lambda.tf index 1955e06e..9817b99a 100644 --- a/apps/lambda_function/lambda.tf +++ b/apps/lambda_function/lambda.tf 
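Review bot: `sg_for_app` adds an all-protocol ingress rule listing seven public `/32` addresses plus the three RFC1918 ranges, hard-coded into a shared module; Lambda VPC ENIs do not accept inbound connections, so these ingress entries grant nothing useful while baking an unexplained allow-list (presumably office egress IPs) into every consumer of the module with no way to override it. Drop the `ingress` block and keep only the egress rule, or at minimum move the list into a variable with a comment naming what each address is. The hunk also replaces `aws_iam_role_policy "iam_policy_for_app"` with the security group, so the role silently loses its inline policy here — patch 11 restores it and patch 12 reverts the whole change, but that is the kind of deletion that should not ride along in an "add VPC support" commit. `subnet_ids` includes public subnets whenever `var.private` is not `1` (its default is `false` in the variables hunk), and as far as I know a Lambda ENI in a public subnet gets no public IP and still needs a NAT route, so the `private` variable's description should say that the default does not make the function internet-reachable.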
@@ -26,6 +26,12 @@ resource "aws_iam_role" "iam_for_app" { assume_role_policy = "${var.assume_role_policy_document}" } +resource "aws_iam_role_policy" "iam_policy_for_app" { + name = "${var.app_name}" + role = "${aws_iam_role.iam_for_app.id}" + policy = "${var.iam_policy_document}" +} + resource "aws_security_group" "sg_for_app" { name = "${var.app_name}" description = "Allow all inbound traffic for the scheduled lambda function" From e897892ba5beeb15f8ebe2108f17207de56f743f Mon Sep 17 00:00:00 2001 From: Stig Woxholt Date: Fri, 23 Aug 2019 11:10:02 +0200 Subject: [PATCH 12/12] revert changes , covered by lambda_function_vpc --- apps/lambda_function/lambda.tf | 38 ------------------------------- apps/lambda_function/main.tf | 8 ------- apps/lambda_function/variables.tf | 4 ---- 3 files changed, 50 deletions(-) diff --git a/apps/lambda_function/lambda.tf b/apps/lambda_function/lambda.tf index 9817b99a..cfb188b6 100644 --- a/apps/lambda_function/lambda.tf +++ b/apps/lambda_function/lambda.tf @@ -14,11 +14,6 @@ resource "aws_lambda_function" "app" { } count = "${var.enabled}" tags = "${local.tags}" - - vpc_config = { - subnet_ids = ["${split( ",", var.private == 1 ? join(",", module.aws_core_data.private_subnets) : join(",", concat(module.aws_core_data.private_subnets,module.aws_core_data.public_subnets)))}"] - security_group_ids = ["${aws_security_group.sg_for_app.id}"] - } } resource "aws_iam_role" "iam_for_app" { 
@@ -30,37 +25,4 @@ resource "aws_iam_role_policy" "iam_policy_for_app" { name = "${var.app_name}" role = "${aws_iam_role.iam_for_app.id}" policy = "${var.iam_policy_document}" -} - -resource "aws_security_group" "sg_for_app" { - name = "${var.app_name}" - description = "Allow all inbound traffic for the scheduled lambda function" - vpc_id = "${module.aws_core_data.vpc_id}" - - ingress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = [ - "185.184.204.70/32", - "62.97.245.10/32", - "185.184.204.74/32", - "62.102.226.22/32", - "213.41.124.76/32", - "77.60.83.148/32", - "62.21.226.193/32", - "192.168.0.0/16", - "10.0.0.0/8", - "172.16.0.0/12" - ] - } - - egress { - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - } - - tags = "${local.tags}" } \ No newline at end of file diff --git a/apps/lambda_function/main.tf b/apps/lambda_function/main.tf index 72524fe2..cbf61a70 100644 --- a/apps/lambda_function/main.tf +++ b/apps/lambda_function/main.tf @@ -1,9 +1 @@ provider "aws" {} - -module "aws_core_data" { - source = "../../data_providers/shared-vpc-data" - account_type = "${var.account_type}" - providers = { - aws = "aws" - } -} \ No newline at end of file diff --git a/apps/lambda_function/variables.tf b/apps/lambda_function/variables.tf index b1a58f07..9f6dd59f 100644 --- a/apps/lambda_function/variables.tf +++ b/apps/lambda_function/variables.tf @@ -47,10 +47,6 @@ variable "enabled" { default = 1 } -variable "private" { - default = false -} - variable "iam_policy_document" { default =<