Merge branch 'add-rds-db-instance' into add-rds

kms.tf

@@ -3,7 +3,6 @@ resource "aws_kms_key" "encryption_rds" {
   enable_key_rotation     = true
   description             = "Key to encrypt secret"
   deletion_window_in_days = 7
-  #checkov:skip=CKV2_AWS_64: Not including a KMS Key policy
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias
 resource "aws_kms_alias" "encryption_rds" {
@@ -19,8 +18,12 @@ data "aws_iam_policy_document" "encryption_rds_policy" {
       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
     }
     actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey",
       "kms:Create*",
-      "kms:Describe*",
       "kms:Enable*",
       "kms:List*",
       "kms:Put*",

rds.tf

@@ -8,38 +8,52 @@ resource "aws_db_subnet_group" "rds" {
 resource "aws_db_parameter_group" "postgres" {
   name   = var.name
   family = "postgres16"
+  parameter {
+    name  = "log_statement"
+    value = "all"
+  }
+  parameter {
+    name  = "log_min_duration_statement"
+    value = "1"
+  }
+  parameter {
+    name  = "rds.force_ssl"
+    value = "1"
+  }
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
 resource "aws_db_instance" "postgresql" {
-  allocated_storage = 100
-  storage_type      = "gp3"
-  engine            = "postgres"
-  engine_version    = "16.3"
-  instance_class    = "db.t3.large"
-  identifier        = var.name
-  username          = "postgres"
-  # password             = aws_secretsmanager_secret_version.secure_one_version.secret_string
-  skip_final_snapshot        = true # Change to false if you want a final snapshot
-  db_subnet_group_name       = aws_db_subnet_group.rds.id
-  storage_encrypted          = true
-  parameter_group_name       = aws_db_parameter_group.postgres.name
-  multi_az                   = true
-  vpc_security_group_ids     = [aws_security_group.rds.id]
+  allocated_storage                   = 100
+  storage_type                        = "gp3"
+  engine                              = "postgres"
+  engine_version                      = "16.3"
+  instance_class                      = "db.t3.large"
+  identifier                          = var.name
+  username                            = "postgres"
+  skip_final_snapshot                 = true # Change to false if you want a final snapshot
+  db_subnet_group_name                = aws_db_subnet_group.rds.id
+  storage_encrypted                   = true
+  parameter_group_name                = aws_db_parameter_group.postgres.name
+  multi_az                            = true
+  vpc_security_group_ids              = [aws_security_group.rds.id]
+  iam_database_authentication_enabled = true
+  #checkov: CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
   auto_minor_version_upgrade = true
-  #checkov: Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
+  #checkov: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
   enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
-  # CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
-  #monitoring_interval  = 5
-  # CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
-  deletion_protection = false
-  #CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
-  copy_tags_to_snapshot       = true
-  manage_master_user_password = true
-  # master_user_secret_kms_key_id = aws_kms_key.encryption_rds.arn
-  kms_key_id = aws_kms_key.encryption_rds.arn
-  # performance_insights_enabled          = true
-  # performance_insights_kms_key_id       = aws_kms_key.encryption_rds.arn
-  # performance_insights_retention_period = 31
-  ca_cert_identifier = "rds-ca-rsa2048-g1"
-  apply_immediately  = true
+  #checkov: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
+  monitoring_interval = 10
+  monitoring_role_arn = aws_iam_role.rds_monitoring_role.arn
+  #checkov: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
+  deletion_protection = true
+  #checkov: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
+  copy_tags_to_snapshot                 = true
+  manage_master_user_password           = true
+  master_user_secret_kms_key_id         = aws_kms_key.encryption_rds.arn
+  kms_key_id                            = aws_kms_key.encryption_rds.arn
+  performance_insights_enabled          = true
+  performance_insights_retention_period = 31
+  performance_insights_kms_key_id       = aws_kms_key.encryption_rds.arn
+  ca_cert_identifier                    = "rds-ca-rsa2048-g1"
+  apply_immediately                     = true
 }

rds_iam_role.tf

@@ -0,0 +1,22 @@
+##https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
+resource "aws_iam_role" "rds_monitoring_role" {
+  name = "${var.name}-rds-monitoring-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action = "sts:AssumeRole",
+        Effect = "Allow",
+        Principal = {
+          Service = "monitoring.rds.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment
+resource "aws_iam_role_policy_attachment" "managed_rds_monitoring_policy_attachement" {
+  role       = aws_iam_role.rds_monitoring_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+}

security_group.tf

@@ -11,8 +11,6 @@ resource "aws_security_group" "rds" {
   tags = {
     "Name" = "${var.name}-rds-sg"
   }
-  # checkov:skip=CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
-  # This security group is attached to the Amazon RDS DB resource
 }
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
 resource "aws_security_group_rule" "ingress_rds_sg" {