From def3331c6ed351dafe41dc5c8381a78846b334b4 Mon Sep 17 00:00:00 2001 From: Sourav Kundu Date: Sat, 24 Aug 2024 22:01:37 -0500 Subject: [PATCH] #5 add rds for postgresql --- rds.tf | 48 +++++++++++++++++++++++++++++++++++------------- 1 file changed, 35 insertions(+), 13 deletions(-) diff --git a/rds.tf b/rds.tf index 01d5b21..24a729a 100644 --- a/rds.tf +++ b/rds.tf @@ -1,23 +1,45 @@ #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group resource "aws_db_subnet_group" "rds" { name = "${var.name}-subnet-group" - subnet_ids = [for subnet in aws_subnet.private : subnet.id] + subnet_ids = [for subnet in aws_subnet.db : subnet.id] } -#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret -resource "aws_secretsmanager_secret" "rds_password" { - name = var.name - recovery_window_in_days = 0 - kms_key_id = aws_kms_key.encryption_secret.id - #checkov:skip=CKV2_AWS_57: Disabled Secrets Manager secrets automatic rotation -} -#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version -resource "aws_secretsmanager_secret_version" "rds_password" { - secret_id = aws_secretsmanager_secret.rds_password.id - secret_string = random_password.password.result -} #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group resource "aws_db_parameter_group" "postgres" { name = var.name family = "postgres16" +} +#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance +resource "aws_db_instance" "postgresql" { + allocated_storage = 100 + storage_type = "gp3" + engine = "postgres" + engine_version = "16.3" + instance_class = "db.t3.large" + identifier = var.name + username = "postgres" + # password = aws_secretsmanager_secret_version.secure_one_version.secret_string + skip_final_snapshot = true # Change to false if you want a final snapshot + db_subnet_group_name = aws_db_subnet_group.rds.id + storage_encrypted = true + parameter_group_name = aws_db_parameter_group.postgres.name + multi_az = true + vpc_security_group_ids = [aws_security_group.rds.id] + auto_minor_version_upgrade = true + #checkov: Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically" + enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"] + # CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled" + #monitoring_interval = 5 + # CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances" + deletion_protection = false + #CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled" + copy_tags_to_snapshot = true + performance_insights_enabled = true + manage_master_user_password = true + master_user_secret_kms_key_id = aws_kms_key.encryption_secret.arn + # master_user_secret_kms_key_id = aws_kms_key.example.arn + # kms_key_id = aws_kms_key.example.arn + # performance_insights_kms_key_id = aws_kms_key.example.arn + ca_cert_identifier = "rds-ca-rsa2048-g1" + apply_immediately = true } \ No newline at end of file