From 4bd1edb5412d1fb94b1be244a76e3624e4df8775 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Fri, 23 Aug 2024 22:24:08 -0500
Subject: [PATCH 1/8] add resources to deploy rds #5
---
 kms.tf | 12 ++++++++++++
 random.tf | 6 ++++++
 rds.tf | 23 +++++++++++++++++++++++
 3 files changed, 41 insertions(+)
 create mode 100644 kms.tf
 create mode 100644 random.tf
 create mode 100644 rds.tf
diff --git a/kms.tf b/kms.tf
new file mode 100644
index 0000000..930a29f
--- /dev/null
+++ b/kms.tf
@@ -0,0 +1,12 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
+resource "aws_kms_key" "encryption_secret" {
+ enable_key_rotation = true
+ description = "Key to encrypt secret"
+ deletion_window_in_days = 7
+ #checkov:skip=CKV2_AWS_64: Not including a KMS Key policy
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias
+resource "aws_kms_alias" "encryption_secret" {
+ name = "alias/${var.name}"
+ target_key_id = aws_kms_key.encryption_secret.key_id
+}
\ No newline at end of file
diff --git a/random.tf b/random.tf
new file mode 100644
index 0000000..1d1c945
--- /dev/null
+++ b/random.tf
@@ -0,0 +1,6 @@
+#https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password
+resource "random_password" "password" {
+ length = 128
+ special = true
+ override_special = "~!#$%^&*()-_=+[]{}\\|;:<>.?"
+}
\ No newline at end of file
diff --git a/rds.tf b/rds.tf
new file mode 100644
index 0000000..01d5b21
--- /dev/null
+++ b/rds.tf
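Review bot: `aws_kms_key.encryption_secret` in the kms.tf hunk is created without a `policy`, so it receives the AWS default key policy, which grants the account root full access and delegates every use of the key to IAM; that is exactly the gap CKV2_AWS_64 reports, and the skip reason `Not including a KMS Key policy` restates the finding instead of justifying it. If relying on IAM alone is the intended design, the skip should say so, e.g. `#checkov:skip=CKV2_AWS_64: Default key policy is intentional; key usage is governed by IAM policies in this account`; otherwise add a `policy` that limits `kms:Decrypt`/`kms:Encrypt`/`kms:GenerateDataKey` to the principals that handle the secret. A short comment is also worth adding on `deletion_window_in_days = 7`, since that is the shortest window AWS allows and anything encrypted under the key becomes unrecoverable a week after a destroy.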
@@ -0,0 +1,23 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group
+resource "aws_db_subnet_group" "rds" {
+ name = "${var.name}-subnet-group"
+ subnet_ids = [for subnet in aws_subnet.private : subnet.id]
+}
+
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret
+resource "aws_secretsmanager_secret" "rds_password" {
+ name = var.name
+ recovery_window_in_days = 0
+ kms_key_id = aws_kms_key.encryption_secret.id
+ #checkov:skip=CKV2_AWS_57: Disabled Secrets Manager secrets automatic rotation
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version
+resource "aws_secretsmanager_secret_version" "rds_password" {
+ secret_id = aws_secretsmanager_secret.rds_password.id
+ secret_string = random_password.password.result
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group
+resource "aws_db_parameter_group" "postgres" {
+ name = var.name
+ family = "postgres16"
+}
\ No newline at end of file
From 143720b7efc77e8e9a8e334f02b34e6eb7351253 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Fri, 23 Aug 2024 22:27:40 -0500
Subject: [PATCH 2/8] updated provider
---
 provider.tf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/provider.tf b/provider.tf
index 8e7da10..717180f 100644
--- a/provider.tf
+++ b/provider.tf
@@ -3,6 +3,10 @@ terraform {
 aws = {
 source = "hashicorp/aws"
 version = "5.63.1"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = "3.6.2"
 }
 }
 }
@@ -16,4 +20,8 @@ provider "aws" {
 Source = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
 }
 }
+}
+#https://registry.terraform.io/providers/hashicorp/random/latest/docs
+provider "random" {
+ # Configuration options
 }
\ No newline at end of file
From 1230cf915f0abb5e36eb6c360126df92eacdfa0a Mon Sep 17 00:00:00 2001
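Review bot: In the rds.tf hunk of patch 1, `recovery_window_in_days = 0` on `aws_secretsmanager_secret.rds_password` makes a `terraform destroy`, or any replacement of the resource, delete the secret immediately with no recovery window, and `secret_string = random_password.password.result` writes the plaintext password into Terraform state, so wherever state is stored must be treated as secret-bearing. Patch 6 later removes this secret in favour of `manage_master_user_password`, which resolves the state exposure, but while the intermediate state exists the zero window deserves an explicit comment, e.g. `# recovery_window_in_days = 0: secret is deleted immediately on destroy; only acceptable for disposable environments`. The `aws_db_parameter_group.postgres` resource at the end of the hunk has no `parameter` block; if that is deliberate, a one-line comment saying the family defaults are accepted would stop readers from assuming it was left unfinished.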
From: Sourav Kundu
Date: Sat, 24 Aug 2024 21:06:57 -0500
Subject: [PATCH 3/8] updated ignore file
---
 .gitignore | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 2faf43d..28dc60f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,7 +25,7 @@ override.tf.json
 # Ignore transient lock info files created by terraform apply
 .terraform.tfstate.lock.info
-
+.terraform.lock.hcl
 # Include override files you do wish to add to version control using negated pattern
 # !example_override.tf
From 32e67d3470c3c4cbde162ba136846dd87e1d6c4c Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Sat, 24 Aug 2024 21:08:54 -0500
Subject: [PATCH 4/8] #5 security group for rds
---
 security_group.tf | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/security_group.tf b/security_group.tf
index 2ae94b1..ede42d9 100644
--- a/security_group.tf
+++ b/security_group.tf
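Review bot: Adding `.terraform.lock.hcl` to `.gitignore` drops the provider dependency lock file from version control, and that file is what pins the provider checksums that `terraform init` verifies; without it every fresh checkout re-resolves `hashicorp/aws` within the version constraint and trusts whatever the registry serves, so the supply-chain pin the lock file provides is lost. HashiCorp's guidance is to commit the lock file, which is why the transient `.terraform.tfstate.lock.info` on the line above is ignored but, as far as I know, the common Terraform ignore template does not list the lock file. If excluding it is deliberate (for example because the module is applied from several platforms), that reason should accompany the entry, e.g. `# .terraform.lock.hcl intentionally not committed: <reason>`. The hunk also removes the blank separator line before the `# Include override files` comment, which is probably unintended.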
@@ -1,4 +1,36 @@
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
 resource "aws_default_security_group" "default" {
 vpc_id = aws_vpc.this.id
+}
+
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
+resource "aws_security_group" "rds" {
+ name = "${var.name}-rds-sg"
+ description = "Security group for RDS in ${var.name}"
+ vpc_id = aws_vpc.this.id
+ tags = {
+ "Name" = "${var.name}-sg"
+ }
+ # checkov:skip=CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
+ # This security group is attached to the Amazon ElastiCache Serverless resource
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
+resource "aws_security_group_rule" "ingress_rds_sg" {
+ description = "allow traffic to RDS"
+ type = "ingress"
+ from_port = 5432
+ to_port = 5432
+ protocol = "tcp"
+ cidr_blocks = [var.vpc_cidr]
+ security_group_id = aws_security_group.rds.id
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
+resource "aws_security_group_rule" "egress_rds_sg" {
+ description = "allow traffic to reach outside the vpc"
+ type = "egress"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = [var.vpc_cidr]
+ security_group_id = aws_security_group.rds.id
 }
\ No newline at end of file
From 21e960aaa8e2e2593d6f0782c37540fd565646c2 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Sat, 24 Aug 2024 21:44:48 -0500
Subject: [PATCH 5/8] remove random provider since password is managed via rds
---
 provider.tf | 8 --------
 random.tf | 6 ------
 2 files changed, 14 deletions(-)
 delete mode 100644 random.tf
diff --git a/provider.tf b/provider.tf
index 717180f..8e7da10 100644
--- a/provider.tf
+++ b/provider.tf
@@ -3,10 +3,6 @@ terraform {
 aws = {
 source = "hashicorp/aws"
 version = "5.63.1"
- }
- random = {
- source = "hashicorp/random"
- version = "3.6.2"
 }
 }
 }
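Review bot: The checkov skip justification on `aws_security_group.rds` says the group `is attached to the Amazon ElastiCache Serverless resource`, which reads as copied from another project; the group's own description says it is for RDS, so the comment should read `# This security group is attached to the RDS instance`. The egress rule's description `allow traffic to reach outside the vpc` also contradicts its `cidr_blocks = [var.vpc_cidr]`, which confines egress to the VPC; for a database the restriction is the better half to keep, so the description is what should change. On the ingress side, `cidr_blocks = [var.vpc_cidr]` opens 5432 to every address in the VPC, whereas `source_security_group_id` pointing at the client workload's group would limit it to the callers that actually need the database. The `Name` tag `${var.name}-sg` also differs from the resource `name` `${var.name}-rds-sg`, which makes the group harder to find in the console.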
@@ -20,8 +16,4 @@ provider "aws" {
 Source = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
 }
 }
-}
-#https://registry.terraform.io/providers/hashicorp/random/latest/docs
-provider "random" {
- # Configuration options
 }
\ No newline at end of file
diff --git a/random.tf b/random.tf
deleted file mode 100644
index 1d1c945..0000000
--- a/random.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-#https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password
-resource "random_password" "password" {
- length = 128
- special = true
- override_special = "~!#$%^&*()-_=+[]{}\\|;:<>.?"
-}
\ No newline at end of file
From def3331c6ed351dafe41dc5c8381a78846b334b4 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Sat, 24 Aug 2024 22:01:37 -0500
Subject: [PATCH 6/8] #5 add rds for postgresql
---
 rds.tf | 48 +++++++++++++++++++++++++++++++++++------------
 1 file changed, 35 insertions(+), 13 deletions(-)
diff --git a/rds.tf b/rds.tf
index 01d5b21..24a729a 100644
--- a/rds.tf
+++ b/rds.tf
@@ -1,23 +1,45 @@
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group
 resource "aws_db_subnet_group" "rds" {
 name = "${var.name}-subnet-group"
- subnet_ids = [for subnet in aws_subnet.private : subnet.id]
+ subnet_ids = [for subnet in aws_subnet.db : subnet.id]
 }
-#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret
-resource "aws_secretsmanager_secret" "rds_password" {
- name = var.name
- recovery_window_in_days = 0
- kms_key_id = aws_kms_key.encryption_secret.id
- #checkov:skip=CKV2_AWS_57: Disabled Secrets Manager secrets automatic rotation
-}
-#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version
-resource "aws_secretsmanager_secret_version" "rds_password" {
- secret_id = aws_secretsmanager_secret.rds_password.id
- secret_string = random_password.password.result
-}
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group
 resource "aws_db_parameter_group" "postgres" {
 name = var.name
 family = "postgres16"
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
+resource "aws_db_instance" "postgresql" {
+ allocated_storage = 100
+ storage_type = "gp3"
+ engine = "postgres"
+ engine_version = "16.3"
+ instance_class = "db.t3.large"
+ identifier = var.name
+ username = "postgres"
+ # password = aws_secretsmanager_secret_version.secure_one_version.secret_string
+ skip_final_snapshot = true # Change to false if you want a final snapshot
+ db_subnet_group_name = aws_db_subnet_group.rds.id
+ storage_encrypted = true
+ parameter_group_name = aws_db_parameter_group.postgres.name
+ multi_az = true
+ vpc_security_group_ids = [aws_security_group.rds.id]
+ auto_minor_version_upgrade = true
+ #checkov: Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
+ enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
+ # CKV_AWS_129: 
"Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
+ #monitoring_interval = 5
+ # CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
+ deletion_protection = false
+ #CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
+ copy_tags_to_snapshot = true
+ performance_insights_enabled = true
+ manage_master_user_password = true
+ master_user_secret_kms_key_id = aws_kms_key.encryption_secret.arn
+ # master_user_secret_kms_key_id = aws_kms_key.example.arn
+ # kms_key_id = aws_kms_key.example.arn
+ # performance_insights_kms_key_id = aws_kms_key.example.arn
+ ca_cert_identifier = "rds-ca-rsa2048-g1"
+ apply_immediately = true
 }
\ No newline at end of file
From 3511ad350954d39af237cd5a79ac58ab29346512 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Sat, 24 Aug 2024 22:02:01 -0500
Subject: [PATCH 7/8] #5 store rds password arn in ssm parameter
---
 ssm_parameter.tf | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 ssm_parameter.tf
diff --git a/ssm_parameter.tf b/ssm_parameter.tf
new file mode 100644
index 0000000..d58ef82
--- /dev/null
+++ b/ssm_parameter.tf
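Review bot: `aws_db_instance.postgresql` sets `storage_encrypted = true` without `kms_key_id` and enables Performance Insights without `performance_insights_kms_key_id`, so both fall back to the AWS-managed default RDS key while only the master-user secret uses `aws_kms_key.encryption_secret`; the three commented-out `aws_kms_key.example.arn` lines suggest a customer-managed key was intended for all of them, so either set `kms_key_id = aws_kms_key.encryption_secret.arn` and `performance_insights_kms_key_id = aws_kms_key.encryption_secret.arn` (or a dedicated data key) or delete those dead comments, along with the `# password = aws_secretsmanager_secret_version.secure_one_version.secret_string` line that refers to a resource that does not exist in this tree. `ca_cert_identifier` is pinned but the parameter group above still has no `parameter` block, so whether TLS is required rests on the `rds.force_ssl` family default; my understanding is that the postgres16 family defaults it to on, but pinning `rds.force_ssl = 1` in `aws_db_parameter_group.postgres` makes the requirement visible and survives a family change. `deletion_protection = false` and `skip_final_snapshot = true` are defensible for a throwaway environment but are currently explained only by trailing checkov IDs; a plain comment such as `# deletion_protection = false / skip_final_snapshot = true: disposable demo instance, no recovery expected` would say why. The `subnet_ids` change to `aws_subnet.db` refers to a resource outside this hunk that I cannot verify from here.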
@@ -0,0 +1,28 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter
+resource "aws_ssm_parameter" "rds_secret_arn" {
+ name = "/${var.name}/rds-password-arn"
+ type = "SecureString"
+ value = aws_db_instance.postgresql.master_user_secret[0].secret_arn
+}
+#Create a policy to read from the specific parameter store
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
+resource "aws_iam_policy" "ssm_parameter_policy" {
+ name = "${var.name}-ssm-parameter-read-policy"
+ path = "/"
+ description = "Policy to read the RDS Password ARN stored in the SSM Parameter Store."
+ # Terraform's "jsonencode" function converts a
+ # Terraform expression result to valid JSON syntax.
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow",
+ Action = [
+ "ssm:GetParameters",
+ "ssm:GetParameter"
+ ],
+ Resource = [aws_ssm_parameter.rds_secret_arn.arn]
+ }
+ ]
+ })
+}
\ No newline at end of file
From 83eca3f3776105801e5d2564141d418b9e1b7a62 Mon Sep 17 00:00:00 2001
From: Sourav Kundu
Date: Sun, 25 Aug 2024 09:21:56 -0500
Subject: [PATCH 8/8] format
---
 ssm_parameter.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ssm_parameter.tf b/ssm_parameter.tf
index d58ef82..c3ae8e4 100644
--- a/ssm_parameter.tf
+++ b/ssm_parameter.tf
@@ -1,8 +1,8 @@
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter
 resource "aws_ssm_parameter" "rds_secret_arn" {
- name = "/${var.name}/rds-password-arn"
- type = "SecureString"
- value = aws_db_instance.postgresql.master_user_secret[0].secret_arn
+ name = "/${var.name}/rds-password-arn"
+ type = "SecureString"
+ value = aws_db_instance.postgresql.master_user_secret[0].secret_arn
 }
 #Create a policy to read from the specific parameter store
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
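Review bot: `aws_iam_policy.ssm_parameter_policy` in the patch 7 hunk grants only `ssm:GetParameter`/`ssm:GetParameters` on the parameter, but the parameter's value is just the secret's ARN, so a consumer that wants the password still needs `secretsmanager:GetSecretValue` on `master_user_secret[0].secret_arn` and `kms:Decrypt` on `aws_kms_key.encryption_secret` (a customer-managed key, so IAM must grant it explicitly); either widen the policy to the full read path, updating the `Policy to read the RDS Password ARN` description to match, or add a comment stating that this policy covers the parameter lookup only. The parameter is `type = "SecureString"` with no `key_id`, so it is encrypted under the account's default SSM key even though the ARN it holds is not itself sensitive; `type = "String"` would remove that dependency, and if `SecureString` is kept deliberately, `key_id = aws_kms_key.encryption_secret.arn` would put it under the same customer-managed key as the secret. `aws_db_instance.postgresql` lives in rds.tf outside this hunk, so the `master_user_secret` attribute can only be confirmed against patch 6, where `manage_master_user_password = true` is set.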