Add RDS Postgresql

.gitignore

@@ -25,7 +25,7 @@ override.tf.json
 
 # Ignore transient lock info files created by terraform apply
 .terraform.tfstate.lock.info
-
+.terraform.lock.hcl
 # Include override files you do wish to add to version control using negated pattern
 # !example_override.tf
 

kms.tf

@@ -0,0 +1,12 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
+resource "aws_kms_key" "encryption_secret" {
+  enable_key_rotation     = true
+  description             = "Key to encrypt secret"
+  deletion_window_in_days = 7
+  #checkov:skip=CKV2_AWS_64: Not including a KMS Key policy
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias
+resource "aws_kms_alias" "encryption_secret" {
+  name          = "alias/${var.name}"
+  target_key_id = aws_kms_key.encryption_secret.key_id
+}

rds.tf

@@ -0,0 +1,45 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group
+resource "aws_db_subnet_group" "rds" {
+  name       = "${var.name}-subnet-group"
+  subnet_ids = [for subnet in aws_subnet.db : subnet.id]
+}
+
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group
+resource "aws_db_parameter_group" "postgres" {
+  name   = var.name
+  family = "postgres16"
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
+resource "aws_db_instance" "postgresql" {
+  allocated_storage = 100
+  storage_type      = "gp3"
+  engine            = "postgres"
+  engine_version    = "16.3"
+  instance_class    = "db.t3.large"
+  identifier        = var.name
+  username          = "postgres"
+  # password             = aws_secretsmanager_secret_version.secure_one_version.secret_string
+  skip_final_snapshot        = true # Change to false if you want a final snapshot
+  db_subnet_group_name       = aws_db_subnet_group.rds.id
+  storage_encrypted          = true
+  parameter_group_name       = aws_db_parameter_group.postgres.name
+  multi_az                   = true
+  vpc_security_group_ids     = [aws_security_group.rds.id]
+  auto_minor_version_upgrade = true
+  #checkov: Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
+  enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
+  # CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
+  #monitoring_interval  = 5
+  # CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
+  deletion_protection = false
+  #CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
+  copy_tags_to_snapshot         = true
+  performance_insights_enabled  = true
+  manage_master_user_password   = true
+  master_user_secret_kms_key_id = aws_kms_key.encryption_secret.arn
+  # master_user_secret_kms_key_id = aws_kms_key.example.arn
+  # kms_key_id = aws_kms_key.example.arn
+  # performance_insights_kms_key_id = aws_kms_key.example.arn
+  ca_cert_identifier = "rds-ca-rsa2048-g1"
+  apply_immediately  = true
+}

security_group.tf

@@ -1,4 +1,36 @@
 #https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group
 resource "aws_default_security_group" "default" {
   vpc_id = aws_vpc.this.id
+}
+
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
+resource "aws_security_group" "rds" {
+  name        = "${var.name}-rds-sg"
+  description = "Security group for RDS in ${var.name}"
+  vpc_id      = aws_vpc.this.id
+  tags = {
+    "Name" = "${var.name}-sg"
+  }
+  # checkov:skip=CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
+  # This security group is attached to the Amazon ElastiCache Serverless resource
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
+resource "aws_security_group_rule" "ingress_rds_sg" {
+  description       = "allow traffic to RDS"
+  type              = "ingress"
+  from_port         = 5432
+  to_port           = 5432
+  protocol          = "tcp"
+  cidr_blocks       = [var.vpc_cidr]
+  security_group_id = aws_security_group.rds.id
+}
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
+resource "aws_security_group_rule" "egress_rds_sg" {
+  description       = "allow traffic to reach outside the vpc"
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = [var.vpc_cidr]
+  security_group_id = aws_security_group.rds.id
 }

ssm_parameter.tf

@@ -0,0 +1,28 @@
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter
+resource "aws_ssm_parameter" "rds_secret_arn" {
+  name  = "/${var.name}/rds-password-arn"
+  type  = "SecureString"
+  value = aws_db_instance.postgresql.master_user_secret[0].secret_arn
+}
+#Create a policy to read from the specific parameter store
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy
+resource "aws_iam_policy" "ssm_parameter_policy" {
+  name        = "${var.name}-ssm-parameter-read-policy"
+  path        = "/"
+  description = "Policy to read the RDS Password ARN stored in the SSM Parameter Store."
+  # Terraform's "jsonencode" function converts a
+  # Terraform expression result to valid JSON syntax.
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "ssm:GetParameters",
+          "ssm:GetParameter"
+        ],
+        Resource = [aws_ssm_parameter.rds_secret_arn.arn]
+      }
+    ]
+  })
+}