Merge pull request #92 from companieshouse/add-dba-dev-ingress

Permit RDS ingress from DBA-Dev

groups/heritage-shared-infrastructure/locals.tf

@@ -67,6 +67,25 @@ locals {
     for key, value in var.rds_databases : key => value if length(value.rds_app_access) > 0
   }
 
+  chd_dba_dev_ingress_cidrs_list    = jsondecode(data.vault_generic_secret.chd_rds.data_json)["dba-dev-cidrs"]
+  chdata_dba_dev_ingress_cidrs_list = jsondecode(data.vault_generic_secret.chdata_rds.data_json)["dba-dev-cidrs"]
+  wck_dba_dev_ingress_cidrs_list    = jsondecode(data.vault_generic_secret.wck_rds.data_json)["dba-dev-cidrs"]
+
+  dba_dev_ingress_instances_map = {
+    chd    = local.chd_dba_dev_ingress_cidrs_list,
+    chdata = local.chdata_dba_dev_ingress_cidrs_list,
+    wck    = local.wck_dba_dev_ingress_cidrs_list
+  }
+
+  dba_dev_ingress_rules_map = merge([
+    for instance, cidrs in local.dba_dev_ingress_instances_map : {
+      for idx, cidr in cidrs : "${instance}_${idx}" => {
+        cidr  = cidr
+        sg_id = module.rds_security_group[instance].this_security_group_id
+      }
+    }
+  ]...)
+
   default_tags = {
     Terraform = "true"
     Region    = var.aws_region

groups/heritage-shared-infrastructure/rds.tf

@@ -43,6 +43,16 @@ module "rds_app_security_group" {
   egress_rules = ["all-all"]
 }
 
+resource "aws_security_group_rule" "dba_dev_ingress" {
+  for_each = local.dba_dev_ingress_rules_map
+
+  type              = "ingress"
+  from_port         = 1521
+  to_port           = 1521
+  protocol          = "tcp"
+  cidr_blocks       = [each.value["cidr"]]
+  security_group_id = each.value.sg_id
+}
 
 # ------------------------------------------------------------------------------
 # RDS Instance