Merge pull request #45 from companieshouse/feature/add-dynamic-app-sg…

…-for-rds Add dynamically created SGs for application access
companieshouse · Jul 7, 2021 · afb8ebf · afb8ebf
2 parents c8ad3f2 + d366a80
commit afb8ebf
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 4 deletions.
diff --git a/groups/heritage-shared-infrastructure/locals.tf b/groups/heritage-shared-infrastructure/locals.tf
@@ -191,6 +191,9 @@ locals {
     ]
   }
 
+  rds_databases_requiring_app_access = {
+    for key, value in var.rds_databases : key => value if length(value.rds_app_access) > 0
+  }
 
   default_tags = {
     Terraform = "true"

diff --git a/groups/heritage-shared-infrastructure/rds.tf b/groups/heritage-shared-infrastructure/rds.tf
@@ -11,7 +11,7 @@ module "rds_security_group" {
   description = format("Security group for the %s RDS database", upper(each.key))
   vpc_id      = data.aws_vpc.vpc.id
 
-  ingress_cidr_blocks = concat(local.admin_cidrs, each.value.rds_onpremise_access, each.value.rds_app_access)
+  ingress_cidr_blocks = concat(local.admin_cidrs, each.value.rds_onpremise_access)
   ingress_rules       = ["oracle-db-tcp"]
   ingress_with_cidr_blocks = [
     {
@@ -27,6 +27,23 @@ module "rds_security_group" {
   egress_rules = ["all-all"]
 }
 
+module "rds_app_security_group" {
+  for_each = local.rds_databases_requiring_app_access
+
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 3.0"
+
+  name        = "sgr-${each.key}-rds-002"
+  description = format("Security group for the %s RDS database", upper(each.key))
+  vpc_id      = data.aws_vpc.vpc.id
+
+  ingress_cidr_blocks = concat(each.value.rds_app_access)
+  ingress_rules       = ["oracle-db-tcp"]
+
+  egress_rules = ["all-all"]
+}
+
+
 # ------------------------------------------------------------------------------
 # RDS Instance
 # ------------------------------------------------------------------------------
@@ -75,10 +92,12 @@ module "rds" {
   performance_insights_retention_period = 7
 
   # RDS Security Group
-  vpc_security_group_ids = [
+  vpc_security_group_ids = flatten([
     module.rds_security_group[each.key].this_security_group_id,
-    data.aws_security_group.rds_shared.id
-  ]
+    data.aws_security_group.rds_shared.id,
+    [for key, value in module.rds_app_security_group : value.this_security_group_id if key == each.key],
+  ])
+
 
   # DB subnet group
   subnet_ids = data.aws_subnet_ids.data.ids