From 1a5aa8ffbad408695bb28b13d1d1232506812ec7 Mon Sep 17 00:00:00 2001
From: Wayne Jenkins
Date: Wed, 7 Jul 2021 12:34:03 +0100
Subject: [PATCH 1/3] Added new local var that is populated based on a lookup on existing map
---
 groups/heritage-shared-infrastructure/locals.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/groups/heritage-shared-infrastructure/locals.tf b/groups/heritage-shared-infrastructure/locals.tf
index a6fbb41..f9f6f99 100644
--- a/groups/heritage-shared-infrastructure/locals.tf
+++ b/groups/heritage-shared-infrastructure/locals.tf
@@ -191,6 +191,9 @@ locals {
 ]
 }
 
+ rds_databases_requiring_app_access = {
+ for key, value in var.rds_databases : key => value if length(value.rds_app_access) > 0
+ }
 
 default_tags = {
 Terraform = "true"
From 417cbe896216679536551ed10e5a48500a9fb053 Mon Sep 17 00:00:00 2001
From: Wayne Jenkins
Date: Wed, 7 Jul 2021 12:34:17 +0100
Subject: [PATCH 2/3] Added new security group resource to create an app-specific SG dyhamically based on new local var Updated RDS resource creation to ;ink any SGs created to their appropriate RDS instances
---
 groups/heritage-shared-infrastructure/rds.tf | 27 +++++++++++++++++---
 1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/groups/heritage-shared-infrastructure/rds.tf b/groups/heritage-shared-infrastructure/rds.tf
index 77900f0..0ca56eb 100644
--- a/groups/heritage-shared-infrastructure/rds.tf
+++ b/groups/heritage-shared-infrastructure/rds.tf
@@ -11,7 +11,7 @@ module "rds_security_group" {
 description = format("Security group for the %s RDS database", upper(each.key))
 vpc_id = data.aws_vpc.vpc.id
 
- ingress_cidr_blocks = concat(local.admin_cidrs, each.value.rds_onpremise_access, each.value.rds_app_access)
+ ingress_cidr_blocks = concat(local.admin_cidrs, each.value.rds_onpremise_access)
 ingress_rules = ["oracle-db-tcp"]
 ingress_with_cidr_blocks = [
 {
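Review bot: The new `rds_databases_requiring_app_access` local in the locals.tf hunk carries no comment, and a reader of locals.tf alone cannot tell that a non-empty `rds_app_access` list causes an additional, app-facing security group to be created; add `# Databases with a non-empty rds_app_access list get their own app-facing security group (module "rds_app_security_group" in rds.tf).` above it. `length(value.rds_app_access)` aborts the plan if that attribute can be null rather than an empty list; the variable's type is outside this diff, so confirm it, and if null is possible `if try(length(value.rds_app_access), 0) > 0` keeps the filter fail-safe. The enclosing `locals` block starts and ends outside the hunk.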
@@ -27,6 +27,23 @@ module "rds_security_group" {
 egress_rules = ["all-all"]
 }
 
+module "rds_app_security_group" {
+ for_each = local.rds_databases_requiring_app_access
+
+ source = "terraform-aws-modules/security-group/aws"
+ version = "~> 3.0"
+
+ name = "sgr-${each.key}-rds-002"
+ description = format("Security group for the %s RDS database", upper(each.key))
+ vpc_id = data.aws_vpc.vpc.id
+
+ ingress_cidr_blocks = concat(each.value.rds_app_access)
+ ingress_rules = ["oracle-db-tcp"]
+
+ egress_rules = ["all-all"]
+}
+
+
 # ------------------------------------------------------------------------------
 # RDS Instance
 # ------------------------------------------------------------------------------
@@ -75,10 +92,12 @@ module "rds" {
 performance_insights_retention_period = 7
 
 # RDS Security Group
- vpc_security_group_ids = [
+ vpc_security_group_ids = flatten([
 module.rds_security_group[each.key].this_security_group_id,
- data.aws_security_group.rds_shared.id
- ]
+ data.aws_security_group.rds_shared.id,
+ [for key, value in module.rds_app_security_group : value.this_security_group_id],
+ ])
+
 
 # DB subnet group
 subnet_ids = data.aws_subnet_ids.data.ids
From d366a800d2caee261fcfd847923c7facec30f090 Mon Sep 17 00:00:00 2001
From: Wayne Jenkins
Date: Wed, 7 Jul 2021 13:27:02 +0100
Subject: [PATCH 3/3] Added conditional to ensure additional SGs attached to appropriate RDS instances
---
 groups/heritage-shared-infrastructure/rds.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/groups/heritage-shared-infrastructure/rds.tf b/groups/heritage-shared-infrastructure/rds.tf
index 0ca56eb..b7f83ba 100644
--- a/groups/heritage-shared-infrastructure/rds.tf
+++ b/groups/heritage-shared-infrastructure/rds.tf
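Review bot: The new `rds_app_security_group` module opens the `oracle-db-tcp` rule to whatever `each.value.rds_app_access` holds, and nothing visible rejects an over-broad entry such as a /0 prefix; the local that selects these databases only checks that the list is non-empty, so a `validation` block on `var.rds_databases` (defined outside this diff) that bounds the prefix length would make a bad entry fail at plan time instead of being applied. `concat(each.value.rds_app_access)` with a single argument is a no-op; write `ingress_cidr_blocks = each.value.rds_app_access`. The `description` is copied verbatim from `rds_security_group`, so the two groups attached to one database are indistinguishable in the console; `description = format("Security group for the %s RDS database (application access)", upper(each.key))` separates them. `version = "~> 3.0"` floats across 3.x minor releases, so unless the repository commits a dependency lock file, pin the exact version the existing `rds_security_group` module resolves to so both groups are built by the same module code.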
@@ -95,7 +95,7 @@ module "rds" {
 vpc_security_group_ids = flatten([
 module.rds_security_group[each.key].this_security_group_id,
 data.aws_security_group.rds_shared.id,
- [for key, value in module.rds_app_security_group : value.this_security_group_id],
+ [for key, value in module.rds_app_security_group : value.this_security_group_id if key == each.key],
 ])