From 275faf8b891ce965f54531aaba847ac9f09a92db Mon Sep 17 00:00:00 2001 From: vijay-stephen Date: Tue, 10 Dec 2024 17:58:57 +0000 Subject: [PATCH] Merge pull request #1 from sourcefuse/feature/sg-module Security Group Module --- .../modules/terraform-aws-arc-db/README.md | 234 ++++++++---------- 1 file changed, 105 insertions(+), 129 deletions(-) diff --git a/docs/arc-iac-docs/modules/terraform-aws-arc-db/README.md b/docs/arc-iac-docs/modules/terraform-aws-arc-db/README.md index 96ec053a7..3a1dcc1b2 100644 --- a/docs/arc-iac-docs/modules/terraform-aws-arc-db/README.md +++ b/docs/arc-iac-docs/modules/terraform-aws-arc-db/README.md 
@@ -1,152 +1,134 @@ ![Module Structure](./static/banner.png) -# [terraform-aws-arc-db](https://github.com/sourcefuse/terraform-aws-arc-db) +# [terraform-aws-arc-security-group](https://github.com/sourcefuse/terraform-aws-arc-security-group) -Latest Release Last Updated ![Terraform](https://img.shields.io/badge/terraform-%235835CC.svg?style=for-the-badge&logo=terraform&logoColor=white) ![GitHub Actions](https://img.shields.io/badge/github%20actions-%232671E5.svg?style=for-the-badge&logo=githubactions&logoColor=white) +Latest Release Last Updated ![Terraform](https://img.shields.io/badge/terraform-%235835CC.svg?style=for-the-badge&logo=terraform&logoColor=white) ![GitHub Actions](https://img.shields.io/badge/github%20actions-%232671E5.svg?style=for-the-badge&logo=githubactions&logoColor=white) -[![Quality gate](https://sonarcloud.io/api/project_badges/quality_gate?project=sourcefuse_terraform-aws-arc-db)](https://sonarcloud.io/summary/new_code?id=sourcefuse_terraform-aws-arc-db) +[![Quality gate](https://sonarcloud.io/api/project_badges/quality_gate?project=sourcefuse_terraform-aws-arc-security-group&token=0e57ba3902cccbb2b9c0585a9859bccbf2d00e3c)](https://sonarcloud.io/summary/new_code?id=sourcefuse_terraform-aws-arc-security-group) -[![Known Vulnerabilities](https://github.com/sourcefuse/terraform-aws-ref-arch-db/actions/workflows/snyk.yaml/badge.svg)](https://github.com/sourcefuse/terraform-aws-ref-arch-db/actions/workflows/snyk.yaml) +[![Known Vulnerabilities](https://github.com/sourcefuse/terraform-aws-arc-security-group/actions/workflows/snyk.yaml/badge.svg)](https://github.com/sourcefuse/terraform-aws-arc-security-group/actions/workflows/snyk.yaml) -## Overview +## Introduction -The SourceFuse AWS Reference Architecture (ARC) Terraform module offers a comprehensive solution for efficiently managing Aurora, RDS cluster, RDS proxy and RDS (Relational Database Service) instances within the Amazon Web Services (AWS) environment. 
This Terraform module is designed to streamline the provisioning, configuration, and management of these database instances, leveraging best practices. +The SourceFuse AWS Reference Architecture (ARC) Terraform module for creating and managing AWS security groups with customizable rules. It simplifies defining inbound and outbound rules for specific protocols, ports, and CIDR ranges, ensuring secure and efficient network traffic control in your infrastructure. -For more information about this repository and its usage, please see [Terraform AWS ARC DB Usage Guide](https://github.com/sourcefuse/terraform-aws-arc-db/blob/main/docs/module-usage-guide/README.md). +For more information about this repository and its usage, please see [Terraform AWS ARC Security Group Module Usage Guide](docs/module-usage-guide/README.md). -## Module Usage - -To see a full example, check out the [main.tf](https://github.com/sourcefuse/terraform-aws-arc-db/blob/main/example/main.tf) file in the example folder. +### Prerequisites +Before using this module, ensure you have the following: + +- AWS credentials configured. +- Terraform installed. +- A working knowledge of Terraform. + +## Usage +See the `examples` folder for a complete example. 
+ +```hcl + +locals { + security_group_data = { + create = true + description = "Security Group for Loadbalancer" + + ingress_rules = [ + { + description = "Allow VPC traffic" + cidr_block = data.aws_vpc.this.cidr_block + from_port = 0 + ip_protocol = "tcp" + to_port = 65535 + }, + { + description = "Allow traffic from self" + self = true + from_port = 0 + ip_protocol = "tcp" + to_port = 65535 + }, + { + description = "Allow traffic from security group" + source_security_group_id = data.aws_security_group.default.id + from_port = 0 + ip_protocol = "tcp" + to_port = 65535 + } + ] + + egress_rules = [ + { + description = "Allow all outbound traffic" + cidr_block = "0.0.0.0/0" + from_port = -1 + ip_protocol = "-1" + to_port = -1 + } + ] + } +} + +module "arc_security_group" { + source = "sourcefuse/arc-security-group/aws" + version = "0.0.1" + + name = "${var.namespace}-${var.environment}-sg" + vpc_id = data.aws_vpc.this.id + ingress_rules = local.security_group_data.ingress_rules + egress_rules = local.security_group_data.egress_rules + + tags = module.tags.tags +} +``` ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.3, < 2.0.0 | -| [aws](#requirement\_aws) | >= 4.0, < 6.0 | -| [null](#requirement\_null) | >= 3.1 | -| [random](#requirement\_random) | >= 3.4 | +| [terraform](#requirement\_terraform) | > 1.4, < 2.0.0 | +| [aws](#requirement\_aws) | ~> 5.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.73.0 | -| [random](#provider\_random) | 3.6.3 | +| [aws](#provider\_aws) | 5.80.0 | ## Modules -| Name | Source | Version | -|------|--------|---------| -| [proxy\_security\_group](#module\_proxy\_security\_group) | ./modules/security-group | n/a | -| [security\_group](#module\_security\_group) | ./modules/security-group | n/a | +No modules. 
## Resources | Name | Type | |------|------| -| [aws_db_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) | resource | -| [aws_db_option_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_option_group) | resource | -| [aws_db_parameter_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group) | resource | -| [aws_db_proxy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy) | resource | -| [aws_db_proxy_default_target_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy_default_target_group) | resource | -| [aws_db_proxy_target.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy_target) | resource | -| [aws_db_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource | -| [aws_iam_policy.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_policy.read_secrets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | -| [aws_iam_role.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | -| [aws_iam_role_policy_attachment.attach_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_iam_role_policy_attachment.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| 
[aws_iam_role_policy_attachment.proxy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | -| [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource | -| [aws_kms_key.secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | -| [aws_rds_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster) | resource | -| [aws_rds_cluster_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance) | resource | -| [aws_secretsmanager_secret.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | -| [aws_secretsmanager_secret_version.db_secret_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | -| [aws_ssm_parameter.database_creds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | -| [random_password.master](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | -| [aws_iam_policy.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source | -| [aws_kms_alias.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| 
[aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_vpc_security_group_egress_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource | +| [aws_vpc_security_group_ingress_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [allocated\_storage](#input\_allocated\_storage) | (optional) Storage for RDS instance | `string` | `20` | no | -| [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Whether major version upgrades are allowed during maintenance windows. | `bool` | `false` | no | -| [apply\_immediately](#input\_apply\_immediately) | Whether to apply changes immediately or during the next maintenance window. | `bool` | `false` | no | -| [auto\_minor\_version\_upgrade](#input\_auto\_minor\_version\_upgrade) | Whether minor engine upgrades are applied automatically during the maintenance window. | `bool` | `true` | no | -| [backup\_retention\_period](#input\_backup\_retention\_period) | The number of days to retain backups for the DB cluster. | `number` | `7` | no | -| [ca\_cert\_identifier](#input\_ca\_cert\_identifier) | The identifier of the CA certificate for the DB instance. If not specified, the RDS default CA is used. | `string` | `null` | no | -| [ca\_certificate\_identifier](#input\_ca\_certificate\_identifier) | (optional) The CA certificate identifier to use for the DB cluster's server certificate. | `string` | `null` | no | -| [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | Whether to copy all tags to snapshots. | `bool` | `true` | no | -| [database\_name](#input\_database\_name) | The name of the database to create when the cluster is created. 
| `string` | `null` | no | -| [db\_cluster\_parameter\_group\_name](#input\_db\_cluster\_parameter\_group\_name) | (optional) A cluster parameter group to associate with the cluster. | `string` | `null` | no | -| [db\_instance\_parameter\_group\_name](#input\_db\_instance\_parameter\_group\_name) | (optional) Instance parameter group to associate with all instances of the DB cluster. The db\_instance\_parameter\_group\_name parameter is only valid in combination with the allow\_major\_version\_upgrade parameter. | `string` | `null` | no | -| [db\_server\_class](#input\_db\_server\_class) | Instance class for RDS instance | `string` | `"db.t3.medium"` | no | -| [db\_subnet\_group\_data](#input\_db\_subnet\_group\_data) | (optional) DB Subnet Group details |
object({
name = string
create = optional(bool, false)
description = optional(string, null)
subnet_ids = optional(list(string), [])
})
| n/a | yes | -| [delete\_automated\_backups](#input\_delete\_automated\_backups) | (optional) Specifies whether to remove automated backups immediately after the DB cluster is deleted. Default is true. | `string` | `true` | no | -| [deletion\_protection](#input\_deletion\_protection) | Whether to enable deletion protection for the DB cluster. | `bool` | `false` | no | -| [enable\_multi\_az](#input\_enable\_multi\_az) | Whether to enable Multi-AZ deployment for the RDS instance. | `bool` | `false` | no | -| [enabled\_cloudwatch\_logs\_exports](#input\_enabled\_cloudwatch\_logs\_exports) | List of log types to export to CloudWatch Logs. Valid values: audit, error, general, slowquery. | `list(string)` | `[]` | no | -| [engine](#input\_engine) | The database engine to use for the RDS cluster (e.g., aurora, aurora-mysql, aurora-postgresql). | `string` | n/a | yes | -| [engine\_lifecycle\_support](#input\_engine\_lifecycle\_support) | (optional) The life cycle type for this DB instance. This setting is valid for cluster types Aurora DB clusters and Multi-AZ DB clusters. Valid values are open-source-rds-extended-support, open-source-rds-extended-support-disabled. Default value is open-source-rds-extended-support | `string` | `"open-source-rds-extended-support"` | no | -| [engine\_mode](#input\_engine\_mode) | (optional) Database engine mode. Valid values: global (only valid for Aurora MySQL 1.21 and earlier), parallelquery, provisioned, serverless. Defaults to: provisioned
Note :- For Serverless V2 , engine\_mode should be "provisioned" but for simplecity "serverless" is expected
Refer : https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#rds-serverless-v2-cluster | `string` | `"provisioned"` | no | -| [engine\_type](#input\_engine\_type) | (optional) Engine type, valid values are 'rds' or 'cluster' | `string` | n/a | yes | -| [engine\_version](#input\_engine\_version) | The version of the database engine to use. | `string` | n/a | yes | -| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | n/a | yes | -| [final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | (optional) Name of your final DB snapshot when this DB cluster is deleted. If omitted, no final snapshot will be made. | `string` | `null` | no | -| [iam\_database\_authentication\_enabled](#input\_iam\_database\_authentication\_enabled) | Enable IAM database authentication for the RDS cluster. | `bool` | `false` | no | -| [iops](#input\_iops) | The amount of provisioned IOPS. Required if using io1 storage type. | `number` | `0` | no | -| [kms\_data](#input\_kms\_data) | Configuration for KMS key settings for RDS encryption and performance insights:
- create: (Optional) If true, a new KMS key is created.
- kms\_key\_id: (Optional) The ID of an existing KMS key for RDS encryption. If null it used AWS managed keys
- performance\_insights\_kms\_key\_id: (Optional) Key ID for Performance Insights. If null it used AWS managed keys
- description: (Optional) description for the KMS key.
- policy: (Optional) Specific policy for the KMS key.
- deletion\_window\_in\_days: (Optional) Number of days before deletion, default is 7.
- enable\_key\_rotation: (Optional) Enables key rotation for security; defaults to true. |
object({
create = optional(bool, true)
kms_key_id = optional(string, null)
performance_insights_kms_key_id = optional(string, null)
name = optional(string, null)
description = optional(string, null)
policy = optional(string, null)
deletion_window_in_days = optional(number, 7)
enable_key_rotation = optional(bool, true)
})
|
{
"create": false
}
| no | -| [license\_model](#input\_license\_model) | The license model for the DB instance (e.g., license-included, bring-your-own-license, general-public-license). | `string` | n/a | yes | -| [manage\_user\_password](#input\_manage\_user\_password) | (optional) Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master\_password is provided."
null - is equal to 'false', don't set it to false , known bug : https://github.com/hashicorp/terraform-provider-aws/issues/31179 | `bool` | `null` | no | -| [monitoring\_interval](#input\_monitoring\_interval) | The interval, in seconds, between points when Enhanced Monitoring metrics are collected. Valid values are 0, 1, 5, 10, 15, 30, 60. | `number` | `0` | no | -| [monitoring\_role\_arn](#input\_monitoring\_role\_arn) | The ARN for the IAM role that allows RDS to send Enhanced Monitoring metrics to CloudWatch Logs. | `string` | `null` | no | -| [name](#input\_name) | The identifier for the RDS instance or cluster. | `string` | n/a | yes | -| [namespace](#input\_namespace) | Namespace for the resources. | `string` | n/a | yes | -| [network\_type](#input\_network\_type) | (optional) Network type of the cluster. Valid values: IPV4, DUAL. | `string` | `"IPV4"` | no | -| [option\_group\_config](#input\_option\_group\_config) | Configuration for RDS option group, with attributes to create or specify a group name, engine details, and database options including settings, ports, and versions. |
object({
create = optional(bool, false)
name = optional(string, null)
engine_name = optional(string)
major_engine_version = optional(string)
description = optional(string, "Managed by Terraform")
options = map(object({
option_name = string
port = number
version = string
option_settings = map(object({
name = string
value = string
}))
}))
})
|
{
"name": null,
"options": {}
}
| no | -| [parameter\_group\_config](#input\_parameter\_group\_config) | Configuration for RDS parameter group, with options to create or specify a group name, family, and a map of database parameters including settings and apply methods. |
object({
create = optional(bool, false)
name = optional(string, null)
family = optional(string)
description = optional(string, "Managed by Terraform")
parameters = map(object({
name = string
value = string
apply_method = optional(string, "immediate") # Options: "immediate" or "pending-reboot"
}))
})
|
{
"name": null,
"parameters": {}
}
| no | -| [password](#input\_password) | The password for the database. | `string` | `null` | no | -| [performance\_insights\_enabled](#input\_performance\_insights\_enabled) | (optional) Valid only for Non-Aurora Multi-AZ DB Clusters. Enables Performance Insights for the RDS Cluster | `bool` | `false` | no | -| [performance\_insights\_retention\_period](#input\_performance\_insights\_retention\_period) | The retention period (in days) for Performance Insights data. Valid values are 7, 731, or any value between 8 and 730. | `number` | `7` | no | -| [port](#input\_port) | Port on which the DB accepts connections | `number` | n/a | yes | -| [preferred\_backup\_window](#input\_preferred\_backup\_window) | The daily time range during which backups are taken. | `string` | `"07:00-09:00"` | no | -| [preferred\_maintenance\_window](#input\_preferred\_maintenance\_window) | The weekly time range during which maintenance can occur. | `string` | `"sun:06:00-sun:07:00"` | no | -| [proxy\_config](#input\_proxy\_config) | Configuration object for setting up an AWS RDS Proxy. It includes options for creating the proxy, connection pooling, authentication, and other proxy-specific settings.

- **create** (optional): A boolean that determines whether to create the RDS Proxy resource. Defaults to false.
- **name** (optional): The name of the RDS Proxy. If not specified, Terraform will create a default name.
- **engine\_family**: The database engine family for the proxy (e.g., "MYSQL", "POSTGRESQL").
- **vpc\_subnet\_ids**: List of VPC subnet IDs in which the proxy will be deployed.
- **security\_group\_data**: List of security groups to associate with the RDS Proxy.
- **require\_tls** (optional): Boolean flag to enforce the use of TLS for client connections to the proxy. Defaults to false.
- **debug\_logging** (optional): Boolean flag to enable debug logging for the proxy. Defaults to false.
- **idle\_client\_timeout\_secs** (optional): Number of seconds before the proxy closes idle client connections. The minimum is 60 seconds (1 minute), and the maximum is 28,800 seconds (8 hours). Defaults to 1,800 seconds (30 minutes).
- **role\_arn** (optional): The ARN of the IAM role used by the proxy for accessing database credentials in AWS Secrets Manager. If null, Terraform will create a new IAM role.

Authentication settings:
- **auth.auth\_scheme**: The authentication scheme to use (e.g., "SECRETS").
- **auth.description** (optional): A description of the authentication method. Defaults to null.
- **auth.iam\_auth** (optional): Specifies whether to use IAM authentication for the proxy. Defaults to "DISABLED".
- **auth.secret\_arn**: The ARN of the AWS Secrets Manager secret that contains the database credentials.
- **auth.client\_password\_auth\_type**: Specifies the password authentication type for the database.

Connection pool configuration:
- **connection\_pool\_config.connection\_borrow\_timeout** (optional): The amount of time (in seconds) a client connection can be held open before being returned to the pool. Defaults to 5 seconds.
- **connection\_pool\_config.init\_query** (optional): An optional initialization query executed when a connection is first established. Defaults to null.
- **connection\_pool\_config.max\_connections\_percent** (optional): The maximum percentage of available database connections that the proxy can use. Defaults to 100%.
- **connection\_pool\_config.max\_idle\_connections\_percent** (optional): The maximum percentage of idle database connections that the proxy can keep open. Defaults to 50%.
- **connection\_pool\_config.session\_pinning\_filters** (optional): List of filters for controlling session pinning behavior. Defaults to an empty list. |
object({
create = optional(bool, false)
name = optional(string, null)
engine_family = string
vpc_subnet_ids = list(string)
require_tls = optional(bool, false)
debug_logging = optional(bool, false)
idle_client_timeout_secs = optional(number, 30 * 60) // in seconds The minimum is 1 minute and the maximum is 8 hours.
role_arn = optional(string, null) // null value will create new role
auth = object({
auth_scheme = string
description = optional(string, null)
iam_auth = optional(string, "DISABLED")
client_password_auth_type = string
})
additional_auth_list = optional(list(object({
auth_scheme = string
secret_arn = optional(string, null)
description = optional(string, null)
iam_auth = optional(string, "DISABLED")
client_password_auth_type = string
})), [])
connection_pool_config = object({
connection_borrow_timeout = optional(number, 5)
init_query = optional(string, null)
max_connections_percent = optional(number, 100)
max_idle_connections_percent = optional(number, 50)
session_pinning_filters = optional(list(string), [])
})
security_group_data = optional(object({
security_group_ids_to_attach = optional(list(string), [])
create = optional(bool, true)
description = optional(string, null)
ingress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
source_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
self = optional(bool, false)
})), [])
egress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
destination_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
})), [])
}))
})
|
{
"auth": null,
"connection_pool_config": null,
"create": false,
"engine_family": "POSTGRESQL",
"security_group_data": {
"create": false
},
"vpc_subnet_ids": []
}
| no | -| [publicly\_accessible](#input\_publicly\_accessible) | Whether the RDS instance should be publicly accessible. | `bool` | `false` | no | -| [rds\_cluster\_instances](#input\_rds\_cluster\_instances) | "(optional) A list of objects defining configurations for RDS Cluster instances. Each object represents a single RDS instance configuration within the cluster, including options for instance class, monitoring, performance insights, maintenance windows, and other instance-specific settings."
name: Optional. Name of the instance (default: null).
instance\_class: The instance class for the RDS instance (e.g., db.r5.large).
availability\_zone: Optional. Specifies the availability zone for the instance (default: null).
publicly\_accessible: Optional. Whether the instance is publicly accessible (default: false).
db\_parameter\_group\_name: Optional. The name of the DB parameter group to associate with the instance (default: null).
apply\_immediately: Optional. Apply modifications immediately or during the next maintenance window (default: false).
ca\_cert\_identifier: Optional. Identifier for the CA certificate for the instance (default: null).
promotion\_tier: Optional. Promotion tier for the instance within the cluster (default: 0).
copy\_tags\_to\_snapshot: Optional. Copy tags to snapshots (default: true). |
list(object({
name = optional(string, null)
instance_class = string
availability_zone = optional(string, null)
publicly_accessible = optional(bool, false)
db_parameter_group_name = optional(string, null)
promotion_tier = optional(number, 0)
copy_tags_to_snapshot = optional(bool, true)
}))
| `[]` | no | -| [security\_group\_data](#input\_security\_group\_data) | (optional) Security Group data |
object({
security_group_ids_to_attach = optional(list(string), [])
create = optional(bool, true)
description = optional(string, null)
ingress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
source_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
})), [])
egress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
destination_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
})), [])
})
|
{
"create": false
}
| no | -| [serverlessv2\_scaling\_config](#input\_serverlessv2\_scaling\_config) | Configuration for Serverless V2 scaling:
- max\_capacity: (Required) The maximum ACU capacity for scaling (e.g., 256.0).
- min\_capacity: (Required) The minimum ACU capacity for scaling (e.g., 0.5). |
object({
max_capacity = number
min_capacity = number
})
|
{
"max_capacity": 1,
"min_capacity": 0.5
}
| no | -| [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | (optional) Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false. | `string` | `true` | no | -| [storage\_encrypted](#input\_storage\_encrypted) | Whether to enable storage encryption. | `bool` | `true` | no | -| [storage\_type](#input\_storage\_type) | (optional) Required for Multi-AZ DB cluster) (Forces new for Multi-AZ DB clusters) Specifies the storage type to be associated with the DB cluster. For Aurora DB clusters, storage\_type modifications can be done in-place. For Multi-AZ DB Clusters, the iops argument must also be set. Valid values are: "", aurora-iopt1 (Aurora DB Clusters); io1, io2 (Multi-AZ DB Clusters). Default: "" (Aurora DB Clusters); io1 (Multi-AZ DB Clusters). | `string` | `""` | no | -| [tags](#input\_tags) | A map of tags to assign to the DB Cluster. | `map(string)` | `{}` | no | -| [username](#input\_username) | The username for the database. | `string` | n/a | yes | +| [description](#input\_description) | (optional) Description of Security Group | `string` | `null` | no | +| [egress\_rules](#input\_egress\_rules) | (optional) List of egress rules for the security group. |
list(object({
description = optional(string, null)
cidr_block = optional(string, null)
destination_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
prefix_list_id = optional(string, null)
}))
| `[]` | no | +| [ingress\_rules](#input\_ingress\_rules) | (optional) List of ingress rules for the security group. |
list(object({
description = optional(string, null)
cidr_block = optional(string, null)
source_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
self = optional(bool, false)
}))
| `[]` | no | +| [name](#input\_name) | Security Group name | `string` | n/a | yes | +| [tags](#input\_tags) | Tags for Security Group | `map(string)` | `{}` | no | | [vpc\_id](#input\_vpc\_id) | VPC Id for creating security group | `string` | n/a | yes | ## Outputs | Name | Description | |------|-------------| -| [arn](#output\_arn) | Instance or Cluster ARN | -| [database](#output\_database) | database name | -| [endpoint](#output\_endpoint) | Instance or Cluster Endpoint | -| [id](#output\_id) | Instance or Cluster ID | -| [identifier](#output\_identifier) | Instance or Cluster Identifier | -| [kms\_key\_id](#output\_kms\_key\_id) | Instance or Cluster KM Key ID | -| [monitoring\_role\_arn](#output\_monitoring\_role\_arn) | Instance or Cluster Monitoring role arn | -| [performance\_insights\_kms\_key\_id](#output\_performance\_insights\_kms\_key\_id) | Instance or Cluster Performance insight KM Key ID | -| [port](#output\_port) | Dtabase server port | -| [username](#output\_username) | Username for the Database | +| [id](#output\_id) | Security Group ID | +## Versioning +This project uses a `.version` file at the root of the repo which the pipeline reads from and does a git tag. + +When you intend to commit to `main`, you will need to increment this version. Once the project is merged, +the pipeline will kick off and tag the latest git commit. + ## Development ### Prerequisites @@ -160,11 +142,11 @@ To see a full example, check out the [main.tf](https://github.com/sourcefuse/ter ### Configurations - Configure pre-commit hooks + ```sh + pre-commit install + ``` -```sh -pre-commit install -``` -### Git commits +### Versioning while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch 
@@ -173,28 +155,22 @@ For Example ```sh git commit -m "your commit message #major" ``` -By specifying this , it will bump the version and if you dont specify this in your commit message then by default it will consider patch and will bump that accordingly +By specifying this , it will bump the version and if you don't specify this in your commit message then by default it will consider patch and will bump that accordingly ### Tests - - Tests are available in `test` directory - Configure the dependencies - -```sh -cd test -go mod init github.com/sourcefuse/terraform-aws-ref-arch-db -go get github.com/gruntwork-io/terratest/modules/terraform -``` - -- Now execute the test - -```sh -cd test/ -go test -``` + ```sh + cd test/ + go mod init github.com/sourcefuse/terraform-aws-refarch- + go get github.com/gruntwork-io/terratest/modules/terraform + ``` +- Now execute the test + ```sh + go test -timeout 30m + ``` ## Authors This project is authored by: - - SourceFuse ARC Team
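Review bot: the first hunk (`@@ -1,152 +1,134 @@`) overwrites the whole of `docs/arc-iac-docs/modules/terraform-aws-arc-db/README.md` with the security-group module's README, so the DB module loses its documentation and the security-group page ends up under the `terraform-aws-arc-db` directory; the new content belongs in its own module directory (for example `docs/arc-iac-docs/modules/terraform-aws-arc-security-group/README.md`) with the DB README left in place. In the same hunk, the new Sonar quality-gate badge URL carries a `token=` query parameter; confirm that this is a badge-only token intended to be public, otherwise drop it before it lands in the docs repo. The usage example also opens every TCP port to the entire VPC CIDR (`from_port = 0` through `to_port = 65535`) and permits all egress to `0.0.0.0/0`; since readers copy the first example verbatim, show a narrower rule (one service port from one named source) and mention the broad variant as an option. Minor: in the new `ingress_rules` and `egress_rules` input types `from_port = number` but `to_port = string`, which should match, and the relative link `docs/module-usage-guide/README.md` will not resolve from this docs mirror, where the other links are absolute GitHub URLs.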
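Review bot: renaming `### Git commits` to `### Versioning` in the second hunk (`@@ -160,11 +142,11 @@`) produces a second heading with that name, because the first hunk already adds a top-level `## Versioning` section; keep the `### Git commits` title for the part about tagging commit messages with `#major`, minor or patch, or merge the `.version` file text into this section. Indenting the `pre-commit install` fence under its list item renders correctly, but the sentence that follows (`while Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch`) still needs a capital letter, `it's`, and spaces after the commas.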
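Review bot: the `go mod init github.com/sourcefuse/terraform-aws-refarch-` line in the third hunk (`@@ -173,28 +155,22 @@`) is cut off at the trailing hyphen, so the command initialises a module with an incomplete path; use the repository's full module path (the rest of the README refers to `sourcefuse/terraform-aws-arc-security-group`). The bullet stating that tests live in the `test` directory is deleted while the `cd test/` step remains, so readers lose the pointer to where the tests are; consider keeping it. The change from `dont` to `don't` is fine, but that sentence still has a space before the comma in `By specifying this ,`.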