Merge pull request #11 from Datatamer/DEV-14278

DEV-14278, DEV-14279 Address tfsec warnings and make example more complete.

Author: daniosim

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @Datatamer/devops @Datatamer/ci-team

README.md

@@ -29,6 +29,7 @@ Smallest complete fully working example. This example might require extra resour
 This terraform module will create:
 * an AWS RDS Postgres instance
 * a database parameter group
+* a database subnet group
 * a security group for the rds instance
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -49,11 +50,11 @@ This terraform module will create:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| password | The postgres password | `string` | n/a | yes |
+| password | The password for the master DB user. | `string` | n/a | yes |
 | rds\_subnet\_ids | VPC subnet IDs in subnet group | `list(string)` | n/a | yes |
-| spark\_cluster\_sg\_ids | Security group is attached to the ec2 instances of EMR Spark | `list(string)` | n/a | yes |
+| spark\_cluster\_sg\_ids | List of Spark service access security group IDs to allow ingress from | `list(string)` | n/a | yes |
 | subnet\_group\_name | The name of the subnet group to add the RDS instance to | `string` | n/a | yes |
-| tamr\_vm\_sg\_id | Security group id attached to the tamr vm | `string` | n/a | yes |
+| tamr\_vm\_sg\_id | Tamr VM security group ID to allow ingress from | `string` | n/a | yes |
 | vpc\_id | VPC ID for the rds security group | `string` | n/a | yes |
 | additional\_cidrs | Additional CIDR to connect to RDS Postgres instance | `list(string)` | `[]` | no |
 | additional\_tags | Additional tags to set on the RDS instance | `map` | `{}` | no |
@@ -69,11 +70,11 @@ This terraform module will create:
 | max\_allocated\_storage | Max allocate storage | `number` | `1000` | no |
 | parameter\_group\_family | The family of the DB parameter group | `string` | `"postgres12"` | no |
 | parameter\_group\_name | The name of the rds parameter group | `string` | `"rds-postgres-pg"` | no |
-| postgres\_name | The name of the postgres instance | `string` | `"tamr_rds_db"` | no |
+| postgres\_name | The name of the postgres database to create on the DB instance | `string` | `"tamr_rds_db"` | no |
 | security\_group\_name | Name for the security group for the rds instance | `string` | `"tamr_rds_sg"` | no |
 | skip\_final\_snapshot | Skip final snapshot | `bool` | `true` | no |
 | storage\_type | Storage type (e.g. gp2, io1) | `string` | `"gp2"` | no |
-| username | The postgres username | `string` | `"tamr"` | no |
+| username | The username for the master DB user. | `string` | `"tamr"` | no |
 
 ## Outputs
 

examples/minimal/README.md

@@ -11,11 +11,10 @@ No provider.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| identifier\_prefix | Identifier prefix for the resources | `string` | n/a | yes |
-| parameter\_group\_name | Name of the parameter group | `string` | n/a | yes |
-| pg\_password | Password for postgres | `string` | n/a | yes |
-| pg\_username | Username for postgres | `string` | n/a | yes |
-| postgres\_db\_name | Name of the postgres db | `string` | n/a | yes |
+| spark\_service\_access\_sg\_ids | List of Spark service access security group IDs to allow ingress from | `list(string)` | n/a | yes |
+| subnet\_ids | List of at least 2 subnets in different AZs for DB subnet group | `list(string)` | n/a | yes |
+| tamr\_vm\_sg\_id | Security group ID of Tamr VM to allow ingress from | `string` | n/a | yes |
+| vpc\_id | VPC ID of network. | `string` | n/a | yes |
 
 ## Outputs
 

examples/minimal/local.tfvars

@@ -1 +1,4 @@
-postgres_db_name = "example_postgres_db"
+vpc_id                      = "vpc-example"
+subnet_ids                  = ["subnet-az1", "subnet-az2"]
+spark_service_access_sg_ids = ["example-spark-service-access-sg"]
+tamr_vm_sg_id               = "example-tamr-vm-sg"

examples/minimal/main.tf

@@ -1,15 +1,18 @@
 module "rds_postgres" {
-  source               = "git::https://github.com/Datatamer/terraform-aws-rds-postgres.git?ref=0.3.0"
-  postgres_name        = "example_rds_postgres"
+  # source               = "git::https://github.com/Datatamer/terraform-aws-rds-postgres.git?ref=0.3.0"
+  source = "../.."
+
+  identifier_prefix    = "example-rds-pg-"
+  postgres_name        = "example0"
   parameter_group_name = "example-rds-postgres-pg"
-  identifier_prefix    = "example-rds-"
+  username             = "example-tamr-master"
+  password             = "foo" #tfsec:ignore:GEN003
 
-  username = "exampleUsername"
-  password = "examplePassword"
+  vpc_id            = var.vpc_id
+  subnet_group_name = "example_subnet_group"
+  # Network requirement: DB subnet group needs a subnet in at least two Availability Zones
+  rds_subnet_ids = var.subnet_ids
 
-  subnet_group_name    = "example_subnet"
-  rds_subnet_ids       = ["example-subnet-1", "example-subnet-2"]
-  spark_cluster_sg_ids = ["sg-examplesecuritygroup1", "sg-examplesecuritygroup2"]
-  tamr_vm_sg_id        = "sg-exampletamrsecuritygroup"
-  vpc_id               = "vpc-examplevpcnetworkid"
+  spark_cluster_sg_ids = var.spark_service_access_sg_ids
+  tamr_vm_sg_id        = var.tamr_vm_sg_id
 }

examples/minimal/variables.tf

@@ -1,24 +1,19 @@
-variable "postgres_db_name" {
+variable "vpc_id" {
   type        = string
-  description = "Name of the postgres db"
+  description = "VPC ID of network."
 }
 
-variable "parameter_group_name" {
-  type        = string
-  description = "Name of the parameter group"
+variable "subnet_ids" {
+  type        = list(string)
+  description = "List of at least 2 subnets in different AZs for DB subnet group"
 }
 
-variable "identifier_prefix" {
-  type        = string
-  description = "Identifier prefix for the resources"
-}
-
-variable "pg_username" {
-  type        = string
-  description = "Username for postgres"
+variable "spark_service_access_sg_ids" {
+  type        = list(string)
+  description = "List of Spark service access security group IDs to allow ingress from"
 }
 
-variable "pg_password" {
+variable "tamr_vm_sg_id" {
   type        = string
-  description = "Password for postgres"
+  description = "Security group ID of Tamr VM to allow ingress from"
 }

modules/rds-postgres-sg/main.tf

@@ -6,6 +6,7 @@ resource "aws_security_group" "rds_postgres_sg" {
 }
 
 resource "aws_security_group_rule" "tamr_vm" {
+  description              = "Rule for ingress from Tamr VM to Postgres"
   from_port                = 5432
   protocol                 = "tcp"
   security_group_id        = aws_security_group.rds_postgres_sg.id
@@ -15,6 +16,7 @@ resource "aws_security_group_rule" "tamr_vm" {
 }
 
 resource "aws_security_group_rule" "spark_cluster" {
+  description              = "Rule for ingress from Spark cluster to Postgres"
   count                    = length(var.spark_cluster_sg_ids)
   from_port                = 5432
   protocol                 = "tcp"
@@ -25,6 +27,7 @@ resource "aws_security_group_rule" "spark_cluster" {
 }
 
 resource "aws_security_group_rule" "additional_cidrs" {
+  description       = "Rule for ingress from additional CIDRs to Postgres"
   count             = length(var.additional_cidrs) == 0 ? 0 : 1
   from_port         = 5432
   protocol          = "tcp"

variables.tf

@@ -1,16 +1,16 @@
 variable "password" {
-  description = "The postgres password"
+  description = "The password for the master DB user."
   type        = string
 }
 
 variable "username" {
-  description = "The postgres username"
+  description = "The username for the master DB user."
   type        = string
   default     = "tamr"
 }
 
 variable "postgres_name" {
-  description = "The name of the postgres instance"
+  description = "The name of the postgres database to create on the DB instance"
   type        = string
   default     = "tamr_rds_db"
 }
@@ -23,7 +23,7 @@ variable "parameter_group_name" {
 
 variable "identifier_prefix" {
   description = "Identifier prefix for the RDS instance"
-  type        = "string"
+  type        = string
   default     = "tamr-rds-"
 }
 
@@ -110,12 +110,12 @@ variable "security_group_name" {
 }
 
 variable "tamr_vm_sg_id" {
-  description = "Security group id attached to the tamr vm"
+  description = "Tamr VM security group ID to allow ingress from"
   type        = string
 }
 
 variable "spark_cluster_sg_ids" {
-  description = "Security group is attached to the ec2 instances of EMR Spark"
+  description = "List of Spark service access security group IDs to allow ingress from"
   type        = list(string)
 }