Terraform013

templates/README.md

@@ -1,5 +1,3 @@
-
-
 # Overview
 Your infrastructure should be up and running, your terraform repository is the source of truth for your infrastructure, here is [a list of components and resources][zero-resource-list] that comes with the EKS-stack
 

templates/kubernetes/terraform/modules/kubernetes/README.md

@@ -38,7 +38,7 @@ The `cert_manager.tf` config has a good example of using this in practice. To al
 ```
 module "iam_assumable_role_my_role_name" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version                       = "~> v2.6.0"
+  version                       = "~> v2.14.0"
   create_role                   = true
   role_name                     = "my-role-name"
   provider_url                  = replace(data.aws_eks_cluster.cluster.identity.0.oidc.0.issuer, "https://", "")

templates/kubernetes/terraform/modules/kubernetes/cert_manager.tf

@@ -87,7 +87,7 @@ resource "helm_release" "cert_manager" {
 # Create a role using oidc to map service accounts
 module "iam_assumable_role_cert_manager" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version                       = "~> v2.6.0"
+  version                       = "~> v2.14.0"
   create_role                   = true
   role_name                     = "<% .Name %>-k8s-${var.environment}-cert-manager"
   provider_url                  = replace(data.aws_eks_cluster.cluster.identity.0.oidc.0.issuer, "https://", "")

templates/kubernetes/terraform/modules/kubernetes/cluster_autoscaler.tf

@@ -36,7 +36,7 @@ resource "helm_release" "cluster_autoscaler" {
 # Create a role using oidc to map service accounts
 module "iam_assumable_role_cluster_autoscaler" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version                       = "~> v2.6.0"
+  version                       = "~> v2.14.0"
   create_role                   = true
   role_name                     = "<% .Name %>-k8s-${var.environment}-cluster-autoscaler"
   provider_url                  = replace(data.aws_eks_cluster.cluster.identity.0.oidc.0.issuer, "https://", "")

templates/kubernetes/terraform/modules/kubernetes/database-service.tf

@@ -9,9 +9,12 @@ resource "kubernetes_namespace" "app_namespace" {
 }
 
 resource "kubernetes_service" "app_db" {
+  ## this should match the deployable backend's name/namespace
+  ## it uses this service to connect and create application user
+  ## https://github.com/commitdev/zero-deployable-backend/blob/b2cee21982b1e6a0ac9996e2a1bf214e5bf10ab5/db-ops/create-db-user.sh#L6
   metadata {  
     namespace = kubernetes_namespace.app_namespace.metadata[0].name
-    name = "<% .Name %>"
+    name = "database"
   }
   spec {
     type = "ExternalName"

templates/kubernetes/terraform/modules/kubernetes/external_dns.tf

@@ -1,7 +1,7 @@
 # Create a role using oidc to map service accounts
 module "iam_assumable_role_external_dns" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version                       = "~> v2.6.0"
+  version                       = "~> v2.14.0"
   create_role                   = true
   role_name                     = "<% .Name %>-k8s-${var.environment}-external-dns"
   provider_url                  = replace(data.aws_eks_cluster.cluster.identity.0.oidc.0.issuer, "https://", "")

templates/kubernetes/terraform/modules/kubernetes/monitoring/main.tf

@@ -5,7 +5,7 @@ data "aws_eks_cluster" "cluster" {
 # Create a role using oidc to map service accounts
 module "iam_assumable_role_cloudwatch" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version                       = "~> v2.6.0"
+  version                       = "~> v2.14.0"
   create_role                   = true
   role_name                     = "<% .Name %>-k8s-${var.environment}-cloudwatch"
   provider_url                  = replace(data.aws_eks_cluster.cluster.identity.0.oidc.0.issuer, "https://", "")
@@ -16,7 +16,7 @@ module "iam_assumable_role_cloudwatch" {
 # Create a role using oidc to map service accounts
 module "iam_assumable_role_fluentd" {
   source                        = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version                       = "~> v2.6.0"
+  version                       = "~> v2.14.0"
   create_role                   = true
   role_name                     = "<% .Name %>-k8s-${var.environment}-fluentd"
   provider_url                  = replace(data.aws_eks_cluster.cluster.identity.0.oidc.0.issuer, "https://", "")

templates/terraform/README.md

@@ -1,12 +1,12 @@
 ## Guidelines & Style Convention Summary
 
 - All Terraform configuration should be formatted with `terraform fmt` before being accepted into this repository.
-- This repository is Terraform version >= 0.12, as such, leverage features from this release whenever possible.
+- This repository is Terraform version >= 0.13, as such, leverage features from this release whenever possible.
     See https://www.terraform.io/upgrade-guides/0-12.html for more information.
 - Leverage community-maintained Terraform modules whenever possible.
 - Attempt to minimize duplication whenever possible, but only within reason -- sometimes duplication is an acceptable solution.
 - Follow style conventions described in `docs/guide.pdf` whenever possible.
-- Whenever possible, inject resources down versus referencing resources across modules. This has been made easier with new features in v0.12.
+- Whenever possible, inject resources down versus referencing resources across modules. This has been made easier with new features in v0.13.
 - Whenever possible, define the types of variables.
 
 ### Module Conventions

templates/terraform/bootstrap/secrets/main.tf

@@ -5,7 +5,7 @@ provider "aws" {
 
 
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
 }
 
 locals {

templates/terraform/environments/prod/main.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
   backend "s3" {
     bucket         = "<% .Name %>-prod-terraform-state"
     key            = "infrastructure/terraform/environments/production/main"
@@ -39,6 +39,7 @@ module "prod" {
   domain_name = "<% index .Params `productionHostRoot` %>"
 
   # DB configuration
+  database = "<% index .Params `database` %>"
   db_instance_class = "db.t3.small"
   db_storage_gb = 100
 

templates/terraform/environments/stage/main.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
   backend "s3" {
     bucket         = "<% .Name %>-stage-terraform-state"
     key            = "infrastructure/terraform/environments/staging/main"
@@ -40,6 +40,7 @@ module "stage" {
   vpc_use_single_nat_gateway = true
 
   # DB configuration
+  database = "<% index .Params `database` %>"
   db_instance_class = "db.t3.small"
   db_storage_gb = 20
 }

templates/terraform/modules/certificate/versions.tf

@@ -1,4 +1,4 @@
 
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
 }

templates/terraform/modules/database/main.tf

@@ -9,13 +9,19 @@ module "rds_security_group" {
 
   number_of_computed_ingress_with_source_security_group_id = 1
   computed_ingress_with_source_security_group_id = [
-    {
+    var.database == "postgres" ? {
       from_port   = 5432
       to_port     = 5432
       protocol    = "tcp"
       description = "PostgreSQL from EKS"
       source_security_group_id = "${var.allowed_security_group_id}"
-    },
+    }:{
+      from_port   = 3306
+      to_port     = 3306
+      protocol    = "tcp"
+      description = "MYSQL from EKS"
+      source_security_group_id = "${var.allowed_security_group_id}"
+    }
   ]
 
   egress_rules        = ["all-all"]
@@ -39,9 +45,10 @@ data "aws_secretsmanager_secret_version" "rds_master_secret" {
   secret_id = data.aws_secretsmanager_secret.rds_master_secret.name
 }
 
-module "rds" {
+module "rds_postgres" {
+  count = var.database_engine == "postgres" ? 1 : 0
   source  = "terraform-aws-modules/rds/aws"
-  version = "2.14.0"
+  version = "2.17.0"
 
   identifier = "${var.project}-${var.environment}"
 
@@ -78,11 +85,69 @@ module "rds" {
   # Enhanced monitoring
   performance_insights_enabled = true
   create_monitoring_role = true
-  monitoring_role_name = "${var.project}-${var.environment}-rds-monitoring-role"
+  monitoring_role_name = "${var.project}-${var.environment}-rds-postgres-monitoring-role"
+  monitoring_interval = "30"
+
+  tags = {
+    Name = "${var.project}-${var.environment}-rds-postgres"
+    Env  = "${var.environment}"
+  }
+  depends_on = [module.rds_security_group]
+}
+
+module "rds_mysql" {
+  count = var.database_engine == "mysql" ? 1 : 0
+  source  = "terraform-aws-modules/rds/aws"
+  version = "2.17.0"
+
+  identifier = "${var.project}-${var.environment}"
+
+  engine            = "mysql"
+  engine_version    = "5.7"
+  instance_class    = var.instance_class
+  allocated_storage = var.storage_gb
+  storage_encrypted = true
+
+  name     = "${replace(var.project, "-", "")}"
+  username = "master_user"
+  password = "${data.aws_secretsmanager_secret_version.rds_master_secret.secret_string}"
+  port     = "3306"
+
+  vpc_security_group_ids = ["${module.rds_security_group.this_security_group_id}"]
+
+  maintenance_window = "Mon:00:00-Mon:03:00"
+  backup_window      = "03:00-06:00"
+
+  # disable backups to create DB faster in non-production environments
+  backup_retention_period = var.environment == "production" ? 30 : 0
+
+  # Subnet is created by the vpc module
+  create_db_subnet_group = false
+  db_subnet_group_name = "${var.project}-${var.environment}-vpc"
+
+  # DB parameter and option group
+  family = "mysql5.7"
+  major_engine_version = "5.7"
+
+  final_snapshot_identifier = "final-snapshot"
+  deletion_protection = true
+
+  # Enhanced monitoring
+  # Seems like mysql doesnt have performance insight on this instance size 
+  # Amazon RDS for MySQL
+  # 8.0.17 and higher 8.0 versions, version 5.7.22 and higher 5.7 versions,
+  # and version 5.6.41 and higher 5.6 versions. Not supported for version 5.5. 
+  # Not supported on the following DB instance classes: 
+  # db.t2.micro, db.t2.small, db.t3.micro, db.t3.small, 
+  # all db.m6g instance classes, and all db.r6g instance classes.
+  performance_insights_enabled = false
+  create_monitoring_role = true
+  monitoring_role_name = "${var.project}-${var.environment}-rds-mysql-monitoring-role"
   monitoring_interval = "30"
 
   tags = {
     Name = "${var.project}-${var.environment}-rds-postgres"
     Env  = "${var.environment}"
   }
+  depends_on = [module.rds_security_group]
 }

templates/terraform/modules/database/variables.tf

@@ -21,3 +21,7 @@ variable "instance_class" {
 variable "storage_gb" {
   description = "The amount of storage to allocate for the db, in GB"
 }
+
+variable "database_engine" {
+  description = "Which database engine to use, currently supports `postgres` or `mysql`"
+}

templates/terraform/modules/database/versions.tf

@@ -1,4 +1,4 @@
 
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
 }

templates/terraform/modules/ecr/versions.tf

@@ -1,4 +1,4 @@
 
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
 }

templates/terraform/modules/eks/versions.tf

@@ -1,4 +1,4 @@
 
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
 }

templates/terraform/modules/environment/main.tf

@@ -79,6 +79,7 @@ module "db" {
   allowed_security_group_id = module.eks.worker_security_group_id
   instance_class            = var.db_instance_class
   storage_gb                = var.db_storage_gb
+  database_engine             = var.database
 }
 
 module "ecr" {

templates/terraform/modules/environment/variables.tf

@@ -63,3 +63,8 @@ variable "vpc_use_single_nat_gateway" {
   type        = bool
   default     = true
 }
+
+variable "database" {
+  default = "postgres"
+  description = "Which database engine to use, currently supports postgres or mysql"
+}

templates/terraform/modules/environment/versions.tf

@@ -1,3 +1,3 @@
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
 }

templates/terraform/modules/s3_hosting/versions.tf

@@ -1,4 +1,4 @@
 
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
 }

templates/terraform/modules/secret/versions.tf

@@ -1,4 +1,4 @@
 
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
 }

templates/terraform/modules/vpc/versions.tf

@@ -1,4 +1,4 @@
 
 terraform {
-  required_version = ">= 0.12"
+  required_version = ">= 0.13"
 }

zero-module.yml

@@ -61,6 +61,11 @@ parameters:
       type: regex
       value: '^([a-z0-9]+(-[a-z0-9]+)*\.)$'
       errorMessage: Invalid subdomain (cannot contain special chars & must end with a '.')
+  - field: database
+    label: Database engine to use (postgres)
+    options:
+      - "postgres"
+      - "mysql"
   - field: accountId
     label: AWS Account ID
     execute: aws sts get-caller-identity --query "Account" | tr -d '"'
@@ -70,4 +75,3 @@ parameters:
   - field: randomSeed
     label: Random seed that will be shared between projects to come up with deterministic resource names
     execute: uuidgen | head -c 8
-