Add encryption to RDS (#59)

* Fix readme and cloudwatch+docker dep

* Initial commit

* Changing defaults

* Adding proxy.env content and fixing redis.env merge

Author: LeoDiazL

README.md

@@ -191,7 +191,7 @@ The following inputs can be used as `step.with` keys
 #### **Load Balancer Inputs**
 | Name             | Type    | Description                        |
 |------------------|---------|------------------------------------|
-| `aws_elb_create` | Boolean | Toggles the creation of a load balancer and map ports to the EC2 instance. Defaults to `true`.|
+| `aws_elb_create` | Boolean | Toggles the creation of a load balancer and map ports to the EC2 instance. Defaults to `false`.|
 | `aws_elb_security_group_name` | String | The name of the ELB security group. Defaults to `SG for ${aws_resource_identifier} - ELB`. |
 | `aws_elb_app_port` | String | Port in the EC2 instance to be redirected to. Default is `3000`. Accepts comma separated values like `3000,3001`. | 
 | `aws_elb_app_protocol` | String | Protocol to enable. Could be HTTP, HTTPS, TCP or SSL. Defaults to `TCP`. If length doesn't match, will use `TCP` for all.|
@@ -240,10 +240,16 @@ The following inputs can be used as `step.with` keys
 | `aws_rds_db_subnets`| String | Specify which subnets to use as a list of strings.  Example: `i-1234,i-5678,i-9101`. |
 | `aws_rds_db_allocated_storage`| String | Storage size. Defaults to `10`. |
 | `aws_rds_db_max_allocated_storage`| String | Max storage size. Defaults to `0` to disable auto-scaling. |
+| `aws_rds_db_storage_encrypted` | Boolean | Toogle storage encryption. Defatuls to false. |
+| `aws_rds_db_storage_type` | String | Storage type. Like gp2 / gp3. Defaults to gp2. |
+| `aws_rds_db_kms_key_id` | String | The ARN for the KMS encryption key. |
 | `aws_rds_db_instance_class`| String | DB instance server type. Defaults to `db.t3.micro`. See [this list](https://aws.amazon.com/rds/instance-types/). |
 | `aws_rds_db_final_snapshot` | String | If final snapshot is wanted, add a snapshot name. Leave emtpy if not. |
 | `aws_rds_db_restore_snapshot_identifier` | String | Name of the snapshot to restore the databse from. |
 | `aws_rds_db_cloudwatch_logs_exports`| String | Set of log types to enable for exporting to CloudWatch logs. Defaults to `postgresql`. Options are MySQL and MariaDB: `audit,error,general,slowquery`. PostgreSQL: `postgresql,upgrade`. MSSQL: `agent,error`. Oracle: `alert,audit,listener,trace`. |
+| `aws_rds_db_multi_az` | Boolean| Specifies if the RDS instance is multi-AZ. Defaults to `false`. |
+| `aws_rds_db_maintenance_window` | String | The window to perform maintenance in. Eg: `Mon:00:00-Mon:03:00` |
+| `aws_rds_db_apply_immediately` | Boolean | Specifies whether any database modifications are applied immediately, or during the next maintenance window. Defaults to `false`.|
 | `aws_rds_db_additional_tags` | JSON | Add additional tags to the terraform [default tags](https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider), any tags put here will be added to RDS provisioned resources.|
 <hr/>
 <br/>

action.yaml

@@ -353,6 +353,15 @@ inputs:
   aws_rds_db_max_allocated_storage:
     description: 'Max storage size. Defaults to 0 to disable auto-scaling.'
     required: false
+  aws_rds_db_storage_encrypted:
+    description: 'Toogle storage encryption. Defatuls to false.'
+    required: false
+  aws_rds_db_storage_type:
+    description: 'Storage type. Like gp2 / gp3. Defaults to gp2.'
+    required: false
+  aws_rds_db_kms_key_id:
+    description: 'The ARN for the KMS encryption key.'
+    required: false
   aws_rds_db_instance_class:
     description: 'DB instance server type. Defaults to db.t3.micro.'
     required: false
@@ -365,6 +374,15 @@ inputs:
   aws_rds_db_cloudwatch_logs_exports:
     description: 'Set of log types to enable for exporting to CloudWatch logs.'
     required: false
+  aws_rds_db_multi_az:
+    description: 'Specifies if the RDS instance is multi-AZ'
+    required: false
+  aws_rds_db_maintenance_window:
+    description: 'The window to perform maintenance in. Eg: Mon:00:00-Mon:03:00 '
+    required: false
+  aws_rds_db_apply_immediately:
+    description: 'Specifies whether any database modifications are applied immediately, or during the next maintenance window'
+    required: false
   aws_rds_db_additional_tags:
     description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
     required: false
@@ -1041,10 +1059,16 @@ runs:
         AWS_RDS_DB_SUBNETS: ${{ inputs.aws_rds_db_subnets }}
         AWS_RDS_DB_ALLOCATED_STORAGE: ${{ inputs.aws_rds_db_allocated_storage }}
         AWS_RDS_DB_MAX_ALLOCATED_STORAGE: ${{ inputs.aws_rds_db_max_allocated_storage }}
+        AWS_RDS_DB_STORAGE_ENCRYPTED: ${{ inputs.aws_rds_db_storage_encrypted }}
+        AWS_RDS_DB_STORAGE_TYPE: ${{ inputs.aws_rds_db_storage_type }}
+        AWS_RDS_DB_KMS_KEY_ID: ${{ inputs.aws_rds_db_kms_key_id }}
         AWS_RDS_DB_INSTANCE_CLASS: ${{ inputs.aws_rds_db_instance_class }}
         AWS_RDS_DB_FINAL_SNAPSHOT: ${{ inputs.aws_rds_db_final_snapshot }}
         AWS_RDS_DB_RESTORE_SNAPSHOT_IDENTIFIER: ${{ inputs.aws_rds_db_restore_snapshot_identifier }}
         AWS_RDS_DB_CLOUDWATCH_LOGS_EXPORTS: ${{ inputs.aws_rds_db_cloudwatch_logs_exports }}
+        AWS_RDS_DB_MULTI_AZ: ${{ inputs.aws_rds_db_multi_az }}
+        AWS_RDS_DB_MAINTENANCE_WINDOWS: ${{ inputs.aws_rds_db_maintenance_window }}
+        AWS_RDS_DB_APPLY_IMMEDIATELY: ${{ inputs.aws_rds_db_apply_immediately }}
         AWS_RDS_DB_ADDITIONAL_TAGS: ${{ inputs.aws_rds_db_additional_tags }}
 
         # AWS AURORA

operations/_scripts/generate/generate_vars_terraform.sh

@@ -176,10 +176,16 @@ if [[ $(alpha_only "$AWS_RDS_DB_ENABLE") == true ]]; then
   aws_rds_db_subnets=$(generate_var aws_rds_db_subnets $AWS_RDS_DB_SUBNETS)
   aws_rds_db_allocated_storage=$(generate_var aws_rds_db_allocated_storage $AWS_RDS_DB_ALLOCATED_STORAGE)
   aws_rds_db_max_allocated_storage=$(generate_var aws_rds_db_max_allocated_storage $AWS_RDS_DB_MAX_ALLOCATED_STORAGE)
+  aws_rds_db_storage_encrypted=$(generate_var aws_rds_db_storage_encrypted $AWS_RDS_DB_STORAGE_ENCRYPTED)
+  aws_rds_db_storage_type=$(generate_var aws_rds_db_storage_type $AWS_RDS_DB_STORAGE_TYPE)
+  aws_rds_db_kms_key_id=$(generate_var aws_rds_db_kms_key_id $AWS_RDS_DB_KMS_KEY_ID)
   aws_rds_db_instance_class=$(generate_var aws_rds_db_instance_class $AWS_RDS_DB_INSTANCE_CLASS)
   aws_rds_db_final_snapshot=$(generate_var aws_rds_db_final_snapshot $AWS_RDS_DB_FINAL_SNAPSHOT)
   aws_rds_db_restore_snapshot_identifier=$(generate_var aws_rds_db_restore_snapshot_identifier $AWS_RDS_DB_RESTORE_SNAPSHOT_IDENTIFIER)
   aws_rds_db_cloudwatch_logs_exports=$(generate_var aws_rds_db_cloudwatch_logs_exports $AWS_RDS_DB_CLOUDWATCH_LOGS_EXPORTS)
+  aws_rds_db_multi_az=$(generate_var aws_rds_db_multi_az $AWS_RDS_DB_MULTI_AZ)
+  aws_rds_db_maintenance_window=$(generate_var aws_rds_db_maintenance_window $AWS_RDS_DB_MAINTENANCE_WINDOWS)
+  aws_rds_db_apply_immediately=$(generate_var aws_rds_db_apply_immediately $AWS_RDS_DB_APPLY_IMMEDIATELY)
   aws_rds_db_additional_tags=$(generate_var aws_rds_db_additional_tags $AWS_RDS_DB_ADDITIONAL_TAGS)
 fi
 
@@ -473,10 +479,16 @@ $aws_rds_db_port
 $aws_rds_db_subnets
 $aws_rds_db_allocated_storage
 $aws_rds_db_max_allocated_storage
+$aws_rds_db_storage_encrypted
+$aws_rds_db_storage_type
+$aws_rds_db_kms_key_id
 $aws_rds_db_instance_class
 $aws_rds_db_final_snapshot
 $aws_rds_db_restore_snapshot_identifier
 $aws_rds_db_cloudwatch_logs_exports
+$aws_rds_db_multi_az
+$aws_rds_db_maintenance_window
+$aws_rds_db_apply_immediately
 $aws_rds_db_additional_tags
 
 #-- AURORA --#

operations/deployment/terraform/aws/aws_variables.tf

@@ -480,6 +480,24 @@ variable "aws_rds_db_max_allocated_storage" {
   default     = "0"
 }
 
+variable "aws_rds_db_storage_encrypted" {
+  type        = bool
+  description = "Toogle storage encryption. Defatuls to false."
+  default     = false
+}
+
+variable "aws_rds_db_storage_type" {
+  type        = string
+  description = "Storage type. Like gp2 / gp3. Defaults to gp2."
+  default     = ""
+}
+
+variable "aws_rds_db_kms_key_id" {
+  type        = string
+  description = "The ARN for the KMS encryption key."
+  default     = ""
+}
+
 variable "aws_rds_db_instance_class" {
   type        = string
   description = "Server size"
@@ -504,6 +522,24 @@ variable "aws_rds_db_cloudwatch_logs_exports" {
   default     = "postgresql"
 }
 
+variable "aws_rds_db_multi_az" {
+  type        = bool
+  description = "Specifies if the RDS instance is multi-AZ"
+  default     = false
+}
+
+variable "aws_rds_db_maintenance_window" {
+  type        = string
+  description = "The window to perform maintenance in. Eg: Mon:00:00-Mon:03:00 "
+  default     = ""
+}
+
+variable "aws_rds_db_apply_immediately" {
+  type        = bool
+  description = "Specifies whether any database modifications are applied immediately, or during the next maintenance window"
+  default     = false
+}
+
 variable "aws_rds_db_additional_tags" {
   type        = string
   description = "A list of strings that will be added to created resources"

operations/deployment/terraform/aws/bitops.after-deploy.d/merge-tf-env.sh

@@ -6,28 +6,32 @@ set -e
 echo "BitOps Ansible before script: Merge Terraform Enviornment Variables..."
 
 ANSIBLE_DIR=ansible/clone_repo
-TERRAFORM_PATH=terraform/aws
+AWS_TERRAFORM_PATH=terraform/aws
+#COMMONS_TERRAFORM_PATH=terraform/commons
 
 # Merging order
-order=ec2,efs,rds,aurora,reids,repo,ghv,ghs,aws
+order=ec2,efs,rds,aurora,redis,proxy,repo,ghv,ghs,aws
 
 # Ansible dotenv file -> The final destination of all
 ENV_OUT_FILE="${BITOPS_ENVROOT}/${ANSIBLE_DIR}/app.env"
 
 # TF dotenv file
-ENV_EC2_FILE="${BITOPS_ENVROOT}/${TERRAFORM_PATH}/ec2.env"
+ENV_EC2_FILE="${BITOPS_ENVROOT}/${AWS_TERRAFORM_PATH}/ec2.env"
 
 # EFS dotenv file
-ENV_EFS_FILE="${BITOPS_ENVROOT}/${TERRAFORM_PATH}/efs.env"
+ENV_EFS_FILE="${BITOPS_ENVROOT}/${AWS_TERRAFORM_PATH}/efs.env"
 
 # RDS dotenv file
-ENV_RDS_FILE="${BITOPS_ENVROOT}/${TERRAFORM_PATH}/rds.env"
+ENV_RDS_FILE="${BITOPS_ENVROOT}/${AWS_TERRAFORM_PATH}/rds.env"
 
 # Aurora dotenv file
-ENV_AURORA_FILE="${BITOPS_ENVROOT}/${TERRAFORM_PATH}/aurora.env"
+ENV_AURORA_FILE="${BITOPS_ENVROOT}/${AWS_TERRAFORM_PATH}/aurora.env"
 
 # Redis dotenv file
-ENV_REDIS_FILE="${BITOPS_ENVROOT}/${TERRAFORM_PATH}/redis.env"
+ENV_REDIS_FILE="${BITOPS_ENVROOT}/${AWS_TERRAFORM_PATH}/redis.env"
+
+# Proxy dotenv file
+ENV_PROXY_FILE="${BITOPS_ENVROOT}/${AWS_TERRAFORM_PATH}/proxy.env"
 
 # Repo env file
 ENV_REPO_FILE="${BITOPS_ENVROOT}/env-files/repo.env"
@@ -39,7 +43,7 @@ ENV_GHV_FILE="${BITOPS_ENVROOT}/env-files/ghv.env"
 ENV_GHS_FILE="${BITOPS_ENVROOT}/env-files/ghs.env"
 
 # TF AWS dotenv file
-ENV_AWS_SECRET_FILE="${BITOPS_ENVROOT}/${TERRAFORM_PATH}/aws.env"
+ENV_AWS_SECRET_FILE="${BITOPS_ENVROOT}/${AWS_TERRAFORM_PATH}/aws.env"
 
 # Make sure app.env is empty, if not, delete it and create one.
 
@@ -98,6 +102,10 @@ function process {
       # Code to be executed for option9
       merge $ENV_REDIS_FILE "Redis"
       ;;
+    proxy)
+      # Code to be executed for option9
+      merge $ENV_PROXY_FILE "Proxy"
+      ;;
     *)
       # Code to be executed if no matching option is found
       echo "Invalid option"

operations/deployment/terraform/aws/bitovi_main.tf

@@ -146,10 +146,16 @@ module "rds" {
   aws_rds_db_subnets                     = var.aws_rds_db_subnets
   aws_rds_db_allocated_storage           = var.aws_rds_db_allocated_storage
   aws_rds_db_max_allocated_storage       = var.aws_rds_db_max_allocated_storage
+  aws_rds_db_storage_encrypted           = var.aws_rds_db_storage_encrypted
+  aws_rds_db_storage_type                = var.aws_rds_db_storage_type
+  aws_rds_db_kms_key_id                  = var.aws_rds_db_kms_key_id
   aws_rds_db_instance_class              = var.aws_rds_db_instance_class
   aws_rds_db_final_snapshot              = var.aws_rds_db_final_snapshot
   aws_rds_db_restore_snapshot_identifier = var.aws_rds_db_restore_snapshot_identifier
   aws_rds_db_cloudwatch_logs_exports     = var.aws_rds_db_cloudwatch_logs_exports
+  aws_rds_db_multi_az                    = var.aws_rds_db_multi_az
+  aws_rds_db_maintenance_window          = var.aws_rds_db_maintenance_window
+  aws_rds_db_apply_immediately           = var.aws_rds_db_apply_immediately
   # Others
   aws_selected_vpc_id                    = module.vpc.aws_selected_vpc_id
   aws_subnets_vpc_subnets_ids            = module.vpc.aws_selected_vpc_subnets
@@ -294,6 +300,13 @@ module "db_proxy" {
   }
 }
 
+module "proxy_dot_env" {
+  source   = "../modules/commons/dot_env"
+  filename = "proxy.env"
+  content  = join("\n",[try(module.db_proxy_aurora.proxy_dot_env,""),try(module.db_proxy_rds.proxy_dot_env,""),try(module.db_proxy.proxy_dot_env,"")])
+  depends_on = [ module.db_proxy_aurora,module.db_proxy_rds,module.db_proxy_rds ]
+}
+
 module "redis" {
   source = "../modules/aws/redis"
   count  = var.aws_redis_enable ? 1 : 0

operations/deployment/terraform/modules/aws/db_proxy/aws_dotenv_proxy.tf

@@ -3,14 +3,12 @@
 locals {
   var_name  = var.aws_rds_db_proxy ? "DB_PROXY" : var.aws_aurora_proxy ? "DBA_PROXY" : "PROXY_ENDPOINT"
   file_name = var.aws_rds_db_proxy ? "rds" : var.aws_aurora_proxy ? "aurora" : "proxy"
+  dot_env   = <<-EOT
+#### Proxy values for ${local.file_name}
+${local.var_name}=${aws_db_proxy.rds_proxy[0].endpoint}"
+EOT
 }
 
-
-resource "local_file" "aurora-dotenv" {
-  filename = format("%s/%s", abspath(path.root), "proxy.${local.file_name}.env")
-  content  = <<-EOT
-
-#### Proxy values
-${local.var_name}=${aws_db_proxy.rds_proxy[0].endpoint}
-EOT
+output "proxy_dot_env" {
+  value = local.dot_env
 }

operations/deployment/terraform/modules/aws/rds/aws_rds.tf

@@ -62,6 +62,9 @@ resource "aws_db_instance" "default" {
   port                             = var.aws_rds_db_port != null ? tonumber(var.aws_rds_db_port) : null
   allocated_storage                = tonumber(var.aws_rds_db_allocated_storage)
   max_allocated_storage            = tonumber(var.aws_rds_db_max_allocated_storage)
+  storage_encrypted                = var.aws_rds_db_storage_encrypted
+  storage_type                     = var.aws_rds_db_storage_type
+  kms_key_id                       = var.aws_rds_db_kms_key_id
   instance_class                   = var.aws_rds_db_instance_class
   username                         = var.aws_rds_db_user != null ? var.aws_rds_db_user : "dbuser"
   password                         = random_password.rds.result
@@ -71,6 +74,9 @@ resource "aws_db_instance" "default" {
   publicly_accessible              = var.aws_rds_db_publicly_accessible 
   enabled_cloudwatch_logs_exports  = [var.aws_rds_db_cloudwatch_logs_exports]
   vpc_security_group_ids           = [aws_security_group.rds_db_security_group.id]
+  multi_az                         = var.aws_rds_db_multi_az
+  maintenance_window               = var.aws_rds_db_maintenance_window
+  apply_immediately                = var.aws_rds_db_apply_immediately
   tags = {
     Name = "${var.aws_resource_identifier}-rds"
   }

operations/deployment/terraform/modules/aws/rds/aws_rds_vars.tf

@@ -12,10 +12,16 @@ variable "aws_rds_db_port" {}
 variable "aws_rds_db_subnets" {}
 variable "aws_rds_db_allocated_storage" {}
 variable "aws_rds_db_max_allocated_storage" {}
+variable "aws_rds_db_storage_encrypted" {}
+variable "aws_rds_db_storage_type" {}
+variable "aws_rds_db_kms_key_id" {}
 variable "aws_rds_db_instance_class" {}
 variable "aws_rds_db_final_snapshot" {}
 variable "aws_rds_db_restore_snapshot_identifier" {}
 variable "aws_rds_db_cloudwatch_logs_exports" {}
+variable "aws_rds_db_multi_az" {}
+variable "aws_rds_db_maintenance_window" {}
+variable "aws_rds_db_apply_immediately" {}
 variable "aws_resource_identifier" {}
 variable "aws_resource_identifier_supershort" {}
 variable "aws_selected_vpc_id" {}

operations/deployment/terraform/modules/commons/dot_env/dot_env.tf

@@ -0,0 +1,12 @@
+resource "local_file" "file_dotenv" {
+  filename = format("%s/%s", abspath(path.root), var.filename)
+  content  = sensitive(var.content)
+}
+
+variable "content" {
+  type = string
+}
+
+variable "filename" {
+  type = string
+}