added public accessibility flag and greatly improved module documentation and reusability

apolloakora · apolloakora · commit ef6a1146261c · 2019-09-22T23:12:33.000+01:00
diff --git a/README.md b/README.md
@@ -58,11 +58,11 @@ This AWS PostgreSQL database terraform module requires these input variables.
 
 | Input Variable | Type | Comment |
 |:-------- |:---- |:------- |
-**in_database_name** | String | **alphanumeric only name** to give the new database and it must start with a letter - note that providing a different name causes terraform to create a different database
-**in_clone_snapshot** | Boolean | if true the in_id_of_db_to_clone must be provided and will cause the database to be created from the last available snapshot of the specified database
-**in_id_of_db_to_clone** | String | this ID must be provided if **`in_clone_snapshot`** is true causing the database to be created from the last available snapshot
-**in_security_group_id** | String | the security group that will constrain traffic to and from the  database
-**in_db_subnet_ids** | List | list of private subnet IDs in at least two availability zones (see example) for housing database instances
+**`in_database_name`** | String | **alphanumeric only name** to give the new database and it must start with a letter - note that providing a different name causes terraform to create a different database
+**`in_clone_snapshot`** | Boolean | if true the in_id_of_db_to_clone must be provided and will cause the database to be created from the last available snapshot of the specified database
+**`in_id_of_db_to_clone`** | String | this ID must be provided if **`in_clone_snapshot`** is true causing the database to be created from the last available snapshot
+**`in_security_group_id`** | String | the security group that will constrain traffic to and from the  database
+**`in_db_subnet_ids`** | List | list of private subnet IDs in at least two availability zones (see example) for housing database instances
 
 
 ### Resource Tag Inputs
@@ -84,11 +84,9 @@ $ export TF_VAR_in_description="was created by $USER@$HOSTNAME on $(date)."
 
 ## Outputs
 
-| Output Variable          | Type   | Comment |
-|:------------------------ |:------ |:------- |
-**out_database_username**  | String | The first database username prefixed with user_rw_ followed by randomized characters.
-**out_database_password**  | String | Robust terraform created 48 character password that includes the allowed special characters
-**out_clone_db_hostname**  | String | The addressable hostname of the database that has been cloned from a snapshot
-**out_clone_db_endpoint**  | String | The database endpoint with protool suffix of the database that has been cloned from a snapshot
-**out_fresh_db_hostname**  | String | The addressable hostname of the newly created (fresh) database
-**out_fresh_db_endpoint**  | String | The database endpoint with protool suffix of the newly created (fresh) database
+| Output Variable            | Type   | Comment |
+|:-------------------------- |:------ |:------- |
+**`out_database_username`**  | String | The first database username prefixed with user_rw_ followed by randomized characters.
+**`out_database_password`**  | String | Robust terraform created 48 character password that includes the allowed special characters
+**`out_clone_db_hostname`**  | String | The addressable hostname of the database that has been cloned from a snapshot
+**`out_fresh_db_hostname`**  | String | The addressable hostname of the newly created (fresh) database
diff --git a/example/README.md b/example/README.md
@@ -0,0 +1,83 @@
+
+# Terraform Docker Example | Clone PostgreSQL Database | Create New PostgreSQL Database
+
+This example clones an RDS PostgreSQL database and creates a brand new RDS database.
+
+### Step 1 | git clone into docker volume
+
+First we create a docker volume (called **`vol.postgres.tfstate`**) and add the terraform module code to it by way of an **alpine git** container.
+
+```
+docker volume create vol.postgres.tfstate
+docker run --interactive \
+           --tty         \
+	   --rm          \
+	   --volume vol.postgres.tfstate:/terraform-work \
+	   alpine/git \
+	   clone https://github.com/devops4me/terraform-aws-postgres-rds /terraform-work
+sudo ls -lah /var/lib/docker/volumes/vol.postgres.tfstate/_data
+```
+
+**verify** - when you list the files in the container you will see the terraform module's contents there.
+
+
+### Step 2 | terraform init via docker
+
+As our volume contains the terraform module code from git we are now ready to perform a terraform init. We use the **[devops4me/terraform container](https://cloud.docker.com/repository/docker/devops4me/terraform/general)** container which adds a VOLUME mapping to the **[hashicorp/terraform](https://hub.docker.com/r/hashicorp/terraform/)** container at the **`/terraform-work`** location.
+
+```
+docker run --interactive \
+           --tty \
+	   --rm \
+	   --name vm.terraform \
+	   --volume vol.postgres.tfstate:/terraform-work \
+	   devops4me/terraform init example
+sudo ls -lah /var/lib/docker/volumes/vol.postgres.tfstate/_data
+```
+
+**verify** - the directory listing now contains a **`.terraform`** directory.
+
+
+
+### Step 3 | terraform apply via docker
+
+At last we can run the terraform apply. Provide a **role arn** only if your organization works with roles alongside the other 3 AWS authentication keys.
+
+```
+docker run --interactive \
+           --tty \
+	   --rm \
+	   --name vm.terraform \
+	   --env AWS_DEFAULT_REGION=<<aws-region-key>> \
+	   --env AWS_ACCESS_KEY_ID=<<aws-access-key>> \
+	   --env AWS_SECRET_ACCESS_KEY=<<aws-secret-key>> \
+	   --env TF_VAR_in_role_arn=<<aws-role-arn>> \
+	   --env TF_VAR_in_id_of_db_to_clone=<<database_id>> \
+	   --env TF_VAR_in_publicly_accessible=true \
+	   --volume vol.postgres.tfstate:/terraform-work \
+	   devops4me/terraform apply -auto-approve example
+sudo ls -lah /var/lib/docker/volumes/vol.postgres.tfstate/_data
+```
+
+**verify** - the **docker volume** now has a **tfstate file** which documents the state of your infrastructure after terraform apply.
+
+
+### Step 4 | terraform destroy via docker
+
+After running plan and apply either once or multiple times you may feel the need to **`terraform destroy`** the infrastructure.
+
+```
+docker run --interactive \
+           --tty \
+	   --rm \
+	   --name vm.terraform \
+	   --env AWS_DEFAULT_REGION=<<aws-region-key>> \
+	   --env AWS_ACCESS_KEY_ID=<<aws-access-key>> \
+	   --env AWS_SECRET_ACCESS_KEY=<<aws-secret-key>> \
+	   --env TF_VAR_in_role_arn=<<aws-role-arn>> \
+	   --volume vol.postgres.tfstate:/terraform-work \
+	   devops4me/terraform destroy -auto-approve example
+sudo ls -lah /var/lib/docker/volumes/vol.postgres.tfstate/_data
+```
+
+**verify** - check your AWS console and also note that the volume now has a **tfstate backup file** created by terraform.
diff --git a/example/postgres.example-main.tf b/example/postgres.example-main.tf
@@ -1,30 +1,31 @@
 
-### ############################ ###
-### Example RDS Postgres Outputs ###
-### ############################ ###
-
-output out_fresh_database_hostname { value = module.fresh_db.out_fresh_db_hostname }
-output out_fresh_database_endpoint { value = module.fresh_db.out_fresh_db_endpoint }
-
-output out_clone_database_hostname { value = module.clone_db.out_clone_db_hostname }
-output out_clone_database_endpoint { value = module.clone_db.out_clone_db_endpoint }
-
-output out_fresh_database_username { value = module.fresh_db.out_database_username }
-output out_fresh_database_password { value = module.fresh_db.out_database_password }
-
-output out_clone_database_username { value = module.clone_db.out_database_username }
-output out_clone_database_password { value = module.clone_db.out_database_password }
-
+/*
+ | --
+ | -- If you are using an IAM role as the AWS access mechanism then
+ | -- pass it as in_role_arn commonly through an environment variable
+ | -- named TF_VAR_in_role_arn in addition to the usual AWS access
+ | -- key, secret key and default region parameters.
+ | --
+*/
+provider aws {
+    dynamic assume_role {
+        for_each = length( var.in_role_arn ) > 0 ? [ var.in_role_arn ] : [] 
+        content {
+            role_arn = assume_role.value
+	}
+    }
+}
 
 module fresh_db {
 
     source = "./.."
 
-    in_security_group_id = module.security-group.out_security_group_id
-    in_db_subnet_ids     = module.vpc-network.out_private_subnet_ids
-    in_database_name     = local.fresh_db_name
+    in_publicly_accessible = var.in_publicly_accessible
+    in_db_subnet_ids       = var.in_publicly_accessible ? module.vpc-network.out_public_subnet_ids : module.vpc-network.out_private_subnet_ids
+    in_security_group_id   = module.security-group.out_security_group_id
+    in_database_name       = local.fresh_db_name
 
-    in_ecosystem  = local.ecosystem_name
+    in_ecosystem   = local.ecosystem_name
     in_timestamp   = local.timestamp
     in_description = local.description
 }
@@ -34,100 +35,53 @@ module clone_db {
 
     source = "./.."
 
-    in_security_group_id = module.security-group.out_security_group_id
-    in_db_subnet_ids     = module.vpc-network.out_private_subnet_ids
-    in_id_of_db_to_clone = var.in_id_of_db_to_clone
-    in_clone_snapshot = true
+    in_publicly_accessible = var.in_publicly_accessible
+    in_db_subnet_ids       = var.in_publicly_accessible ? module.vpc-network.out_public_subnet_ids : module.vpc-network.out_private_subnet_ids
+    in_id_of_db_to_clone   = var.in_id_of_db_to_clone
+    in_security_group_id   = module.security-group.out_security_group_id
+    in_clone_snapshot      = true
 
     in_database_name = local.clone_db_name
 
-    in_ecosystem  = local.ecosystem_name
+    in_ecosystem   = local.ecosystem_name
     in_timestamp   = local.timestamp
     in_description = local.description
 }
 
 
 module vpc-network {
 
-    source                 = "devops4me/vpc-network/aws"
-    version                = "1.0.2"
+    source  = "devops4me/vpc-network/aws"
+    version = "~> 1.0.2"
 
     in_vpc_cidr            = "10.81.0.0/16"
-    in_num_public_subnets  = 3
-    in_num_private_subnets = 3
+    in_num_public_subnets  = 2
+    in_num_private_subnets = var.in_publicly_accessible ? 0 : 2
 
-    in_ecosystem  = local.ecosystem_name
+    in_ecosystem   = local.ecosystem_name
     in_timestamp   = local.timestamp
     in_description = local.description
 }
 
 
 module security-group {
 
-    source         = "github.com/devops4me/terraform-aws-security-group"
-    in_ingress     = [ "postgres" ]
-    in_vpc_id      = module.vpc-network.out_vpc_id
+    source     = "github.com/devops4me/terraform-aws-security-group"
+    in_ingress = [ "postgres", "ssh" ]
+    in_vpc_id  = module.vpc-network.out_vpc_id
 
-    in_ecosystem_name  = local.ecosystem_name
-    in_tag_timestamp   = local.timestamp
-    in_tag_description = local.description
+    in_ecosystem   = local.ecosystem_name
+    in_timestamp   = local.timestamp
+    in_description = local.description
 }
 
 
 locals {
+
     fresh_db_name  = "brandnewdb"
     clone_db_name  = "snapshotdb"
-}
-
-
-variable in_id_of_db_to_clone {
-    description = "The ID of mummy database to clone from."
-}
-
-
 
-/*
- | --
- | -- If you are using an IAM role as the AWS access mechanism then
- | -- pass it as in_role_arn commonly through an environment variable
- | -- named TF_VAR_in_role_arn in addition to the usual AWS access
- | -- key, secret key and default region parameters.
- | --
- | -- Individuals and small businesses without hundreds of AWS accounts
- | -- can omit the in_role_arn variable. and thanks to dynamic assignment
- | --
-*/
-provider aws {
-    dynamic assume_role {
-        for_each = length( var.in_role_arn ) > 0 ? [ var.in_role_arn ] : [] 
-        content {
-            role_arn = assume_role.value
-	}
-    }
-}
-
-variable in_role_arn {
-    description = "The Role ARN to use when we assume role to implement the provisioning."
-    default = ""
-}
-
-
-/*
- | --
- | -- ### ############# ###
- | -- ### Resource Tags ###
- | -- ### ############# ###
- | --
- | -- Terraform will tag every significant resource allowing you to report and collate
- | --
- | --   [1] - all infrastructure in all environments dedicated to your app (ecosystem_name)
- | --   [2] - the infrastructure dedicated to this environment instance (timestamp)
- | --
- | -- The human readable description reveals the when, where and what of the infrastructure.
- | --
-*/
-locals {
-    ecosystem_name = "dbstack"
+    ecosystem_name = "sanjievesdb"
     timestamp = formatdate( "YYMMDDhhmmss", timestamp() )
     date_time = formatdate( "EEEE DD-MMM-YY hh:mm:ss ZZZ", timestamp() )
     description = "was created by me on ${ local.date_time }."
diff --git a/example/postgres.example-outputs.tf b/example/postgres.example-outputs.tf
@@ -0,0 +1,28 @@
+
+### ############################ ###
+### Example RDS Postgres Outputs ###
+### ############################ ###
+
+output out_fresh_database_hostname {
+    value = module.fresh_db.out_fresh_db_hostname
+}
+
+output out_fresh_database_username {
+    value = module.fresh_db.out_database_username
+}
+
+output out_fresh_database_password {
+    value = module.fresh_db.out_database_password
+}
+
+output out_clone_database_hostname {
+    value = module.clone_db.out_clone_db_hostname
+}
+
+output out_clone_database_username {
+    value = module.clone_db.out_database_username
+}
+
+output out_clone_database_password {
+    value = module.clone_db.out_database_password
+}
diff --git a/example/postgres.example-variables.tf b/example/postgres.example-variables.tf
@@ -0,0 +1,36 @@
+
+/*
+ | --
+ | -- If cloning the database then the module needs to know the RDS ID of
+ | -- the database whose last available snapshot will be sought after.
+ | --
+*/
+variable in_id_of_db_to_clone {
+    description = "The ID of mummy database to clone from."
+}
+
+
+/*
+ | --
+ | -- You must state whether you want the created databases to be publicly
+ | -- accessible or not. If yes then the database must live in public subnets.
+ | --
+*/
+variable in_publicly_accessible {
+    description = "Make the RDS database publicly accessible inside a public subnet and appropriate security group."
+    type = bool
+}
+
+
+/*
+ | --
+ | -- If you are using an IAM role as the AWS access mechanism then
+ | -- pass it as in_role_arn commonly through an environment variable
+ | -- named TF_VAR_in_role_arn in addition to the usual AWS access
+ | -- key, secret key and default region parameters.
+ | --
+*/
+variable in_role_arn {
+    description = "The Role ARN to use when we assume role to implement the provisioning."
+    default = ""
+}
diff --git a/rds.postgres-main.tf b/rds.postgres-main.tf
@@ -25,7 +25,9 @@ locals {
 resource aws_db_instance fresh {
 
     count = var.in_clone_snapshot ? 0 : 1
+
     identifier = "${ var.in_database_name }-fresh-${ var.in_ecosystem }-${ var.in_timestamp }"
+    publicly_accessible = var.in_publicly_accessible
 
     name     = var.in_database_name
     username = local.db_username
@@ -73,6 +75,7 @@ resource aws_db_instance clone {
 
     snapshot_identifier = data.aws_db_snapshot.from[0].id
     identifier = "${ var.in_database_name }-clone-${ var.in_ecosystem }-${ var.in_timestamp }"
+    publicly_accessible = var.in_publicly_accessible
 
     name     = var.in_database_name
     port     = 5432
diff --git a/rds.postgres-outputs.tf b/rds.postgres-outputs.tf
@@ -11,15 +11,6 @@ output out_fresh_db_hostname {
     value = length( aws_db_instance.fresh ) == 0 ? "n/a" : aws_db_instance.fresh[0].address
 }
 
-output out_fresh_db_endpoint {
-    value = length( aws_db_instance.fresh ) == 0 ? "n/a" : aws_db_instance.fresh[0].endpoint
-}
-
 output out_clone_db_hostname {
     value = length( aws_db_instance.clone ) == 0 ? "n/a" : aws_db_instance.clone[0].address
 }
-
-output out_clone_db_endpoint {
-    value = length( aws_db_instance.clone ) == 0 ? "n/a" : aws_db_instance.clone[0].endpoint
-}
-
diff --git a/rds.postgres-variables.tf b/rds.postgres-variables.tf
