diff --git a/terraform/.terraform.lock.hcl b/terraform/.terraform.lock.hcl
index 4352125..2c6aacb 100644
--- a/terraform/.terraform.lock.hcl
+++ b/terraform/.terraform.lock.hcl
@@ -23,3 +23,23 @@ provider "registry.terraform.io/hashicorp/aws" {
 "zh:e4b70a70e925b9ccb7d44e17fd8e7b89aa744a965f298f8bb2480a5c96f3c4f0",
 ]
 }
+
+provider "registry.terraform.io/hashicorp/random" {
+ version = "3.5.1"
+ constraints = "3.5.1"
+ hashes = [
+ "h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=",
+ "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+ "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+ "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+ "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+ "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+ "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+ "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+ "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+ "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+ "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
+ ]
+}
diff --git a/terraform/main.tf b/terraform/main.tf
index 122989d..5640727 100644
--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -12,6 +12,10 @@ terraform {
 source = "hashicorp/aws"
 version = "~> 5.12"
 }
+ random = {
+ source = "hashicorp/random"
+ version = "3.5.1"
+ }
 }
 
 required_version = ">= 1.2.0"
@@ -36,10 +40,10 @@ resource "aws_vpc" "backend_vpc" {
 }
 
 resource "aws_subnet" "bastion_subnet" {
- vpc_id = aws_vpc.backend_vpc.id
- cidr_block = var.bastion_cidr
+ vpc_id = aws_vpc.backend_vpc.id
+ cidr_block = var.bastion_cidr
 availability_zone = var.bastion_az
- tags = {
+ tags = {
 Name = "bastion-subnet-1"
 }
 }
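Review bot: The new `random` entry in `required_providers` is pinned to the exact build `version = "3.5.1"`, while the `aws` entry on the lines directly above uses the pessimistic constraint `version = "~> 5.12"`, so the two providers in the same block follow different pinning policies with no comment explaining why. The `.terraform.lock.hcl` hunk added in this same commit already records the exact selected build and its hashes, which is the lock file's job; `version = "~> 3.5"` here would match the `aws` style and still leave the lock file holding the hard pin. If an exact pin is deliberate, a one-line comment such as `# pinned exactly: <reason>` above it would save the next reader the question. The `terraform` block starts before this hunk.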
@@ -91,7 +95,7 @@ data "aws_ami" "amzn_linux_2023_ami" {
 }
 
 resource "aws_instance" "bastion_host" {
- ami = data.aws_ami.amzn_linux_2023_ami
+ ami = data.aws_ami.amzn_linux_2023_ami.id
 instance_type = "t2.micro"
 subnet_id = aws_subnet.bastion_subnet.id
 
@@ -107,7 +111,7 @@ resource "aws_instance" "bastion_host" {
 ################################################################################
 
 resource "aws_db_subnet_group" "db_subnet_group" {
- name = "FastAPIDBSubnetGroup"
+ name = "fastapi-db-subnet-group"
 subnet_ids = [aws_subnet.db_subnet[0].id, aws_subnet.db_subnet[1].id]
 }
 
@@ -138,20 +142,20 @@ resource "random_password" "db_proxy_password" {
 }
 
 resource "aws_secretsmanager_secret" "db_proxy_secret" {
- name = "DBProxySecret"
+ name = "db-proxy-secret"
 }
 
 resource "aws_secretsmanager_secret_version" "db_version" {
 secret_id = aws_secretsmanager_secret.db_proxy_secret.id
 # https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy-setup.html#rds-proxy-secrets-arns
 secret_string = jsonencode({
- "username" = var.lambda_db_username
- "password" = random_password.db_proxy_password.result
+ "username" = var.lambda_db_username
+ "password" = random_password.db_proxy_password.result
 })
 }
 
 resource "aws_iam_role" "db_proxy_role" {
- name = "DBProxyRole"
+ name = "db-proxy-role"
 
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
@@ -167,14 +171,14 @@ resource "aws_iam_role" "db_proxy_role" {
 }
 
 resource "aws_iam_policy" "db_proxy_policy" {
- name = "DBProxyPolicy"
+ name = "db-proxy-policy"
 
 policy = jsonencode({
 Version = "2012-10-17",
 Statement = [
 {
- Action = "secretsmanager:GetSecretValue",
- Effect = "Allow",
+ Action = "secretsmanager:GetSecretValue",
+ Effect = "Allow",
 Resource = aws_secretsmanager_secret.db_proxy_secret.arn
 }
 ]
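Review bot: Changing `name` from `"FastAPIDBSubnetGroup"` to `"fastapi-db-subnet-group"` on `aws_db_subnet_group.db_subnet_group` is, as far as I know the AWS provider, a replace-only attribute, and the same applies to the renamed `aws_secretsmanager_secret` and `aws_iam_role` in the `@@ -138` hunk, `aws_iam_policy` in `@@ -167`, and `aws_db_proxy` in `@@ -187`; nothing in the diff says a destroy-and-recreate of the proxy, its role and its secret on an existing deployment is intended. Recreating the proxy presumably also changes its endpoint, and the deleted secret under the old name stays in Secrets Manager's recovery window rather than disappearing, so a `terraform plan` on a live environment should be reviewed before apply. A short comment above the first renamed block, e.g. `# Renamed to kebab-case: forces replacement of existing resources`, would record that this was a deliberate one-time migration. The `random_password` and `aws_iam_role` blocks referenced here start or end outside their hunks.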
@@ -187,7 +191,7 @@ resource "aws_iam_role_policy_attachment" "db_proxy_role_policy_attachment" {
 }
 
 resource "aws_db_proxy" "db_proxy" {
- name = "DBProxy"
+ name = "db-proxy"
 debug_logging = true
 idle_client_timeout = 1800
 require_tls = true
@@ -195,7 +199,7 @@ resource "aws_db_proxy" "db_proxy" {
 
 engine_family = "POSTGRESQL"
 vpc_security_group_ids = [aws_security_group.db_sg.id]
- vpc_subnet_ids = [aws_subnet.db_subnet.id]
+ vpc_subnet_ids = [aws_subnet.lambda_subnet[0].id, aws_subnet.lambda_subnet[1].id]
 
 auth {
 auth_scheme = "SECRETS"
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 99bcf68..09b8456 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -6,28 +6,38 @@ variable "aws_region" {
 
 variable "vpc_cidr" {
 description = "CIDR block for the vpc"
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "bastion_cidr" {
 type = string
- default = "10.0.0.0/16"
+ default = "10.0.1.0/24"
 }
 
 variable "db_cidr" {
- type = list
- default = ["10.0.11.0/24", "10.0.12.0/24"]
+ type = list(string)
+ default = ["10.0.11.0/24", "10.0.12.0/24"]
 }
 
 variable "lambda_cidr" {
- type = list
- default = ["10.0.21.0/24", "10.0.22.0/24"]
+ type = list(string)
+ default = ["10.0.21.0/24", "10.0.22.0/24"]
+}
+
+variable "bastion_az" {
+ type = string
+ default = "ap-southeast-2a"
 }
 
 variable "db_azs" {
- type = list
- default = ["ap-southeast-2a", "ap-southeast-2b"]
+ type = list(string)
+ default = ["ap-southeast-2a", "ap-southeast-2b"]
 }
 
 variable "lambda_azs" {
- type = list
- default = ["ap-southeast-2a", "ap-southeast-2b"]
+ type = list(string)
+ default = ["ap-southeast-2a", "ap-southeast-2b"]
 }
 
 variable "lambda_db_username" {
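Review bot: The new `vpc_subnet_ids = [aws_subnet.lambda_subnet[0].id, aws_subnet.lambda_subnet[1].id]` in the `@@ -195` hunk selects subnets by hard-coded index, so it silently assumes `aws_subnet.lambda_subnet` (presumably a `count`-based resource driven by `var.lambda_cidr`) has exactly two instances and will fail to plan if that list is shortened, or quietly drop subnets if it is lengthened. `vpc_subnet_ids = aws_subnet.lambda_subnet[*].id` yields the same two-element list for the current defaults and follows the variable. The context line `subnet_ids = [aws_subnet.db_subnet[0].id, aws_subnet.db_subnet[1].id]` in the `@@ -107` hunk has the same shape and would take the same splat. The `aws_db_proxy` block starts before and continues past this hunk.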
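Review bot: The new `bastion_cidr` and `bastion_az` variables in the `terraform/variables.tf` hunk ship with `type` and `default` but no `description`, unlike `vpc_cidr` immediately above them which has `description = "CIDR block for the vpc"`; adding `description = "CIDR block for the bastion subnet"` and `description = "Availability zone for the bastion subnet"` keeps the file consistent and makes `plan`/`apply` prompts self-explanatory if the defaults are ever removed. The `bastion_az` default `"ap-southeast-2a"` repeats the first entry of both `db_azs` and `lambda_azs`; if the bastion is meant to share an AZ with those subnets, a comment saying so, or deriving it from one of those lists, avoids the three drifting apart later. For `bastion_cidr`, a `validation` block with `condition = can(cidrhost(var.bastion_cidr, 0))` would reject a malformed CIDR at plan time instead of at the AWS API call.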