README.yaml
---
#
# This is the canonical configuration for the `README.md`
# Run `make readme` to rebuild the `README.md`
#
# Name of this project
name: terraform-aws-rds-lambda-db-provisioner
# Tags of this project
tags:
- aws
- terraform
- terraform-modules
- rds
- database
- lambda
# Logo for this project
#logo: docs/logo.png
# License of this project
license: "APACHE2"
# Canonical GitHub repo
github_repo: aleks-fofanov/terraform-aws-rds-lambda-db-provisioner
# Badges to display
badges:
  - name: "Build Status"
    image: "https://travis-ci.org/aleks-fofanov/terraform-aws-rds-lambda-db-provisioner.svg?branch=master"
    url: "https://travis-ci.org/aleks-fofanov/terraform-aws-rds-lambda-db-provisioner"
  - name: "Latest Release"
    image: "https://img.shields.io/github/release/aleks-fofanov/terraform-aws-rds-lambda-db-provisioner.svg"
    url: "https://github.com/aleks-fofanov/terraform-aws-rds-lambda-db-provisioner/releases/latest"
# Short description of this project
description: |-
  Terraform module to provision a database and optionally a user in an RDS instance in a VPC.

  ### Terraform versions

  Terraform 0.12. Pin module version to `~> 1.0`. Submit pull-requests to `master` branch.
introduction: |-
  This module provisions an AWS Lambda function which creates a new database and optionally a new user in an RDS
  instance in a VPC. Supported engines are `postgres` and `mysql`. The newly created user, or the master user (in case
  you don't need a new user) will be granted all permissions on the created database.

  **Features**:
  - Master user password as well as new user password can be passed to the module either via
    - Module variables
    - Parameters in SSM Parameter Store (**Recommended!**)
    - Secrets in Secrets Manager (**Recommended!**)
  - Lambda function execution logs are shipped to Cloudwatch.
  - No database or user will be created if they already exist.

  **Notes on using secrets from AWS Secrets Manager**:
  - When [referencing secrets stored in Secrets Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html),
    the `/aws/reference/secretsmanager` prefix must be used
  - A secret must contain the password in the `password` field or be a plain-text secret

  **Caveats**:
  - This lambda function needs internet access in order to communicate with the AWS API. You need to associate this
    function with one or more private subnets in your VPC and make sure that their routing tables have a default
    route pointing to a NAT Gateway or NAT Instance in a public subnet. Associating a lambda function with a public
    subnet doesn't give it internet connectivity or a public IP address. More context:
    [Give Internet Access to a Lambda Function in a VPC](https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/)
  - This lambda function **DOES NOT DROP the provisioned database or user** on destroy in order to prevent accidental data
    loss. Please make sure to delete the provisioned database and user manually.
  - ENIs attached to a lambda function may cause a `DependencyViolation` error when you try to destroy the associated
    security groups and/or subnets.
    More context: [Corresponding issue on github](https://github.com/terraform-providers/terraform-provider-aws/issues/10329)

  **Backlog**:
  - [ ] Support SSL connections to RDS
  - [ ] Switch to Circle CI for CI/CD pipelines

  This module is backed by best-of-breed terraform modules maintained by [Cloudposse](https://github.com/cloudposse).
# How to use this project
usage: |-
  This example creates a database `new_database` and a user `new_user` with the passwords
  passed via variables.

  ```hcl
  module "db_provisioner" {
    source = "git::https://github.com/aleks-fofanov/terraform-aws-rds-lambda-db-provisioner.git?ref=master"

    name      = "stack"
    namespace = "cp"
    stage     = "prod"

    db_instance_id                = "prod-stack-db"
    db_instance_security_group_id = "sg-XXXXXXXX"
    db_master_password            = "XXXXXXXX"
    db_name                       = "new_database"
    db_user                       = "new_user"
    db_user_password              = "XXXXXXXX"

    vpc_config = {
      vpc_id             = "vpc-XXXXXXXX"
      subnet_ids         = ["subnet-XXXXXXXX", "subnet-XXXXXXXX"]
      security_group_ids = []
    }
  }
  ```
examples: |-
  ### Example with passwords passed via SSM Parameters

  This example creates a database `new_database` and a user `new_user` with the passwords
  passed via SSM Parameters.

  ```hcl
  module "db_provisioner" {
    source = "git::https://github.com/aleks-fofanov/terraform-aws-rds-lambda-db-provisioner.git?ref=master"

    name      = "stack"
    namespace = "cp"
    stage     = "prod"

    db_instance_id                       = "prod-stack-db"
    db_instance_security_group_id        = "sg-XXXXXXXX"
    db_master_password_ssm_param         = "/cp/prod/stack/database/master_password"
    db_master_password_ssm_param_kms_key = "alias/aws/ssm"
    db_name                              = "new_database"
    db_user                              = "new_user"
    db_user_password_ssm_param           = "/cp/prod/stack/database/new_user_password"
    db_user_password_ssm_param_kms_key   = "alias/aws/ssm"

    vpc_config = {
      vpc_id             = "vpc-XXXXXXXX"
      subnet_ids         = ["subnet-XXXXXXXX", "subnet-XXXXXXXX"]
      security_group_ids = []
    }
  }
  ```

  ### Example without a new user

  This example creates a database `new_database` without a new user, with the master user password
  passed via SSM Parameter.

  ```hcl
  module "db_provisioner" {
    source = "git::https://github.com/aleks-fofanov/terraform-aws-rds-lambda-db-provisioner.git?ref=master"

    name      = "stack"
    namespace = "cp"
    stage     = "prod"

    db_instance_id                       = "prod-stack-db"
    db_instance_security_group_id        = "sg-XXXXXXXX"
    db_master_password_ssm_param         = "/cp/prod/stack/database/master_password"
    db_master_password_ssm_param_kms_key = "alias/aws/ssm"
    db_name                              = "new_database"

    vpc_config = {
      vpc_id             = "vpc-XXXXXXXX"
      subnet_ids         = ["subnet-XXXXXXXX", "subnet-XXXXXXXX"]
      security_group_ids = []
    }
  }
  ```
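
  ### Example with a Secrets Manager secret and private subnets behind a NAT Gateway

  This example is added here and is not one of the module's own examples. It ties together two points from the
  introduction: the master password is read from an existing Secrets Manager secret through the
  `/aws/reference/secretsmanager/` prefix, the new user's password is generated by Terraform and stored as a JSON
  secret with a `password` field (the shape the module reads), and the lambda function is attached to private
  subnets whose route table sends `0.0.0.0/0` to a NAT Gateway, which is what the internet-access caveat asks for.
  The `vpc_id`, `nat_gateway_id` and `private_subnet_ids` variables, the secret names under
  `cp/prod/stack/database/`, and the `alias/aws/secretsmanager` KMS key alias are assumptions made for this
  example, not values the module defines.

  ```hcl
  # Added example, not the module's own code. Values marked as placeholders or assumptions are not from the module.

  variable "vpc_id" {
    description = "VPC that hosts the RDS instance (placeholder)"
    type        = string
  }

  variable "nat_gateway_id" {
    description = "NAT Gateway in a public subnet of the same VPC (placeholder)"
    type        = string
  }

  variable "private_subnet_ids" {
    description = "Private subnets the lambda function is attached to (placeholder)"
    type        = list(string)
  }

  # Master password: an existing Secrets Manager secret; the name is an assumption.
  # It may be a plain-text secret or JSON with a `password` field.
  data "aws_secretsmanager_secret" "master" {
    name = "cp/prod/stack/database/master_password"
  }

  # New user password: generated by Terraform instead of typed into a variable,
  # and stored as a JSON secret whose `password` field the module reads.
  resource "random_password" "new_user" {
    length  = 32
    special = false
  }

  resource "aws_secretsmanager_secret" "new_user" {
    name = "cp/prod/stack/database/new_user_password"
  }

  resource "aws_secretsmanager_secret_version" "new_user" {
    secret_id     = aws_secretsmanager_secret.new_user.id
    secret_string = jsonencode({ password = random_password.new_user.result })
  }

  # Private route table with a default route through the NAT Gateway, so the
  # function can reach the AWS API. A public subnet alone would not give it that.
  resource "aws_route_table" "private" {
    vpc_id = var.vpc_id
  }

  resource "aws_route" "private_default" {
    route_table_id         = aws_route_table.private.id
    destination_cidr_block = "0.0.0.0/0"
    nat_gateway_id         = var.nat_gateway_id
  }

  resource "aws_route_table_association" "private" {
    for_each       = toset(var.private_subnet_ids)
    subnet_id      = each.value
    route_table_id = aws_route_table.private.id
  }

  module "db_provisioner" {
    source = "git::https://github.com/aleks-fofanov/terraform-aws-rds-lambda-db-provisioner.git?ref=master"

    name      = "stack"
    namespace = "cp"
    stage     = "prod"

    db_instance_id                = "prod-stack-db"
    db_instance_security_group_id = "sg-XXXXXXXX"

    # Secrets Manager secrets are addressed through the SSM `/aws/reference/secretsmanager/` prefix.
    db_master_password_ssm_param         = "/aws/reference/secretsmanager/${data.aws_secretsmanager_secret.master.name}"
    db_master_password_ssm_param_kms_key = "alias/aws/secretsmanager" # assumption: secrets use the AWS managed key

    db_name                            = "new_database"
    db_user                            = "new_user"
    db_user_password_ssm_param         = "/aws/reference/secretsmanager/${aws_secretsmanager_secret.new_user.name}"
    db_user_password_ssm_param_kms_key = "alias/aws/secretsmanager" # assumption, as above

    vpc_config = {
      vpc_id             = var.vpc_id
      subnet_ids         = var.private_subnet_ids
      security_group_ids = []
    }
  }
  ```

  Terraform 0.12 has no `depends_on` for module blocks, so nothing here forces the route and the secret version
  to exist before the function is invoked. If they live in the same root module as the module call, create the
  networking and secrets first (for example with `terraform apply -target=aws_route.private_default`) and then
  apply the rest.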
include:
- "docs/terraform.md"
# Contributors to this project
contributors:
  - name: "Aleksandr Fofanov"
    github: "aleks-fofanov"
  - name: "Mike Arnold"
    github: "razorsedge"