Feat: 🚀 Pull from master branch and create new release. (#9)

* [fix/docdb_structure]Fix: Removed the default secuirty group created with document module and restructure the module. * [fix/docdb_structure]Fix: Removed the default secuirty group created with document module and restructure the module. * [fix/docdb_structure]Fix: Removed the default secuirty group created with document module and restructure the module. * [fix/docdb_structure]Fix: Removed the default secuirty group created with document module and restructure the module. * [fix/docdb_structure]Fix: Removed the default secuirty group created with document module and restructure the module. * [fix/docdb_structure]Fix: Ignored the tfsec warning for kms key * [fix/docdb_structure]Fix: Ignored the tfsec warning for kms key * [fix/docdb_structure]Fix: Ignored the tfsec warning for kms key * [fix/docdb_structure]Feat:ignored the tfsec warning for kms key and update the security group with description * [fix/docdb_structure]Fix: Restructure and fix the documentDB terraform module. * feat: introduce certeficiate authority for cluster instance * feat: fixed tf checks * fix: ran terraform format * fix: add enable variable * fix: fixed lints * fix: fixed lints --------- Co-authored-by: Anmol Nagpal <[email protected]> Co-authored-by: Anmol Nagpal <[email protected]>
clouddrove · Jan 25, 2024 · 8d2c8c1 · 8d2c8c1
1 parent 327bbb3
commit 8d2c8c1
Show file tree

Hide file tree

Showing 11 changed files with 167 additions and 147 deletions.
diff --git a/README.md b/README.md
@@ -84,8 +84,10 @@ module "documentdb" {
   database_name         = "rds"
   environment           = "test"
   label_order           = ["environment", "name"]
-  master_password       = "test123456"
+  master_username       = "db-user"  
+  master_password       = "gfbaJpP00W0m413Bc1fe"
   instance_class        = "db.t3.medium"
+  cluster_family        = "docdb5.0"  
   cluster_size          = 1
 }
 
@@ -94,17 +96,24 @@ module "documentdb" {
 ```hcl
 module "documentdb" {
   source = "clouddrove/terraform-aws-documentdb/aws"
-  vpc_id              = module.vpc.vpc_id
-  subnet_list         = module.subnets.private_subnet_id
-  database_name       = "rds"
-  environment         = "test"
-  label_order         = ["environment", "name"]
-  skip_final_snapshot = false
-  storage_encrypted   = true
-  kms_key_id          = module.kms_key.key_arn
-  tls_enabled         = true
-  instance_class      = "db.t3.medium"
-  cluster_size        = 1
+  name                    = "documentdb"
+  environment             = "test"
+  label_order             = ["environment", "name"]
+  vpc_id                  = module.vpc.vpc_id
+  subnet_list             = module.subnets.private_subnet_id
+  vpc_security_group_ids  = [module.security_group-documentdb.security_group_ids]
+  database_name           = "test"
+  master_username         = "db-user"  
+  master_password         = "QfbaJpP00W0m413Bw1fe"  
+  skip_final_snapshot     = false
+  storage_encrypted       = true
+  kms_key_id              = module.kms_key.key_arn
+  tls_enabled             = true
+  instance_class          = "db.t3.medium"
+  cluster_family          = "docdb5.0"  
+  cluster_size            = 2
+  deletion_protection     = true
+  preferred_backup_window = "07:00-07:30"
 }
 
   ```

diff --git a/README.yaml b/README.yaml
@@ -50,8 +50,10 @@ usage: |-
     database_name         = "rds"
     environment           = "test"
     label_order           = ["environment", "name"]
-    master_password       = "test123456"
+    master_username       = "db-user"  
+    master_password       = "gfbaJpP00W0m413Bc1fe"
     instance_class        = "db.t3.medium"
+    cluster_family        = "docdb5.0"  
     cluster_size          = 1
   }
 
@@ -60,17 +62,24 @@ usage: |-
   ```hcl
   module "documentdb" {
     source = "clouddrove/terraform-aws-documentdb/aws"
-    vpc_id              = module.vpc.vpc_id
-    subnet_list         = module.subnets.private_subnet_id
-    database_name       = "rds"
-    environment         = "test"
-    label_order         = ["environment", "name"]
-    skip_final_snapshot = false
-    storage_encrypted   = true
-    kms_key_id          = module.kms_key.key_arn
-    tls_enabled         = true
-    instance_class      = "db.t3.medium"
-    cluster_size        = 1
+    name                    = "documentdb"
+    environment             = "test"
+    label_order             = ["environment", "name"]
+    vpc_id                  = module.vpc.vpc_id
+    subnet_list             = module.subnets.private_subnet_id
+    vpc_security_group_ids  = [module.security_group-documentdb.security_group_ids]
+    database_name           = "test"
+    master_username         = "db-user"  
+    master_password         = "QfbaJpP00W0m413Bw1fe"  
+    skip_final_snapshot     = false
+    storage_encrypted       = true
+    kms_key_id              = module.kms_key.key_arn
+    tls_enabled             = true
+    instance_class          = "db.t3.medium"
+    cluster_family          = "docdb5.0"  
+    cluster_size            = 2
+    deletion_protection     = true
+    preferred_backup_window = "07:00-07:30"
   }
 
     ```
diff --git a/example/basic/main.tf b/example/basic/main.tf
@@ -1,5 +1,5 @@
 provider "aws" {
-  region = "eu-west-1"
+  region = "us-east-1"
 }
 
 module "vpc" {
@@ -33,11 +33,12 @@ module "subnets" {
 
 module "documentdb" {
   source              = "../../"
-  database_name       = "rds"
+  enable              = true
   environment         = "test"
-  vpc_id              = module.vpc.vpc_id
-  subnet_list         = module.subnets.private_subnet_id
   label_order         = ["environment", "name"]
+  subnet_list         = module.subnets.private_subnet_id
+  database_name       = "test-db"
+  master_username     = "test"
   master_password     = var.master_password
   instance_class      = var.instance_class
   cluster_size        = var.cluster_size

diff --git a/example/basic/variable.tf b/example/basic/variable.tf
@@ -1,17 +1,17 @@
 variable "master_password" {
   type        = string
-  default     = "test123456"
-  description = ""
+  default     = "QfbaJpP00W0m413Bw1fe"
+  description = "Master password for documentDB."
 }
 
 variable "instance_class" {
   type        = string
   default     = "db.t3.medium"
-  description = ""
+  description = "Instance class for DocumentDB Cluster."
 }
 
 variable "cluster_size" {
   type        = number
   default     = 1
-  description = ""
+  description = "cluster size of DocumentDB."
 }
diff --git a/example/secured/main.tf b/example/secured/main.tf
@@ -1,6 +1,6 @@
 
 provider "aws" {
-  region = "eu-west-1"
+  region = "us-east-1"
 }
 
 module "vpc" {
@@ -19,7 +19,7 @@ module "subnets" {
   version = "2.0.1"
 
   name        = "subnets"
-  environment = "sandbox"
+  environment = "test"
   label_order = ["environment", "name"]
 
   nat_gateway_enabled = true
@@ -63,42 +63,38 @@ data "aws_iam_policy_document" "kms" {
 
 }
 
-data "aws_iam_policy_document" "default" {
-  statement {
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
-    principals {
-      type        = "Service"
-      identifiers = ["ec2.amazonaws.com"]
-    }
-  }
-}
+module "security_group-documentdb" {
+  source  = "clouddrove/security-group/aws"
+  version = "1.3.0"
+
+  name          = "documentdb"
+  environment   = "test"
+  protocol      = "tcp"
+  label_order   = ["environment", "name"]
+  vpc_id        = module.vpc.vpc_id
+  allowed_ip    = ["172.16.0.0/16"]
+  description   = "Instance default security group"
+  allowed_ports = [27017]
 
-data "aws_iam_policy_document" "iam-policy" {
-  statement {
-    actions = [
-      "ssm:UpdateInstanceInformation",
-      "ssmmessages:CreateControlChannel",
-      "ssmmessages:CreateDataChannel",
-      "ssmmessages:OpenControlChannel",
-    "ssmmessages:OpenDataChannel"]
-    effect    = "Allow"
-    resources = ["*"]
-  }
 }
 
 module "documentdb" {
-  source              = "../../"
-  database_name       = "rds"
-  environment         = "test"
-  label_order         = ["environment", "name"]
-  vpc_id              = module.vpc.vpc_id
-  subnet_list         = module.subnets.private_subnet_id
-  skip_final_snapshot = var.skip_final_snapshot
-  storage_encrypted   = var.storage_encrypted
-  kms_key_id          = module.kms_key.key_arn
-  tls_enabled         = var.tls_enabled
-  instance_class      = var.instance_class
-  cluster_size        = var.cluster_size
-  deletion_protection = true
+  source                  = "../../"
+  enable                  = true
+  name                    = "documentdb"
+  environment             = "test"
+  label_order             = ["environment", "name"]
+  subnet_list             = module.subnets.private_subnet_id
+  vpc_security_group_ids  = [module.security_group-documentdb.security_group_ids]
+  database_name           = "test"
+  skip_final_snapshot     = var.skip_final_snapshot
+  storage_encrypted       = var.storage_encrypted
+  kms_key_id              = module.kms_key.key_arn
+  tls_enabled             = var.tls_enabled
+  instance_class          = var.instance_class
+  cluster_family          = "docdb5.0"
+  cluster_size            = var.cluster_size
+  deletion_protection     = true
+  preferred_backup_window = "07:00-07:30"
+  ca_cert_identifier      = "rds-ca-rsa2048-g1"
 }
diff --git a/example/secured/variable.tf b/example/secured/variable.tf
@@ -1,29 +1,29 @@
 variable "skip_final_snapshot" {
   type        = bool
+  description = "Determines whether a final DB snapshot is created before the DB cluster is deleted."
   default     = false
-  description = ""
 }
 
 variable "storage_encrypted" {
   type        = bool
+  description = "Specifies whether the DB cluster is encrypted."
   default     = true
-  description = ""
 }
 
 variable "tls_enabled" {
   type        = bool
   default     = true
-  description = ""
+  description = "When true than cluster using TLS for communication."
 }
 
 variable "instance_class" {
   type        = string
   default     = "db.t3.medium"
-  description = ""
+  description = "The instance class to use. For more details, see https://docs.aws.amazon.com/documentdb/latest/developerguide/db-instance-classes.html#db-instance-class-specs ."
 }
 
 variable "cluster_size" {
-  type        = number
-  default     = 1
-  description = ""
-}
+  type        = string
+  default     = "1"
+  description = "Number of DB instances to create in the cluster"
+}
diff --git a/example/secured/versions.tf b/example/secured/versions.tf
@@ -5,7 +5,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.31.0"
+      version = ">= 5.30"
     }
   }
 }
diff --git a/main.tf b/main.tf
@@ -1,46 +1,33 @@
-#Module      : Label
-#Description : This terraform module is designed to generate consistent label names and tags
-#              for resources. You can use terraform-labels to implement a strict naming
-#              convention.
+##-----------------------------------------------------------------------------
+## label Module.
+##-----------------------------------------------------------------------------
 module "labels" {
   source      = "clouddrove/labels/aws"
   version     = "1.3.0"
+  enabled     = var.enable
   name        = var.name
   repository  = var.repository
   environment = var.environment
   managedby   = var.managedby
   label_order = var.label_order
 }
 
-#Module      : DocumentDB
-#Description : This terraform module is designed to create DocumentDB
-resource "aws_security_group" "this" {
-  name        = "security_group-allow_all_documentdb-${var.database_name}"
-  description = "Allow inbound traffic"
-
-  vpc_id = var.vpc_id
-
-  ingress {
-    from_port   = var.port
-    to_port     = var.port
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-}
+##-----------------------------------------------------------------------------
+## Random password genrator
+##-----------------------------------------------------------------------------
 
 resource "random_password" "master" {
-  count   = length(var.master_password) == 0 ? 1 : 0
+  count   = var.enable && length(var.master_password) == 0 ? 1 : 0
   length  = 15
   special = false
 }
+
+##-----------------------------------------------------------------------------
+## AWS Document DB Cluster.
+##-----------------------------------------------------------------------------
+
 resource "aws_docdb_cluster" "this" {
+  count                           = var.enable ? 1 : 0
   cluster_identifier              = var.database_name
   master_username                 = var.master_username
   master_password                 = length(var.master_password) == 0 ? random_password.master[0].result : var.master_password
@@ -51,35 +38,50 @@ resource "aws_docdb_cluster" "this" {
   apply_immediately               = var.apply_immediately
   deletion_protection             = var.deletion_protection
   storage_encrypted               = var.storage_encrypted
-  kms_key_id                      = var.kms_key_id
+  kms_key_id                      = var.kms_key_id #tfsec:ignore:aws-documentdb-encryption-customer-key
   snapshot_identifier             = var.snapshot_identifier
-  vpc_security_group_ids          = [aws_security_group.this.id]
-  db_subnet_group_name            = aws_docdb_subnet_group.this.name
-  db_cluster_parameter_group_name = aws_docdb_cluster_parameter_group.this.name
+  vpc_security_group_ids          = var.vpc_security_group_ids
+  db_subnet_group_name            = aws_docdb_subnet_group.this[0].name
+  db_cluster_parameter_group_name = aws_docdb_cluster_parameter_group.this[0].name
   engine                          = var.engine
   engine_version                  = var.engine_version
   enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
   tags                            = module.labels.tags
 }
 
+##-----------------------------------------------------------------------------
+## AWS Document DB instance.
+##-----------------------------------------------------------------------------
+
 resource "aws_docdb_cluster_instance" "this" {
-  count              = var.cluster_size
+  count              = var.enable ? var.cluster_size : 0
   identifier         = "${var.database_name}-${count.index + 1}"
-  cluster_identifier = join("", aws_docdb_cluster.this.*.id)
+  cluster_identifier = aws_docdb_cluster.this[0].id
   apply_immediately  = var.apply_immediately
   instance_class     = var.instance_class
   tags               = module.labels.tags
   engine             = var.engine
+  ca_cert_identifier = var.ca_cert_identifier
 }
 
+##-----------------------------------------------------------------------------
+## AWS Document DB Subnet Group.
+##-----------------------------------------------------------------------------
+
 resource "aws_docdb_subnet_group" "this" {
+  count       = var.enable ? 1 : 0
   name        = "subnet-group-${var.database_name}"
   description = "Allowed subnets for DB cluster instances."
   subnet_ids  = var.subnet_list
   tags        = module.labels.tags
 }
 
+##-----------------------------------------------------------------------------
+## AWS Document DB cluster parameter Group.
+##-----------------------------------------------------------------------------
+
 resource "aws_docdb_cluster_parameter_group" "this" {
+  count       = var.enable ? 1 : 0
   name        = "parameter-group-${var.database_name}"
   description = "DB cluster parameter group."
   family      = var.cluster_family