Fix RDS password definition

bobbyiliev · bobbyiliev · commit d6c9b0bd3b09 · 2024-11-01T19:05:01.000+02:00
diff --git a/README.md b/README.md
@@ -43,7 +43,6 @@ The module has been tested with:
 | [aws_iam_role_policy.materialize_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_user.materialize](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
 | [aws_iam_user_policy.materialize_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
-| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
@@ -94,7 +93,7 @@ The module has been tested with:
 | <a name="output_materialize_s3_role_arn"></a> [materialize\_s3\_role\_arn](#output\_materialize\_s3\_role\_arn) | The ARN of the IAM role for Materialize |
 | <a name="output_metadata_backend_url"></a> [metadata\_backend\_url](#output\_metadata\_backend\_url) | PostgreSQL connection URL in the format required by Materialize |
 | <a name="output_oidc_provider_arn"></a> [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | The ARN of the OIDC Provider |
-| <a name="output_persist_backend_url"></a> [persist\_backend\_url](#output\_persist\_backend\_url) | S3 connection URL in the format required by Materialize |
+| <a name="output_persist_backend_url"></a> [persist\_backend\_url](#output\_persist\_backend\_url) | S3 connection URL in the format required by Materialize using IRSA |
 | <a name="output_s3_bucket_name"></a> [s3\_bucket\_name](#output\_s3\_bucket\_name) | Name of the S3 bucket |
 | <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | VPC ID |
 <!-- END_TF_DOCS -->
diff --git a/main.tf b/main.tf
@@ -42,19 +42,20 @@ module "storage" {
 module "database" {
   source = "./modules/database"
 
-  db_identifier         = var.db_identifier
-  postgres_version      = var.postgres_version
-  instance_class        = var.db_instance_class
-  allocated_storage     = var.db_allocated_storage
-  database_name         = var.database_name
-  database_username     = var.database_username
-  multi_az              = var.db_multi_az
-  database_subnet_ids   = module.networking.private_subnet_ids
-  vpc_id                = module.networking.vpc_id
-  eks_security_group_id = module.eks.cluster_security_group_id
-  tags                  = var.tags
-  max_allocated_storage = var.db_max_allocated_storage
-  database_password     = var.database_password
+  db_identifier              = var.db_identifier
+  postgres_version           = var.postgres_version
+  instance_class             = var.db_instance_class
+  allocated_storage          = var.db_allocated_storage
+  database_name              = var.database_name
+  database_username          = var.database_username
+  multi_az                   = var.db_multi_az
+  database_subnet_ids        = module.networking.private_subnet_ids
+  vpc_id                     = module.networking.vpc_id
+  eks_security_group_id      = module.eks.cluster_security_group_id
+  eks_node_security_group_id = module.eks.node_security_group_id
+  tags                       = var.tags
+  max_allocated_storage      = var.db_max_allocated_storage
+  database_password          = var.database_password
 }
 
 resource "aws_cloudwatch_log_group" "materialize" {
@@ -98,9 +99,6 @@ resource "aws_iam_user_policy" "materialize_s3" {
   })
 }
 
-# Data source for current region
-data "aws_region" "current" {}
-
 resource "aws_iam_role" "materialize_s3" {
   name = "${var.environment}-materialize-s3-role"
 
diff --git a/modules/database/main.tf b/modules/database/main.tf
@@ -10,7 +10,8 @@ module "db" {
   major_engine_version = var.postgres_version
   instance_class       = var.instance_class
 
-  password = var.database_password
+  manage_master_user_password = false
+  password                    = var.database_password
 
   allocated_storage     = var.allocated_storage
   max_allocated_storage = var.max_allocated_storage
@@ -45,6 +46,15 @@ resource "aws_security_group" "database" {
     to_port         = 5432
     protocol        = "tcp"
     security_groups = [var.eks_security_group_id]
+    description     = "Allow PostgreSQL access from EKS cluster"
+  }
+
+  ingress {
+    from_port       = 5432
+    to_port         = 5432
+    protocol        = "tcp"
+    security_groups = [var.eks_node_security_group_id]
+    description     = "Allow PostgreSQL access from EKS nodes"
   }
 
   egress {
diff --git a/modules/database/variables.tf b/modules/database/variables.tf
@@ -60,6 +60,11 @@ variable "eks_security_group_id" {
   type        = string
 }
 
+variable "eks_node_security_group_id" {
+  description = "Security group ID of the EKS nodes"
+  type        = string
+}
+
 variable "backup_retention_period" {
   description = "Number of days to retain backups"
   type        = number
diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf
@@ -8,6 +8,11 @@ output "cluster_security_group_id" {
   value       = module.eks.cluster_security_group_id
 }
 
+output "node_security_group_id" {
+  description = "Security group ID attached to the EKS nodes"
+  value       = module.eks.node_security_group_id
+}
+
 output "cluster_iam_role_name" {
   description = "IAM role name for the cluster"
   value       = module.eks.cluster_iam_role_name
diff --git a/outputs.tf b/outputs.tf
@@ -20,7 +20,7 @@ output "s3_bucket_name" {
 
 output "metadata_backend_url" {
   description = "PostgreSQL connection URL in the format required by Materialize"
-  value = format("postgres://%s:%s@%s/%s?sslmode=disable",
+  value = format("postgres://%s:%s@%s/%s?sslmode=require",
     var.database_username,
     var.database_password,
     module.database.db_instance_endpoint,
@@ -30,16 +30,13 @@ output "metadata_backend_url" {
 }
 
 output "persist_backend_url" {
-  description = "S3 connection URL in the format required by Materialize"
-  value = format("s3://%s:%s@%s/%s?endpoint=https%%3A%%2F%%2Fs3.%s.amazonaws.com&region=%s",
-    aws_iam_access_key.materialize_user.id,
-    aws_iam_access_key.materialize_user.secret,
+  description = "S3 connection URL in the format required by Materialize using IRSA"
+  value = format("s3://%s/%s:serviceaccount:%s:%s",
     var.bucket_name,
     var.environment,
-    data.aws_region.current.name,
-    data.aws_region.current.name
+    var.namespace,
+    var.service_account_name
   )
-  sensitive = true
 }
 
 # oidc_provider_arn
