Create rds postgres instance

terraform/aws/implementation/main.tf

@@ -31,22 +31,23 @@ module "vpc" {
 }
 
 module "eks" {
-  source                  = "./modules/eks"
-  region                  = var.region
-  eks_name                = local.name
-  vpc_id                  = module.vpc.vpc_id
-  public_subnet_ids       = module.vpc.public_subnets
-  private_subnet_ids      = module.vpc.private_subnets
-  smarty_auth_id          = var.smarty_auth_id
-  smarty_auth_token       = var.smarty_auth_token
-  aws_acm_certificate_arn = module.route53.aws_acm_certificate_arn
-  ecr_viewer_s3_role_arn  = module.s3.ecr_viewer_s3_role_arn
-  domain_name             = local.domain_name
-  ecr_bucket_name         = module.s3.ecr_bucket_name
-  enable_cognito          = var.enable_cognito
-  cognito_user_pool_arn   = module.cognito.cognito_user_pool_arn
-  cognito_client_id       = module.cognito.cognito_client_id
-  cognito_domain          = module.cognito.cognito_domain
+  source                   = "./modules/eks"
+  region                   = var.region
+  eks_name                 = local.name
+  vpc_id                   = module.vpc.vpc_id
+  public_subnet_ids        = module.vpc.public_subnets
+  private_subnet_ids       = module.vpc.private_subnets
+  smarty_auth_id           = var.smarty_auth_id
+  smarty_auth_token        = var.smarty_auth_token
+  aws_acm_certificate_arn  = module.route53.aws_acm_certificate_arn
+  ecr_viewer_s3_role_arn   = module.s3.ecr_viewer_s3_role_arn
+  tefca_viewer_db_role_arn = module.rds.tefca_viewer_db_role_arn
+  domain_name              = local.domain_name
+  ecr_bucket_name          = module.s3.ecr_bucket_name
+  enable_cognito           = var.enable_cognito
+  cognito_user_pool_arn    = module.cognito.cognito_user_pool_arn
+  cognito_client_id        = module.cognito.cognito_client_id
+  cognito_domain           = module.cognito.cognito_domain
 }
 
 module "route53" {
@@ -65,3 +66,11 @@ module "s3" {
   region                 = var.region
   eks_assume_role_policy = module.eks.eks_assume_role_policy
 }
+
+module "rds" {
+  source                 = "./modules/rds"
+  region                 = var.region
+  vpc_id                 = module.vpc.vpc_id
+  private_subnet_ids     = module.vpc.private_subnets
+  eks_assume_role_policy = module.eks.eks_assume_role_policy
+}

terraform/aws/implementation/modules/eks/data.tf

@@ -374,7 +374,10 @@ data "aws_iam_policy_document" "eks_assume_role_policy" {
     condition {
       test     = "StringEquals"
       variable = "${local.oidc_provider}:sub"
-      values   = ["system:serviceaccount:default:ecr-viewer"]
+      values = [
+        "system:serviceaccount:default:ecr-viewer",
+        "system:serviceaccount:default:tefca-viewer",
+      ]
     }
 
     principals {

terraform/aws/implementation/modules/eks/main.tf

@@ -326,6 +326,11 @@ resource "helm_release" "building_blocks" {
     value = var.ecr_viewer_s3_role_arn
   }
 
+  set {
+    name  = "tefcaViewerDBRoleArn"
+    value = var.tefca_viewer_db_role_arn
+  }
+
   #  Values needed for orchestration service
   set {
     name  = "fhirConverterUrl"

terraform/aws/implementation/modules/eks/variables.tf

@@ -55,6 +55,10 @@ variable "ecr_viewer_s3_role_arn" {
   description = "The s3 Role ARN for the ECR Viewer Service"
 }
 
+variable "tefca_viewer_db_role_arn" {
+  description = "The db Role ARN for the Tefca Viewer Service"
+}
+
 variable "domain_name" {
   description = "The domain name to use"
   type        = string

terraform/aws/implementation/modules/rds/data.tf

@@ -0,0 +1,18 @@
+data "aws_iam_policy_document" "tefca_viewer_db_policy" {
+  statement {
+    sid    = ""
+    effect = "Allow"
+    actions = [
+      "rds:Connect",
+      "rds:DescribeDBInstances",
+      "rds:DescribeDBClusters",
+      "rds:DescribeDBSnapshots",
+      "rds:DescribeDBParameterGroups"
+    ]
+
+    resources = [
+      aws_db_instance.tefca-viewer-db.arn,
+      "${aws_db_instance.tefca-viewer-db.arn}/*",
+    ]
+  }
+}

terraform/aws/implementation/modules/rds/iam.tf

@@ -0,0 +1,16 @@
+# db role
+resource "aws_iam_role" "db_role_for_tefca_viewer" {
+  name               = "DBAccessRoleForTefcaViewer"
+  assume_role_policy = var.eks_assume_role_policy
+}
+
+resource "aws_iam_policy" "db_tefca_viewer_policy" {
+  name        = "AWSDBIAMPolicyForTefcaViewer"
+  description = "Policy for Tefca Viewer and DB in DIBBS"
+  policy      = data.aws_iam_policy_document.tefca_viewer_db_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "db_tefca_viewer_policy" {
+  role       = aws_iam_role.db_role_for_tefca_viewer.name
+  policy_arn = aws_iam_policy.db_tefca_viewer_policy.arn
+}

terraform/aws/implementation/modules/rds/main.tf

@@ -0,0 +1,72 @@
+# Define the RDS instance for Postgres
+resource "aws_db_instance" "tefca-viewer-db" {
+  identifier                = var.db_identifier
+  instance_class            = "db.t3.micro"
+  allocated_storage         = 5
+  engine                    = var.engine_type
+  engine_version            = var.engine_version
+  username                  = var.db_username
+  password                  = random_string.setup_rds_password.result
+  db_subnet_group_name      = aws_db_subnet_group.this.name
+  vpc_security_group_ids    = var.private_subnet_ids
+  parameter_group_name      = aws_db_parameter_group.this.name
+  publicly_accessible       = false
+  skip_final_snapshot       = true
+  final_snapshot_identifier = true
+}
+
+# Create a parameter group to configure Postgres RDS parameters
+resource "aws_db_parameter_group" "this" {
+  name   = "${var.db_identifier}-pg"
+  family = var.family
+
+  parameter {
+    name  = "log_connections"
+    value = "1"
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# Security group for RDS
+resource "aws_security_group" "ds_sg" {
+  vpc_id = var.vpc_id
+
+  # Allow inbound traffic on port 5432 for PostgreSQL from within the VPC
+  ingress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = ["10.0.0.0/16"]
+  }
+
+  # Allow all outbound traffic
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "${var.db_identifier}-security-group"
+  }
+}
+
+# Create a DB subnet group
+resource "aws_db_subnet_group" "this" {
+  name       = "${var.db_identifier}-subnet-group"
+  subnet_ids = var.private_subnet_ids
+
+}
+
+# TODO: Update for Production to AWS Secrets Manager 
+# This resource's attribute(s) default value is true 
+resource "random_string" "setup_rds_password" {
+  length = 13 #update as needed
+
+  # Character set that excludes problematic characters like quotes, backslashes, etc.
+  override_special = "_!@#-$%^&*()[]{}"
+}

terraform/aws/implementation/modules/rds/output.tf

@@ -0,0 +1,3 @@
+output "tefca_viewer_db_role_arn" {
+  value = aws_iam_role.db_role_for_tefca_viewer.arn
+}

terraform/aws/implementation/modules/rds/variables.tf

@@ -0,0 +1,49 @@
+# Note: only lowercase alphanumeric characters and hyphens allowed in "identifier"
+variable "db_identifier" {
+  type        = string
+  description = "Name of RDS Instance"
+  default     = "tefca-viewer-db"
+}
+
+variable "db_username" {
+  type        = string
+  description = "Username of RDS Instance"
+  default     = "tefcaViewerDbUser"
+}
+
+variable "eks_assume_role_policy" {
+  type = string
+}
+
+variable "engine_type" {
+  type        = string
+  description = "Engine of RDS Instance"
+  default     = "postgres"
+}
+
+variable "engine_version" {
+  type        = string
+  description = "Engine Version of RDS Instance"
+  default     = "16.3"
+}
+
+variable "family" {
+  type        = string
+  description = "RDS Family"
+  default     = "postgres16"
+}
+
+variable "private_subnet_ids" {
+  type        = list(string)
+  description = "List of private subnet IDs"
+}
+
+variable "region" {
+  type    = string
+  default = "us-east-1"
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "ID of the VPC"
+}