diff --git a/services/terraform/self-host/.gitignore b/services/terraform/self-host/.gitignore
index d9fafa2dc..697b6f5c5 100644
--- a/services/terraform/self-host/.gitignore
+++ b/services/terraform/self-host/.gitignore
@@ -1,35 +1,37 @@
+.env
+
 # Local .terraform directories
 **/.terraform/*
 
 # .tfstate files
 *.tfstate
 *.tfstate.*
 .terraform.lock.hcl
 
 # Crash log files
 crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf
 override.tf.json
 *_override.tf
 *_override.tf.json
 
 # Include override files you do wish to add to version control using negated pattern
 # !example_override.tf
 
 # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
 # example: *tfplan*
 
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
diff --git a/services/terraform/self-host/aws_db.tf b/services/terraform/self-host/aws_db.tf
index 1699fa7dc..d599073bf 100644
--- a/services/terraform/self-host/aws_db.tf
+++ b/services/terraform/self-host/aws_db.tf
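Review bot: The new `.env` entry is the only pattern in this file without the explanatory comment every other group carries, and it matches only that exact filename, so suffixed variants such as `.env.local` or `.env.production` would still be picked up by `git add`. Since the companion aws_db.tf change reads the database user and password from environment-derived locals, this file is presumably where those credentials end up on a developer machine, which makes a broader pattern worth it: `# Local environment files (hold the keyserver database credentials)` followed by `.env*`, with a negation such as `!.env.example` if a committed template is wanted. This is `services/terraform/self-host/.gitignore`, so the pattern only covers that directory tree; if `.env` files are also created elsewhere in the repository they need their own entry.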
@@ -1,113 +1,120 @@
+locals {
+  mariadb_database_name = local.local_with_default_environment_vars.COMM_DATABASE_DATABASE
+  mariadb_username = local.local_with_default_environment_vars.COMM_DATABASE_USER
+  mariadb_password = local.local_with_default_environment_vars.COMM_DATABASE_PASSWORD
+  mariadb_port = jsondecode(local.local_with_default_environment_vars.COMM_DATABASE_PORT)
+}
+
 # MariaDB Security Group
 resource "aws_security_group" "keyserver_mariadb_security_group" {
   name = "keyserver-mariadb-sg"
   description = "Allow inbound traffic on port 3307 and all outbound traffic"
   vpc_id = local.vpc_id
 
   # Inbound rules
   ingress {
-    from_port = 3307
-    to_port = 3307
+    from_port = local.mariadb_port
+    to_port = local.mariadb_port
     protocol = "tcp"
     security_groups = [aws_security_group.keyserver_service.id]
   }
 
   ingress {
-    from_port = 3307
-    to_port = 3307
+    from_port = local.mariadb_port
+    to_port = local.mariadb_port
     protocol = "tcp"
     cidr_blocks = ["${var.allowed_ip}/32"]
   }
 
   # Outbound rules
   egress {
     from_port = 0
     to_port = 0
     protocol = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
 }
 
 # MariaDB RDS Instance
 resource "aws_db_instance" "mariadb" {
   allocated_storage = 100
   max_allocated_storage = 3000
   storage_type = "gp3"
   db_name = "mariadb"
   identifier = "mariadb-instance"
   engine = "mariadb"
   engine_version = "10.11"
   instance_class = "db.m6g.large"
   db_subnet_group_name = aws_db_subnet_group.public_db_subnet_group.name
   vpc_security_group_ids = [aws_security_group.keyserver_mariadb_security_group.id]
-  username = var.mariadb_username
-  password = var.mariadb_password
+  username = local.mariadb_username
+  password = local.mariadb_password
   parameter_group_name = aws_db_parameter_group.mariadb_parameter_group.name
   storage_encrypted = true
   publicly_accessible = true
-  port = 3307
+  port = local.mariadb_port
   skip_final_snapshot = true
 }
 
 # MariaDB Parameter Group
 resource "aws_db_parameter_group" "mariadb_parameter_group" {
   name = "mariadb-parameter-group"
   family = "mariadb10.11"
 
   parameter {
     apply_method = "pending-reboot"
     name = "performance_schema"
     value = "1"
   }
 
   parameter {
     apply_method = "immediate"
     name = "max_allowed_packet"
     # 256 MiB: (1024 * 1024 * 256)
     value = "268435456"
   }
 
   parameter {
     apply_method = "immediate"
     name = "local_infile"
     value = "0"
   }
 
   parameter {
     apply_method = "immediate"
     name = "sql_mode"
     value = "STRICT_ALL_TABLES"
   }
 
   parameter {
     apply_method = "pending-reboot"
     name = "innodb_buffer_pool_size"
     value = "{DBInstanceClassMemory*3/4}"
   }
 
   parameter {
     apply_method = "pending-reboot"
     name = "innodb_ft_min_token_size"
     value = "1"
   }
 
   parameter {
     apply_method = "immediate"
     name = "innodb_ft_enable_stopword"
     value = "0"
   }
 }
 
 resource "null_resource" "create_comm_database" {
   depends_on = [aws_db_instance.mariadb, aws_security_group.keyserver_mariadb_security_group]
 
   provisioner "local-exec" {
     command = <