dominodatalab · Secretions · Dec 18, 2023 · Dec 18, 2023 · Dec 19, 2023 · Dec 19, 2023
@@ -19,6 +19,7 @@ module "eks" {
   ssh_key             = local.infra.ssh_key
   node_iam_policies   = local.infra.node_iam_policies
   efs_security_group  = local.infra.efs_security_group
+  rds_security_group  = local.infra.rds_security_group
   eks                 = var.eks
   network_info        = local.infra.network
   kms_info            = local.kms

@@ -50,6 +50,10 @@ storage = {
   ecr = {
     force_destroy_on_deletion = true
   }
+  rds = {
+    enabled = false
+    deletion_protection = false
+  }
   efs = {
     access_point_path = "/domino"
     backup_vault = {

@@ -235,6 +235,14 @@ variable "storage" {
     ecr = optional(object({
       force_destroy_on_deletion = optional(bool, true)
     }), {})
+    rds = optional(object({
+      enabled = optional(bool, false)
+      engine_version = optional(string, "15.4")
+      instance_class = optional(string, "db.m5.large")
+      multi_az = optional(bool, true)
+      allocated_storage = optional(number, 100)
+      deletion_protection = optional(bool, true)
+    }), {}),
   })
 
   default = {}

@@ -60,3 +60,14 @@ resource "aws_security_group_rule" "efs" {
   description              = "EFS access"
   source_security_group_id = aws_security_group.eks_nodes.id
 }
+
+resource "aws_security_group_rule" "rds-postgresql" {
+  count                    = var.rds_security_group != null ? 1 : 0
+  security_group_id        = var.rds_security_group
+  protocol                 = "tcp"
+  from_port                = 5432
+  to_port                  = 5432
+  type                     = "ingress"
+  description              = "RDS postgresql access"
+  source_security_group_id = aws_security_group.eks_nodes.id
+}
@@ -89,6 +89,11 @@ variable "efs_security_group" {
   type        = string
 }
 
+variable "rds_security_group" {
+  description = "Security Group ID for RDS postgresql"
+  type        = string
+}
+
 variable "bastion_info" {
   description = <<EOF
     user                = Bastion username.

@@ -1,3 +1,8 @@
+output "rds_enabled" {
+    description = "fuck"
+    value = var.storage.rds.enabled
+}
+
 output "hostname" {
   description = "Domino instance URL."
   value       = try("${var.deploy_id}.${var.route53_hosted_zone_name}", null)
@@ -66,6 +71,11 @@ output "efs_security_group" {
   value       = module.storage.info.efs.security_group_id
 }
 
+output "rds_security_group" {
+  description = "Security Group ID for RDS postgresql"
+  value       = module.storage.info.rds.security_group_id
+}
+
 output "node_iam_policies" {
   description = "Policies attached to EKS nodes role"
   value       = local.node_iam_policies

@@ -13,6 +13,12 @@ output "info" {
       container_registry = ECR base registry URL. Grab the base AWS account ECR URL and add the deploy_id. Domino will append /environment and /model.
       iam_policy_arn     = ECR IAM Policy ARN.
     }
+    rds = {
+      address = "Hostname of RDS Postgres instance"
+      port = "Port of RDS postgres instance"
+      username = "Master username for RDS postgres instance
+      master_user_secret = "Secret information for RDS postgres instance"
+    }
   EOF
   value = {
     efs = {
@@ -31,5 +37,12 @@ output "info" {
       container_registry = join("/", concat(slice(split("/", aws_ecr_repository.this["environment"].repository_url), 0, 1), [var.deploy_id]))
       iam_policy_arn     = aws_iam_policy.ecr.arn
     }
+    rds = {
+      address = var.storage.rds.enabled ? aws_db_instance.postgresql[0].address: null
+      port = var.storage.rds.enabled ? aws_db_instance.postgresql[0].port : null
+      username = var.storage.rds.enabled ? aws_db_instance.postgresql[0].username : null
+      master_user_secret = var.storage.rds.enabled ? aws_db_instance.postgresql[0].master_user_secret : null
+      security_group_id = var.storage.rds.enabled ? aws_security_group.postgresql[0].id : null
+    }
   }
 }
@@ -0,0 +1,46 @@
+resource "aws_security_group" "postgresql" {
+    count = var.storage.rds.enabled ? 1 : 0
+
+    name = "${var.deploy_id}-rds-postgresql"
+    description = "RDS Security Group"
+    vpc_id = var.network_info.vpc_id
+
+    lifecycle {
+        create_before_destroy = true
+    }
+}
+
+
+resource "aws_db_subnet_group" "postgresql" {
+    count = var.storage.rds.enabled ? 1 : 0
+
+    name = "postgresql"
+    subnet_ids = local.private_subnet_ids
+}
+
+resource "aws_db_instance" "postgresql" {
+    count = var.storage.rds.enabled ? 1 : 0
+
+    copy_tags_to_snapshot = true
+
+    engine = "postgres"
+    engine_version = var.storage.rds.engine_version
+
+    db_subnet_group_name = aws_db_subnet_group.postgresql[0].name
+    vpc_security_group_ids = [aws_security_group.postgresql[0].id]
+    instance_class = var.storage.rds.instance_class
+    multi_az = var.storage.rds.multi_az
+    allocated_storage = var.storage.rds.allocated_storage /* validate > 100? */
+
+    manage_master_user_password = true
+    username = "postgres"
+
+    publicly_accessible = false
+
+    auto_minor_version_upgrade = true
+
+    deletion_protection = var.storage.rds.deletion_protection
+    skip_final_snapshot = ! var.storage.rds.deletion_protection
+    delete_automated_backups = ! var.storage.rds.deletion_protection
+    final_snapshot_identifier = var.deploy_id
+}
@@ -42,6 +42,9 @@ variable "storage" {
       ecr = {
         force_destroy_on_deletion = Toogle to allow recursive deletion of all objects in the ECR repositories. if 'false' terraform will NOT be able to delete non-empty repositories.
       }
+      rds = {
+        enabled = "Toggle to enable provisioning RDS server for hosted postgres"
+      }
       enable_remote_backup = Enable tagging required for cross-account backups
       costs_enabled = Determines whether to provision domino cost related infrastructures, ie, long term storage
     }
@@ -66,6 +69,14 @@ variable "storage" {
     ecr = optional(object({
       force_destroy_on_deletion = optional(bool)
     }))
+    rds = optional(object({
+      enabled = optional(bool, false)
+      engine_version = optional(string, "15.4")
+      instance_class = optional(string, "db.m5.large")
+      multi_az = optional(bool, true)
+      allocated_storage = optional(number, 100)
+      deletion_protection = optional(bool, true)
+    }), {}),
     enable_remote_backup = optional(bool)
     costs_enabled        = optional(bool)
   })

@@ -349,6 +349,9 @@ variable "storage" {
       ecr = {
         force_destroy_on_deletion = Toogle to allow recursive deletion of all objects in the ECR repositories. if 'false' terraform will NOT be able to delete non-empty repositories.
       }
+      rds = {
+        enabled = "Toggle to enable provisioning RDS server for hosted postgres"
+      }
       enable_remote_backup = Enable tagging required for cross-account backups
       costs_enabled = Determines whether to provision domino cost related infrastructures, ie, long term storage
     }
@@ -373,6 +376,14 @@ variable "storage" {
     ecr = optional(object({
       force_destroy_on_deletion = optional(bool, true)
     }), {}),
+    rds = optional(object({
+      enabled = optional(bool, false)
+      engine_version = optional(string, "15.4")
+      instance_class = optional(string, "db.m5.large")
+      multi_az = optional(bool, true)
+      allocated_storage = optional(number, 100)
+      deletion_protection = optional(bool, true)
+    }), {}),
     enable_remote_backup = optional(bool, false)
     costs_enabled        = optional(bool, true)
   })