Merge pull request #14 from truefoundry/db-s3-iam-optional-install

Db s3 iam optional install

README.md

@@ -22,7 +22,7 @@ Truefoundry AWS Control Plane Module
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_truefoundry_bucket"></a> [truefoundry\_bucket](#module\_truefoundry\_bucket) | terraform-aws-modules/s3-bucket/aws | 3.14.0 |
-| <a name="module_truefoundry_oidc_iam"></a> [truefoundry\_oidc\_iam](#module\_truefoundry\_oidc\_iam) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.39.0 |
+| <a name="module_truefoundry_oidc_iam"></a> [truefoundry\_oidc\_iam](#module\_truefoundry\_oidc\_iam) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 5.39.1 |
 
 ## Resources
 
@@ -78,6 +78,7 @@ Truefoundry AWS Control Plane Module
 | <a name="input_truefoundry_db_deletion_protection"></a> [truefoundry\_db\_deletion\_protection](#input\_truefoundry\_db\_deletion\_protection) | n/a | `bool` | `true` | no |
 | <a name="input_truefoundry_db_enable_insights"></a> [truefoundry\_db\_enable\_insights](#input\_truefoundry\_db\_enable\_insights) | Enable insights to truefoundry db | `bool` | `false` | no |
 | <a name="input_truefoundry_db_enable_override"></a> [truefoundry\_db\_enable\_override](#input\_truefoundry\_db\_enable\_override) | Enable override for truefoundry db name. You must pass truefoundry\_db\_override\_name | `bool` | `false` | no |
+| <a name="input_truefoundry_db_enabled"></a> [truefoundry\_db\_enabled](#input\_truefoundry\_db\_enabled) | variable to enable/disable truefoundry db creation | `bool` | `true` | no |
 | <a name="input_truefoundry_db_engine_version"></a> [truefoundry\_db\_engine\_version](#input\_truefoundry\_db\_engine\_version) | Truefoundry DB Postgres version | `string` | `"13.14"` | no |
 | <a name="input_truefoundry_db_ingress_security_group"></a> [truefoundry\_db\_ingress\_security\_group](#input\_truefoundry\_db\_ingress\_security\_group) | SG allowed to connect to the database | `string` | n/a | yes |
 | <a name="input_truefoundry_db_instance_class"></a> [truefoundry\_db\_instance\_class](#input\_truefoundry\_db\_instance\_class) | Instance class for RDS | `string` | n/a | yes |
@@ -90,8 +91,10 @@ Truefoundry AWS Control Plane Module
 | <a name="input_truefoundry_db_storage_iops"></a> [truefoundry\_db\_storage\_iops](#input\_truefoundry\_db\_storage\_iops) | Provisioned IOPS for the db | `number` | n/a | yes |
 | <a name="input_truefoundry_db_storage_type"></a> [truefoundry\_db\_storage\_type](#input\_truefoundry\_db\_storage\_type) | Storage type for truefoundry db | `string` | `"gp3"` | no |
 | <a name="input_truefoundry_db_subnet_ids"></a> [truefoundry\_db\_subnet\_ids](#input\_truefoundry\_db\_subnet\_ids) | List of subnets where the RDS database will be deployed | `list(string)` | n/a | yes |
+| <a name="input_truefoundry_iam_role_enabled"></a> [truefoundry\_iam\_role\_enabled](#input\_truefoundry\_iam\_role\_enabled) | variable to enable/disable truefoundry iam role creation | `bool` | `true` | no |
 | <a name="input_truefoundry_s3_cors_origins"></a> [truefoundry\_s3\_cors\_origins](#input\_truefoundry\_s3\_cors\_origins) | List of CORS origins for Mlfoundry bucket | `list(string)` | <pre>[<br>  "*"<br>]</pre> | no |
 | <a name="input_truefoundry_s3_enable_override"></a> [truefoundry\_s3\_enable\_override](#input\_truefoundry\_s3\_enable\_override) | Enable override for s3 bucket name. You must pass truefoundry\_s3\_override\_name | `bool` | `false` | no |
+| <a name="input_truefoundry_s3_enabled"></a> [truefoundry\_s3\_enabled](#input\_truefoundry\_s3\_enabled) | variable to enable/disable truefoundry s3 bucket creation | `bool` | `true` | no |
 | <a name="input_truefoundry_s3_encryption_algorithm"></a> [truefoundry\_s3\_encryption\_algorithm](#input\_truefoundry\_s3\_encryption\_algorithm) | Algorithm used for encrypting the default bucket. | `string` | `"AES256"` | no |
 | <a name="input_truefoundry_s3_encryption_key_arn"></a> [truefoundry\_s3\_encryption\_key\_arn](#input\_truefoundry\_s3\_encryption\_key\_arn) | ARN of the key used to encrypt the bucket. Only needed if you set aws:kms as encryption algorithm. | `string` | `null` | no |
 | <a name="input_truefoundry_s3_force_destroy"></a> [truefoundry\_s3\_force\_destroy](#input\_truefoundry\_s3\_force\_destroy) | Force destroy for mlfoundry s3 bucket | `bool` | `false` | no |

bucket.tf

@@ -41,13 +41,15 @@ data "aws_iam_policy_document" "truefoundry_bucket_policy" {
 }
 
 resource "aws_iam_policy" "truefoundry_bucket_policy" {
+  count       = var.truefoundry_iam_role_enabled ? var.truefoundry_s3_enabled ? 1 : 0 : 0
   name_prefix = "${local.truefoundry_unique_name}-access-to-bucket"
   description = "IAM policy for TrueFoundry bucket"
   policy      = data.aws_iam_policy_document.truefoundry_bucket_policy.json
   tags        = local.tags
 }
 
 module "truefoundry_bucket" {
+  count   = var.truefoundry_s3_enabled ? 1 : 0
   source  = "terraform-aws-modules/s3-bucket/aws"
   version = "3.14.0"
 

iam-ecr.tf

@@ -41,6 +41,7 @@ data "aws_iam_policy_document" "svcfoundry_access_to_ecr" {
 }
 
 resource "aws_iam_policy" "svcfoundry_access_to_ecr" {
+  count       = var.truefoundry_iam_role_enabled ? 1 : 0
   name_prefix = "${local.svcfoundry_unique_name}-access-to-ecr"
   description = "ECR access for ${var.svcfoundry_name} on ${var.cluster_name}"
   policy      = data.aws_iam_policy_document.svcfoundry_access_to_ecr.json

iam-rds.tf

@@ -6,13 +6,14 @@ data "aws_iam_policy_document" "truefoundry_db_iam_auth_policy_document" {
       "rds-db:connect"
     ]
     resources = [
-      "arn:aws:rds-db:${var.aws_region}:${var.aws_account_id}:dbuser:${aws_db_instance.truefoundry_db.id}/*"
+      "arn:aws:rds-db:${var.aws_region}:${var.aws_account_id}:dbuser:${aws_db_instance.truefoundry_db[0].id}/*"
     ]
   }
 }
 
 # we cannnot apply count here as module.truefoundry_oidc_iam requires fixed no of role_policy_arns
 resource "aws_iam_policy" "truefoundry_db_iam_auth_policy" {
+  count       = var.truefoundry_iam_role_enabled ? 1 : 0
   name_prefix = "${local.svcfoundry_unique_name}-db-iam-auth-policy"
   description = "IAM based authentication policy for ${var.svcfoundry_name} and ${var.mlfoundry_name} in cluster ${var.cluster_name}"
   policy      = data.aws_iam_policy_document.truefoundry_db_iam_auth_policy_document.json

iam-sa.tf

@@ -2,7 +2,8 @@
 
 module "truefoundry_oidc_iam" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
-  version = "5.39.0"
+  count   = var.truefoundry_iam_role_enabled ? 1 : 0
+  version = "5.39.1"
 
   create_role  = true
   role_name    = "${var.cluster_name}-truefoundry-deps"
@@ -13,12 +14,12 @@ module "truefoundry_oidc_iam" {
   ]
 
   role_policy_arns = [
-    aws_iam_policy.truefoundry_bucket_policy.arn,
-    aws_iam_policy.svcfoundry_access_to_ssm.arn,
-    aws_iam_policy.svcfoundry_access_to_multitenant_ssm.arn,
-    aws_iam_policy.truefoundry_assume_role_all.arn,
-    aws_iam_policy.svcfoundry_access_to_ecr.arn,
-    aws_iam_policy.truefoundry_db_iam_auth_policy.arn,
+    aws_iam_policy.truefoundry_bucket_policy[0].arn,
+    aws_iam_policy.svcfoundry_access_to_ssm[0].arn,
+    aws_iam_policy.svcfoundry_access_to_multitenant_ssm[0].arn,
+    aws_iam_policy.truefoundry_assume_role_all[0].arn,
+    aws_iam_policy.svcfoundry_access_to_ecr[0].arn,
+    aws_iam_policy.truefoundry_db_iam_auth_policy[0].arn,
   ]
   tags = local.tags
 }

iam-ssm.tf

@@ -1,10 +1,3 @@
-resource "aws_iam_policy" "svcfoundry_access_to_ssm" {
-  name_prefix = "${local.svcfoundry_unique_name}-access-to-ssm"
-  description = "SSM read access for ${var.svcfoundry_name} on ${var.cluster_name}"
-  policy      = data.aws_iam_policy_document.svcfoundry_access_to_ssm.json
-  tags        = local.tags
-}
-
 data "aws_iam_policy_document" "svcfoundry_access_to_ssm" {
   statement {
     effect = "Allow"
@@ -23,16 +16,17 @@ data "aws_iam_policy_document" "svcfoundry_access_to_ssm" {
     ]
     resources = [
       "arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/${var.account_name}/${var.svcfoundry_name}/*",
-      "arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/${var.account_name}/${aws_db_instance.truefoundry_db.id}/*",
+      "arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/${var.account_name}/${aws_db_instance.truefoundry_db[0].id}/*",
       "arn:aws:ssm:${var.aws_region}:${var.aws_account_id}:parameter/${var.account_name}/truefoundry/dockerhub/IMAGE_PULL_CREDENTIALS",
     ]
   }
 }
 
-resource "aws_iam_policy" "svcfoundry_access_to_multitenant_ssm" {
-  name_prefix = "${local.svcfoundry_unique_name}-access-to-multitenant-ssm"
-  description = "SSM read access for ${var.svcfoundry_name} to all multitenant params on ${var.cluster_name}"
-  policy      = data.aws_iam_policy_document.svcfoundry_access_to_multitenant_ssm.json
+resource "aws_iam_policy" "svcfoundry_access_to_ssm" {
+  count       = var.truefoundry_iam_role_enabled ? 1 : 0
+  name_prefix = "${local.svcfoundry_unique_name}-access-to-ssm"
+  description = "SSM read access for ${var.svcfoundry_name} on ${var.cluster_name}"
+  policy      = data.aws_iam_policy_document.svcfoundry_access_to_ssm.json
   tags        = local.tags
 }
 
@@ -54,6 +48,14 @@ data "aws_iam_policy_document" "svcfoundry_access_to_multitenant_ssm" {
   }
 }
 
+resource "aws_iam_policy" "svcfoundry_access_to_multitenant_ssm" {
+  count       = var.truefoundry_iam_role_enabled ? 1 : 0
+  name_prefix = "${local.svcfoundry_unique_name}-access-to-multitenant-ssm"
+  description = "SSM read access for ${var.svcfoundry_name} to all multitenant params on ${var.cluster_name}"
+  policy      = data.aws_iam_policy_document.svcfoundry_access_to_multitenant_ssm.json
+  tags        = local.tags
+}
+
 # allow servicefoundry to assume any role to support Assume role feature
 data "aws_iam_policy_document" "truefoundry_assume_role_all" {
   statement {
@@ -68,6 +70,7 @@ data "aws_iam_policy_document" "truefoundry_assume_role_all" {
 }
 
 resource "aws_iam_policy" "truefoundry_assume_role_all" {
+  count       = var.truefoundry_iam_role_enabled ? 1 : 0
   name_prefix = "truefoundry-allow-assume-role-all"
   description = "Allow access to assume role for ${local.svcfoundry_unique_name} and ${local.mlfoundry_unique_name} in ${var.cluster_name}"
   policy      = data.aws_iam_policy_document.truefoundry_assume_role_all.json

kms.tf

@@ -1,19 +1,20 @@
+# Kms key is used to encrypt the master user password for the RDS instance
 resource "aws_kms_key" "truefoundry_db_master_user_secret_kms_key" {
-  count               = var.manage_master_user_password ? 1 : 0
+  count               = var.truefoundry_db_enabled ? var.manage_master_user_password ? 1 : 0 : 0
   enable_key_rotation = true
   description         = "Truefoundry RDS Postgres Database encryption key"
   policy              = data.aws_iam_policy_document.truefoundry_db_master_user_secret_kms_policy[0].json
   tags                = local.tags
 }
 
 resource "aws_kms_alias" "truefoundry_db_master_user_secret_kms" {
-  count         = var.manage_master_user_password ? 1 : 0
+  count         = var.truefoundry_db_enabled ? var.manage_master_user_password ? 1 : 0 : 0
   name          = "alias/${var.cluster_name}-db-kms"
   target_key_id = aws_kms_key.truefoundry_db_master_user_secret_kms_key[0].id
 }
 
 data "aws_iam_policy_document" "truefoundry_db_master_user_secret_kms_policy" {
-  count   = var.manage_master_user_password ? 1 : 0
+  count   = var.truefoundry_db_enabled ? var.manage_master_user_password ? 1 : 0 : 0
   version = "2012-10-17"
   statement {
     effect  = "Allow"

output.tf

@@ -1,40 +1,40 @@
 output "truefoundry_db_id" {
-  value = aws_db_instance.truefoundry_db.id
+  value = var.truefoundry_db_enabled ? aws_db_instance.truefoundry_db[0].id : ""
 }
 
 output "truefoundry_db_endpoint" {
-  value = aws_db_instance.truefoundry_db.endpoint
+  value = var.truefoundry_db_enabled ? aws_db_instance.truefoundry_db[0].endpoint : ""
 }
 
 output "truefoundry_db_address" {
-  value = aws_db_instance.truefoundry_db.address
+  value = var.truefoundry_db_enabled ? aws_db_instance.truefoundry_db[0].address : ""
 }
 
 output "truefoundry_db_port" {
-  value = aws_db_instance.truefoundry_db.port
+  value = var.truefoundry_db_enabled ? aws_db_instance.truefoundry_db[0].port : 0
 }
 
 output "truefoundry_db_database_name" {
-  value = aws_db_instance.truefoundry_db.db_name
+  value = var.truefoundry_db_enabled ? aws_db_instance.truefoundry_db[0].db_name : ""
 }
 
 output "truefoundry_db_engine" {
-  value = aws_db_instance.truefoundry_db.engine
+  value = var.truefoundry_db_enabled ? aws_db_instance.truefoundry_db[0].engine : ""
 }
 
 output "truefoundry_db_username" {
-  value = aws_db_instance.truefoundry_db.username
+  value = var.truefoundry_db_enabled ? aws_db_instance.truefoundry_db[0].username : ""
 }
 
 output "truefoundry_db_password" {
-  value     = aws_db_instance.truefoundry_db.password
+  value     = var.truefoundry_db_enabled ? aws_db_instance.truefoundry_db[0].password : ""
   sensitive = true
 }
 
 output "truefoundry_bucket_id" {
-  value = module.truefoundry_bucket.s3_bucket_id
+  value = var.truefoundry_s3_enabled ? module.truefoundry_bucket[0].s3_bucket_id : ""
 }
 
 output "truefoundry_iam_role_arn" {
-  value = module.truefoundry_oidc_iam.iam_role_arn
+  value = var.truefoundry_iam_role_enabled ? module.truefoundry_oidc_iam[0].iam_role_arn : ""
 }

rds.tf

@@ -1,17 +1,19 @@
 resource "random_password" "truefoundry_db_password" {
-  count            = var.manage_master_user_password ? 0 : 1
+  count            = var.truefoundry_db_enabled ? var.manage_master_user_password ? 0 : 1 : 0
   length           = 24
   special          = true
   override_special = "#%&*()-_=+[]{}<>:"
 }
 
 resource "aws_db_subnet_group" "rds" {
+  count      = var.truefoundry_db_enabled ? 1 : 0
   name       = "${local.truefoundry_db_unique_name}-rds"
   subnet_ids = var.truefoundry_db_subnet_ids
   tags       = local.tags
 }
 
 resource "aws_security_group" "rds" {
+  count  = var.truefoundry_db_enabled ? 1 : 0
   name   = "${local.truefoundry_db_unique_name}-rds"
   vpc_id = var.vpc_id
   tags   = local.tags
@@ -31,7 +33,7 @@ resource "aws_security_group" "rds" {
   }
 }
 resource "aws_security_group" "rds-public" {
-  count  = var.truefoundry_db_publicly_accessible ? 1 : 0
+  count  = var.truefoundry_db_enabled ? var.truefoundry_db_publicly_accessible ? 1 : 0 : 0
   name   = "${local.truefoundry_db_unique_name}-rds-public"
   vpc_id = var.vpc_id
   tags   = local.tags
@@ -52,15 +54,16 @@ resource "aws_security_group" "rds-public" {
 }
 
 resource "aws_db_instance" "truefoundry_db" {
+  count                                 = var.truefoundry_db_enabled ? 1 : 0
   tags                                  = local.tags
   engine                                = "postgres"
   engine_version                        = var.truefoundry_db_engine_version
   multi_az                              = var.truefoundry_db_multiple_az
   allocated_storage                     = var.truefoundry_db_allocated_storage
   max_allocated_storage                 = var.truefoundry_db_max_allocated_storage
   port                                  = local.truefoundry_db_port
-  db_subnet_group_name                  = aws_db_subnet_group.rds.name
-  vpc_security_group_ids                = concat([aws_security_group.rds.id], aws_security_group.rds-public[*].id)
+  db_subnet_group_name                  = aws_db_subnet_group.rds[0].name
+  vpc_security_group_ids                = concat([aws_security_group.rds[0].id], aws_security_group.rds-public[*].id)
   username                              = local.truefoundry_db_master_username
   identifier                            = var.truefoundry_db_enable_override ? var.truefoundry_db_override_name : null
   identifier_prefix                     = var.truefoundry_db_enable_override ? null : local.truefoundry_db_unique_name
@@ -85,8 +88,8 @@ resource "aws_db_instance" "truefoundry_db" {
 }
 
 resource "aws_secretsmanager_secret_rotation" "turefoundry_db_secret_rotation" {
-  count              = var.manage_master_user_password ? var.manage_master_user_password_rotation ? 1 : 0 : 0
-  secret_id          = aws_db_instance.truefoundry_db.master_user_secret[0].secret_arn
+  count              = var.truefoundry_db_enabled ? var.manage_master_user_password ? var.manage_master_user_password_rotation ? 1 : 0 : 0 : 0
+  secret_id          = aws_db_instance.truefoundry_db[0].master_user_secret[0].secret_arn
   rotate_immediately = var.master_user_password_rotate_immediately
   rotation_rules {
     automatically_after_days = var.master_user_password_rotation_automatically_after_days

upgrade-guide.md

@@ -0,0 +1,28 @@
+# terraform-aws-truefoundry-control-plane
+This guide will help you to migrate your terraform code across versions. Keeping your terraform state to the latest version is always recommeneded
+
+## Upgrade 0.3.x to 0.4.x
+1. Ensure you have migrated to the latest version of `0.3.x` which is `0.3.10`
+2. Run a plan with `0.4.0` by executing `terraform plan` or `terragrunt plan`
+3. Run the following command to perform the resource moving
+```shell
+# running state move of IAM role
+terragrunt state mv module.truefoundry_oidc_iam.aws_iam_role.this[0] module.truefoundry_oidc_iam[0].aws_iam_role.this[0]
+
+# running a for loop to move the related policies
+for i in {0..5}
+do
+echo "Doing this for resource $i"
+terragrunt state mv module.truefoundry_oidc_iam.aws_iam_role_policy_attachment.custom[$i] module.truefoundry_oidc_iam[0].aws_iam_role_policy_attachment.custom[$i]
+echo "Resource $i is moved"
+done
+
+terragrunt state mv module.truefoundry_bucket.aws_s3_bucket.this[0] module.truefoundry_bucket[0].aws_s3_bucket.this[0]
+terragrunt state mv module.truefoundry_bucket.aws_s3_bucket_cors_configuration.this[0] module.truefoundry_bucket[0].aws_s3_bucket_cors_configuration.this[0]
+terragrunt state mv module.truefoundry_bucket.aws_s3_bucket_intelligent_tiering_configuration.this module.truefoundry_bucket[0].aws_s3_bucket_intelligent_tiering_configuration.this
+terragrunt state mv module.truefoundry_bucket.aws_s3_bucket_lifecycle_configuration.this[0] module.truefoundry_bucket[0].aws_s3_bucket_lifecycle_configuration.this[0]
+terragrunt state mv module.truefoundry_bucket.aws_s3_bucket_policy.this[0] module.truefoundry_bucket[0].aws_s3_bucket_policy.this[0]
+terragrunt state mv module.truefoundry_bucket.aws_s3_bucket_public_access_block.this[0] module.truefoundry_bucket[0].aws_s3_bucket_public_access_block.this[0]
+terragrunt state mv module.truefoundry_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0] module.truefoundry_bucket[0].aws_s3_bucket_server_side_encryption_configuration.this[0]
+terragrunt state mv module.truefoundry_bucket.aws_s3_bucket_versioning.this[0] module.truefoundry_bucket[0].aws_s3_bucket_versioning.this[0]
+```

variables.tf

@@ -45,6 +45,12 @@ variable "vpc_id" {
 ## Database
 ##################################################################################
 
+variable "truefoundry_db_enabled" {
+  type        = bool
+  description = "variable to enable/disable truefoundry db creation"
+  default     = true
+}
+
 variable "truefoundry_db_ingress_security_group" {
   type        = string
   description = "SG allowed to connect to the database"
@@ -182,6 +188,12 @@ variable "master_user_password_rotation_duration" {
 ## Mlfoundry bucket
 ##################################################################################
 
+variable "truefoundry_s3_enabled" {
+  type        = bool
+  description = "variable to enable/disable truefoundry s3 bucket creation"
+  default     = true
+}
+
 variable "truefoundry_s3_enable_override" {
   description = "Enable override for s3 bucket name. You must pass truefoundry_s3_override_name"
   type        = bool
@@ -264,4 +276,14 @@ variable "svcfoundry_k8s_service_account" {
 variable "svcfoundry_k8s_namespace" {
   description = "The k8s svcfoundry namespace"
   type        = string
-}
+}
+
+##################################################################################
+## IAM role
+##################################################################################
+
+variable "truefoundry_iam_role_enabled" {
+  default     = true
+  type        = bool
+  description = "variable to enable/disable truefoundry iam role creation"
+}