diff --git a/CHANGELOG.md b/CHANGELOG.md index 3fa9a55..4a25cd7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,14 @@ # Changelog +## 1.0.3 (2024-07-22) + +### Features +- Amazon RDS Aurora MySQL module +- Amazon RDS Aurora MySQL Kinesis module +- Amazon RDS Aurora MySQL Slow query module +- Amazon RDS Aurora PostgreSQL module +- Amazon RDS Aurora PostgreSQL Kinesis module + ## 1.0.2 (2024-07-12) ### Features diff --git a/DSF_VERSION_COMPATABILITY.md b/DSF_VERSION_COMPATABILITY.md index b041104..daea41b 100644 --- a/DSF_VERSION_COMPATABILITY.md +++ b/DSF_VERSION_COMPATABILITY.md @@ -18,6 +18,26 @@ The following table lists the DSF versions that each module is tested and mainta onboard-aws-rds-neptune-slow-query 4.17+ + + + onboard-aws-rds-aurora-mysql + 4.17+ + + + onboard-aws-rds-aurora-mysql-kinesis + 4.17+ + + + onboard-aws-rds-aurora-mysql-slowquery + 4.17+ + + + onboard-aws-rds-aurora-postgresql + 4.17+ + + + onboard-aws-rds-aurora-postgresql-kinesis + 4.17+ onboard-aws-rds-mariadb diff --git a/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md b/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md new file mode 100644 index 0000000..0256407 --- /dev/null +++ b/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md 
@@ -0,0 +1,28 @@ +# Onboard Amazon Aurora MySQL via Kinesis example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Aurora-MySQL-Onboarding-Steps_48366913.html). + +It creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each one can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created kinesis stream. + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-aurora-mysql-kinesis](#module\_aws-aurora-mysql-kinesis) | ../../modules/onboard-aws-rds-aurora-mysql-kinesis | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-mysql-kinesis/main.tf b/examples/onboard-aws-rds-aurora-mysql-kinesis/main.tf new file mode 100644 index 0000000..cc523d3 --- /dev/null +++ b/examples/onboard-aws-rds-aurora-mysql-kinesis/main.tf 
@@ -0,0 +1,76 @@ +locals { + aws_region = "us-east-2" + apply_immediately = true + master_user = "admin" + master_password = "Abcd1234" + + admin_email = "test@example.com" + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# 1. AWS cloud account +################################################################################ +# 1. AWS cloud account +module "aws-default-account-asset" { + source = "../../modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::1234567890" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# Amazon Aurora MySQL via kinesis stream +################################################################################ +module "aws-aurora-mysql-kinesis" { + source = "../../modules/onboard-aws-rds-aurora-mysql-kinesis" + + aws_aurora_mysql_cluster_admin_email = local.admin_email + aws_aurora_mysql_cluster_gateway_id = local.gateway_id + aws_aurora_mysql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_mysql_cluster_region = local.aws_region + + aws_kinesis_admin_email = local.admin_email + aws_kinesis_audit_pull_enabled = true + aws_kinesis_gateway_id = local.gateway_id + 
aws_kinesis_reason = "default" + aws_kinesis_region = local.aws_region + + cluster_apply_immediately = local.apply_immediately + cluster_db_master_password = local.master_password + cluster_db_master_username = local.master_user + cluster_id = "tf-aurora-mysql-kinesis-cluster" + cluster_final_snapshot = true + + instance_apply_immediately = local.apply_immediately + instance_identifier = "tf-aurora-mysql-kinesis-instance" + instance_publicly_accessible = true +} diff --git a/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md b/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md new file mode 100644 index 0000000..1ecc26a --- /dev/null +++ b/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md 
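Review bot: The cluster master password is a string literal in `locals` (`master_password = "Abcd1234"`), so it is committed with the example and, once applied, lands in plaintext in Terraform state; the same pattern appears in the `onboard-aws-rds-aurora-mysql-slowquery`, `onboard-aws-rds-aurora-mysql`, `onboard-aws-rds-aurora-postgresql-kinesis` and `onboard-aws-rds-aurora-postgresql` examples in this commit. Since the file already takes `dsfhub_token` from the environment, the password should follow the same route, e.g. `variable "master_password" { sensitive = true } # TF_VAR_master_password env variable`, and `dsfhub_token` itself should be declared `variable "dsfhub_token" { sensitive = true }` so it is redacted from plan output. `instance_publicly_accessible = true` is also set while the example passes no security-group input, which deserves a one-line comment stating that the instance is intentionally exposed and why. The "# 1. AWS cloud account" comment is repeated twice in the Prerequisites banner; one copy is enough.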
@@ -0,0 +1,28 @@ +# Onboard Amazon Aurora MySQL Slow Query example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Aurora-MySQL-Onboarding-Steps_48366913.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-aurora-mysql-slowquery](#module\_aws-aurora-mysql-slowquery) | ../../modules/onboard-aws-rds-aurora-mysql-slowquery | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf b/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf new file mode 100644 index 0000000..1d5f97f --- /dev/null +++ b/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf 
@@ -0,0 +1,101 @@ +locals { + aws_region = "us-east-2" + vpc_security_group_ids = [ + "sg-12a345678912b1c2a", + "sg-34b456789c12b231e" + ] + subnet_group_name = "my-subnet-group" + admin_email = "person@example.com" + gateway_id = "a1b2c3d4-1234-5678-9123-cd1edcef7642" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# AWS cloud account +################################################################################ + +module "aws-default-account-asset" { + source = "../../modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::123456789101:role/iam-role" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# Amazon Aurora MySQL Slowquery +################################################################################ + +module "aws-aurora-mysql-slowquery" { + source = "../../modules/onboard-aws-rds-aurora-mysql-slowquery" + + cluster_parameter_group_name = "aurora-mysql-cpg-tf" + cluster_parameter_group_parameters = [ + { + name = "server_audit_logging" + value = 1 + }, + { + name = "server_audit_excl_users" + value = "rdsadmin" + }, + { + name = "server_audit_events" + value = "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML" + }, + { + name = "slow_query_log" + value = 1 + }, + { 
+ name = "long_query_time" + value = 5 + }, + { + name = "log_slow_admin_statements" + value = 1 + } + ] + + cluster_cluster_id = "aurora-mysql-cluster" + cluster_db_master_username = "admin" + cluster_db_master_password = "mypassword" + cluster_db_subnet_group_name = local.subnet_group_name + cluster_vpc_security_group_ids = local.vpc_security_group_ids + + instance_identifier = "aurora-mysql-inst" + instance_publicly_accessible = false + + aws_aurora_mysql_cluster_admin_email = local.admin_email + aws_aurora_mysql_cluster_gateway_id = local.gateway_id + aws_aurora_mysql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_mysql_cluster_region = local.aws_region + + aws_log_group_audit_pull_enabled = true +} diff --git a/examples/onboard-aws-rds-aurora-mysql/README.md b/examples/onboard-aws-rds-aurora-mysql/README.md new file mode 100644 index 0000000..76c3df3 --- /dev/null +++ b/examples/onboard-aws-rds-aurora-mysql/README.md 
@@ -0,0 +1,28 @@ +# Onboard Amazon Aurora MySQL example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Aurora-MySQL-Onboarding-Steps_48366913.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-aurora-mysql](#module\_aws-aurora-mysql) | ../../modules/onboard-aws-rds-aurora-mysql | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-mysql/main.tf b/examples/onboard-aws-rds-aurora-mysql/main.tf new file mode 100644 index 0000000..f18b2a3 --- /dev/null +++ b/examples/onboard-aws-rds-aurora-mysql/main.tf 
@@ -0,0 +1,75 @@ +locals { + aws_region = "us-east-2" + vpc_security_group_ids = [ + "sg-12a345678912b1c2a", + "sg-34b456789c12b231e" + ] + subnet_group_name = "my-subnet-group" + admin_email = "person@example.com" + gateway_id = "a1b2c3d4-1234-5678-9123-cd1edcef7642" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# AWS cloud account +################################################################################ + +module "aws-default-account-asset" { + source = "../../modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::123456789101:role/iam-role" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# Amazon Aurora Mysql +################################################################################ + +module "aws-aurora-mysql" { + source = "../../modules/onboard-aws-rds-aurora-mysql" + + cluster_parameter_group_name = "aurora-mysql-cpg-tf" + + cluster_cluster_id = "aurora-mysql-cluster" + cluster_db_master_username = "admin" + cluster_db_master_password = "mypassword" + cluster_db_subnet_group_name = local.subnet_group_name + cluster_vpc_security_group_ids = local.vpc_security_group_ids + + instance_identifier = "aurora-mysql-inst" + instance_publicly_accessible = false 
+ + aws_aurora_mysql_cluster_admin_email = local.admin_email + aws_aurora_mysql_cluster_gateway_id = local.gateway_id + aws_aurora_mysql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_mysql_cluster_region = local.aws_region + + aws_log_group_audit_pull_enabled = true +} diff --git a/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md b/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md new file mode 100644 index 0000000..c12872b --- /dev/null +++ b/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md 
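Review bot: This example and the slow-query example in the same commit use identical AWS identifiers — `cluster_parameter_group_name = "aurora-mysql-cpg-tf"`, `cluster_cluster_id = "aurora-mysql-cluster"` and `instance_identifier = "aurora-mysql-inst"` — so applying both in one account fails on the second with a name conflict; suffixing the names here (e.g. `"aurora-mysql-cluster-cw"`) avoids that. Unlike the slow-query example, `cluster_parameter_group_name` is set without a `cluster_parameter_group_parameters` list, so whether `server_audit_logging` is turned on depends on the module's defaults, which this file does not show; a comment such as `# audit parameters come from the module defaults` (or the explicit list) would make that visible to readers.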
@@ -0,0 +1,28 @@ +# Onboard Amazon Aurora PostgreSQL via Kinesis example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Aurora-PostgreSQL-Onboarding-Steps_48366929.html). + +It creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each one can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created kinesis stream. + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-aurora-postgresql-kinesis](#module\_aws-aurora-postgresql-kinesis) | ../../modules/onboard-aws-rds-aurora-postgresql-kinesis | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf b/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf new file mode 100644 index 0000000..354bc4c --- /dev/null +++ b/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf 
@@ -0,0 +1,106 @@ +locals { + aws_region = "us-east-2" + apply_immediately = true + master_user = "PGadmin" + master_password = "Abcd1234" + + admin_email = "test@example.com" + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# 1. AWS cloud account +################################################################################ +# 1. AWS cloud account +module "aws-default-account-asset" { + source = "../../modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::1234567890" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# Amazon Aurora PostgreSQL 16 via kinesis stream +################################################################################ +module "aws-aurora-postgresql-kinesis" { + source = "../../modules/onboard-aws-rds-aurora-postgresql-kinesis" + + aws_aurora_postgresql_cluster_admin_email = local.admin_email + aws_aurora_postgresql_cluster_audit_type = "KINESIS" + aws_aurora_postgresql_cluster_gateway_id = local.gateway_id + aws_aurora_postgresql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_postgresql_cluster_region = local.aws_region + + aws_kinesis_admin_email = 
local.admin_email + aws_kinesis_audit_pull_enabled = true + aws_kinesis_gateway_id = local.gateway_id + aws_kinesis_region = local.aws_region + + cluster_apply_immediately = true + cluster_db_engine_version = "16" + cluster_db_master_password = local.master_password + cluster_db_master_username = local.master_user + cluster_id = "tf-aurora-postgresql-kinesis-cluster" + + instance_apply_immediately = true + instance_class = "db.r5.large" + instance_identifier = "tf-aurora-postgresql-kinesis-instance" + instance_publicly_accessible = true +} + +################################################################################ +# Amazon Aurora PostgreSQL 16 via kinesis stream aggregated +################################################################################ +module "aws-aurora-postgresql-kinesis" { + source = "../../modules/onboard-aws-rds-aurora-postgresql-kinesis" + + aws_aurora_postgresql_cluster_admin_email = local.admin_email + aws_aurora_postgresql_cluster_audit_type = "KINESIS_AGGREGATED" + aws_aurora_postgresql_cluster_gateway_id = local.gateway_id + aws_aurora_postgresql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_postgresql_cluster_region = local.aws_region + + aws_kinesis_admin_email = local.admin_email + aws_kinesis_audit_pull_enabled = true + aws_kinesis_gateway_id = local.gateway_id + aws_kinesis_region = local.aws_region + + cluster_apply_immediately = true + cluster_db_engine_version = "16" + cluster_db_master_password = local.master_password + cluster_db_master_username = local.master_user + cluster_id = "tf-aurora-postgresql-kinesis-cluster" + + instance_apply_immediately = true + instance_class = "db.r5.large" + instance_identifier = "tf-aurora-postgresql-kinesis-instance" + instance_publicly_accessible = true +} diff --git a/examples/onboard-aws-rds-aurora-postgresql/README.md b/examples/onboard-aws-rds-aurora-postgresql/README.md new file mode 100644 index 0000000..43676b1 --- /dev/null 
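Review bot: The file declares `module "aws-aurora-postgresql-kinesis"` twice (the `KINESIS` and `KINESIS_AGGREGATED` variants), which Terraform rejects as a duplicate module call, so this example cannot be initialised as committed; `examples/onboard-aws-rds-aurora-postgresql/main.tf` in this commit has the same problem with two `module "aurora-postgresql"` blocks. Both variants also share `cluster_id = "tf-aurora-postgresql-kinesis-cluster"` and `instance_identifier = "tf-aurora-postgresql-kinesis-instance"`, so even with distinct module names they would collide in AWS. Either rename the second block, e.g. `module "aws-aurora-postgresql-kinesis-aggregated"`, with its own identifiers, or comment it out with a note that it is an alternative to the first.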
+++ b/examples/onboard-aws-rds-aurora-postgresql/README.md 
@@ -0,0 +1,45 @@ +# Onboard Amazon Aurora PostgreSQL example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Aurora-PostgreSQL-Onboarding-Steps_48366929.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. + +### Database Configuration +Part of the onboarding process involves connecting to your Aurora PostgreSQL cluster and running SQL commands to create both a role and an extension. This module includes an example for how to connect to the instance from your local machine and create both of these. + +**Note:** This example requires the ``psql`` client to be installed, as well as for the newly created Aurora cluster to be accessible from your local machine. 
+ + + + +## Providers + +| Name | Version | +|------|---------| +| [terraform](#provider\_terraform) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora-postgresql](#module\_aurora-postgresql) | ../../modules/onboard-aws-rds-aurora-postgresql | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | + +## Resources + +| Name | Type | +|------|------| +| [terraform_data.configure_database](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-postgresql/configure_database.sh b/examples/onboard-aws-rds-aurora-postgresql/configure_database.sh new file mode 100755 index 0000000..c864119 --- /dev/null +++ b/examples/onboard-aws-rds-aurora-postgresql/configure_database.sh 
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Configures Aurora Postgresql database for auditing by connecting to the
+# database using 'psql'
+#
+# Connection to the database uses PG environment variables
+# See postgres documentation for more information:
+# https://www.postgresql.org/docs/current/libpq-envars.html
+################################################################################
+
+# Settings
+current_directory=$(dirname "$(realpath "${BASH_SOURCE[0]}")")
+sql_file="${current_directory}/configure_database.sql"
+
+# Functions
+function is_pkg_installed {
+ local pkg="$1"
+ if ! command -v "${pkg}" &> /dev/null
+ then
+ echo "Package '${pkg}' is not installed."
+ echo "Install on MacOS: brew install libpq"
+ echo "Install on Ubuntu: apt-get install -y libpq-dev"
+ echo "Install on CentOS: yum install -y libpq"
+ echo "Exiting..."
+ exit 1
+ else
+ return 0
+ fi
+}
+
+################################################################################
+is_pkg_installed "psql"
+if [ ! -r "${sql_file}" ]; then
+ echo "Unable to read ${sql_file}"
+ echo "Exiting..."
+ exit 1
+else
+ psql --file="${sql_file}"
+fi
diff --git a/examples/onboard-aws-rds-aurora-postgresql/configure_database.sql b/examples/onboard-aws-rds-aurora-postgresql/configure_database.sql
new file mode 100644
index 0000000..4486147
--- /dev/null
+++ b/examples/onboard-aws-rds-aurora-postgresql/configure_database.sql
@@ -0,0 +1,18 @@
+DO
+$$
+BEGIN
+ RAISE NOTICE 'Creating auditor role "rds_pgaudit".';
+ IF EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'rds_pgaudit') THEN
+ RAISE NOTICE 'Role "rds_pgaudit" already exists. Skipping.';
+ ELSE
+ CREATE ROLE rds_pgaudit;
+ END IF;
+
+ RAISE NOTICE 'Creating audit extension "pgaudit".';
+ IF EXISTS (SELECT FROM pg_catalog.pg_extension WHERE extname = 'pgaudit') THEN
+ RAISE NOTICE 'Audit extension "pgaudit" already exists. Skipping.';
+ ELSE
+ CREATE EXTENSION pgaudit;
+ END IF;
+END
+$$;
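Review bot: `psql --file="${sql_file}"` at the end of the script exits 0 even when a statement in the SQL file fails, because psql only reports script errors through its exit status when `ON_ERROR_STOP` is set; as written, a failed `CREATE EXTENSION pgaudit` leaves the cluster unconfigured while the calling Terraform provisioner's `on_failure = fail` never triggers. Change the invocation to `psql --set ON_ERROR_STOP=1 --file="${sql_file}"`, and consider `set -euo pipefail` after the shebang so a failing `realpath`/`dirname` in the Settings line cannot be ignored either. The header comment correctly says the connection comes from the PG* environment; adding one line there noting that the caller should also set `PGSSLMODE` (libpq defaults to `prefer`, which falls back to plaintext) would make the TLS expectation explicit.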
diff --git a/examples/onboard-aws-rds-aurora-postgresql/main.tf b/examples/onboard-aws-rds-aurora-postgresql/main.tf
new file mode 100644
index 0000000..a783934
--- /dev/null
+++ b/examples/onboard-aws-rds-aurora-postgresql/main.tf
@@ -0,0 +1,133 @@ +locals { + aws_region = "us-east-2" + apply_immediately = true + master_user = "admin" + master_password = "Abcd1234" + subnet_group_name = "default" + vpc_security_groups = ["sg-0123456789abcdefg"] + + admin_email = "test@example.com" + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# 1. AWS cloud account +# 2. Method to create 'pgaudit' extension and 'rds_pgaudit' role on the postgres +# cluster. +################################################################################ +# 1. AWS cloud account +module "aws-default-account-asset" { + source = "../../modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::1234567890" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +# 2. Run shell script locally to create extension and role on the newly created +# postgres cluster. 
+resource "terraform_data" "configure_database" { + depends_on = [module.aurora-postgresql] + + provisioner "local-exec" { + environment = { + PGHOST = module.aurora-postgresql.cluster.endpoint + PGUSER = local.master_user + PGPASSWORD = local.master_password + PGPORT = module.aurora-postgresql.cluster.port + PGDATABASE = "postgres" + } + + command = "./configure_database.sh" + + on_failure = fail + } +} + +################################################################################ +# Amazon Aurora PostgreSQL 16.1 +################################################################################ +module "aurora-postgresql" { + source = "../../modules/onboard-aws-rds-aurora-postgresql" + + aws_aurora_postgresql_cluster_admin_email = local.admin_email + aws_aurora_postgresql_cluster_gateway_id = local.gateway_id + aws_aurora_postgresql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_postgresql_cluster_region = local.aws_region + + aws_log_group_admin_email = local.admin_email + aws_log_group_audit_pull_enabled = true + aws_log_group_gateway_id = local.gateway_id + aws_log_group_region = local.aws_region + + cluster_db_engine_version = "16.1" + cluster_db_master_password = local.master_password + cluster_db_master_username = local.master_user + cluster_db_subnet_group_name = local.subnet_group_name + cluster_final_snapshot = true + cluster_id = "tf-aurora-postgresql-cluster" + cluster_parameter_group_name = "tf-aurora-postgresql-instance-pg" + cluster_vpc_security_group_ids = local.vpc_security_groups + + instance_apply_immediately = local.apply_immediately + instance_identifier = "tf-aurora-postgresql-instance" + instance_publicly_accessible = true +} + +################################################################################ +# Amazon Aurora PostgreSQL 16.1 Aggregated +################################################################################ +module "aurora-postgresql" { + source = 
"../../modules/onboard-aws-rds-aurora-postgresql" + + aws_aurora_postgresql_cluster_admin_email = local.admin_email + aws_aurora_postgresql_cluster_audit_type = "AGGREGATED" + aws_aurora_postgresql_cluster_gateway_id = local.gateway_id + aws_aurora_postgresql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_postgresql_cluster_region = local.aws_region + + aws_log_group_admin_email = local.admin_email + aws_log_group_audit_pull_enabled = true + aws_log_group_gateway_id = local.gateway_id + aws_log_group_region = local.aws_region + + cluster_db_engine_version = "16.1" + cluster_db_master_password = local.master_password + cluster_db_master_username = local.master_user + cluster_db_subnet_group_name = local.subnet_group_name + cluster_final_snapshot = true + cluster_id = "tf-aurora-postgresql-cluster" + cluster_parameter_group_name = "tf-aurora-postgresql-instance-pg" + cluster_vpc_security_group_ids = local.vpc_security_groups + + instance_apply_immediately = local.apply_immediately + instance_identifier = "tf-aurora-postgresql-instance" + instance_publicly_accessible = true +} diff --git a/modules/aws-kms-key/README.md b/modules/aws-kms-key/README.md new file mode 100644 index 0000000..36de536 --- /dev/null +++ b/modules/aws-kms-key/README.md 
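Review bot: The `local-exec` provisioner in `terraform_data.configure_database` points psql at the cluster's public endpoint with the master credentials but sets no `PGSSLMODE`, so libpq's default `prefer` silently falls back to a plaintext connection if TLS negotiation fails; add `PGSSLMODE = "require"` to the `environment` map (or `verify-full` together with `PGSSLROOTCERT` pointing at the RDS CA bundle). `command = "./configure_database.sh"` is also resolved against the working directory rather than the example's directory, so `command = "${path.module}/configure_database.sh"` is the robust form. The provisioner runs after `module.aurora-postgresql` via `depends_on`, but the Prerequisites comment above it does not say that the script needs `instance_publicly_accessible = true` (set further down) to reach the endpoint from the machine running Terraform; a comment line stating that dependency would help readers who later set it to `false`.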
@@ -0,0 +1,35 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [custom\_master\_key\_spec](#input\_custom\_master\_key\_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC\_DEFAULT, RSA\_2048, RSA\_3072, RSA\_4096, HMAC\_256, ECC\_NIST\_P256, ECC\_NIST\_P384, ECC\_NIST\_P521, or ECC\_SECG\_P256K1. | `string` | `null` | no | +| [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. | `number` | `null` | no | +| [description](#input\_description) | The description of the key as viewed in AWS console. | `string` | `null` | no | +| [is\_enabled](#input\_is\_enabled) | Specifies whether the key is enabled. | `bool` | `null` | no | +| [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: ENCRYPT\_DECRYPT, SIGN\_VERIFY, GENERATE\_VERIFY\_MAC. | `string` | `null` | no | +| [multi\_region](#input\_multi\_region) | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. | `bool` | `null` | no | +| [tags](#input\_tags) | A map of tags to assign to the object. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | AWS KMS key | + \ No newline at end of file diff --git a/modules/aws-kms-key/main.tf b/modules/aws-kms-key/main.tf new file mode 100644 index 0000000..fad1072 
--- /dev/null
+++ b/modules/aws-kms-key/main.tf
@@ -0,0 +1,9 @@
+resource "aws_kms_key" "this" {
+ customer_master_key_spec = var.custom_master_key_spec
+ deletion_window_in_days = var.deletion_window_in_days
+ description = var.description
+ is_enabled = var.is_enabled
+ key_usage = var.key_usage
+ multi_region = var.multi_region
+ tags = var.tags
+}
diff --git a/modules/aws-kms-key/outputs.tf b/modules/aws-kms-key/outputs.tf
new file mode 100644
index 0000000..236cd0d
--- /dev/null
+++ b/modules/aws-kms-key/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS KMS key"
+ value = aws_kms_key.this
+}
diff --git a/modules/aws-kms-key/variables.tf b/modules/aws-kms-key/variables.tf
new file mode 100644
index 0000000..bb0d055
--- /dev/null
+++ b/modules/aws-kms-key/variables.tf
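Review bot: The `aws_kms_key` resource in modules/aws-kms-key/main.tf offers no way to enable automatic key rotation, so every key this module creates keeps a single key material version for its whole lifetime. A pass-through such as `+ enable_key_rotation = var.enable_key_rotation`, backed by a `bool` variable in variables.tf that defaults to `true`, would let callers keep the provider's rotation behaviour without forking the module. Separately, the input is named `custom_master_key_spec` while it feeds the provider argument `customer_master_key_spec`; renaming the variable (or at least documenting the mapping in its description) would save readers a detour to the AWS docs.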
@@ -0,0 +1,41 @@
+variable "custom_master_key_spec" {
+ description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1."
+ type = string
+ default = null
+}
+
+variable "deletion_window_in_days" {
+ description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive."
+ type = number
+ default = null
+}
+
+variable "description" {
+ description = "The description of the key as viewed in AWS console."
+ type = string
+ default = null
+}
+
+variable "is_enabled" {
+ description = "Specifies whether the key is enabled."
+ type = bool
+ default = null
+}
+
+variable "key_usage" {
+ description = "Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, GENERATE_VERIFY_MAC."
+ type = string
+ default = null
+}
+
+variable "multi_region" {
+ description = " Indicates whether the KMS key is a multi-Region (true) or regional (false) key."
+ type = bool
+ default = null
+}
+
+variable "tags" {
+ description = "A map of tags to assign to the object."
+ type = map(string)
+ default = null
+}
diff --git a/modules/aws-rds-cluster-activity-stream/README.md b/modules/aws-rds-cluster-activity-stream/README.md
new file mode 100644
index 0000000..d43545c
--- /dev/null
+++ b/modules/aws-rds-cluster-activity-stream/README.md
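Review bot: `custom_master_key_spec` and `key_usage` list their valid values in the description but carry no `validation` block, so a typo is only caught at apply time by the AWS API, whereas `mode` in modules/aws-rds-cluster-activity-stream/variables.tf validates its inputs up front. A condition of the form `condition = var.key_usage == null || contains(["ENCRYPT_DECRYPT", "SIGN_VERIFY", "GENERATE_VERIFY_MAC"], var.key_usage)` (and the equivalent list for the key spec) would make the two modules consistent. The `multi_region` description also starts with a stray leading space inside the string, which terraform-docs copies into the README verbatim.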
@@ -0,0 +1,32 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_rds_cluster_activity_stream.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_activity_stream) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [kms\_key\_id](#input\_kms\_key\_id) | The AWS KMS key identifier for encrypting messages in the database activity stream. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. | `string` | n/a | yes | +| [mode](#input\_mode) | Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async. | `string` | n/a | yes | +| [resource\_arn](#input\_resource\_arn) | The Amazon Resource Name (ARN) of the DB cluster | `string` | n/a | yes | +| [engine\_native\_audit\_fields\_included](#input\_engine\_native\_audit\_fields\_included) | Specifies whether the database activity stream includes engine-native audit fields. This option only applies to an Oracle DB instance. By default, no engine-native audit fields are included. | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | RDS cluster activity stream | + \ No newline at end of file diff --git a/modules/aws-rds-cluster-activity-stream/main.tf b/modules/aws-rds-cluster-activity-stream/main.tf new file mode 100644 index 0000000..62d69e9 --- /dev/null +++ b/modules/aws-rds-cluster-activity-stream/main.tf 
@@ -0,0 +1,6 @@
+resource "aws_rds_cluster_activity_stream" "this" {
+ resource_arn = var.resource_arn
+ mode = var.mode
+ kms_key_id = var.kms_key_id
+ engine_native_audit_fields_included = var.engine_native_audit_fields_included # oracle specific
+}
diff --git a/modules/aws-rds-cluster-activity-stream/outputs.tf b/modules/aws-rds-cluster-activity-stream/outputs.tf
new file mode 100644
index 0000000..3414fcc
--- /dev/null
+++ b/modules/aws-rds-cluster-activity-stream/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "RDS Cluster activity stream"
+ value = aws_rds_cluster_activity_stream.this
+}
diff --git a/modules/aws-rds-cluster-activity-stream/variables.tf b/modules/aws-rds-cluster-activity-stream/variables.tf
new file mode 100644
index 0000000..9f84a49
--- /dev/null
+++ b/modules/aws-rds-cluster-activity-stream/variables.tf
@@ -0,0 +1,24 @@
+variable "resource_arn" {
+ description = "The Amazon Resource Name (ARN) of the DB cluster"
+ type = string
+}
+
+variable "mode" {
+ description = "Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async."
+ type = string
+ validation {
+ condition = contains(["sync", "async"], var.mode)
+ error_message = "Invalid value, select either 'sync' or 'async'."
+ }
+}
+
+variable "kms_key_id" {
+ description = "The AWS KMS key identifier for encrypting messages in the database activity stream. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key."
+ type = string
+}
+
+variable "engine_native_audit_fields_included" {
+ description = "Specifies whether the database activity stream includes engine-native audit fields. This option only applies to an Oracle DB instance. By default, no engine-native audit fields are included."
+ type = string
+ default = null
+}
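Review bot: `engine_native_audit_fields_included` is declared as `type = string` in modules/aws-rds-cluster-activity-stream/variables.tf although its description reads as an on/off switch, and the provider argument it is passed to in main.tf is, as far as I know, a boolean; a caller passing `"false"` would get an implicit conversion at best and a type error at worst. Declaring it as `+ type = bool` keeps the module's contract honest and lets Terraform reject bad input before the API call. The `# oracle specific` trailer in main.tf would also read better as the description's wording, "only applies to an Oracle DB instance; has no effect on Aurora clusters", so that users of this Aurora-oriented module know they can leave it unset.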
diff --git a/modules/aws-rds-cluster-instance/README.md b/modules/aws-rds-cluster-instance/README.md
new file mode 100644
index 0000000..56337c1
--- /dev/null
+++ b/modules/aws-rds-cluster-instance/README.md
@@ -0,0 +1,37 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_rds_cluster_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes | +| [identifier](#input\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes | +| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [db\_engine](#input\_db\_engine) | Cluster engine e.g., aurora-mysql | `string` | `null` | no | +| [db\_instance\_class](#input\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `null` | no | +| [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [maintenance\_schedule](#input\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | +| [minor\_version\_upgrade](#input\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no | +| [publicly\_accessible](#input\_publicly\_accessible) | If instance is publicly accessible. 
Default false | `bool` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | aurora mysql cluster instance |
+
\ No newline at end of file
diff --git a/modules/aws-rds-cluster-instance/main.tf b/modules/aws-rds-cluster-instance/main.tf
new file mode 100644
index 0000000..5343fe1
--- /dev/null
+++ b/modules/aws-rds-cluster-instance/main.tf
@@ -0,0 +1,12 @@
+resource "aws_rds_cluster_instance" "this" {
+
+ apply_immediately = var.apply_immediately
+ auto_minor_version_upgrade = var.minor_version_upgrade
+ cluster_identifier = var.cluster_id
+ db_subnet_group_name = var.db_subnet_group_name
+ identifier = var.identifier
+ instance_class = var.db_instance_class
+ engine = var.db_engine
+ preferred_maintenance_window = var.maintenance_schedule
+ publicly_accessible = var.publicly_accessible
+}
diff --git a/modules/aws-rds-cluster-instance/outputs.tf b/modules/aws-rds-cluster-instance/outputs.tf
new file mode 100644
index 0000000..f57e416
--- /dev/null
+++ b/modules/aws-rds-cluster-instance/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "Aurora MySQL Cluster instance"
+ value = aws_rds_cluster_instance.this
+}
diff --git a/modules/aws-rds-cluster-instance/variables.tf b/modules/aws-rds-cluster-instance/variables.tf
new file mode 100644
index 0000000..597c46b
--- /dev/null
+++ b/modules/aws-rds-cluster-instance/variables.tf
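Review bot: The output in modules/aws-rds-cluster-instance/outputs.tf is described as "Aurora MySQL Cluster instance" although the module is engine-agnostic (it takes `db_engine` as an input and the example at the top of this diff appears to use it for PostgreSQL), so the generated README will mislead the next reader. `+ description = "RDS cluster instance (engine set by var.db_engine)"` would match what the resource actually is; the same mismatch exists in modules/aws-rds-cluster/outputs.tf ("Aurora MySQL cluster"). Unrelated but worth noting: `publicly_accessible` is passed straight through with a `null` default, so it is worth a line in the variable description saying that the examples set it to `true` and a production caller should decide this explicitly.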
@@ -0,0 +1,52 @@
+variable "identifier" {
+ description = "The name of the aurora cluster instance"
+ type = string
+}
+
+variable "db_engine" {
+ description = "Cluster engine e.g., aurora-mysql"
+ type = string
+ default = null
+}
+
+variable "cluster_id" {
+ description = "The name of the RDS cluster"
+ type = string
+}
+
+variable "publicly_accessible" {
+ description = "If instance is publicly accessible. Default false"
+ type = bool
+ default = null
+}
+
+variable "db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "db_instance_class" {
+ description = "The instance type of the RDS cluster. Example: 'db.t3.micro'"
+ type = string
+ default = null
+}
+
+variable "maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = null
+}
+
+variable "minor_version_upgrade" {
+ description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+ type = bool
+ default = null
+}
+
diff --git a/modules/aws-rds-cluster-parameter-group/README.md b/modules/aws-rds-cluster-parameter-group/README.md
new file mode 100644
index 0000000..39682ab
--- /dev/null
+++ b/modules/aws-rds-cluster-parameter-group/README.md
@@ -0,0 +1,33 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_rds_cluster_parameter_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_parameter_group) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [family](#input\_family) | The family of the DB cluster parameter group. | `string` | n/a | yes | +| [name](#input\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | +| [description](#input\_description) | The description of the DB cluster parameter group. | `string` | `null` | no | +| [parameters](#input\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
| `null` | no |
+| [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS RDS cluster parameter group |
+
\ No newline at end of file
diff --git a/modules/aws-rds-cluster-parameter-group/main.tf b/modules/aws-rds-cluster-parameter-group/main.tf
new file mode 100644
index 0000000..3b3bc5d
--- /dev/null
+++ b/modules/aws-rds-cluster-parameter-group/main.tf
@@ -0,0 +1,15 @@
+resource "aws_rds_cluster_parameter_group" "this" {
+ name = var.name
+ family = var.family
+ description = var.description
+
+ dynamic "parameter" {
+ for_each = var.parameters
+
+ content {
+ name = parameter.value.name
+ value = parameter.value.value
+ apply_method = parameter.value.apply_method != null ? parameter.value.apply_method : null
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/aws-rds-cluster-parameter-group/outputs.tf b/modules/aws-rds-cluster-parameter-group/outputs.tf
new file mode 100644
index 0000000..eb47aeb
--- /dev/null
+++ b/modules/aws-rds-cluster-parameter-group/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS RDS cluster parameter group"
+ value = aws_rds_cluster_parameter_group.this
+}
\ No newline at end of file
diff --git a/modules/aws-rds-cluster-parameter-group/variables.tf b/modules/aws-rds-cluster-parameter-group/variables.tf
new file mode 100644
index 0000000..e6da6c7
--- /dev/null
+++ b/modules/aws-rds-cluster-parameter-group/variables.tf
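Review bot: `dynamic "parameter"` in modules/aws-rds-cluster-parameter-group/main.tf iterates `var.parameters`, whose default in variables.tf is `null`, and Terraform rejects a null `for_each` on a dynamic block, so the module fails unless every caller supplies the list; `+ for_each = var.parameters != null ? var.parameters : []` (or a `default = []` in variables.tf) makes the optional input actually optional. The `tags` variable is declared and documented in the README but never reaches the resource, so `+ tags = var.tags` is missing from the resource body. The ternary `apply_method = parameter.value.apply_method != null ? parameter.value.apply_method : null` returns the same value on both branches and can be written as `apply_method = parameter.value.apply_method`; with the `optional(string, "immediate")` default it is never null anyway.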
@@ -0,0 +1,33 @@
+variable "name" {
+ description = "The name of the DB cluster parameter group"
+ type = string
+}
+
+variable "family" {
+ description = "The family of the DB cluster parameter group."
+ type = string
+}
+
+variable "description" {
+ description = "The description of the DB cluster parameter group."
+ type = string
+ default = null
+}
+
+variable "parameters" {
+ description = "List of objects containing parameters for the DB cluster parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+ default = null
+}
+
+variable "tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
diff --git a/modules/aws-rds-cluster/README.md b/modules/aws-rds-cluster/README.md
new file mode 100644
index 0000000..20d5064
--- /dev/null
+++ b/modules/aws-rds-cluster/README.md
@@ -0,0 +1,43 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_rds_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes | +| [db\_master\_password](#input\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [db\_master\_username](#input\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes | +| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [backup\_retention](#input\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no | +| [db\_enabled\_cloudwatch\_logs\_exports](#input\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` | `null` | no | +| [db\_engine](#input\_db\_engine) | Cluster engine e.g., aurora-mysql | `string` | `null` | no | +| [db\_engine\_version](#input\_db\_engine\_version) | Database engine version, e.g., 8.0.mysql\_aurora.3.05.1 | `string` | `null` | no | +| [db\_port](#input\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no | +| [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | Name of DB subnet group. 
DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [final\_snapshot](#input\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `null` | no | +| [maintenance\_schedule](#input\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | +| [network\_type](#input\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `null` | no | +| [parameter\_group\_name](#input\_parameter\_group\_name) | Cluster parameter group associated with the cluster | `string` | `null` | no | +| [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | Aurora Mysql cluster | + \ No newline at end of file diff --git a/modules/aws-rds-cluster/main.tf b/modules/aws-rds-cluster/main.tf new file mode 100644 index 0000000..88e1a8a --- /dev/null +++ b/modules/aws-rds-cluster/main.tf 
@@ -0,0 +1,25 @@
+resource "aws_rds_cluster" "this" {
+
+ # Cluster settings
+ cluster_identifier = var.cluster_id
+ engine = var.db_engine
+ engine_version = var.db_engine_version
+ port = var.db_port
+ backup_retention_period = var.backup_retention
+ preferred_maintenance_window = var.maintenance_schedule
+ skip_final_snapshot = var.final_snapshot
+
+ # credentials
+ master_username = var.db_master_username
+ master_password = var.db_master_password
+
+ # network
+ network_type = var.network_type
+ db_subnet_group_name = var.db_subnet_group_name
+ vpc_security_group_ids = var.vpc_security_group_ids
+
+ # audit
+ enabled_cloudwatch_logs_exports = var.db_enabled_cloudwatch_logs_exports
+ db_cluster_parameter_group_name = var.parameter_group_name
+ apply_immediately = var.apply_immediately
+}
diff --git a/modules/aws-rds-cluster/outputs.tf b/modules/aws-rds-cluster/outputs.tf
new file mode 100644
index 0000000..552ac2a
--- /dev/null
+++ b/modules/aws-rds-cluster/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "Aurora MySQL cluster"
+ value = aws_rds_cluster.this
+}
diff --git a/modules/aws-rds-cluster/variables.tf b/modules/aws-rds-cluster/variables.tf
new file mode 100644
index 0000000..eae236f
--- /dev/null
+++ b/modules/aws-rds-cluster/variables.tf
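Review bot: `skip_final_snapshot = var.final_snapshot` in modules/aws-rds-cluster/main.tf wires a variable whose name says "take a final snapshot" to an argument that means the opposite, so the example near the top of this diff that sets `cluster_final_snapshot = true` is in fact opting out of the snapshot on destroy. Renaming the input to `skip_final_snapshot` (keeping the old name as a deprecated alias if callers already depend on it) or inverting it with `+ skip_final_snapshot = !var.final_snapshot` removes the trap; the description in variables.tf already reads as the provider's `skip_final_snapshot` text, which is how the mismatch slipped through. The resource also exposes neither `storage_encrypted` / `kms_key_id` nor `deletion_protection`, so the cluster's at-rest encryption and delete guard are left to provider defaults; since this commit ships an `aws-kms-key` module alongside, passing an optional `storage_encrypted` and `kms_key_id` through here seems the natural pairing.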
@@ -0,0 +1,86 @@
+variable "db_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+ type = list(any)
+ default = null
+}
+
+variable "db_engine" {
+ description = "Cluster engine e.g., aurora-mysql"
+ type = string
+ default = null
+}
+variable "db_engine_version" {
+ description = "Database engine version, e.g., 8.0.mysql_aurora.3.05.1"
+ type = string
+ default = null
+}
+
+variable "cluster_id" {
+ description = "The name of the RDS cluster"
+ type = string
+}
+
+
+variable "backup_retention" {
+ description = "Days to retain backups for, Default is 1 day."
+ type = number
+ default = null
+}
+
+variable "db_master_username" {
+ description = "Username for the master DB user, must not use rdsadmin as that is reserved."
+ type = string
+}
+
+variable "db_master_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+ type = string
+}
+
+variable "network_type" {
+ description = " Network type of the cluster. Valid values: IPV4, DUAL"
+ type = string
+ default = null
+}
+
+variable "db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(any)
+ default = null
+}
+
+variable "maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. 
If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+ type = bool
+ default = null
+}
+
+variable "db_port" {
+ description = "Port on which the DB accepts connections."
+ type = number
+ default = null
+}
+
+variable "apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = null
+}
+
+variable "parameter_group_name" {
+ description = "Cluster parameter group associated with the cluster"
+ type = string
+ default = null
+}
diff --git a/modules/dsfhub-aws-kinesis/README.md b/modules/dsfhub-aws-kinesis/README.md
new file mode 100644
index 0000000..ab294b4
--- /dev/null
+++ b/modules/dsfhub-aws-kinesis/README.md
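Review bot: `db_master_password` in modules/aws-rds-cluster/variables.tf is a plain `string` without `sensitive = true`, so the master credential is printed in `terraform plan`/`apply` output and in any CI log that captures it; its own description even warns that it "may show up in logs". Adding `+ sensitive = true` to that variable (and, for the same reason, to `password` in modules/dsfhub-aws-rds-aurora-mysql-cluster/variables.tf later in this diff) keeps the value redacted in output while still storing it in state as the description says. The two `list(any)` inputs, `db_enabled_cloudwatch_logs_exports` and `vpc_security_group_ids`, both hold strings and would be tighter as `list(string)`.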
@@ -0,0 +1,37 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [dsfhub](#provider\_dsfhub) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [dsfhub_log_aggregator.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/log_aggregator) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_email](#input\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes | +| [asset\_id](#input\_asset\_id) | AWS kinesis stream ARN | `string` | n/a | yes | +| [gateway\_id](#input\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes | +| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id that contains this asset (e.g. Asset ID of the database sending audit events). The parent must either be an AWS account, or have a parent which is an AWS account. | `string` | n/a | yes | +| [audit\_pull\_enabled](#input\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no | +| [reason](#input\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no | +| [region](#input\_region) | AWS region of the kinesis stream | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | AWS Kinesis asset | + \ No newline at end of file 
diff --git a/modules/dsfhub-aws-kinesis/main.tf b/modules/dsfhub-aws-kinesis/main.tf
new file mode 100644
index 0000000..511981e
--- /dev/null
+++ b/modules/dsfhub-aws-kinesis/main.tf
@@ -0,0 +1,27 @@
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ }
+ }
+}
+
+resource "dsfhub_log_aggregator" "this" {
+ server_type = "AWS KINESIS"
+
+ admin_email = var.admin_email
+ asset_display_name = var.asset_display_name
+ asset_id = var.asset_id
+ audit_pull_enabled = var.audit_pull_enabled
+ audit_type = var.audit_type
+ gateway_id = var.gateway_id
+ parent_asset_id = var.parent_asset_id
+
+ asset_connection {
+ auth_mechanism = "default"
+
+ reason = var.reason
+ region = var.region
+
+ }
+}
diff --git a/modules/dsfhub-aws-kinesis/outputs.tf b/modules/dsfhub-aws-kinesis/outputs.tf
new file mode 100644
index 0000000..db98ba8
--- /dev/null
+++ b/modules/dsfhub-aws-kinesis/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS Kinesis asset"
+ value = dsfhub_log_aggregator.this
+}
diff --git a/modules/dsfhub-aws-kinesis/variables.tf b/modules/dsfhub-aws-kinesis/variables.tf
new file mode 100644
index 0000000..ca26f91
--- /dev/null
+++ b/modules/dsfhub-aws-kinesis/variables.tf
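Review bot: The `required_providers` block in modules/dsfhub-aws-kinesis/main.tf names `source = "imperva/dsfhub"` but no `version` constraint, so any future provider release is accepted and a breaking schema change in the provider surfaces as a failed apply rather than a deliberate upgrade; the same applies to modules/dsfhub-aws-rds-aurora-mysql-cluster/main.tf later in this diff, and the `aws`-based modules in this commit declare no `required_providers` at all. A constraint such as `version = "~> <PROVIDER_VERSION>"` (placeholder — use the version the modules were tested against) next to `source` is the usual fix, and it lines up with the per-module DSF version table this commit adds to DSF_VERSION_COMPATABILITY.md. On style, `asset_connection` carries a stray blank line before its closing brace.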
@@ -0,0 +1,48 @@
+variable "admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "asset_display_name" {
+ description = "User-friendly name of the asset, defined by user"
+ type = string
+}
+
+variable "asset_id" {
+ description = "AWS kinesis stream ARN"
+ type = string
+}
+
+variable "audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = false
+}
+
+variable "audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = null
+}
+
+variable "gateway_id" {
+ description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'."
+ type = string
+}
+
+variable "parent_asset_id" {
+ description = "The asset_id that contains this asset (e.g. Asset ID of the database sending audit events). The parent must either be an AWS account, or have a parent which is an AWS account."
+ type = string
+}
+
+variable "reason" {
+ description = "Used to differentiate connections that belong to the same asset"
+ type = string
+ default = "default"
+}
+
+variable "region" {
+ description = "AWS region of the kinesis stream"
+ type = string
+ default = null
+}
diff --git a/modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md b/modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md
new file mode 100644
index 0000000..4513be6
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md
@@ -0,0 +1,39 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [dsfhub](#provider\_dsfhub) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes | +| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:rds:us-east-2:123456790:cluster:db-name" | `string` | n/a | yes | +| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes | +| [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection | `string` | `null` | no | +| [password](#input\_password) | User's password | `string` | `null` | no | +| [region](#input\_region) | AWS region containing the cluster. | `string` | `null` | no | +| [server\_host\_name](#input\_server\_host\_name) | Endpoint URL | `string` | `null` | no | +| [server\_port](#input\_server\_port) | Port of the cluster for connection | `string` | `null` | no | +| [username](#input\_username) | Username to connect to the cluster with | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | Aurora Mysql cluster DSF asset | + \ No newline at end of file 
diff --git a/modules/dsfhub-aws-rds-aurora-mysql-cluster/main.tf b/modules/dsfhub-aws-rds-aurora-mysql-cluster/main.tf
new file mode 100644
index 0000000..c106077
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-mysql-cluster/main.tf
@@ -0,0 +1,32 @@
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ }
+ }
+}
+
+resource "dsfhub_data_source" "this" {
+ server_type = "AWS RDS AURORA MYSQL CLUSTER"
+
+ admin_email = var.admin_email
+ asset_display_name = var.asset_display_name
+ asset_id = var.asset_id
+ gateway_id = var.gateway_id
+ server_host_name = var.server_host_name
+ parent_asset_id = var.parent_asset_id
+ region = var.region
+ server_port = var.server_port
+
+ dynamic "asset_connection" {
+ # If auth_mechanism is not defined, do not create a connection
+ for_each = var.auth_mechanism != null ? [0] : []
+
+ content {
+ auth_mechanism = var.auth_mechanism != null ? var.auth_mechanism : null
+ username = var.username
+ password = var.password
+ reason = "default"
+ }
+ }
+}
diff --git a/modules/dsfhub-aws-rds-aurora-mysql-cluster/outputs.tf b/modules/dsfhub-aws-rds-aurora-mysql-cluster/outputs.tf
new file mode 100644
index 0000000..8c46e7f
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-mysql-cluster/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "Aurora MySQL cluster DSF asset"
+ value = dsfhub_data_source.this
+}
diff --git a/modules/dsfhub-aws-rds-aurora-mysql-cluster/variables.tf b/modules/dsfhub-aws-rds-aurora-mysql-cluster/variables.tf
new file mode 100644
index 0000000..30ca5a2
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-mysql-cluster/variables.tf
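Review bot: Inside the `content` block of `dynamic "asset_connection"` in modules/dsfhub-aws-rds-aurora-mysql-cluster/main.tf, `auth_mechanism = var.auth_mechanism != null ? var.auth_mechanism : null` is a no-op ternary, and the block is only generated when `var.auth_mechanism` is non-null in the first place, so `+ auth_mechanism = var.auth_mechanism` says the same thing without the double check. It would also help to state in the comment above `for_each` that `username` and `password` are silently ignored when `auth_mechanism` is unset, since a caller who sets only those two gets a data source with no connection and no warning.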
@@ -0,0 +1,68 @@
+variable "admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "asset_display_name" {
+ description = "User-friendly name of the asset, defined by user"
+ type = string
+}
+
+variable "asset_id" {
+ description = "AWS ARN, e.g. \"arn:aws:rds:us-east-2:123456790:cluster:db-name\""
+ type = string
+}
+
+variable "auth_mechanism" {
+ description = "Specifies the auth mechanism used by the connection"
+ type = string
+ default = null
+ validation {
+ condition = (
+ # auth_mechanism can either be null, or one of the supported values
+ var.auth_mechanism == null ||
+ can(contains(["password"], var.auth_mechanism))
+ )
+ error_message = "Incorrect auth_mechanism. Supported auth_mechanisms: password."
+ }
+}
+
+variable "parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+}
+
+variable "region" {
+ description = "AWS region containing the cluster."
+ type = string
+ default = null
+}
+
+variable "server_host_name" {
+ description = "Endpoint URL"
+ type = string
+ default = null
+}
+
+variable "server_port" {
+ description = "Port of the cluster for connection"
+ type = string
+ default = null
+}
+
+variable "gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "username" {
+ description = "Username to use to connect to the cluster."
+ type = string
+ default = null
+}
+
+variable "password" {
+ description = "User's password"
+ type = string
+ default = null
+}
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md
new file mode 100644
index 0000000..e8a0fc8
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md
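Review bot: The `auth_mechanism` validation never rejects anything: `contains(["password"], x)` returns `false` rather than raising an error for an unsupported value, so wrapping it in `can(...)` always evaluates to `true` and any string passes, contradicting the `error_message`. Drop the wrapper so the condition reads `var.auth_mechanism == null || contains(["password"], var.auth_mechanism)`. Separately, `password` is a credential but has no `sensitive = true`, so its value is printed in plan output and flows unredacted into the module's `this` output. The same validation and sensitivity issues are repeated in modules/dsfhub-aws-rds-aurora-postgresql-cluster/variables.tf in this commit.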
@@ -0,0 +1,40 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [dsfhub](#provider\_dsfhub) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes | +| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:rds:us-east-2:123456790:cluster:db-name" | `string` | n/a | yes | +| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes | +| [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no | +| [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection | `string` | `null` | no | +| [password](#input\_password) | User's password | `string` | `null` | no | +| [region](#input\_region) | AWS region containing the cluster. 
| `string` | `null` | no |
+| [server\_host\_name](#input\_server\_host\_name) | Endpoint URL | `string` | `null` | no |
+| [server\_port](#input\_server\_port) | Port of the cluster for connection | `string` | `null` | no |
+| [username](#input\_username) | Username to connect to the cluster with | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | Aurora PostgreSQL DSF asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/main.tf b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/main.tf
new file mode 100644
index 0000000..53b444f
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/main.tf
@@ -0,0 +1,33 @@
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ }
+ }
+}
+
+resource "dsfhub_data_source" "this" {
+ server_type = "AWS RDS AURORA POSTGRESQL CLUSTER"
+
+ admin_email = var.admin_email
+ asset_display_name = var.asset_display_name
+ asset_id = var.asset_id
+ audit_type = var.audit_type
+ gateway_id = var.gateway_id
+ server_host_name = var.server_host_name
+ parent_asset_id = var.parent_asset_id
+ region = var.region
+ server_port = var.server_port
+
+ dynamic "asset_connection" {
+ # If auth_mechanism is not defined, do not create a connection
+ for_each = var.auth_mechanism != null ? [0] : []
+
+ content {
+ auth_mechanism = var.auth_mechanism != null ? var.auth_mechanism : null
+ username = var.username
+ password = var.password
+ reason = "default"
+ }
+ }
+}
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf
new file mode 100644
index 0000000..555a870
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "Aurora PostgreSQL DSF asset"
+ value = dsfhub_data_source.this
+}
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/variables.tf b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/variables.tf new file mode 100644 index 0000000..5280ea6 --- /dev/null +++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/variables.tf 
@@ -0,0 +1,74 @@
+variable "admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "asset_display_name" {
+ description = "User-friendly name of the asset, defined by user"
+ type = string
+}
+
+variable "asset_id" {
+ description = "AWS ARN, e.g. \"arn:aws:rds:us-east-2:123456790:cluster:db-name\""
+ type = string
+}
+
+variable "audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = null
+}
+
+variable "auth_mechanism" {
+ description = "Specifies the auth mechanism used by the connection"
+ type = string
+ default = null
+ validation {
+ condition = (
+ # auth_mechanism can either be null, or one of the supported values
+ var.auth_mechanism == null ||
+ can(contains(["password"], var.auth_mechanism))
+ )
+ error_message = "Incorrect auth_mechanism. Supported auth_mechanisms: password."
+ }
+}
+
+variable "parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+}
+
+variable "region" {
+ description = "AWS region containing the cluster."
+ type = string
+ default = null
+}
+
+variable "server_host_name" {
+ description = "Endpoint URL"
+ type = string
+ default = null
+}
+
+variable "server_port" {
+ description = "Port of the cluster for connection"
+ type = string
+ default = null
+}
+
+variable "gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "username" {
+ description = "Username to use to connect to the cluster."
+ type = string
+ default = null
+}
+
+variable "password" {
+ description = "User's password"
+ type = string
+ default = null
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md b/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md new file mode 100644 index 0000000..e49f332 --- /dev/null +++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md 
@@ -0,0 +1,89 @@ +# onboard-aws-rds-aurora-mysql-kinesis +Onboard Amazon Aurora MySQL to DSF Hub using a kinesis stream. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from Kinesis streams. + +See the corresponding example for more details. + + + + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora-mysql-cluster](#module\_aurora-mysql-cluster) | ../aws-rds-cluster | n/a | +| [aurora-mysql-cluster-activity-stream](#module\_aurora-mysql-cluster-activity-stream) | ../aws-rds-cluster-activity-stream | n/a | +| [aurora-mysql-instance](#module\_aurora-mysql-instance) | ../aws-rds-cluster-instance | n/a | +| [aws-kinesis-asset](#module\_aws-kinesis-asset) | ../dsfhub-aws-kinesis | n/a | +| [aws-kms-key](#module\_aws-kms-key) | ../aws-kms-key | n/a | +| [aws-rds-aurora-mysql-cluster-asset](#module\_aws-rds-aurora-mysql-cluster-asset) | ../dsfhub-aws-rds-aurora-mysql-cluster | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_arn.aurora_mysql_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_aurora\_mysql\_cluster\_admin\_email](#input\_aws\_aurora\_mysql\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_aurora\_mysql\_cluster\_gateway\_id](#input\_aws\_aurora\_mysql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| 
[aws\_aurora\_mysql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_mysql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes | +| [aws\_kinesis\_admin\_email](#input\_aws\_kinesis\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [aws\_kinesis\_gateway\_id](#input\_aws\_kinesis\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes | +| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes | +| [cluster\_id](#input\_cluster\_id) | The name of the Aurora MySQL cluster | `string` | n/a | yes | +| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes | +| [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the cluster. | `string` | `null` | no | +| [aws\_kinesis\_audit\_pull\_enabled](#input\_aws\_kinesis\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. 
| `bool` | `false` | no | +| [aws\_kinesis\_reason](#input\_aws\_kinesis\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no | +| [aws\_kinesis\_region](#input\_aws\_kinesis\_region) | AWS region of the kinesis stream | `string` | `null` | no | +| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no | +| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` | `null` | no | +| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, i.e. 8.0.mysql\_aurora.3.05.1 | `string` | `null` | no | +| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no | +| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. 
Default is false | `bool` | `null` | no | +| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | +| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `null` | no | +| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | Cluster parameter group associated with the cluster | `string` | `null` | no | +| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no | +| [db\_instance\_class](#input\_db\_instance\_class) | The instance type of the RDS cluster. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes. | `string` | `"db.r5.large"` | no | +| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `true` | no | +| [instance\_maintenance\_schedule](#input\_instance\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | +| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. 
Default false | `bool` | `null` | no | +| [key\_custom\_master\_key\_spec](#input\_key\_custom\_master\_key\_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC\_DEFAULT, RSA\_2048, RSA\_3072, RSA\_4096, HMAC\_256, ECC\_NIST\_P256, ECC\_NIST\_P384, ECC\_NIST\_P521, or ECC\_SECG\_P256K1. | `string` | `"SYMMETRIC_DEFAULT"` | no | +| [key\_deletion\_window\_in\_days](#input\_key\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. | `number` | `30` | no | +| [key\_description](#input\_key\_description) | The description of the key as viewed in AWS console. | `string` | `"AWS KMS Key to encrypt Aurora Mysql Database Activity Stream."` | no | +| [key\_is\_enabled](#input\_key\_is\_enabled) | Specifies whether the key is enabled. | `bool` | `true` | no | +| [key\_multi\_region](#input\_key\_multi\_region) | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. | `bool` | `false` | no | +| [key\_tags](#input\_key\_tags) | A map of tags to assign to the object. | `map(string)` | `null` | no | +| [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: ENCRYPT\_DECRYPT, SIGN\_VERIFY, GENERATE\_VERIFY\_MAC. | `string` | `"ENCRYPT_DECRYPT"` | no | +| [stream\_mode](#input\_stream\_mode) | Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async. 
| `string` | `"async"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [activity\_stream](#output\_activity\_stream) | Aurora MySQL kinesis activity stream | +| [aws\_kinesis\_asset](#output\_aws\_kinesis\_asset) | AWS Kinesis stream asset | +| [aws\_rds\_aurora\_mysql\_cluster\_asset](#output\_aws\_rds\_aurora\_mysql\_cluster\_asset) | Aurora MySQL cluster asset | +| [cluster](#output\_cluster) | Aurora MySQL Cluster | +| [instance](#output\_instance) | Aurora MySQL Cluster instance | +| [kms\_key](#output\_kms\_key) | AWS KMS Key | + \ No newline at end of file diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/main.tf b/modules/onboard-aws-rds-aurora-mysql-kinesis/main.tf new file mode 100644 index 0000000..f3def54 --- /dev/null +++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/main.tf 
@@ -0,0 +1,87 @@
+module "aurora-mysql-cluster" {
+ source = "../aws-rds-cluster"
+
+ apply_immediately = var.cluster_apply_immediately
+ backup_retention = var.cluster_backup_retention
+ cluster_id = var.cluster_id
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ db_engine = "aurora-mysql"
+ db_engine_version = var.cluster_db_engine_version
+ db_master_password = var.cluster_db_master_password
+ db_master_username = var.cluster_db_master_username
+ db_port = var.cluster_db_port
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ final_snapshot = var.cluster_final_snapshot
+ maintenance_schedule = var.cluster_maintenance_schedule
+ network_type = var.cluster_network_type
+ parameter_group_name = var.cluster_parameter_group_name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+}
+
+module "aurora-mysql-instance" {
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.instance_apply_immediately
+ cluster_id = module.aurora-mysql-cluster.this.cluster_identifier
+ db_engine = "aurora-mysql"
+ db_instance_class = var.db_instance_class
+ db_subnet_group_name = module.aurora-mysql-cluster.this.db_subnet_group_name
+ identifier = var.instance_identifier
+ maintenance_schedule = var.instance_maintenance_schedule
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aws-kms-key" {
+ source = "../aws-kms-key"
+
+ custom_master_key_spec = var.key_custom_master_key_spec
+ deletion_window_in_days = var.key_deletion_window_in_days
+ description = var.key_description
+ is_enabled = var.key_is_enabled
+ key_usage = var.key_usage
+ multi_region = var.key_multi_region
+ tags = var.key_tags
+}
+
+module "aurora-mysql-cluster-activity-stream" {
+ source = "../aws-rds-cluster-activity-stream"
+
+ engine_native_audit_fields_included = false
+ kms_key_id = module.aws-kms-key.this.arn
+ mode = var.stream_mode
+ resource_arn = module.aurora-mysql-cluster.this.arn
+}
+
+module "aws-rds-aurora-mysql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-mysql-cluster"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-cluster.this.cluster_identifier
+ asset_id = module.aurora-mysql-cluster.this.arn
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ parent_asset_id = var.aws_aurora_mysql_cluster_parent_asset_id
+ region = var.aws_aurora_mysql_cluster_region
+ server_host_name = module.aurora-mysql-cluster.this.endpoint
+ server_port = module.aurora-mysql-cluster.this.port
+}
+
+# Collect region and account info for kinesis asset_id
+data "aws_region" "current" {}
+data "aws_arn" "aurora_mysql_cluster" {
+ arn = module.aurora-mysql-cluster.this.arn
+}
+
+module "aws-kinesis-asset" {
+ source = "../dsfhub-aws-kinesis"
+
+ admin_email = var.aws_kinesis_admin_email
+ asset_display_name = "AWS Kinesis - ${module.aurora-mysql-cluster-activity-stream.this.kinesis_stream_name}"
+ asset_id = "arn:aws:kinesis:${data.aws_region.current.name}:${data.aws_arn.aurora_mysql_cluster.account}:stream/${module.aurora-mysql-cluster-activity-stream.this.kinesis_stream_name}"
+ audit_pull_enabled = var.aws_kinesis_audit_pull_enabled
+ audit_type = "KINESIS"
+ gateway_id = var.aws_kinesis_gateway_id
+ parent_asset_id = module.aws-rds-aurora-mysql-cluster-asset.this.asset_id
+ reason = var.aws_kinesis_reason
+ region = var.aws_kinesis_region
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/outputs.tf b/modules/onboard-aws-rds-aurora-mysql-kinesis/outputs.tf
new file mode 100644
index 0000000..d3fcba7
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/outputs.tf
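Review bot: The `asset_id` assembled for `module "aws-kinesis-asset"` hard-codes the `aws` partition and takes the region from the provider (`data.aws_region.current.name`) while the account comes from the cluster ARN, so the stream ARN handed to DSF Hub is stitched together from two sources and is wrong in any non-standard partition. `data.aws_arn.aurora_mysql_cluster` already exposes `partition` and `region`, so one consistent source is available: `asset_id = "arn:${data.aws_arn.aurora_mysql_cluster.partition}:kinesis:${data.aws_arn.aurora_mysql_cluster.region}:${data.aws_arn.aurora_mysql_cluster.account}:stream/${module.aurora-mysql-cluster-activity-stream.this.kinesis_stream_name}"`. The comment above the data sources, `# Collect region and account info for kinesis asset_id`, should then mention the partition too. If `../aws-rds-cluster-activity-stream` can expose the stream ARN directly that would be simpler still, but its outputs are outside this diff.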
@@ -0,0 +1,29 @@
+output "cluster" {
+ description = "Aurora MySQL Cluster"
+ value = module.aurora-mysql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora MySQL Cluster instance"
+ value = module.aurora-mysql-instance.this
+}
+
+output "kms_key" {
+ description = "AWS KMS Key"
+ value = module.aws-kms-key.this
+}
+
+output "activity_stream" {
+ description = "Aurora MySQL kinesis activity stream"
+ value = module.aurora-mysql-cluster-activity-stream.this
+}
+
+output "aws_rds_aurora_mysql_cluster_asset" {
+ description = "Aurora MySQL cluster asset"
+ value = module.aws-rds-aurora-mysql-cluster-asset.this
+}
+
+output "aws_kinesis_asset" {
+ description = "AWS Kinesis stream asset"
+ value = module.aws-kinesis-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf b/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf
new file mode 100644
index 0000000..0232784
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf
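Review bot: `output "cluster"` re-exports the entire object returned by `../aws-rds-cluster`, which is the resource this module feeds `var.cluster_db_master_password` into, so the master password presumably travels with it; whether Terraform accepts that without `sensitive = true` depends on how that module declares its `this` output, which is outside this diff. Consider exporting only the attributes consumers actually use here (`cluster_identifier`, `arn`, `endpoint`, `port`, `db_subnet_group_name`) or marking this output `sensitive = true`, so the credential is not echoed by `terraform output` in the root module.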
@@ -0,0 +1,228 @@
+variable "aws_aurora_mysql_cluster_admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "aws_aurora_mysql_cluster_parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+}
+
+variable "aws_aurora_mysql_cluster_region" {
+ description = "AWS region containing the cluster."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "aws_kinesis_admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "aws_kinesis_audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = false
+}
+
+variable "aws_kinesis_gateway_id" {
+ description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'."
+ type = string
+}
+
+variable "aws_kinesis_reason" {
+ description = "Used to differentiate connections that belong to the same asset"
+ type = string
+ default = "default"
+}
+
+variable "aws_kinesis_region" {
+ description = "AWS region of the kinesis stream"
+ type = string
+ default = null
+}
+
+variable "cluster_db_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_db_engine_version" {
+ description = "Database engine version, i.e. 8.0.mysql_aurora.3.05.1"
+ type = string
+ default = null
+}
+
+variable "cluster_id" {
+ description = "The name of the Aurora MySQL cluster"
+ type = string
+}
+
+variable "cluster_backup_retention" {
+ description = "Days to retain backups for, Default is 1 day."
+ type = number
+ default = null
+}
+
+variable "cluster_db_master_username" {
+ description = "Username for the master DB user, must not use rdsadmin as that is reserved."
+ type = string
+}
+
+variable "cluster_db_master_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+ type = string
+}
+
+variable "cluster_network_type" {
+ description = " Network type of the cluster. Valid values: IPV4, DUAL"
+ type = string
+ default = null
+}
+
+variable "cluster_db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "cluster_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+ type = bool
+ default = null
+}
+
+variable "cluster_db_port" {
+ description = "Port on which the DB accepts connections."
+ type = number
+ default = null
+}
+
+variable "cluster_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = null
+}
+
+variable "cluster_parameter_group_name" {
+ description = "Cluster parameter group associated with the cluster"
+ type = string
+ default = null
+}
+
+variable "instance_identifier" {
+ description = "The name of the aurora mysql cluster instance"
+ type = string
+}
+
+variable "instance_publicly_accessible" {
+ description = "If instance is publicly accessible. Default false"
+ type = bool
+ default = null
+}
+
+variable "db_instance_class" {
+ description = "The instance type of the RDS cluster. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes."
+ type = string
+ default = "db.r5.large"
+ validation {
+ # Class must be one of supported for database activity streams
+ condition = (
+ can(regex("^db.r7g.*large$", var.db_instance_class)) ||
+ can(regex("^db.r6g.*large$", var.db_instance_class)) ||
+ can(regex("^db.r6i.*large$", var.db_instance_class)) ||
+ can(regex("^db.r5.*large$", var.db_instance_class)) ||
+ can(regex("^db.x2g.*$", var.db_instance_class))
+ )
+ error_message = "Invalid instance class for database activity streams. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes."
+ }
+}
+
+variable "instance_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "instance_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = true
+}
+
+variable "instance_minor_version_upgrade" {
+ description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+ type = bool
+ default = null
+}
+
+variable "key_custom_master_key_spec" {
+ description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1."
+ type = string
+ default = "SYMMETRIC_DEFAULT"
+}
+
+variable "key_deletion_window_in_days" {
+ description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive."
+ type = number
+ default = 30
+}
+
+variable "key_description" {
+ description = "The description of the key as viewed in AWS console."
+ type = string
+ default = "AWS KMS Key to encrypt Aurora Mysql Database Activity Stream."
+}
+
+variable "key_is_enabled" {
+ description = "Specifies whether the key is enabled."
+ type = bool
+ default = true
+}
+
+variable "key_usage" {
+ description = "Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, GENERATE_VERIFY_MAC."
+ type = string
+ default = "ENCRYPT_DECRYPT"
+}
+
+variable "key_multi_region" {
+ description = " Indicates whether the KMS key is a multi-Region (true) or regional (false) key."
+ type = bool
+ default = false
+}
+
+variable "key_tags" {
+ description = "A map of tags to assign to the object."
+ type = map(string)
+ default = null
+}
+
+variable "stream_mode" {
+ description = "Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async."
+ type = string
+ default = "async"
+ validation {
+ condition = contains(["sync", "async"], var.stream_mode)
+ error_message = "Invalid value, select either 'sync' or 'async'."
+ }
+}
+
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md b/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md
new file mode 100644
index 0000000..b019026
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md
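Review bot: `cluster_db_master_password` is the database master credential and its own description warns it "may show up in logs", yet the variable has no `sensitive = true`; adding it makes Terraform redact the value in plan and output rendering (state still stores it in clear, as the description already says). Two descriptions carry a stray leading space that terraform-docs copies verbatim into the README: `cluster_network_type` (`" Network type of the cluster. ..."`) and `key_multi_region` (`" Indicates whether ..."`). The `db_instance_class` patterns leave the `.` after `db` and after the family unescaped (`"^db.r7g.*large$"`), so they accept more than the documented classes; the intended form is `"^db\\.r7g\\..*large$"` and likewise for the other four lines.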
@@ -0,0 +1,73 @@ +# onboard-aws-rds-aurora-mysql-slowquery +Onboard Amazon Aurora MySQL Slowquery to DSF Hub. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. + +See the corresponding example for more details. + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora-mysql-cluster](#module\_aurora-mysql-cluster) | ../aws-rds-cluster | n/a | +| [aurora-mysql-cluster-parameter-group](#module\_aurora-mysql-cluster-parameter-group) | ../aws-rds-cluster-parameter-group | n/a | +| [aurora-mysql-instances](#module\_aurora-mysql-instances) | ../aws-rds-cluster-instance | n/a | +| [aurora-mysql-log-group](#module\_aurora-mysql-log-group) | ../aws-cloudwatch-log-group | n/a | +| [aurora-mysql-log-group-slowquery](#module\_aurora-mysql-log-group-slowquery) | ../aws-cloudwatch-log-group | n/a | +| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-log-group-slowquery-asset](#module\_aws-log-group-slowquery-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-rds-aurora-mysql-cluster-asset](#module\_aws-rds-aurora-mysql-cluster-asset) | ../dsfhub-aws-rds-aurora-mysql-cluster | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the instance. | `string` | n/a | yes | +| [cluster\_cluster\_id](#input\_cluster\_cluster\_id) | The name of the aurora mysql cluster | `string` | n/a | yes | +| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. 
Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes | +| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | +| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes | +| [aws\_aurora\_mysql\_cluster\_admin\_email](#input\_aws\_aurora\_mysql\_cluster\_admin\_email) | The email address to notify about the assets. | `string` | `null` | no | +| [aws\_aurora\_mysql\_cluster\_gateway\_id](#input\_aws\_aurora\_mysql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | `null` | no | +| [aws\_aurora\_mysql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_mysql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | `null` | no | +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | Turn on/off auditing on the data source and log aggregator | `bool` | `false` | no | +| [aws\_log\_group\_audit\_type](#input\_aws\_log\_group\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no | +| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `true` | no | +| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. 
| `number` | `1` | no | +| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` |
[
"audit",
"slowquery"
]
| no | +| [cluster\_db\_engine](#input\_cluster\_db\_engine) | Cluster engine i.e, aurora-mysql | `string` | `"aurora-mysql"` | no | +| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, i.e. 8.0.mysql\_aurora.3.05.1 | `string` | `"8.0.mysql_aurora.3.04.1"` | no | +| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `3306` | no | +| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `true` | no | +| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `"sun:18:00-sun:21:00"` | no | +| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `"IPV4"` | no | +| [cluster\_parameter\_group\_description](#input\_cluster\_parameter\_group\_description) | The description of the DB cluster parameter group. | `string` | `"RDS aurora mysql cluster parameter group"` | no | +| [cluster\_parameter\_group\_family](#input\_cluster\_parameter\_group\_family) | The family of the DB cluster parameter group. | `string` | `"aurora-mysql8.0"` | no | +| [cluster\_parameter\_group\_parameters](#input\_cluster\_parameter\_group\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"name": "server_audit_logging",
"value": 1
},
{
"name": "server_audit_excl_users",
"value": "rdsadmin"
},
{
"name": "server_audit_events",
"value": "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
},
{
"name": "slow_query_log",
"value": 1
},
{
"name": "long_query_time",
"value": 0
},
{
"name": "log_slow_admin_statements",
"value": 1
}
]
| no | +| [cluster\_parameter\_group\_tags](#input\_cluster\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no | +| [instance\_db\_instance\_class](#input\_instance\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `"db.t3.medium"` | no | +| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `false` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `false` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [cluster](#output\_cluster) | Aurora Mysql Cluster | +| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora Mysql Cluster parameter group | +| [dsf\_aurora\_mysql\_cluster](#output\_dsf\_aurora\_mysql\_cluster) | Aurora Mysql cluster DSF asset | +| [dsf\_aurora\_mysql\_log\_group](#output\_dsf\_aurora\_mysql\_log\_group) | DSF Aurora Mysql log group asset | +| [dsf\_aurora\_mysql\_log\_group\_slowquery](#output\_dsf\_aurora\_mysql\_log\_group\_slowquery) | DSF Aurora Mysql slow query log group asset | +| [instance](#output\_instance) | Aurora Mysql instance | +| [log\_group](#output\_log\_group) | Aurora Mysql log group | +| [log\_group\_slowquery](#output\_log\_group\_slowquery) | Aurora Mysql slow query log group | + \ No newline at end of file 
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/main.tf b/modules/onboard-aws-rds-aurora-mysql-slowquery/main.tf new file mode 100644 index 0000000..f1c60b7 --- /dev/null +++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/main.tf 
@@ -0,0 +1,104 @@
+module "aurora-mysql-cluster-parameter-group" {
+ source = "../aws-rds-cluster-parameter-group"
+
+ description = var.cluster_parameter_group_description
+ family = var.cluster_parameter_group_family
+ name = var.cluster_parameter_group_name
+ parameters = var.cluster_parameter_group_parameters
+ tags = var.cluster_parameter_group_tags
+}
+
+module "aurora-mysql-cluster" {
+ depends_on = [module.aurora-mysql-cluster-parameter-group, module.aurora-mysql-log-group]
+ source = "../aws-rds-cluster"
+
+ cluster_id = var.cluster_cluster_id
+ db_engine = var.cluster_db_engine
+ db_engine_version = var.cluster_db_engine_version
+ db_port = var.cluster_db_port
+ backup_retention = var.cluster_backup_retention
+ maintenance_schedule = var.cluster_maintenance_schedule
+ final_snapshot = var.cluster_final_snapshot
+ db_master_username = var.cluster_db_master_username
+ db_master_password = var.cluster_db_master_password
+ network_type = var.cluster_network_type
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ parameter_group_name = module.aurora-mysql-cluster-parameter-group.this.name
+ apply_immediately = var.cluster_apply_immediately
+}
+
+module "aurora-mysql-instances" {
+ depends_on = [module.aurora-mysql-cluster]
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.cluster_apply_immediately
+ cluster_id = module.aurora-mysql-cluster.this.cluster_identifier
+ db_engine = module.aurora-mysql-cluster.this.engine
+ db_subnet_group_name = module.aurora-mysql-cluster.this.db_subnet_group_name
+ db_instance_class = var.instance_db_instance_class
+ identifier = var.instance_identifier
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ maintenance_schedule = var.cluster_maintenance_schedule
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aurora-mysql-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/cluster/${var.cluster_cluster_id}/audit"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "aurora-mysql-log-group-slowquery" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/cluster/${var.cluster_cluster_id}/slowquery"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+
+module "aws-rds-aurora-mysql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-mysql-cluster"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-cluster.this.id
+ asset_id = module.aurora-mysql-cluster.this.arn
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ server_host_name = module.aurora-mysql-cluster.this.endpoint
+ parent_asset_id = var.aws_aurora_mysql_cluster_parent_asset_id
+ region = var.aws_aurora_mysql_cluster_region
+ server_port = module.aurora-mysql-cluster.this.port
+ username = module.aurora-mysql-cluster.this.master_username
+ password = module.aurora-mysql-cluster.this.master_password
+}
+
+module "aws-log-group-asset" {
+ depends_on = [module.aws-rds-aurora-mysql-cluster-asset]
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-log-group.this.id
+ asset_id = "${module.aurora-mysql-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ parent_asset_id = module.aws-rds-aurora-mysql-cluster-asset.this.asset_id
+ audit_type = var.aws_log_group_audit_type
+ region = var.aws_aurora_mysql_cluster_region
+}
+
+module "aws-log-group-slowquery-asset" {
+ depends_on = [module.aws-rds-aurora-mysql-cluster-asset, module.aws-log-group-asset]
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-log-group-slowquery.this.id
+ asset_id = "${module.aurora-mysql-log-group-slowquery.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ parent_asset_id = module.aws-rds-aurora-mysql-cluster-asset.this.asset_id
+ audit_type = "AWS_RDS_AURORA_MYSQL_SLOW"
+ region = var.aws_aurora_mysql_cluster_region
+}
+
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf b/modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf
new file mode 100644
index 0000000..3cdc2d9
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf
@@ -0,0 +1,39 @@
+output "cluster_parameter_group" {
+ description = "Aurora MySQL Cluster parameter group"
+ value = module.aurora-mysql-cluster-parameter-group.this
+}
+
+output "cluster" {
+ description = "Aurora MySQL Cluster"
+ value = module.aurora-mysql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora MySQL instance"
+ value = module.aurora-mysql-instances.this
+}
+
+output "log_group" {
+ description = "Aurora MySQL log group"
+ value = module.aurora-mysql-log-group.this
+}
+
+output "log_group_slowquery" {
+ description = "Aurora MySQL slow query log group"
+ value = module.aurora-mysql-log-group-slowquery.this
+}
+
+output "dsf_aurora_mysql_cluster" {
+ description = "Aurora MySQL cluster DSF asset"
+ value = module.aws-rds-aurora-mysql-cluster-asset.this
+}
+
+output "dsf_aurora_mysql_log_group" {
+ description = "Aurora MySQL log group asset"
+ value = module.aws-log-group-asset.this
+}
+
+output "dsf_aurora_mysql_log_group_slowquery" {
+ description = "Aurora MySQL slow query log group asset"
+ value = module.aws-log-group-slowquery-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf b/modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf
new file mode 100644
index 0000000..a300bf2
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf
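Review bot: `module "aws-rds-aurora-mysql-cluster-asset"` passes the cluster's username and password to the DSF asset but sets no `auth_mechanism`, whereas the sibling modules/onboard-aws-rds-aurora-mysql/main.tf added in the same commit sets `auth_mechanism = "password"` on the same `../dsfhub-aws-rds-aurora-mysql-cluster` source. If the inner module defaults that argument the omission is harmless but the two modules should still match; if it does not, this asset is registered with a different authentication mode than its sibling. Add `auth_mechanism = "password"` next to `asset_id` here so both callers are explicit about how the hub authenticates to the cluster.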
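Review bot: `output "cluster"` and `output "dsf_aurora_mysql_cluster"` re-export whole resource objects that carry the master password (main.tf feeds `var.cluster_db_master_password` into the cluster and `module.aurora-mysql-cluster.this.master_password` into the DSF asset), yet neither output is declared sensitive. Unless the wrapped `../aws-rds-cluster` and `../dsfhub-aws-rds-aurora-mysql-cluster` modules already mark their `this` outputs sensitive, any root module that consumes these outputs prints the password in plan and apply output. Add `sensitive = true` to both output blocks; consumers can still read the values from state or `terraform output -json`. The same applies to the `cluster` and `dsf_aurora_mysql_cluster` outputs in modules/onboard-aws-rds-aurora-mysql/outputs.tf in this commit.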
@@ -0,0 +1,211 @@
+# Cluster Parameter group variables
+variable "cluster_parameter_group_name" {
+ description = "The name of the DB cluster parameter group"
+ type = string
+}
+
+variable "cluster_parameter_group_family" {
+ description = "The family of the DB cluster parameter group."
+ type = string
+ default = "aurora-mysql8.0"
+}
+
+variable "cluster_parameter_group_description" {
+ description = "The description of the DB cluster parameter group."
+ type = string
+ default = "RDS aurora mysql cluster parameter group"
+}
+
+variable "cluster_parameter_group_parameters" {
+ description = "List of objects containing parameters for the DB cluster parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+ default = [
+ {
+ name = "server_audit_logging"
+ value = 1
+ },
+ {
+ name = "server_audit_excl_users"
+ value = "rdsadmin"
+ },
+ {
+ name = "server_audit_events"
+ value = "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
+ },
+ {
+ name = "slow_query_log"
+ value = 1
+ },
+ {
+ name = "long_query_time"
+ value = 0
+ },
+ {
+ name = "log_slow_admin_statements"
+ value = 1
+ }
+ ]
+}
+
+variable "cluster_parameter_group_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+# Aurora Mysql Cluster variables
+variable "cluster_db_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+ type = list(any)
+ default = ["audit", "slowquery"]
+}
+
+variable "cluster_db_engine" {
+ description = "Cluster engine i.e, aurora-mysql"
+ type = string
+ default = "aurora-mysql"
+}
+
+variable "cluster_db_engine_version" {
+ description = "Database engine version, i.e. 8.0.mysql_aurora.3.05.1"
+ type = string
+ default = "8.0.mysql_aurora.3.04.1"
+}
+
+variable "cluster_cluster_id" {
+ description = "The name of the aurora mysql cluster"
+ type = string
+}
+
+variable "cluster_backup_retention" {
+ description = "Days to retain backups for, Default is 1 day."
+ type = number
+ default = 1
+}
+
+variable "cluster_db_master_username" {
+ description = "Username for the master DB user, must not use rdsadmin as that is reserved."
+ type = string
+}
+
+variable "cluster_db_master_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+ type = string
+}
+
+variable "cluster_network_type" {
+ description = " Network type of the cluster. Valid values: IPV4, DUAL"
+ type = string
+ default = "IPV4"
+}
+
+variable "cluster_db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = "sun:18:00-sun:21:00"
+}
+
+variable "cluster_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+ type = bool
+ default = true
+}
+variable "cluster_db_port" {
+ description = "Port on which the DB accepts connections."
+ type = number
+ default = 3306
+}
+variable "cluster_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = true
+}
+
+# Aurora Mysql Instance variables
+variable "instance_identifier" {
+ description = "The name of the aurora mysql cluster instance"
+ type = string
+}
+
+variable "instance_db_instance_class" {
+ description = "The instance type of the RDS cluster. Example: 'db.t3.micro'"
+ type = string
+ default = "db.t3.medium"
+}
+
+variable "instance_minor_version_upgrade" {
+ description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+ type = bool
+ default = false
+}
+
+variable "instance_publicly_accessible" {
+ description = "If instance is publicly accessible. Default false"
+ type = bool
+ default = false
+}
+
+#AWS cloudwatch variables
+variable "log_group_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire."
+ type = number
+ default = 7
+}
+
+# DSFHUB asset variables
+variable "aws_aurora_mysql_cluster_admin_email" {
+ description = "The email address to notify about the assets."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_region" {
+ description = "AWS region containing the instance."
+ type = string
+}
+
+variable "aws_log_group_audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = "LOG_GROUP"
+ validation {
+ condition = contains(["AGGREGATED", "LOG_GROUP"], var.aws_log_group_audit_type)
+ error_message = "Invalid Value. Select from LOG_GROUP or AGGREGATED."
+ }
+}
+
+variable "aws_log_group_audit_pull_enabled" {
+ description = "Turn on/off auditing on the data source and log aggregator"
+ type = bool
+ default = false
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql/README.md b/modules/onboard-aws-rds-aurora-mysql/README.md
new file mode 100644
index 0000000..b94eca0
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql/README.md
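Review bot: `variable "cluster_db_master_password"` is a plain `string` with no `sensitive = true`, so the value is echoed in `terraform plan`/`apply` output and in the CI logs of every caller; the description acknowledges this instead of preventing it, and since the file already uses `optional()` attribute defaults, `sensitive` is available. Add `sensitive = true` after `type = string` in that block. Separately, `cluster_final_snapshot` defaults to `true` while its description ends "Default is false", and by the description's own semantics `true` means no final snapshot is taken on destroy, so the default silently skips the last backup of an audited database. Either change the default or correct the text to say "Default is true" so operators know what they are opting into. Both points apply verbatim to modules/onboard-aws-rds-aurora-mysql/variables.tf in this commit.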
@@ -0,0 +1,69 @@ +# onboard-aws-rds-aurora-mysql +Onboard Amazon Aurora MySQL to DSF Hub. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. + +See the corresponding example for more details. + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora-mysql-cluster](#module\_aurora-mysql-cluster) | ../aws-rds-cluster | n/a | +| [aurora-mysql-cluster-parameter-group](#module\_aurora-mysql-cluster-parameter-group) | ../aws-rds-cluster-parameter-group | n/a | +| [aurora-mysql-instances](#module\_aurora-mysql-instances) | ../aws-rds-cluster-instance | n/a | +| [aurora-mysql-log-group](#module\_aurora-mysql-log-group) | ../aws-cloudwatch-log-group | n/a | +| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-rds-aurora-mysql-cluster-asset](#module\_aws-rds-aurora-mysql-cluster-asset) | ../dsfhub-aws-rds-aurora-mysql-cluster | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the instance. | `string` | n/a | yes | +| [cluster\_cluster\_id](#input\_cluster\_cluster\_id) | The name of the aurora mysql cluster | `string` | n/a | yes | +| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. 
| `string` | n/a | yes | +| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | +| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes | +| [aws\_aurora\_mysql\_cluster\_admin\_email](#input\_aws\_aurora\_mysql\_cluster\_admin\_email) | The email address to notify about the assets. | `string` | `null` | no | +| [aws\_aurora\_mysql\_cluster\_gateway\_id](#input\_aws\_aurora\_mysql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | `null` | no | +| [aws\_aurora\_mysql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_mysql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | `null` | no | +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | Turn on/off auditing on the data source and log aggregator | `bool` | `false` | no | +| [aws\_log\_group\_audit\_type](#input\_aws\_log\_group\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no | +| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `true` | no | +| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `1` | no | +| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` |
[
"audit"
]
| no | +| [cluster\_db\_engine](#input\_cluster\_db\_engine) | Cluster engine i.e, aurora-mysql | `string` | `"aurora-mysql"` | no | +| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, i.e. 8.0.mysql\_aurora.3.05.1 | `string` | `"8.0.mysql_aurora.3.04.1"` | no | +| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `3306` | no | +| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `true` | no | +| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `"sun:18:00-sun:21:00"` | no | +| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `"IPV4"` | no | +| [cluster\_parameter\_group\_description](#input\_cluster\_parameter\_group\_description) | The description of the DB cluster parameter group. | `string` | `"RDS aurora mysql cluster parameter group"` | no | +| [cluster\_parameter\_group\_family](#input\_cluster\_parameter\_group\_family) | The family of the DB cluster parameter group. | `string` | `"aurora-mysql8.0"` | no | +| [cluster\_parameter\_group\_parameters](#input\_cluster\_parameter\_group\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"name": "server_audit_logging",
"value": 1
},
{
"name": "server_audit_excl_users",
"value": "rdsadmin"
},
{
"name": "server_audit_events",
"value": "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
}
]
| no | +| [cluster\_parameter\_group\_tags](#input\_cluster\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no | +| [instance\_db\_instance\_class](#input\_instance\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `"db.t3.medium"` | no | +| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `false` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `false` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [cluster](#output\_cluster) | Aurora Mysql Cluster | +| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora Mysql Cluster parameter group | +| [dsf\_aurora\_mysql\_cluster](#output\_dsf\_aurora\_mysql\_cluster) | Aurora Mysql cluster DSF asset | +| [dsf\_aurora\_mysql\_log\_group](#output\_dsf\_aurora\_mysql\_log\_group) | DSF Aurora Mysql log group asset | +| [instance](#output\_instance) | Aurora Mysql instance | +| [log\_group](#output\_log\_group) | Aurora Mysql log group | + \ No newline at end of file diff --git a/modules/onboard-aws-rds-aurora-mysql/main.tf b/modules/onboard-aws-rds-aurora-mysql/main.tf new file mode 100644 index 0000000..af57602 --- /dev/null +++ b/modules/onboard-aws-rds-aurora-mysql/main.tf 
@@ -0,0 +1,82 @@
+module "aurora-mysql-cluster-parameter-group" {
+ source = "../aws-rds-cluster-parameter-group"
+
+ description = var.cluster_parameter_group_description
+ family = var.cluster_parameter_group_family
+ name = var.cluster_parameter_group_name
+ parameters = var.cluster_parameter_group_parameters
+ tags = var.cluster_parameter_group_tags
+}
+
+module "aurora-mysql-cluster" {
+ depends_on = [module.aurora-mysql-cluster-parameter-group, module.aurora-mysql-log-group]
+ source = "../aws-rds-cluster"
+
+ cluster_id = var.cluster_cluster_id
+ db_engine = "aurora-mysql"
+ db_engine_version = var.cluster_db_engine_version
+ db_port = var.cluster_db_port
+ backup_retention = var.cluster_backup_retention
+ maintenance_schedule = var.cluster_maintenance_schedule
+ final_snapshot = var.cluster_final_snapshot
+ db_master_username = var.cluster_db_master_username
+ db_master_password = var.cluster_db_master_password
+ network_type = var.cluster_network_type
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ parameter_group_name = module.aurora-mysql-cluster-parameter-group.this.name
+ apply_immediately = var.cluster_apply_immediately
+}
+
+module "aurora-mysql-instances" {
+ depends_on = [module.aurora-mysql-cluster]
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.cluster_apply_immediately
+ cluster_id = module.aurora-mysql-cluster.this.cluster_identifier
+ db_engine = module.aurora-mysql-cluster.this.engine
+ db_instance_class = var.instance_db_instance_class
+ db_subnet_group_name = module.aurora-mysql-cluster.this.db_subnet_group_name
+ identifier = var.instance_identifier
+ maintenance_schedule = var.cluster_maintenance_schedule
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aurora-mysql-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/cluster/${var.cluster_cluster_id}/audit"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "aws-rds-aurora-mysql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-mysql-cluster"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-cluster.this.id
+ asset_id = module.aurora-mysql-cluster.this.arn
+ auth_mechanism = "password"
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ server_host_name = module.aurora-mysql-cluster.this.endpoint
+ parent_asset_id = var.aws_aurora_mysql_cluster_parent_asset_id
+ region = var.aws_aurora_mysql_cluster_region
+ server_port = module.aurora-mysql-cluster.this.port
+ username = module.aurora-mysql-cluster.this.master_username
+ password = module.aurora-mysql-cluster.this.master_password
+}
+
+module "aws-log-group-asset" {
+ depends_on = [module.aws-rds-aurora-mysql-cluster-asset]
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-log-group.this.id
+ asset_id = "${module.aurora-mysql-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ parent_asset_id = module.aws-rds-aurora-mysql-cluster-asset.this.asset_id
+ audit_type = var.aws_log_group_audit_type
+ region = var.aws_aurora_mysql_cluster_region
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql/outputs.tf b/modules/onboard-aws-rds-aurora-mysql/outputs.tf
new file mode 100644
index 0000000..b69ff6f
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql/outputs.tf
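Review bot: `db_engine = "aurora-mysql"` in `module "aurora-mysql-cluster"` hard-codes the engine, so the `cluster_db_engine` variable this commit declares in modules/onboard-aws-rds-aurora-mysql/variables.tf (and lists as an input in its README) is never read; a caller that sets it gets neither an effect nor an error. The slowquery sibling module passes `db_engine = var.cluster_db_engine`, so this module should do the same or drop the dead variable. `aurora-mysql-instances` takes its engine from `module.aurora-mysql-cluster.this.engine` and follows either fix unchanged.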
@@ -0,0 +1,29 @@
+output "cluster_parameter_group" {
+ description = "Aurora MySQL Cluster parameter group"
+ value = module.aurora-mysql-cluster-parameter-group.this
+}
+
+output "cluster" {
+ description = "Aurora MySQL Cluster"
+ value = module.aurora-mysql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora MySQL instance"
+ value = module.aurora-mysql-instances.this
+}
+
+output "log_group" {
+ description = "Aurora MySQL log group"
+ value = module.aurora-mysql-log-group.this
+}
+
+output "dsf_aurora_mysql_cluster" {
+ description = "Aurora MySQL cluster asset"
+ value = module.aws-rds-aurora-mysql-cluster-asset.this
+}
+
+output "dsf_aurora_mysql_log_group" {
+ description = "Aurora MySQL log group asset"
+ value = module.aws-log-group-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql/variables.tf b/modules/onboard-aws-rds-aurora-mysql/variables.tf
new file mode 100644
index 0000000..e443141
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql/variables.tf
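Review bot: `output "cluster"` and `output "dsf_aurora_mysql_cluster"` return whole resources that carry the master password (the cluster's `master_password` and the asset's `password`, both wired in main.tf) without `sensitive = true`. If the child modules mark their `this` output sensitive, as Terraform requires for a value containing a sensitive attribute, these outputs fail validation as written; if they do not, `terraform output` and every parent module print the password in clear. Add `sensitive = true` to both, and to the matching `cluster` output in modules/onboard-aws-rds-aurora-postgresql-kinesis/outputs.tf, which has the same shape.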
@@ -0,0 +1,201 @@
+# Cluster Parameter group variables
+variable "cluster_parameter_group_name" {
+ description = "The name of the DB cluster parameter group"
+ type = string
+}
+
+variable "cluster_parameter_group_family" {
+ description = "The family of the DB cluster parameter group."
+ type = string
+ default = "aurora-mysql8.0"
+}
+
+variable "cluster_parameter_group_description" {
+ description = "The description of the DB cluster parameter group."
+ type = string
+ default = "RDS aurora mysql cluster parameter group"
+}
+
+variable "cluster_parameter_group_parameters" {
+ description = "List of objects containing parameters for the DB cluster parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+ default = [
+ {
+ name = "server_audit_logging"
+ value = 1
+ },
+ {
+ name = "server_audit_excl_users"
+ value = "rdsadmin"
+ },
+ {
+ name = "server_audit_events"
+ value = "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
+ }
+ ]
+}
+
+variable "cluster_parameter_group_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+# Aurora Mysql Cluster variables
+variable "cluster_db_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+ type = list(any)
+ default = ["audit"]
+}
+
+variable "cluster_db_engine" {
+ description = "Cluster engine i.e, aurora-mysql"
+ type = string
+ default = "aurora-mysql"
+}
+
+variable "cluster_db_engine_version" {
+ description = "Database engine version, i.e. 8.0.mysql_aurora.3.05.1"
+ type = string
+ default = "8.0.mysql_aurora.3.04.1"
+}
+
+variable "cluster_cluster_id" {
+ description = "The name of the aurora mysql cluster"
+ type = string
+}
+
+variable "cluster_backup_retention" {
+ description = "Days to retain backups for, Default is 1 day."
+ type = number
+ default = 1
+}
+
+variable "cluster_db_master_username" {
+ description = "Username for the master DB user, must not use rdsadmin as that is reserved."
+ type = string
+}
+
+variable "cluster_db_master_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+ type = string
+}
+
+variable "cluster_network_type" {
+ description = " Network type of the cluster. Valid values: IPV4, DUAL"
+ type = string
+ default = "IPV4"
+}
+
+variable "cluster_db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = "sun:18:00-sun:21:00"
+}
+
+variable "cluster_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+ type = bool
+ default = true
+}
+
+variable "cluster_db_port" {
+ description = "Port on which the DB accepts connections."
+ type = number
+ default = 3306
+}
+
+variable "cluster_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = true
+}
+
+# Aurora Mysql Instance variables
+variable "instance_identifier" {
+ description = "The name of the aurora mysql cluster instance"
+ type = string
+}
+
+variable "instance_db_instance_class" {
+ description = "The instance type of the RDS cluster. Example: 'db.t3.micro'"
+ type = string
+ default = "db.t3.medium"
+}
+
+variable "instance_minor_version_upgrade" {
+ description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+ type = bool
+ default = false
+}
+
+variable "instance_publicly_accessible" {
+ description = "If instance is publicly accessible. Default false"
+ type = bool
+ default = false
+}
+
+#AWS cloudwatch variables
+variable "log_group_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire."
+ type = number
+ default = 7
+}
+
+# DSFHUB asset variables
+variable "aws_aurora_mysql_cluster_admin_email" {
+ description = "The email address to notify about the assets."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_region" {
+ description = "AWS region containing the instance."
+ type = string
+}
+
+variable "aws_log_group_audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = "LOG_GROUP"
+ validation {
+ condition = contains(["AGGREGATED", "LOG_GROUP"], var.aws_log_group_audit_type)
+ error_message = "Invalid Value. Select from LOG_GROUP or AGGREGATED."
+ }
+}
+
+variable "aws_log_group_audit_pull_enabled" {
+ description = "Turn on/off auditing on the data source and log aggregator"
+ type = bool
+ default = false
+}
\ No newline at end of file
diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md b/modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md
new file mode 100644
index 0000000..9eb4dfa
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md
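Review bot: `cluster_final_snapshot` defaults to `true` while its own description says "Default is false", and under the skip-final-snapshot semantics the description gives (`true` means no snapshot is taken) that default makes `terraform destroy` discard the audited database with no recovery point; either change to `default = false` or fix the description so callers know what they are opting into. `cluster_db_master_username` says the value "must not use rdsadmin" but enforces nothing, whereas the postgresql-kinesis variables.tf in this same commit rejects `rdsadmin`/`admin` with a `validation` block — copy that block here. `cluster_db_master_password` should carry `sensitive = true` so the value is redacted from plan and apply output, in this file and in the postgresql-kinesis variables.tf alike. `cluster_db_engine` is declared with a default but main.tf hardcodes `db_engine = "aurora-mysql"`, so the variable is dead and should be removed or wired through.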
@@ -0,0 +1,91 @@ +# onboard-aws-rds-aurora-postgresql-kinesis +Onboard Amazon Aurora PostgreSQL to DSF Hub using a kinesis stream. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from Kinesis streams. + +See the corresponding example for more details. + + + + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora-postgresql-cluster](#module\_aurora-postgresql-cluster) | ../aws-rds-cluster | n/a | +| [aurora-postgresql-cluster-activity-stream](#module\_aurora-postgresql-cluster-activity-stream) | ../aws-rds-cluster-activity-stream | n/a | +| [aurora-postgresql-instance](#module\_aurora-postgresql-instance) | ../aws-rds-cluster-instance | n/a | +| [aws-kinesis-asset](#module\_aws-kinesis-asset) | ../dsfhub-aws-kinesis | n/a | +| [aws-kms-key](#module\_aws-kms-key) | ../aws-kms-key | n/a | +| [aws-rds-aurora-postgresql-cluster-asset](#module\_aws-rds-aurora-postgresql-cluster-asset) | ../dsfhub-aws-rds-aurora-postgresql-cluster | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_arn.aurora_postgresql_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_aurora\_postgresql\_cluster\_admin\_email](#input\_aws\_aurora\_postgresql\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_aurora\_postgresql\_cluster\_gateway\_id](#input\_aws\_aurora\_postgresql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| 
[aws\_aurora\_postgresql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_postgresql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes | +| [aws\_kinesis\_admin\_email](#input\_aws\_kinesis\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [aws\_kinesis\_gateway\_id](#input\_aws\_kinesis\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes | +| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user. | `string` | n/a | yes | +| [cluster\_id](#input\_cluster\_id) | The name of the Aurora PostgreSQL cluster | `string` | n/a | yes | +| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes | +| [aws\_aurora\_postgresql\_cluster\_audit\_type](#input\_aws\_aurora\_postgresql\_cluster\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"KINESIS"` | no | +| [aws\_aurora\_postgresql\_cluster\_region](#input\_aws\_aurora\_postgresql\_cluster\_region) | AWS region containing the cluster. | `string` | `null` | no | +| [aws\_kinesis\_audit\_pull\_enabled](#input\_aws\_kinesis\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. 
| `bool` | `false` | no | +| [aws\_kinesis\_reason](#input\_aws\_kinesis\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no | +| [aws\_kinesis\_region](#input\_aws\_kinesis\_region) | AWS region of the kinesis stream | `string` | `null` | no | +| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no | +| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` | `null` | no | +| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, e.g., 16.1 | `string` | `"16.1"` | no | +| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no | +| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `null` | no | +| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). 
| `string` | `null` | no | +| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `null` | no | +| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | Cluster parameter group associated with the cluster | `string` | `null` | no | +| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no | +| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [instance\_class](#input\_instance\_class) | The instance type of the RDS cluster. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes. | `string` | `"db.r5.large"` | no | +| [instance\_db\_subnet\_group\_name](#input\_instance\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [instance\_maintenance\_schedule](#input\_instance\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | +| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. 
Default false | `bool` | `null` | no | +| [key\_custom\_master\_key\_spec](#input\_key\_custom\_master\_key\_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC\_DEFAULT, RSA\_2048, RSA\_3072, RSA\_4096, HMAC\_256, ECC\_NIST\_P256, ECC\_NIST\_P384, ECC\_NIST\_P521, or ECC\_SECG\_P256K1. | `string` | `"SYMMETRIC_DEFAULT"` | no | +| [key\_deletion\_window\_in\_days](#input\_key\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. | `number` | `30` | no | +| [key\_description](#input\_key\_description) | The description of the key as viewed in AWS console. | `string` | `"AWS KMS Key to encrypt Aurora PostgreSQL Database Activity Stream."` | no | +| [key\_is\_enabled](#input\_key\_is\_enabled) | Specifies whether the key is enabled. | `bool` | `true` | no | +| [key\_multi\_region](#input\_key\_multi\_region) | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. | `bool` | `false` | no | +| [key\_tags](#input\_key\_tags) | A map of tags to assign to the object. | `map(string)` | `null` | no | +| [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: ENCRYPT\_DECRYPT, SIGN\_VERIFY, GENERATE\_VERIFY\_MAC. | `string` | `"ENCRYPT_DECRYPT"` | no | +| [stream\_mode](#input\_stream\_mode) | Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async. 
| `string` | `"async"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [activity\_stream](#output\_activity\_stream) | Aurora PostgreSQL kinesis activity stream | +| [aws\_kinesis\_asset](#output\_aws\_kinesis\_asset) | AWS Kinesis stream asset | +| [aws\_rds\_aurora\_postgresql\_cluster\_asset](#output\_aws\_rds\_aurora\_postgresql\_cluster\_asset) | Aurora PostgreSQL cluster asset | +| [cluster](#output\_cluster) | Aurora PostgreSQL cluster | +| [instance](#output\_instance) | Aurora PostgreSQL instance | +| [kms\_key](#output\_kms\_key) | AWS KMS Key | + \ No newline at end of file diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf b/modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf new file mode 100644 index 0000000..5047956 --- /dev/null +++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf 
@@ -0,0 +1,87 @@
+module "aurora-postgresql-cluster" {
+ source = "../aws-rds-cluster"
+
+ apply_immediately = var.cluster_apply_immediately
+ backup_retention = var.cluster_backup_retention
+ cluster_id = var.cluster_id
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ db_engine = "aurora-postgresql"
+ db_engine_version = var.cluster_db_engine_version
+ db_master_password = var.cluster_db_master_password
+ db_master_username = var.cluster_db_master_username
+ db_port = var.cluster_db_port
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ final_snapshot = var.cluster_final_snapshot
+ maintenance_schedule = var.cluster_maintenance_schedule
+ network_type = var.cluster_network_type
+ parameter_group_name = var.cluster_parameter_group_name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+}
+
+module "aurora-postgresql-instance" {
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.instance_apply_immediately
+ cluster_id = module.aurora-postgresql-cluster.this.cluster_identifier
+ db_engine = module.aurora-postgresql-cluster.this.engine
+ db_instance_class = var.instance_class
+ db_subnet_group_name = module.aurora-postgresql-cluster.this.db_subnet_group_name
+ identifier = var.instance_identifier
+ maintenance_schedule = var.instance_maintenance_schedule
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aws-kms-key" {
+ source = "../aws-kms-key"
+
+ custom_master_key_spec = var.key_custom_master_key_spec
+ deletion_window_in_days = var.key_deletion_window_in_days
+ description = var.key_description
+ is_enabled = var.key_is_enabled
+ key_usage = var.key_usage
+ multi_region = var.key_multi_region
+ tags = var.key_tags
+}
+
+module "aurora-postgresql-cluster-activity-stream" {
+ source = "../aws-rds-cluster-activity-stream"
+
+ engine_native_audit_fields_included = false
+ kms_key_id = module.aws-kms-key.this.arn
+ mode = var.stream_mode
+ resource_arn = module.aurora-postgresql-cluster.this.arn
+}
+
+module "aws-rds-aurora-postgresql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-postgresql-cluster"
+
+ admin_email = var.aws_aurora_postgresql_cluster_admin_email
+ asset_display_name = module.aurora-postgresql-cluster.this.id
+ asset_id = module.aurora-postgresql-cluster.this.arn
+ audit_type = var.aws_aurora_postgresql_cluster_audit_type
+ gateway_id = var.aws_aurora_postgresql_cluster_gateway_id
+ parent_asset_id = var.aws_aurora_postgresql_cluster_parent_asset_id
+ region = var.aws_aurora_postgresql_cluster_region
+ server_host_name = module.aurora-postgresql-cluster.this.endpoint
+ server_port = module.aurora-postgresql-cluster.this.port
+}
+
+# Collect region and account info for kinesis asset_id
+data "aws_region" "current" {}
+data "aws_arn" "aurora_postgresql_cluster" {
+ arn = module.aurora-postgresql-cluster.this.arn
+}
+
+module "aws-kinesis-asset" {
+ source = "../dsfhub-aws-kinesis"
+
+ admin_email = var.aws_kinesis_admin_email
+ asset_display_name = "AWS Kinesis - ${module.aurora-postgresql-cluster-activity-stream.this.kinesis_stream_name}"
+ asset_id = "arn:aws:kinesis:${data.aws_region.current.name}:${data.aws_arn.aurora_postgresql_cluster.account}:stream/${module.aurora-postgresql-cluster-activity-stream.this.kinesis_stream_name}"
+ audit_pull_enabled = var.aws_kinesis_audit_pull_enabled
+ gateway_id = var.aws_kinesis_gateway_id
+ parent_asset_id = module.aws-rds-aurora-postgresql-cluster-asset.this.asset_id
+ reason = var.aws_kinesis_reason
+ region = var.aws_kinesis_region
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/outputs.tf b/modules/onboard-aws-rds-aurora-postgresql-kinesis/outputs.tf
new file mode 100644
index 0000000..30401e6
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/outputs.tf
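Review bot: The Kinesis `asset_id` hardcodes the `aws` partition and takes its region from the provider (`data.aws_region.current.name`) while the account comes from the cluster ARN; in the `aws-us-gov` or `aws-cn` partition, or whenever the provider region differs from the cluster's, the ID names a stream that does not exist and the DSF collector attaches to nothing. The `aws_arn` data source already parsed the cluster ARN, so build the ID from it alone: `asset_id = "arn:${data.aws_arn.aurora_postgresql_cluster.partition}:kinesis:${data.aws_arn.aurora_postgresql_cluster.region}:${data.aws_arn.aurora_postgresql_cluster.account}:stream/${module.aurora-postgresql-cluster-activity-stream.this.kinesis_stream_name}"`, which also makes `data "aws_region" "current"` unnecessary. `engine_native_audit_fields_included = false` is a fixed choice callers cannot override and deserves a comment stating why native audit fields are excluded from the stream.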
@@ -0,0 +1,29 @@
+output "cluster" {
+ description = "Aurora PostgreSQL cluster"
+ value = module.aurora-postgresql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora PostgreSQL instance"
+ value = module.aurora-postgresql-instance.this
+}
+
+output "kms_key" {
+ description = "AWS KMS Key"
+ value = module.aws-kms-key.this
+}
+
+output "activity_stream" {
+ description = "Aurora PostgreSQL kinesis activity stream"
+ value = module.aurora-postgresql-cluster-activity-stream.this
+}
+
+output "aws_rds_aurora_postgresql_cluster_asset" {
+ description = "Aurora PostgreSQL cluster asset"
+ value = module.aws-rds-aurora-postgresql-cluster-asset.this
+}
+
+output "aws_kinesis_asset" {
+ description = "AWS Kinesis stream asset"
+ value = module.aws-kinesis-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/variables.tf b/modules/onboard-aws-rds-aurora-postgresql-kinesis/variables.tf
new file mode 100644
index 0000000..fa076ed
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/variables.tf
@@ -0,0 +1,250 @@
+variable "aws_aurora_postgresql_cluster_admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "aws_aurora_postgresql_cluster_audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = "KINESIS"
+ validation {
+ condition = contains(["KINESIS", "KINESIS_AGGREGATED"], var.aws_aurora_postgresql_cluster_audit_type)
+ error_message = "Invalida audit_type. Select from \"KINESIS\", \"KINESIS_AGGREGATED\""
+ }
+}
+
+variable "aws_aurora_postgresql_cluster_parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+}
+
+variable "aws_aurora_postgresql_cluster_region" {
+ description = "AWS region containing the cluster."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_postgresql_cluster_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "aws_kinesis_admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "aws_kinesis_audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = false
+}
+
+variable "aws_kinesis_gateway_id" {
+ description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'."
+ type = string
+}
+
+variable "aws_kinesis_reason" {
+ description = "Used to differentiate connections that belong to the same asset"
+ type = string
+ default = "default"
+}
+
+variable "aws_kinesis_region" {
+ description = "AWS region of the kinesis stream"
+ type = string
+ default = null
+}
+
+variable "cluster_db_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_db_engine_version" {
+ description = "Database engine version, e.g., 16.1"
+ type = string
+ default = "16.1"
+}
+
+variable "cluster_id" {
+ description = "The name of the Aurora PostgreSQL cluster"
+ type = string
+}
+
+variable "cluster_backup_retention" {
+ description = "Days to retain backups for, Default is 1 day."
+ type = number
+ default = null
+}
+
+variable "cluster_db_master_username" {
+ description = "Username for the master DB user."
+ type = string
+ validation {
+ condition = (
+ var.cluster_db_master_username != "rdsadmin" &&
+ var.cluster_db_master_username != "admin"
+ )
+ error_message = "The aurora cluster master username must not be either \"rdsadmin\" or \"admin\". Please select another value."
+ }
+}
+
+variable "cluster_db_master_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+ type = string
+}
+
+variable "cluster_network_type" {
+ description = " Network type of the cluster. Valid values: IPV4, DUAL"
+ type = string
+ default = null
+}
+
+variable "cluster_db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "cluster_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+ type = bool
+ default = null
+}
+
+variable "cluster_db_port" {
+ description = "Port on which the DB accepts connections."
+ type = number
+ default = null
+}
+
+variable "cluster_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = null
+}
+
+variable "cluster_parameter_group_name" {
+ description = "Cluster parameter group associated with the cluster"
+ type = string
+ default = null
+}
+
+variable "instance_identifier" {
+ description = "The name of the aurora cluster instance"
+ type = string
+}
+
+variable "instance_publicly_accessible" {
+ description = "If instance is publicly accessible. Default false"
+ type = bool
+ default = null
+}
+
+variable "instance_db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "instance_class" {
+ description = "The instance type of the RDS cluster. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes."
+ type = string
+ default = "db.r5.large"
+ validation {
+ # Class must be one of supported for database activity streams
+ condition = (
+ can(regex("^db.r7g.*large$", var.instance_class)) ||
+ can(regex("^db.r6g.*large$", var.instance_class)) ||
+ can(regex("^db.r6i.*large$", var.instance_class)) ||
+ can(regex("^db.r5.*large$", var.instance_class)) ||
+ can(regex("^db.x2g.*$", var.instance_class))
+ )
+ error_message = "Invalid instance class for database activity streams. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes."
+ }
+}
+
+variable "instance_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "instance_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = null
+}
+
+variable "instance_minor_version_upgrade" {
+ description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+ type = bool
+ default = null
+}
+
+variable "key_custom_master_key_spec" {
+ description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1."
+ type = string
+ default = "SYMMETRIC_DEFAULT"
+}
+
+variable "key_deletion_window_in_days" {
+ description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive."
+ type = number
+ default = 30
+}
+
+variable "key_description" {
+ description = "The description of the key as viewed in AWS console."
+ type = string
+ default = "AWS KMS Key to encrypt Aurora PostgreSQL Database Activity Stream."
+}
+
+variable "key_is_enabled" {
+ description = "Specifies whether the key is enabled."
+ type = bool
+ default = true
+}
+
+variable "key_usage" {
+ description = "Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, GENERATE_VERIFY_MAC."
+ type = string
+ default = "ENCRYPT_DECRYPT"
+}
+
+variable "key_multi_region" {
+ description = " Indicates whether the KMS key is a multi-Region (true) or regional (false) key."
+ type = bool
+ default = false
+}
+
+variable "key_tags" {
+ description = "A map of tags to assign to the object."
+ type = map(string)
+ default = null
+}
+
+variable "stream_mode" {
+ description = "Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async."
+ type = string
+ default = "async"
+ validation {
+ condition = contains(["sync", "async"], var.stream_mode)
+ error_message = "Invalid value, select either 'sync' or 'async'."
+ }
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql/README.md b/modules/onboard-aws-rds-aurora-postgresql/README.md
new file mode 100644
index 0000000..29ab797
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql/README.md
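Review bot: The `aws_aurora_postgresql_cluster_audit_type` validation has a typo in its user-facing message, `"Invalida audit_type. …"`; it should read `error_message = "Invalid audit_type. Select from \"KINESIS\", \"KINESIS_AGGREGATED\""`. `key_deletion_window_in_days` documents a 7–30 range but nothing enforces it, so an out-of-range value only fails at apply time against KMS; add `validation { condition = var.key_deletion_window_in_days >= 7 && var.key_deletion_window_in_days <= 30  error_message = "key_deletion_window_in_days must be between 7 and 30." }`. Likewise `key_usage` and `key_custom_master_key_spec` accept signing and HMAC values although, as far as I know, an RDS activity stream can only be encrypted with a symmetric encryption key, so a validation pinning them to `ENCRYPT_DECRYPT` / `SYMMETRIC_DEFAULT` would fail fast at plan time rather than at the RDS API.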
@@ -0,0 +1,75 @@
+# onboard-aws-rds-aurora-postgresql
+Onboard Amazon Aurora PostgreSQL to DSF Hub.
+
+## Notes
+There are two prerequisites for using this module:
+1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups.
+2. A method to create the 'pgaudit' extension and 'rds_pgaudit' role on the postgres instance.
+
+See the corresponding example for more details.
+
+
+
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [aurora-postgresql-cluster](#module\_aurora-postgresql-cluster) | ../aws-rds-cluster | n/a |
+| [aurora-postgresql-cluster-parameter-group](#module\_aurora-postgresql-cluster-parameter-group) | ../aws-rds-cluster-parameter-group | n/a |
+| [aurora-postgresql-instance](#module\_aurora-postgresql-instance) | ../aws-rds-cluster-instance | n/a |
+| [aurora-postgresql-log-group](#module\_aurora-postgresql-log-group) | ../aws-cloudwatch-log-group | n/a |
+| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a |
+| [aws-rds-aurora-postgresql-cluster-asset](#module\_aws-rds-aurora-postgresql-cluster-asset) | ../dsfhub-aws-rds-aurora-postgresql-cluster | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [aws\_aurora\_postgresql\_cluster\_admin\_email](#input\_aws\_aurora\_postgresql\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [aws\_aurora\_postgresql\_cluster\_gateway\_id](#input\_aws\_aurora\_postgresql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [aws\_aurora\_postgresql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_postgresql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes |
+| [aws\_log\_group\_admin\_email](#input\_aws\_log\_group\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes |
+| [aws\_log\_group\_gateway\_id](#input\_aws\_log\_group\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes |
+| [aws\_log\_group\_region](#input\_aws\_log\_group\_region) | AWS region of the log group | `string` | n/a | yes |
+| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes |
+| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user. | `string` | n/a | yes |
+| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes |
+| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes |
+| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes |
+| [aws\_aurora\_postgresql\_cluster\_audit\_type](#input\_aws\_aurora\_postgresql\_cluster\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no |
+| [aws\_aurora\_postgresql\_cluster\_region](#input\_aws\_aurora\_postgresql\_cluster\_region) | AWS region containing the cluster. | `string` | `null` | no |
+| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no |
+| [aws\_log\_group\_reason](#input\_aws\_log\_group\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no |
+| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no |
+| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no |
+| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` |
[
"postgresql"
]
| no |
+| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, e.g., 16.1 | `string` | `"16.1"` | no |
+| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no |
+| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no |
+| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `true` | no |
+| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no |
+| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `null` | no |
+| [cluster\_parameter\_group\_description](#input\_cluster\_parameter\_group\_description) | The description of the DB cluster parameter group. | `string` | `null` | no |
+| [cluster\_parameter\_group\_family](#input\_cluster\_parameter\_group\_family) | The family of the DB cluster parameter group. | `string` | `"aurora-postgresql16"` | no |
+| [cluster\_parameter\_group\_parameters](#input\_cluster\_parameter\_group\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"name": "log_connections",
"value": 1
},
{
"name": "log_disconnections",
"value": 1
},
{
"name": "log_error_verbosity",
"value": "verbose"
},
{
"name": "pgaudit.log",
"value": "all"
},
{
"name": "pgaudit.role",
"value": "rds_pgaudit"
},
{
"apply_method": "pending-reboot",
"name": "shared_preload_libraries",
"value": "pgaudit,pg_stat_statements"
}
]
| no |
+| [cluster\_parameter\_group\_tags](#input\_cluster\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
+| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no |
+| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no |
+| [instance\_db\_instance\_class](#input\_instance\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `"db.t3.medium"` | no |
+| [instance\_maintenance\_schedule](#input\_instance\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no |
+| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no |
+| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `null` | no |
+| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [aws\_log\_group\_asset](#output\_aws\_log\_group\_asset) | AWS log group asset |
+| [aws\_rds\_aurora\_postgresql\_cluster\_asset](#output\_aws\_rds\_aurora\_postgresql\_cluster\_asset) | Aurora PostgreSQL cluster asset |
+| [cluster](#output\_cluster) | Aurora PostgreSQL cluster |
+| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora PostgreSQL cluster parameter group |
+| [instance](#output\_instance) | Aurora PostgreSQL instance |
+| [log\_group](#output\_log\_group) | Aurora PostgreSQL log group |
+
\ No newline at end of file
diff --git a/modules/onboard-aws-rds-aurora-postgresql/main.tf b/modules/onboard-aws-rds-aurora-postgresql/main.tf
new file mode 100644
index 0000000..fc282ff
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql/main.tf
@@ -0,0 +1,78 @@
+module "aurora-postgresql-cluster-parameter-group" {
+ source = "../aws-rds-cluster-parameter-group"
+
+ description = var.cluster_parameter_group_description
+ family = var.cluster_parameter_group_family
+ name = var.cluster_parameter_group_name
+ parameters = var.cluster_parameter_group_parameters
+ tags = var.cluster_parameter_group_tags
+}
+
+module "aurora-postgresql-cluster" {
+ depends_on = [module.aurora-postgresql-log-group]
+ source = "../aws-rds-cluster"
+
+ apply_immediately = var.cluster_apply_immediately
+ backup_retention = var.cluster_backup_retention
+ cluster_id = var.cluster_id
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ db_engine = "aurora-postgresql"
+ db_engine_version = var.cluster_db_engine_version
+ db_master_password = var.cluster_db_master_password
+ db_master_username = var.cluster_db_master_username
+ db_port = var.cluster_db_port
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ final_snapshot = var.cluster_final_snapshot
+ maintenance_schedule = var.cluster_maintenance_schedule
+ network_type = var.cluster_network_type
+ parameter_group_name = module.aurora-postgresql-cluster-parameter-group.this.name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+}
+
+module "aurora-postgresql-instance" {
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.instance_apply_immediately
+ cluster_id = module.aurora-postgresql-cluster.this.cluster_identifier
+ db_engine = module.aurora-postgresql-cluster.this.engine
+ db_instance_class = var.instance_db_instance_class
+ db_subnet_group_name = module.aurora-postgresql-cluster.this.db_subnet_group_name
+ identifier = var.instance_identifier
+ maintenance_schedule = var.instance_maintenance_schedule
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aurora-postgresql-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/cluster/${var.cluster_id}/postgresql"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "aws-rds-aurora-postgresql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-postgresql-cluster"
+
+ admin_email = var.aws_aurora_postgresql_cluster_admin_email
+ asset_display_name = module.aurora-postgresql-cluster.this.id
+ asset_id = module.aurora-postgresql-cluster.this.arn
+ audit_type = var.aws_aurora_postgresql_cluster_audit_type
+ gateway_id = var.aws_aurora_postgresql_cluster_gateway_id
+ parent_asset_id = var.aws_aurora_postgresql_cluster_parent_asset_id
+ region = var.aws_aurora_postgresql_cluster_region
+ server_host_name = module.aurora-postgresql-cluster.this.endpoint
+ server_port = module.aurora-postgresql-cluster.this.port
+}
+
+module "aws-log-group-asset" {
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_log_group_admin_email
+ asset_display_name = "${module.aurora-postgresql-log-group.this.arn}:*"
+ asset_id = "${module.aurora-postgresql-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_log_group_gateway_id
+ parent_asset_id = module.aws-rds-aurora-postgresql-cluster-asset.this.asset_id
+ reason = var.aws_log_group_reason
+ region = var.aws_log_group_region
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql/outputs.tf b/modules/onboard-aws-rds-aurora-postgresql/outputs.tf
new file mode 100644
index 0000000..425c0dc
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql/outputs.tf
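Review bot: The `depends_on = [module.aurora-postgresql-log-group]` on `aurora-postgresql-cluster` is the only non-obvious ordering in this file and carries no comment explaining it; presumably the log group is created first so the export target already exists with the caller's `retention_in_days` instead of being auto-created by RDS when the `postgresql` export starts, but that should be confirmed and recorded, e.g. `# Create the log group before the cluster so the configured retention applies to the exported postgresql log (RDS would otherwise create it itself)`. The `aws-log-group-asset` block would also benefit from a one-line note that it is registered with `audit_pull_enabled` taken from a variable whose default is `false`, so the asset is onboarded but no audit collection starts until the caller opts in; a reader of main.tf alone cannot see that default.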
@@ -0,0 +1,29 @@
+output "cluster_parameter_group" {
+ description = "Aurora PostgreSQL cluster parameter group"
+ value = module.aurora-postgresql-cluster-parameter-group.this
+}
+
+output "cluster" {
+ description = "Aurora PostgreSQL cluster"
+ value = module.aurora-postgresql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora PostgreSQL instance"
+ value = module.aurora-postgresql-instance.this
+}
+
+output "log_group" {
+ description = "Aurora PostgreSQL log group"
+ value = module.aurora-postgresql-log-group.this
+}
+
+output "aws_rds_aurora_postgresql_cluster_asset" {
+ description = "Aurora PostgreSQL cluster asset"
+ value = module.aws-rds-aurora-postgresql-cluster-asset.this
+}
+
+output "aws_log_group_asset" {
+ description = "AWS log group asset"
+ value = module.aws-log-group-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql/variables.tf b/modules/onboard-aws-rds-aurora-postgresql/variables.tf
new file mode 100644
index 0000000..89872ab
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql/variables.tf
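Review bot: `output "cluster"` re-exports the whole `module.aurora-postgresql-cluster.this` object, and for an `aws_rds_cluster` resource that object carries the `master_password` attribute the module was given via `db_master_password`; the output is not marked sensitive. If the inner `aws-rds-cluster` module's `this` output is sensitive, Terraform will reject this output as referring to sensitive values, and if it is not, the credential surfaces in `terraform output` and in any CI log that prints module outputs — either way `sensitive = true` belongs under `description` here. The inner module is outside this diff, so which of the two applies cannot be confirmed from the hunk.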
@@ -0,0 +1,241 @@
+variable "aws_aurora_postgresql_cluster_admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "aws_aurora_postgresql_cluster_audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = "LOG_GROUP"
+ validation {
+ condition = contains(["LOG_GROUP", "AGGREGATED"], var.aws_aurora_postgresql_cluster_audit_type)
+ error_message = "Invalid Value. Select from LOG_GROUP, or AGGREGATED."
+ }
+}
+
+variable "aws_aurora_postgresql_cluster_parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+}
+
+variable "aws_aurora_postgresql_cluster_region" {
+ description = "AWS region containing the cluster."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_postgresql_cluster_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "aws_log_group_admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "aws_log_group_audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = false
+}
+
+variable "aws_log_group_gateway_id" {
+ description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'."
+ type = string
+}
+
+variable "aws_log_group_reason" {
+ description = "Used to differentiate connections that belong to the same asset"
+ type = string
+ default = "default"
+}
+
+variable "aws_log_group_region" {
+ description = "AWS region of the log group"
+ type = string
+}
+
+variable "cluster_db_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+ type = list(any)
+ default = ["postgresql"]
+}
+
+variable "cluster_db_engine_version" {
+ description = "Database engine version, e.g., 16.1"
+ type = string
+ default = "16.1"
+}
+
+variable "cluster_id" {
+ description = "The name of the RDS cluster"
+ type = string
+}
+
+variable "cluster_backup_retention" {
+ description = "Days to retain backups for, Default is 1 day."
+ type = number
+ default = null
+}
+
+variable "cluster_db_master_username" {
+ description = "Username for the master DB user."
+ type = string
+ validation {
+ condition = (
+ var.cluster_db_master_username != "rdsadmin" &&
+ var.cluster_db_master_username != "admin"
+ )
+ error_message = "The aurora cluster master username must not be either \"rdsadmin\" or \"admin\". Please select another value."
+ }
+}
+
+variable "cluster_db_master_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+ type = string
+}
+
+variable "cluster_network_type" {
+ description = " Network type of the cluster. Valid values: IPV4, DUAL"
+ type = string
+ default = null
+}
+
+variable "cluster_db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "cluster_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+ type = bool
+ default = true
+}
+
+variable "cluster_db_port" {
+ description = "Port on which the DB accepts connections."
+ type = number
+ default = null
+}
+
+variable "cluster_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = null
+}
+
+variable "cluster_parameter_group_name" {
+ description = "The name of the DB cluster parameter group"
+ type = string
+}
+
+variable "cluster_parameter_group_family" {
+ description = "The family of the DB cluster parameter group."
+ type = string
+ default = "aurora-postgresql16"
+}
+
+variable "cluster_parameter_group_description" {
+ description = "The description of the DB cluster parameter group."
+ type = string
+ default = null
+}
+
+variable "cluster_parameter_group_parameters" {
+ description = "List of objects containing parameters for the DB cluster parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+ default = [
+ {
+ name = "log_connections"
+ value = 1
+ },
+ {
+ name = "log_disconnections"
+ value = 1
+ },
+ {
+ name = "log_error_verbosity"
+ value = "verbose"
+ },
+ {
+ name = "pgaudit.log"
+ value = "all"
+ },
+ {
+ name = "pgaudit.role"
+ value = "rds_pgaudit"
+ },
+ {
+ name = "shared_preload_libraries"
+ value = "pgaudit,pg_stat_statements"
+ apply_method = "pending-reboot"
+ }
+ ]
+}
+
+variable "cluster_parameter_group_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+variable "instance_identifier" {
+ description = "The name of the aurora cluster instance"
+ type = string
+}
+
+variable "instance_publicly_accessible" {
+ description = "If instance is publicly accessible. Default false"
+ type = bool
+ default = null
+}
+
+variable "instance_db_instance_class" {
+ description = "The instance type of the RDS cluster. Example: 'db.t3.micro'"
+ type = string
+ default = "db.t3.medium"
+}
+
+variable "instance_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "instance_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = null
+}
+
+variable "instance_minor_version_upgrade" {
+ description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+ type = bool
+ default = null
+}
+
+variable "log_group_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire."
+ type = number
+ default = 7
+}
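Review bot: `cluster_db_master_password` is declared as a plain `string` with no `sensitive = true`, even though its own description warns that the value may show up in logs; adding `sensitive = true` after `type = string` makes Terraform redact it from plan and apply output and from every module value derived from it (state still holds it, as the description already says). Two descriptions in this hunk also contradict the code next to them: `cluster_db_enabled_cloudwatch_logs_exports` lists `audit, error, general, slowquery` while its default is `["postgresql"]`, so the text should name the Aurora PostgreSQL export type the module actually uses rather than the MySQL ones, and `cluster_final_snapshot` ends with `Default is false` while `default = true`, which by the description's own wording means no snapshot is taken before the cluster is destroyed. Changing the latter to `Default is true (no final snapshot)` tells an operator what they are opting into.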