diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3fa9a55..4a25cd7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Changelog
+## 1.0.3 (2024-07-22)
+
+### Features
+- Amazon RDS Aurora MySQL module
+- Amazon RDS Aurora MySQL Kinesis module
+- Amazon RDS Aurora MySQL Slow query module
+- Amazon RDS Aurora PostgreSQL module
+- Amazon RDS Aurora PostgreSQL Kinesis module
+
 ## 1.0.2 (2024-07-12)
 ### Features
diff --git a/DSF_VERSION_COMPATABILITY.md b/DSF_VERSION_COMPATABILITY.md
index b041104..daea41b 100644
--- a/DSF_VERSION_COMPATABILITY.md
+++ b/DSF_VERSION_COMPATABILITY.md
@@ -18,6 +18,26 @@ The following table lists the DSF versions that each module is tested and mainta
list(| `null` | no |
+| [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS RDS cluster parameter group |
+
\ No newline at end of file
diff --git a/modules/aws-rds-cluster-parameter-group/main.tf b/modules/aws-rds-cluster-parameter-group/main.tf
new file mode 100644
index 0000000..3b3bc5d
--- /dev/null
+++ b/modules/aws-rds-cluster-parameter-group/main.tf
@@ -0,0 +1,15 @@
+resource "aws_rds_cluster_parameter_group" "this" {
+ name = var.name
+ family = var.family
+ description = var.description
+
+ dynamic "parameter" {
+ for_each = var.parameters
+
+ content {
+ name = parameter.value.name
+ value = parameter.value.value
+ apply_method = parameter.value.apply_method != null ? parameter.value.apply_method : null
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/aws-rds-cluster-parameter-group/outputs.tf b/modules/aws-rds-cluster-parameter-group/outputs.tf
new file mode 100644
index 0000000..eb47aeb
--- /dev/null
+++ b/modules/aws-rds-cluster-parameter-group/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS RDS cluster parameter group"
+ value = aws_rds_cluster_parameter_group.this
+}
\ No newline at end of file
diff --git a/modules/aws-rds-cluster-parameter-group/variables.tf b/modules/aws-rds-cluster-parameter-group/variables.tf
new file mode 100644
index 0000000..e6da6c7
--- /dev/null
+++ b/modules/aws-rds-cluster-parameter-group/variables.tf
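Review bot: `for_each = var.parameters` in the `dynamic "parameter"` block is fed `null` whenever the caller omits `parameters`, because variables.tf declares it with `default = null`, and Terraform rejects a null `for_each` on a dynamic block, so the module only plans when that input is explicitly set. Either change the default to `[]` or guard the expression: `for_each = var.parameters != null ? var.parameters : []`. The `apply_method = parameter.value.apply_method != null ? parameter.value.apply_method : null` conditional is a no-op (both branches yield the same value) and can be `apply_method = parameter.value.apply_method`; the object type already defaults it to "immediate". `var.tags` is declared in variables.tf and listed in the README but never assigned on the resource, so add `tags = var.tags` or drop the input.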
@@ -0,0 +1,33 @@
+variable "name" {
+ description = "The name of the DB cluster parameter group"
+ type = string
+}
+
+variable "family" {
+ description = "The family of the DB cluster parameter group."
+ type = string
+}
+
+variable "description" {
+ description = "The description of the DB cluster parameter group."
+ type = string
+ default = null
+}
+
+variable "parameters" {
+ description = "List of objects containing parameters for the DB cluster parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+ default = null
+}
+
+variable "tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
diff --git a/modules/aws-rds-cluster/README.md b/modules/aws-rds-cluster/README.md
new file mode 100644
index 0000000..56c0951
--- /dev/null
+++ b/modules/aws-rds-cluster/README.md
@@ -0,0 +1,47 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_rds_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no |
+| [backup\_retention](#input\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no |
+| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes |
+| [db\_enabled\_cloudwatch\_logs\_exports](#input\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` | `null` | no |
+| [db\_engine](#input\_db\_engine) | Cluster engine e.g., aurora-mysql | `string` | `null` | no |
+| [db\_engine\_version](#input\_db\_engine\_version) | Database engine version, e.g., 8.0.mysql\_aurora.3.05.1 | `string` | `null` | no |
+| [db\_master\_password](#input\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes |
+| [db\_master\_username](#input\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes |
+| [db\_port](#input\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no |
+| [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no |
+| [final\_snapshot](#input\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `null` | no |
+| [maintenance\_schedule](#input\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no |
+| [network\_type](#input\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `null` | no |
+| [parameter\_group\_name](#input\_parameter\_group\_name) | Cluster parameter group associated with the cluster | `string` | `null` | no |
+| [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | RDS Aurora cluster |
+
\ No newline at end of file
diff --git a/modules/aws-rds-cluster/main.tf b/modules/aws-rds-cluster/main.tf
new file mode 100644
index 0000000..c675f3e
--- /dev/null
+++ b/modules/aws-rds-cluster/main.tf
@@ -0,0 +1,17 @@
+resource "aws_rds_cluster" "this" {
+ apply_immediately = var.apply_immediately
+ backup_retention_period = var.backup_retention
+ cluster_identifier = var.cluster_id
+ enabled_cloudwatch_logs_exports = var.db_enabled_cloudwatch_logs_exports
+ engine = var.db_engine
+ engine_version = var.db_engine_version
+ master_password = var.db_master_password
+ master_username = var.db_master_username
+ port = var.db_port
+ db_subnet_group_name = var.db_subnet_group_name
+ skip_final_snapshot = var.final_snapshot
+ preferred_maintenance_window = var.maintenance_schedule
+ db_cluster_parameter_group_name = var.parameter_group_name
+ network_type = var.network_type
+ vpc_security_group_ids = var.vpc_security_group_ids
+}
diff --git a/modules/aws-rds-cluster/outputs.tf b/modules/aws-rds-cluster/outputs.tf
new file mode 100644
index 0000000..379f083
--- /dev/null
+++ b/modules/aws-rds-cluster/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "RDS Aurora cluster"
+ value = aws_rds_cluster.this
+}
diff --git a/modules/aws-rds-cluster/variables.tf b/modules/aws-rds-cluster/variables.tf
new file mode 100644
index 0000000..b636e83
--- /dev/null
+++ b/modules/aws-rds-cluster/variables.tf
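Review bot: The `aws_rds_cluster` resource sets neither `storage_encrypted`/`kms_key_id` nor `deletion_protection`, so a cluster built from this module takes the provider defaults — unencrypted storage for a provisioned Aurora cluster and no protection against a plain `terraform destroy`; for a module that feeds audit data to a security product I would expose both, e.g. `storage_encrypted = var.storage_encrypted` and `deletion_protection = var.deletion_protection`, with the encryption variable defaulting to `true` in variables.tf. `skip_final_snapshot = var.final_snapshot` also binds the argument to an input whose name reads as its opposite — `final_snapshot = true` means no snapshot is taken — so consider renaming the variable to `skip_final_snapshot` before callers depend on it. The README row for `final_snapshot` would need the same rename.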
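Review bot: `value = aws_rds_cluster.this` exports the entire resource object, and that object carries `master_password`, which the AWS provider marks sensitive; Terraform refuses an output containing sensitive values unless it is declared `sensitive = true`, and even then the password is copied into every parent state that consumes this module. Export only what callers need — `arn`, `id`, `endpoint`, `reader_endpoint` — or, if the whole object is wanted, add `sensitive = true`. The outputs in modules/dsfhub-aws-rds-aurora-mysql-cluster/outputs.tf and modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf do the same with `dsfhub_data_source.this`, whose `asset_connection` block holds `password`; whether that provider flags it sensitive I cannot tell from here, but the state-copy concern is the same.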
@@ -0,0 +1,85 @@
+variable "apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = null
+}
+
+variable "backup_retention" {
+ description = "Days to retain backups for, Default is 1 day."
+ type = number
+ default = null
+}
+
+variable "cluster_id" {
+ description = "The name of the RDS cluster"
+ type = string
+}
+
+variable "db_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+ type = list(any)
+ default = null
+}
+
+variable "db_engine" {
+ description = "Cluster engine e.g., aurora-mysql"
+ type = string
+ default = null
+}
+variable "db_engine_version" {
+ description = "Database engine version, e.g., 8.0.mysql_aurora.3.05.1"
+ type = string
+ default = null
+}
+
+variable "db_master_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+ type = string
+}
+
+variable "db_master_username" {
+ description = "Username for the master DB user, must not use rdsadmin as that is reserved."
+ type = string
+}
+
+variable "db_port" {
+ description = "Port on which the DB accepts connections."
+ type = number
+ default = null
+}
+
+variable "db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+ type = bool
+ default = null
+}
+
+variable "maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "network_type" {
+ description = " Network type of the cluster. Valid values: IPV4, DUAL"
+ type = string
+ default = null
+}
+
+variable "parameter_group_name" {
+ description = "Cluster parameter group associated with the cluster"
+ type = string
+ default = null
+}
+
+variable "vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(any)
+ default = null
+}
diff --git a/modules/dsfhub-aws-kinesis/README.md b/modules/dsfhub-aws-kinesis/README.md
new file mode 100644
index 0000000..a62eeef
--- /dev/null
+++ b/modules/dsfhub-aws-kinesis/README.md
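Review bot: `db_master_password` is a plain `string` input without `sensitive = true`, so its value is rendered in `terraform plan` and `apply` output and in any CI log that captures them, despite the description warning that it "may show up in logs". Add `sensitive = true` to the block; the same attribute is missing on `password` in modules/dsfhub-aws-rds-aurora-mysql-cluster/variables.tf and modules/dsfhub-aws-rds-aurora-postgresql-cluster/variables.tf. Minor: the `network_type` description starts with a stray space (`" Network type of the cluster..."`).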
@@ -0,0 +1,41 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_log_aggregator.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/log_aggregator) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [admin\_email](#input\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes |
+| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes |
+| [asset\_id](#input\_asset\_id) | AWS kinesis stream ARN | `string` | n/a | yes |
+| [audit\_pull\_enabled](#input\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no |
+| [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no |
+| [gateway\_id](#input\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id that contains this asset (e.g. Asset ID of the database sending audit events). The parent must either be an AWS account, or have a parent which is an AWS account. | `string` | n/a | yes |
+| [reason](#input\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no |
+| [region](#input\_region) | AWS region of the kinesis stream | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS Kinesis asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-kinesis/main.tf b/modules/dsfhub-aws-kinesis/main.tf
new file mode 100644
index 0000000..511981e
--- /dev/null
+++ b/modules/dsfhub-aws-kinesis/main.tf
@@ -0,0 +1,27 @@
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ }
+ }
+}
+
+resource "dsfhub_log_aggregator" "this" {
+ server_type = "AWS KINESIS"
+
+ admin_email = var.admin_email
+ asset_display_name = var.asset_display_name
+ asset_id = var.asset_id
+ audit_pull_enabled = var.audit_pull_enabled
+ audit_type = var.audit_type
+ gateway_id = var.gateway_id
+ parent_asset_id = var.parent_asset_id
+
+ asset_connection {
+ auth_mechanism = "default"
+
+ reason = var.reason
+ region = var.region
+
+ }
+}
diff --git a/modules/dsfhub-aws-kinesis/outputs.tf b/modules/dsfhub-aws-kinesis/outputs.tf
new file mode 100644
index 0000000..db98ba8
--- /dev/null
+++ b/modules/dsfhub-aws-kinesis/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS Kinesis asset"
+ value = dsfhub_log_aggregator.this
+}
diff --git a/modules/dsfhub-aws-kinesis/variables.tf b/modules/dsfhub-aws-kinesis/variables.tf
new file mode 100644
index 0000000..db21a9b
--- /dev/null
+++ b/modules/dsfhub-aws-kinesis/variables.tf
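Review bot: `required_providers` names `imperva/dsfhub` by `source` only, with no `version` constraint, so each `terraform init` resolves whatever the newest published release is and a breaking — or tampered — provider version is adopted silently; the README's "No requirements" is a symptom of this. Add `version = "~> X.Y"` (placeholder: use the provider version the modules were tested against) next to `source`, plus a `required_version` for Terraform itself, and commit the `.terraform.lock.hcl` so the provider checksum is pinned. The same unconstrained block is in modules/dsfhub-aws-rds-aurora-mysql-cluster/main.tf and modules/dsfhub-aws-rds-aurora-postgresql-cluster/main.tf.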
@@ -0,0 +1,48 @@
+variable "admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "asset_display_name" {
+ description = "User-friendly name of the asset, defined by user"
+ type = string
+}
+
+variable "asset_id" {
+ description = "AWS kinesis stream ARN"
+ type = string
+}
+
+variable "audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = false
+}
+
+variable "audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = null
+}
+
+variable "gateway_id" {
+ description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'."
+ type = string
+}
+
+variable "parent_asset_id" {
+ description = "The asset_id that contains this asset (e.g. Asset ID of the database sending audit events). The parent must either be an AWS account, or have a parent which is an AWS account."
+ type = string
+}
+
+variable "reason" {
+ description = "Used to differentiate connections that belong to the same asset"
+ type = string
+ default = "default"
+}
+
+variable "region" {
+ description = "AWS region of the kinesis stream"
+ type = string
+ default = null
+}
diff --git a/modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md b/modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md
new file mode 100644
index 0000000..4af6165
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md
@@ -0,0 +1,43 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes |
+| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:rds:us-east-2:123456790:cluster:db-name" | `string` | n/a | yes |
+| [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection | `string` | `null` | no |
+| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes |
+| [password](#input\_password) | User's password | `string` | `null` | no |
+| [region](#input\_region) | AWS region containing the cluster. | `string` | `null` | no |
+| [server\_host\_name](#input\_server\_host\_name) | Endpoint URL | `string` | `null` | no |
+| [server\_port](#input\_server\_port) | Port of the cluster for connection | `string` | `null` | no |
+| [username](#input\_username) | Username to use to connect to the cluster. | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | Aurora MySQL cluster DSF asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-rds-aurora-mysql-cluster/main.tf b/modules/dsfhub-aws-rds-aurora-mysql-cluster/main.tf
new file mode 100644
index 0000000..c106077
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-mysql-cluster/main.tf
@@ -0,0 +1,32 @@
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ }
+ }
+}
+
+resource "dsfhub_data_source" "this" {
+ server_type = "AWS RDS AURORA MYSQL CLUSTER"
+
+ admin_email = var.admin_email
+ asset_display_name = var.asset_display_name
+ asset_id = var.asset_id
+ gateway_id = var.gateway_id
+ server_host_name = var.server_host_name
+ parent_asset_id = var.parent_asset_id
+ region = var.region
+ server_port = var.server_port
+
+ dynamic "asset_connection" {
+ # If auth_mechanism is not defined, do not create a connection
+ for_each = var.auth_mechanism != null ? [0] : []
+
+ content {
+ auth_mechanism = var.auth_mechanism != null ? var.auth_mechanism : null
+ username = var.username
+ password = var.password
+ reason = "default"
+ }
+ }
+}
diff --git a/modules/dsfhub-aws-rds-aurora-mysql-cluster/outputs.tf b/modules/dsfhub-aws-rds-aurora-mysql-cluster/outputs.tf
new file mode 100644
index 0000000..8c46e7f
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-mysql-cluster/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "Aurora MySQL cluster DSF asset"
+ value = dsfhub_data_source.this
+}
diff --git a/modules/dsfhub-aws-rds-aurora-mysql-cluster/variables.tf b/modules/dsfhub-aws-rds-aurora-mysql-cluster/variables.tf
new file mode 100644
index 0000000..30ca5a2
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-mysql-cluster/variables.tf
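Review bot: Inside `dynamic "asset_connection"` the line `auth_mechanism = var.auth_mechanism != null ? var.auth_mechanism : null` is a tautology — the block is only generated when `for_each` already saw `var.auth_mechanism != null`, and both branches evaluate to the same value anyway — so it should read `auth_mechanism = var.auth_mechanism`. The identical line is in modules/dsfhub-aws-rds-aurora-postgresql-cluster/main.tf. That sibling module also forwards `audit_type` to the data source while this one has no such input; if the omission is deliberate, a short comment above the resource saying so would spare the next reader a side-by-side comparison.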
@@ -0,0 +1,68 @@
+variable "admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "asset_display_name" {
+ description = "User-friendly name of the asset, defined by user"
+ type = string
+}
+
+variable "asset_id" {
+ description = "AWS ARN, e.g. \"arn:aws:rds:us-east-2:123456790:cluster:db-name\""
+ type = string
+}
+
+variable "auth_mechanism" {
+ description = "Specifies the auth mechanism used by the connection"
+ type = string
+ default = null
+ validation {
+ condition = (
+ # auth_mechanism can either be null, or one of the supported values
+ var.auth_mechanism == null ||
+ can(contains(["password"], var.auth_mechanism))
+ )
+ error_message = "Incorrect auth_mechanism. Supported auth_mechanisms: password."
+ }
+}
+
+variable "parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+}
+
+variable "region" {
+ description = "AWS region containing the cluster."
+ type = string
+ default = null
+}
+
+variable "server_host_name" {
+ description = "Endpoint URL"
+ type = string
+ default = null
+}
+
+variable "server_port" {
+ description = "Port of the cluster for connection"
+ type = string
+ default = null
+}
+
+variable "gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "username" {
+ description = "Username to use to connect to the cluster."
+ type = string
+ default = null
+}
+
+variable "password" {
+ description = "User's password"
+ type = string
+ default = null
+}
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md
new file mode 100644
index 0000000..e6222a4
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md
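Review bot: The `auth_mechanism` validation accepts any string: `contains(["password"], var.auth_mechanism)` returns `false` for an unsupported value rather than raising an error, so wrapping it in `can()` turns that into `true`, and the `error_message` can never fire for a non-null input. Drop the wrapper so the condition is `var.auth_mechanism == null || contains(["password"], var.auth_mechanism)`. The same validation is copied into modules/dsfhub-aws-rds-aurora-postgresql-cluster/variables.tf.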
@@ -0,0 +1,44 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes |
+| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:rds:us-east-2:123456790:cluster:db-name" | `string` | n/a | yes |
+| [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no |
+| [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection | `string` | `null` | no |
+| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes |
+| [password](#input\_password) | User's password | `string` | `null` | no |
+| [region](#input\_region) | AWS region containing the cluster. | `string` | `null` | no |
+| [server\_host\_name](#input\_server\_host\_name) | Endpoint URL | `string` | `null` | no |
+| [server\_port](#input\_server\_port) | Port of the cluster for connection | `string` | `null` | no |
+| [username](#input\_username) | Username to use to connect to the cluster. | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | Aurora PostgreSQL cluster DSF asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/main.tf b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/main.tf
new file mode 100644
index 0000000..53b444f
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/main.tf
@@ -0,0 +1,33 @@
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ }
+ }
+}
+
+resource "dsfhub_data_source" "this" {
+ server_type = "AWS RDS AURORA POSTGRESQL CLUSTER"
+
+ admin_email = var.admin_email
+ asset_display_name = var.asset_display_name
+ asset_id = var.asset_id
+ audit_type = var.audit_type
+ gateway_id = var.gateway_id
+ server_host_name = var.server_host_name
+ parent_asset_id = var.parent_asset_id
+ region = var.region
+ server_port = var.server_port
+
+ dynamic "asset_connection" {
+ # If auth_mechanism is not defined, do not create a connection
+ for_each = var.auth_mechanism != null ? [0] : []
+
+ content {
+ auth_mechanism = var.auth_mechanism != null ? var.auth_mechanism : null
+ username = var.username
+ password = var.password
+ reason = "default"
+ }
+ }
+}
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf
new file mode 100644
index 0000000..3b34474
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "Aurora PostgreSQL cluster DSF asset"
+ value = dsfhub_data_source.this
+}
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/variables.tf b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/variables.tf
new file mode 100644
index 0000000..5280ea6
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/variables.tf
@@ -0,0 +1,74 @@
+variable "admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "asset_display_name" {
+ description = "User-friendly name of the asset, defined by user"
+ type = string
+}
+
+variable "asset_id" {
+ description = "AWS ARN, e.g. \"arn:aws:rds:us-east-2:123456790:cluster:db-name\""
+ type = string
+}
+
+variable "audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = null
+}
+
+variable "auth_mechanism" {
+ description = "Specifies the auth mechanism used by the connection"
+ type = string
+ default = null
+ validation {
+ condition = (
+ # auth_mechanism can either be null, or one of the supported values
+ var.auth_mechanism == null ||
+ can(contains(["password"], var.auth_mechanism))
+ )
+ error_message = "Incorrect auth_mechanism. Supported auth_mechanisms: password."
+ }
+}
+
+variable "parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+}
+
+variable "region" {
+ description = "AWS region containing the cluster."
+ type = string
+ default = null
+}
+
+variable "server_host_name" {
+ description = "Endpoint URL"
+ type = string
+ default = null
+}
+
+variable "server_port" {
+ description = "Port of the cluster for connection"
+ type = string
+ default = null
+}
+
+variable "gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "username" {
+ description = "Username to use to connect to the cluster."
+ type = string
+ default = null
+}
+
+variable "password" {
+ description = "User's password"
+ type = string
+ default = null
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md b/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md
new file mode 100644
index 0000000..de4dd7e
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md
@@ -0,0 +1,91 @@
+# onboard-aws-rds-aurora-mysql-kinesis
+Onboard Amazon Aurora MySQL to DSF Hub using a kinesis stream.
+
+## Notes
+There is one prerequisite for using this module:
+1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from Kinesis streams.
+
+See the corresponding example for more details.
+
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [aurora-mysql-cluster](#module\_aurora-mysql-cluster) | ../aws-rds-cluster | n/a |
+| [aurora-mysql-cluster-activity-stream](#module\_aurora-mysql-cluster-activity-stream) | ../aws-rds-cluster-activity-stream | n/a |
+| [aurora-mysql-instance](#module\_aurora-mysql-instance) | ../aws-rds-cluster-instance | n/a |
+| [aws-kinesis-asset](#module\_aws-kinesis-asset) | ../dsfhub-aws-kinesis | n/a |
+| [aws-kms-key](#module\_aws-kms-key) | ../aws-kms-key | n/a |
+| [aws-rds-aurora-mysql-cluster-asset](#module\_aws-rds-aurora-mysql-cluster-asset) | ../dsfhub-aws-rds-aurora-mysql-cluster | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.aurora_mysql_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [aws\_aurora\_mysql\_cluster\_admin\_email](#input\_aws\_aurora\_mysql\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [aws\_aurora\_mysql\_cluster\_gateway\_id](#input\_aws\_aurora\_mysql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [aws\_aurora\_mysql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_mysql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes |
+| [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the cluster. | `string` | `null` | no |
+| [aws\_kinesis\_admin\_email](#input\_aws\_kinesis\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes |
+| [aws\_kinesis\_audit\_pull\_enabled](#input\_aws\_kinesis\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no |
+| [aws\_kinesis\_gateway\_id](#input\_aws\_kinesis\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes |
+| [aws\_kinesis\_reason](#input\_aws\_kinesis\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no |
+| [aws\_kinesis\_region](#input\_aws\_kinesis\_region) | AWS region of the kinesis stream | `string` | `null` | no |
+| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no |
+| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no |
+| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` | `null` | no |
+| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, i.e. 8.0.mysql\_aurora.3.05.1 | `string` | `null` | no |
+| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes |
+| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes |
+| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no |
+| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no |
+| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `null` | no |
+| [cluster\_id](#input\_cluster\_id) | The name of the Aurora MySQL cluster | `string` | n/a | yes |
+| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no |
+| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `null` | no |
+| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | Cluster parameter group associated with the cluster | `string` | `null` | no |
+| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no |
+| [db\_instance\_class](#input\_db\_instance\_class) | The instance type of the RDS cluster. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes. | `string` | `"db.r5.large"` | no |
+| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `true` | no |
+| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes |
+| [instance\_maintenance\_schedule](#input\_instance\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no |
+| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no |
+| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `null` | no |
+| [key\_custom\_master\_key\_spec](#input\_key\_custom\_master\_key\_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC\_DEFAULT, RSA\_2048, RSA\_3072, RSA\_4096, HMAC\_256, ECC\_NIST\_P256, ECC\_NIST\_P384, ECC\_NIST\_P521, or ECC\_SECG\_P256K1. | `string` | `"SYMMETRIC_DEFAULT"` | no |
+| [key\_deletion\_window\_in\_days](#input\_key\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. | `number` | `30` | no |
+| [key\_description](#input\_key\_description) | The description of the key as viewed in AWS console. | `string` | `"AWS KMS Key to encrypt Aurora MySQL Database Activity Stream."` | no |
+| [key\_is\_enabled](#input\_key\_is\_enabled) | Specifies whether the key is enabled. | `bool` | `true` | no |
+| [key\_multi\_region](#input\_key\_multi\_region) | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. | `bool` | `false` | no |
+| [key\_tags](#input\_key\_tags) | A map of tags to assign to the object. | `map(string)` | `null` | no |
+| [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: ENCRYPT\_DECRYPT, SIGN\_VERIFY, GENERATE\_VERIFY\_MAC. | `string` | `"ENCRYPT_DECRYPT"` | no |
+| [stream\_mode](#input\_stream\_mode) | Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async. | `string` | `"async"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [activity\_stream](#output\_activity\_stream) | Aurora MySQL kinesis activity stream |
+| [aws\_kinesis\_asset](#output\_aws\_kinesis\_asset) | AWS Kinesis stream asset |
+| [aws\_rds\_aurora\_mysql\_cluster\_asset](#output\_aws\_rds\_aurora\_mysql\_cluster\_asset) | Aurora MySQL cluster asset |
+| [cluster](#output\_cluster) | Aurora MySQL Cluster |
+| [instance](#output\_instance) | Aurora MySQL Cluster instance |
+| [kms\_key](#output\_kms\_key) | AWS KMS Key |
+
\ No newline at end of file
diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/main.tf b/modules/onboard-aws-rds-aurora-mysql-kinesis/main.tf
new file mode 100644
index 0000000..f3def54
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/main.tf
@@ -0,0 +1,87 @@
+module "aurora-mysql-cluster" {
+ source = "../aws-rds-cluster"
+
+ apply_immediately = var.cluster_apply_immediately
+ backup_retention = var.cluster_backup_retention
+ cluster_id = var.cluster_id
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ db_engine = "aurora-mysql"
+ db_engine_version = var.cluster_db_engine_version
+ db_master_password = var.cluster_db_master_password
+ db_master_username = var.cluster_db_master_username
+ db_port = var.cluster_db_port
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ final_snapshot = var.cluster_final_snapshot
+ maintenance_schedule = var.cluster_maintenance_schedule
+ network_type = var.cluster_network_type
+ parameter_group_name = var.cluster_parameter_group_name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+}
+
+module "aurora-mysql-instance" {
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.instance_apply_immediately
+ cluster_id = module.aurora-mysql-cluster.this.cluster_identifier
+ db_engine = "aurora-mysql"
+ db_instance_class = var.db_instance_class
+ db_subnet_group_name = module.aurora-mysql-cluster.this.db_subnet_group_name
+ identifier = var.instance_identifier
+ maintenance_schedule = var.instance_maintenance_schedule
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aws-kms-key" {
+ source = "../aws-kms-key"
+
+ custom_master_key_spec = var.key_custom_master_key_spec
+ deletion_window_in_days = var.key_deletion_window_in_days
+ description = var.key_description
+ is_enabled = var.key_is_enabled
+ key_usage = var.key_usage
+ multi_region = var.key_multi_region
+ tags = var.key_tags
+}
+
+module "aurora-mysql-cluster-activity-stream" {
+ source = "../aws-rds-cluster-activity-stream"
+
+ engine_native_audit_fields_included = false
+ kms_key_id = module.aws-kms-key.this.arn
+ mode = var.stream_mode
+ resource_arn = 
module.aurora-mysql-cluster.this.arn
+}
+
+module "aws-rds-aurora-mysql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-mysql-cluster"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-cluster.this.cluster_identifier
+ asset_id = module.aurora-mysql-cluster.this.arn
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ parent_asset_id = var.aws_aurora_mysql_cluster_parent_asset_id
+ region = var.aws_aurora_mysql_cluster_region
+ server_host_name = module.aurora-mysql-cluster.this.endpoint
+ server_port = module.aurora-mysql-cluster.this.port
+}
+
+# Collect region and account info for kinesis asset_id
+data "aws_region" "current" {}
+data "aws_arn" "aurora_mysql_cluster" {
+ arn = module.aurora-mysql-cluster.this.arn
+}
+
+module "aws-kinesis-asset" {
+ source = "../dsfhub-aws-kinesis"
+
+ admin_email = var.aws_kinesis_admin_email
+ asset_display_name = "AWS Kinesis - ${module.aurora-mysql-cluster-activity-stream.this.kinesis_stream_name}"
+ asset_id = "arn:aws:kinesis:${data.aws_region.current.name}:${data.aws_arn.aurora_mysql_cluster.account}:stream/${module.aurora-mysql-cluster-activity-stream.this.kinesis_stream_name}"
+ audit_pull_enabled = var.aws_kinesis_audit_pull_enabled
+ audit_type = "KINESIS"
+ gateway_id = var.aws_kinesis_gateway_id
+ parent_asset_id = module.aws-rds-aurora-mysql-cluster-asset.this.asset_id
+ reason = var.aws_kinesis_reason
+ region = var.aws_kinesis_region
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/outputs.tf b/modules/onboard-aws-rds-aurora-mysql-kinesis/outputs.tf
new file mode 100644
index 0000000..d3fcba7
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/outputs.tf
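Review bot: The Kinesis `asset_id` in `module "aws-kinesis-asset"` hardcodes the `aws` partition, so the constructed ARN is wrong for clusters in the GovCloud or China partitions even though `data.aws_arn.aurora_mysql_cluster` already exposes it; use `asset_id = "arn:${data.aws_arn.aurora_mysql_cluster.partition}:kinesis:${data.aws_arn.aurora_mysql_cluster.region}:${data.aws_arn.aurora_mysql_cluster.account}:stream/${module.aurora-mysql-cluster-activity-stream.this.kinesis_stream_name}"`. Taking the region from the parsed cluster ARN keeps every ARN component sourced from the cluster the stream belongs to and lets `data "aws_region" "current"` be dropped. `engine_native_audit_fields_included = false` in the activity-stream module is a fixed choice with no input variable or comment; a one-line comment stating why native audit fields are excluded would help operators who expect them in the stream.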
@@ -0,0 +1,29 @@
+output "cluster" {
+ description = "Aurora MySQL Cluster"
+ value = module.aurora-mysql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora MySQL Cluster instance"
+ value = module.aurora-mysql-instance.this
+}
+
+output "kms_key" {
+ description = "AWS KMS Key"
+ value = module.aws-kms-key.this
+}
+
+output "activity_stream" {
+ description = "Aurora MySQL kinesis activity stream"
+ value = module.aurora-mysql-cluster-activity-stream.this
+}
+
+output "aws_rds_aurora_mysql_cluster_asset" {
+ description = "Aurora MySQL cluster asset"
+ value = module.aws-rds-aurora-mysql-cluster-asset.this
+}
+
+output "aws_kinesis_asset" {
+ description = "AWS Kinesis stream asset"
+ value = module.aws-kinesis-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf b/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf
new file mode 100644
index 0000000..4060872
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf
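Review bot: `output "cluster"` exports the whole `module.aurora-mysql-cluster.this` object, which carries the cluster's `master_password` (the slowquery main.tf in this same commit reads exactly that attribute from it), yet the output is not marked sensitive; add `sensitive = true` to it. Because the provider marks `master_password` as sensitive, Terraform 0.15+ rejects an unmarked output that refers to it, and even with the flag the value is still written to state, so the state backend has to be treated as holding the DB credential. The same applies to `output "cluster"` and `output "aws_rds_aurora_mysql_cluster_asset"` in the slowquery outputs.tf hunk, the latter because that asset is created with `username`/`password` taken from the cluster.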
@@ -0,0 +1,228 @@
+variable "aws_aurora_mysql_cluster_admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "aws_aurora_mysql_cluster_parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+}
+
+variable "aws_aurora_mysql_cluster_region" {
+ description = "AWS region containing the cluster."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "aws_kinesis_admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "aws_kinesis_audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = false
+}
+
+variable "aws_kinesis_gateway_id" {
+ description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'."
+ type = string
+}
+
+variable "aws_kinesis_reason" {
+ description = "Used to differentiate connections that belong to the same asset"
+ type = string
+ default = "default"
+}
+
+variable "aws_kinesis_region" {
+ description = "AWS region of the kinesis stream"
+ type = string
+ default = null
+}
+
+variable "cluster_db_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_db_engine_version" {
+ description = "Database engine version, i.e. 8.0.mysql_aurora.3.05.1"
+ type = string
+ default = null
+}
+
+variable "cluster_id" {
+ description = "The name of the Aurora MySQL cluster"
+ type = string
+}
+
+variable "cluster_backup_retention" {
+ description = "Days to retain backups for, Default is 1 day." 
+ type = number
+ default = null
+}
+
+variable "cluster_db_master_username" {
+ description = "Username for the master DB user, must not use rdsadmin as that is reserved."
+ type = string
+}
+
+variable "cluster_db_master_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+ type = string
+}
+
+variable "cluster_network_type" {
+ description = " Network type of the cluster. Valid values: IPV4, DUAL"
+ type = string
+ default = null
+}
+
+variable "cluster_db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "cluster_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+ type = bool
+ default = null
+}
+
+variable "cluster_db_port" {
+ description = "Port on which the DB accepts connections."
+ type = number
+ default = null
+}
+
+variable "cluster_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. 
Default is true"
+ type = bool
+ default = null
+}
+
+variable "cluster_parameter_group_name" {
+ description = "Cluster parameter group associated with the cluster"
+ type = string
+ default = null
+}
+
+variable "instance_identifier" {
+ description = "The name of the aurora mysql cluster instance"
+ type = string
+}
+
+variable "instance_publicly_accessible" {
+ description = "If instance is publicly accessible. Default false"
+ type = bool
+ default = null
+}
+
+variable "db_instance_class" {
+ description = "The instance type of the RDS cluster. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes."
+ type = string
+ default = "db.r5.large"
+ validation {
+ # Class must be one of supported for database activity streams
+ condition = (
+ can(regex("^db.r7g.*large$", var.db_instance_class)) ||
+ can(regex("^db.r6g.*large$", var.db_instance_class)) ||
+ can(regex("^db.r6i.*large$", var.db_instance_class)) ||
+ can(regex("^db.r5.*large$", var.db_instance_class)) ||
+ can(regex("^db.x2g.*$", var.db_instance_class))
+ )
+ error_message = "Invalid instance class for database activity streams. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes."
+ }
+}
+
+variable "instance_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "instance_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. 
Default is true"
+ type = bool
+ default = true
+}
+
+variable "instance_minor_version_upgrade" {
+ description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+ type = bool
+ default = null
+}
+
+variable "key_custom_master_key_spec" {
+ description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1."
+ type = string
+ default = "SYMMETRIC_DEFAULT"
+}
+
+variable "key_deletion_window_in_days" {
+ description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive."
+ type = number
+ default = 30
+}
+
+variable "key_description" {
+ description = "The description of the key as viewed in AWS console."
+ type = string
+ default = "AWS KMS Key to encrypt Aurora MySQL Database Activity Stream."
+}
+
+variable "key_is_enabled" {
+ description = "Specifies whether the key is enabled."
+ type = bool
+ default = true
+}
+
+variable "key_usage" {
+ description = "Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, GENERATE_VERIFY_MAC."
+ type = string
+ default = "ENCRYPT_DECRYPT"
+}
+
+variable "key_multi_region" {
+ description = " Indicates whether the KMS key is a multi-Region (true) or regional (false) key."
+ type = bool
+ default = false
+}
+
+variable "key_tags" {
+ description = "A map of tags to assign to the object."
+ type = map(string)
+ default = null
+}
+
+variable "stream_mode" {
+ description = "Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. 
The database session can handle these events either synchronously or asynchronously. One of: sync, async."
+ type = string
+ default = "async"
+ validation {
+ condition = contains(["sync", "async"], var.stream_mode)
+ error_message = "Invalid value, select either 'sync' or 'async'."
+ }
+}
+
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md b/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md
new file mode 100644
index 0000000..165ae34
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md
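Review bot: `variable "cluster_db_master_password"` is declared without `sensitive = true`, so the password supplied to it is printed verbatim in `terraform plan`/`apply` output (and in any CI log that captures it) whenever the cluster resource changes; add `sensitive = true` under its `type = string`. The variable's own description already warns that it may show up in logs, and the flag is the mechanism that limits that. The same declaration appears in the slowquery variables.tf hunk further down, which starts in this chunk but runs past it. Separately, `cluster_db_enabled_cloudwatch_logs_exports` is typed `list(any)` although its description lists four string values; `list(string)` would reject malformed input at plan time.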
@@ -0,0 +1,83 @@
+# onboard-aws-rds-aurora-mysql-slowquery
+Onboard Amazon Aurora MySQL Slow query to DSF Hub.
+
+## Notes
+There is one prerequisite for using this module:
+1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups.
+
+See the corresponding example for more details.
+
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [aurora-mysql-cluster](#module\_aurora-mysql-cluster) | ../aws-rds-cluster | n/a |
+| [aurora-mysql-cluster-parameter-group](#module\_aurora-mysql-cluster-parameter-group) | ../aws-rds-cluster-parameter-group | n/a |
+| [aurora-mysql-instances](#module\_aurora-mysql-instances) | ../aws-rds-cluster-instance | n/a |
+| [aurora-mysql-log-group](#module\_aurora-mysql-log-group) | ../aws-cloudwatch-log-group | n/a |
+| [aurora-mysql-log-group-slowquery](#module\_aurora-mysql-log-group-slowquery) | ../aws-cloudwatch-log-group | n/a |
+| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a |
+| [aws-log-group-slowquery-asset](#module\_aws-log-group-slowquery-asset) | ../dsfhub-aws-log-group | n/a |
+| [aws-rds-aurora-mysql-cluster-asset](#module\_aws-rds-aurora-mysql-cluster-asset) | ../dsfhub-aws-rds-aurora-mysql-cluster | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [aws\_aurora\_mysql\_cluster\_admin\_email](#input\_aws\_aurora\_mysql\_cluster\_admin\_email) | The email address to notify about the assets. 
| `string` | `null` | no | +| [aws\_aurora\_mysql\_cluster\_gateway\_id](#input\_aws\_aurora\_mysql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | `null` | no | +| [aws\_aurora\_mysql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_mysql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | `null` | no | +| [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the instance. | `string` | n/a | yes | +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | Turn on/off auditing on the data source and log aggregator | `bool` | `false` | no | +| [aws\_log\_group\_audit\_type](#input\_aws\_log\_group\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no | +| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `true` | no | +| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `1` | no | +| [cluster\_cluster\_id](#input\_cluster\_cluster\_id) | The name of the aurora mysql cluster | `string` | n/a | yes | +| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` |
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
[| no | +| [cluster\_db\_engine](#input\_cluster\_db\_engine) | Cluster engine i.e, aurora-mysql | `string` | `"aurora-mysql"` | no | +| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, i.e. 8.0.mysql\_aurora.3.05.1 | `string` | `"8.0.mysql_aurora.3.04.1"` | no | +| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes | +| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `3306` | no | +| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `true` | no | +| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `"sun:18:00-sun:21:00"` | no | +| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. 
Valid values: IPV4, DUAL | `string` | `"IPV4"` | no | +| [cluster\_parameter\_group\_description](#input\_cluster\_parameter\_group\_description) | The description of the DB cluster parameter group. | `string` | `"RDS aurora mysql cluster parameter group"` | no | +| [cluster\_parameter\_group\_family](#input\_cluster\_parameter\_group\_family) | The family of the DB cluster parameter group. | `string` | `"aurora-mysql8.0"` | no | +| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | +| [cluster\_parameter\_group\_parameters](#input\_cluster\_parameter\_group\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
"audit",
"slowquery"
]
list(|
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
[| no | +| [cluster\_parameter\_group\_tags](#input\_cluster\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no | +| [instance\_db\_instance\_class](#input\_instance\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `"db.t3.medium"` | no | +| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes | +| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `false` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `false` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. 
| `number` | `7` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [aws\_log\_group\_asset](#output\_aws\_log\_group\_asset) | AWS log group asset |
+| [aws\_log\_group\_slowquery\_asset](#output\_aws\_log\_group\_slowquery\_asset) | AWS Slow Query log group asset |
+| [aws\_rds\_aurora\_mysql\_cluster\_asset](#output\_aws\_rds\_aurora\_mysql\_cluster\_asset) | Aurora MySQL cluster asset |
+| [cluster](#output\_cluster) | Aurora MySQL Cluster |
+| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora MySQL Cluster parameter group |
+| [instance](#output\_instance) | Aurora MySQL instance |
+| [log\_group](#output\_log\_group) | Aurora MySQL log group |
+| [log\_group\_slowquery](#output\_log\_group\_slowquery) | Aurora MySQL slow query log group |
+
\ No newline at end of file
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/main.tf b/modules/onboard-aws-rds-aurora-mysql-slowquery/main.tf
new file mode 100644
index 0000000..f1c60b7
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/main.tf
@@ -0,0 +1,104 @@
+module "aurora-mysql-cluster-parameter-group" {
+ source = "../aws-rds-cluster-parameter-group"
+
+ description = var.cluster_parameter_group_description
+ family = var.cluster_parameter_group_family
+ name = var.cluster_parameter_group_name
+ parameters = var.cluster_parameter_group_parameters
+ tags = var.cluster_parameter_group_tags
+}
+
+module "aurora-mysql-cluster" {
+ depends_on = [module.aurora-mysql-cluster-parameter-group, module.aurora-mysql-log-group]
+ source = "../aws-rds-cluster"
+
+ cluster_id = var.cluster_cluster_id
+ db_engine = var.cluster_db_engine
+ db_engine_version = var.cluster_db_engine_version
+ db_port = var.cluster_db_port
+ backup_retention = var.cluster_backup_retention
+ maintenance_schedule = var.cluster_maintenance_schedule
+ final_snapshot = var.cluster_final_snapshot
+ db_master_username = var.cluster_db_master_username
+ db_master_password = var.cluster_db_master_password
+ network_type = var.cluster_network_type
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ parameter_group_name = module.aurora-mysql-cluster-parameter-group.this.name
+ apply_immediately = var.cluster_apply_immediately
+}
+
+module "aurora-mysql-instances" {
+ depends_on = [module.aurora-mysql-cluster]
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.cluster_apply_immediately
+ cluster_id = module.aurora-mysql-cluster.this.cluster_identifier
+ db_engine = module.aurora-mysql-cluster.this.engine
+ db_subnet_group_name = module.aurora-mysql-cluster.this.db_subnet_group_name
+ db_instance_class = var.instance_db_instance_class
+ identifier = var.instance_identifier
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ maintenance_schedule = var.cluster_maintenance_schedule
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module 
"aurora-mysql-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/cluster/${var.cluster_cluster_id}/audit"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "aurora-mysql-log-group-slowquery" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/cluster/${var.cluster_cluster_id}/slowquery"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+
+module "aws-rds-aurora-mysql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-mysql-cluster"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-cluster.this.id
+ asset_id = module.aurora-mysql-cluster.this.arn
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ server_host_name = module.aurora-mysql-cluster.this.endpoint
+ parent_asset_id = var.aws_aurora_mysql_cluster_parent_asset_id
+ region = var.aws_aurora_mysql_cluster_region
+ server_port = module.aurora-mysql-cluster.this.port
+ username = module.aurora-mysql-cluster.this.master_username
+ password = module.aurora-mysql-cluster.this.master_password
+}
+
+module "aws-log-group-asset" {
+ depends_on = [module.aws-rds-aurora-mysql-cluster-asset]
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-log-group.this.id
+ asset_id = "${module.aurora-mysql-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ parent_asset_id = module.aws-rds-aurora-mysql-cluster-asset.this.asset_id
+ audit_type = var.aws_log_group_audit_type
+ region = var.aws_aurora_mysql_cluster_region
+}
+
+module "aws-log-group-slowquery-asset" {
+ depends_on = [module.aws-rds-aurora-mysql-cluster-asset, module.aws-log-group-asset]
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-log-group-slowquery.this.id
+ asset_id = 
"${module.aurora-mysql-log-group-slowquery.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ parent_asset_id = module.aws-rds-aurora-mysql-cluster-asset.this.asset_id
+ audit_type = "AWS_RDS_AURORA_MYSQL_SLOW"
+ region = var.aws_aurora_mysql_cluster_region
+}
+
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf b/modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf
new file mode 100644
index 0000000..e477eda
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf
@@ -0,0 +1,39 @@
+output "cluster_parameter_group" {
+ description = "Aurora MySQL Cluster parameter group"
+ value = module.aurora-mysql-cluster-parameter-group.this
+}
+
+output "cluster" {
+ description = "Aurora MySQL Cluster"
+ value = module.aurora-mysql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora MySQL instance"
+ value = module.aurora-mysql-instances.this
+}
+
+output "log_group" {
+ description = "Aurora MySQL log group"
+ value = module.aurora-mysql-log-group.this
+}
+
+output "log_group_slowquery" {
+ description = "Aurora MySQL slow query log group"
+ value = module.aurora-mysql-log-group-slowquery.this
+}
+
+output "aws_rds_aurora_mysql_cluster_asset" {
+ description = "Aurora MySQL cluster asset"
+ value = module.aws-rds-aurora-mysql-cluster-asset.this
+}
+
+output "aws_log_group_asset" {
+ description = "AWS log group asset"
+ value = module.aws-log-group-asset.this
+}
+
+output "aws_log_group_slowquery_asset" {
+ description = "AWS Slow Query log group asset"
+ value = module.aws-log-group-slowquery-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf b/modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf
new file mode 100644
index 0000000..8930ca3
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf
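Review bot: `module "aurora-mysql-instances"` silently reuses the cluster-level inputs `var.cluster_apply_immediately` and `var.cluster_maintenance_schedule` for the instance, whereas the kinesis onboarding module in this same commit exposes separate `instance_apply_immediately` and `instance_maintenance_schedule` inputs; either add the same two variables here or state in those variables' descriptions that they also govern the instance. The `depends_on` on `module "aurora-mysql-cluster"` deserves a why-comment, since the parameter-group entry is already implied by the `parameter_group_name` reference and the log-group entry is presumably there so that `/aws/rds/cluster/${var.cluster_cluster_id}/audit` exists with the configured retention before RDS starts exporting to it, e.g. `# audit log group must exist first so the configured retention applies; RDS auto-creates it with no expiry otherwise`. `module "aws-rds-aurora-mysql-cluster-asset"` hands the cluster's master `username`/`password` to the DSF asset; if the hub only needs a read-only connection, a dedicated least-privilege DB user for the asset would keep the master credential out of the hub, and a comment explaining why the master user is required would help otherwise.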
@@ -0,0 +1,211 @@
+# Cluster Parameter group variables
+variable "cluster_parameter_group_name" {
+ description = "The name of the DB cluster parameter group"
+ type = string
+}
+
+variable "cluster_parameter_group_family" {
+ description = "The family of the DB cluster parameter group."
+ type = string
+ default = "aurora-mysql8.0"
+}
+
+variable "cluster_parameter_group_description" {
+ description = "The description of the DB cluster parameter group."
+ type = string
+ default = "RDS aurora mysql cluster parameter group"
+}
+
+variable "cluster_parameter_group_parameters" {
+ description = "List of objects containing parameters for the DB cluster parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+ default = [
+ {
+ name = "server_audit_logging"
+ value = 1
+ },
+ {
+ name = "server_audit_excl_users"
+ value = "rdsadmin"
+ },
+ {
+ name = "server_audit_events"
+ value = "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
+ },
+ {
+ name = "slow_query_log"
+ value = 1
+ },
+ {
+ name = "long_query_time"
+ value = 0
+ },
+ {
+ name = "log_slow_admin_statements"
+ value = 1
+ }
+ ]
+}
+
+variable "cluster_parameter_group_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+# Aurora MySQL Cluster variables
+variable "cluster_db_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+ type = list(any)
+ default = ["audit", "slowquery"]
+}
+
+variable "cluster_db_engine" {
+ description = "Cluster engine i.e, aurora-mysql"
+ type = string
+ default = "aurora-mysql"
+}
+
+variable "cluster_db_engine_version" {
+ description = "Database engine version, i.e. 
8.0.mysql_aurora.3.05.1"
+ type = string
+ default = "8.0.mysql_aurora.3.04.1"
+}
+
+variable "cluster_cluster_id" {
+ description = "The name of the aurora mysql cluster"
+ type = string
+}
+
+variable "cluster_backup_retention" {
+ description = "Days to retain backups for, Default is 1 day."
+ type = number
+ default = 1
+}
+
+variable "cluster_db_master_username" {
+ description = "Username for the master DB user, must not use rdsadmin as that is reserved."
+ type = string
+}
+
+variable "cluster_db_master_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+ type = string
+}
+
+variable "cluster_network_type" {
+ description = " Network type of the cluster. Valid values: IPV4, DUAL"
+ type = string
+ default = "IPV4"
+}
+
+variable "cluster_db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = "sun:18:00-sun:21:00"
+}
+
+variable "cluster_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+ type = bool
+ default = true
+}
+variable "cluster_db_port" {
+ description = "Port on which the DB accepts connections." 
+ type = number
+ default = 3306
+}
+variable "cluster_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = true
+}
+
+# Aurora MySQL Instance variables
+variable "instance_identifier" {
+ description = "The name of the aurora mysql cluster instance"
+ type = string
+}
+
+variable "instance_db_instance_class" {
+ description = "The instance type of the RDS cluster. Example: 'db.t3.micro'"
+ type = string
+ default = "db.t3.medium"
+}
+
+variable "instance_minor_version_upgrade" {
+ description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+ type = bool
+ default = false
+}
+
+variable "instance_publicly_accessible" {
+ description = "If instance is publicly accessible. Default false"
+ type = bool
+ default = false
+}
+
+# AWS CloudWatch variables
+variable "log_group_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire."
+ type = number
+ default = 7
+}
+
+# DSFHUB asset variables
+variable "aws_aurora_mysql_cluster_admin_email" {
+ description = "The email address to notify about the assets."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_region" {
+ description = "AWS region containing the instance." 
+ type = string
+}
+
+variable "aws_log_group_audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = "LOG_GROUP"
+ validation {
+ condition = contains(["AGGREGATED", "LOG_GROUP"], var.aws_log_group_audit_type)
+ error_message = "Invalid Value. Select from LOG_GROUP or AGGREGATED."
+ }
+}
+
+variable "aws_log_group_audit_pull_enabled" {
+ description = "Turn on/off auditing on the data source and log aggregator"
+ type = bool
+ default = false
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql/README.md b/modules/onboard-aws-rds-aurora-mysql/README.md
new file mode 100644
index 0000000..198dae5
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql/README.md
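Review bot: `variable "cluster_db_master_password"` is declared as a plain `string` with no `sensitive = true`, so its value is printed in plan and apply output and in any module-call diff; the description itself warns it may show up in logs, which is exactly why the flag belongs there. Suggest adding `sensitive = true` inside that block. Two smaller mismatches in the same hunk: the `cluster_final_snapshot` description ends with "Default is false" while the block sets `default = true`, and `cluster_db_master_username` says rdsadmin must not be used but has no `validation` block enforcing `var.cluster_db_master_username != "rdsadmin"`, so the reserved name is only rejected at apply time by RDS. The same three points apply to modules/onboard-aws-rds-aurora-mysql/variables.tf later in this diff.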
@@ -0,0 +1,79 @@
+# onboard-aws-rds-aurora-mysql
+Onboard Amazon Aurora MySQL to DSF Hub.
+
+## Notes
+There is one prerequisite for using this module:
+1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups.
+
+See the corresponding example for more details.
+
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [aurora-mysql-cluster](#module\_aurora-mysql-cluster) | ../aws-rds-cluster | n/a |
+| [aurora-mysql-cluster-parameter-group](#module\_aurora-mysql-cluster-parameter-group) | ../aws-rds-cluster-parameter-group | n/a |
+| [aurora-mysql-instances](#module\_aurora-mysql-instances) | ../aws-rds-cluster-instance | n/a |
+| [aurora-mysql-log-group](#module\_aurora-mysql-log-group) | ../aws-cloudwatch-log-group | n/a |
+| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a |
+| [aws-rds-aurora-mysql-cluster-asset](#module\_aws-rds-aurora-mysql-cluster-asset) | ../dsfhub-aws-rds-aurora-mysql-cluster | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [aws\_aurora\_mysql\_cluster\_admin\_email](#input\_aws\_aurora\_mysql\_cluster\_admin\_email) | The email address to notify about the assets. | `string` | `null` | no |
+| [aws\_aurora\_mysql\_cluster\_gateway\_id](#input\_aws\_aurora\_mysql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | `null` | no |
+| [aws\_aurora\_mysql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_mysql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | `null` | no |
+| [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the instance. 
| `string` | n/a | yes |
+| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | Turn on/off auditing on the data source and log aggregator | `bool` | `false` | no |
+| [aws\_log\_group\_audit\_type](#input\_aws\_log\_group\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no |
+| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `true` | no |
+| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `1` | no |
+| [cluster\_cluster\_id](#input\_cluster\_cluster\_id) | The name of the aurora mysql cluster | `string` | n/a | yes |
+| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` |
{
"name": "server_audit_logging",
"value": 1
},
{
"name": "server_audit_excl_users",
"value": "rdsadmin"
},
{
"name": "server_audit_events",
"value": "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
},
{
"name": "slow_query_log",
"value": 1
},
{
"name": "long_query_time",
"value": 0
},
{
"name": "log_slow_admin_statements",
"value": 1
}
]
[| no |
+| [cluster\_db\_engine](#input\_cluster\_db\_engine) | Cluster engine i.e, aurora-mysql | `string` | `"aurora-mysql"` | no |
+| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, i.e. 8.0.mysql\_aurora.3.05.1 | `string` | `"8.0.mysql_aurora.3.04.1"` | no |
+| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes |
+| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes |
+| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `3306` | no |
+| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no |
+| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `true` | no |
+| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `"sun:18:00-sun:21:00"` | no |
+| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. 
Valid values: IPV4, DUAL | `string` | `"IPV4"` | no |
+| [cluster\_parameter\_group\_description](#input\_cluster\_parameter\_group\_description) | The description of the DB cluster parameter group. | `string` | `"RDS aurora mysql cluster parameter group"` | no |
+| [cluster\_parameter\_group\_family](#input\_cluster\_parameter\_group\_family) | The family of the DB cluster parameter group. | `string` | `"aurora-mysql8.0"` | no |
+| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes |
+| [cluster\_parameter\_group\_parameters](#input\_cluster\_parameter\_group\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
"audit"
]
list(|
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
[| no |
+| [cluster\_parameter\_group\_tags](#input\_cluster\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
+| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no |
+| [instance\_db\_instance\_class](#input\_instance\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `"db.t3.medium"` | no |
+| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes |
+| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `false` | no |
+| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `false` | no |
+| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [aws\_log\_group\_asset](#output\_aws\_log\_group\_asset) | AWS log group asset |
+| [aws\_rds\_aurora\_mysql\_cluster\_asset](#output\_aws\_rds\_aurora\_mysql\_cluster\_asset) | Aurora MySQL cluster asset |
+| [cluster](#output\_cluster) | Aurora MySQL Cluster |
+| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora MySQL Cluster parameter group |
+| [instance](#output\_instance) | Aurora MySQL instance |
+| [log\_group](#output\_log\_group) | Aurora MySQL log group |
+
\ No newline at end of file
diff --git a/modules/onboard-aws-rds-aurora-mysql/main.tf b/modules/onboard-aws-rds-aurora-mysql/main.tf
new file mode 100644
index 0000000..af57602
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql/main.tf
@@ -0,0 +1,82 @@
+module "aurora-mysql-cluster-parameter-group" {
+ source = "../aws-rds-cluster-parameter-group"
+
+ description = var.cluster_parameter_group_description
+ family = var.cluster_parameter_group_family
+ name = var.cluster_parameter_group_name
+ parameters = var.cluster_parameter_group_parameters
+ tags = var.cluster_parameter_group_tags
+}
+
+module "aurora-mysql-cluster" {
+ depends_on = [module.aurora-mysql-cluster-parameter-group, module.aurora-mysql-log-group]
+ source = "../aws-rds-cluster"
+
+ cluster_id = var.cluster_cluster_id
+ db_engine = "aurora-mysql"
+ db_engine_version = var.cluster_db_engine_version
+ db_port = var.cluster_db_port
+ backup_retention = var.cluster_backup_retention
+ maintenance_schedule = var.cluster_maintenance_schedule
+ final_snapshot = var.cluster_final_snapshot
+ db_master_username = var.cluster_db_master_username
+ db_master_password = var.cluster_db_master_password
+ network_type = var.cluster_network_type
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ parameter_group_name = module.aurora-mysql-cluster-parameter-group.this.name
+ apply_immediately = var.cluster_apply_immediately
+}
+
+module "aurora-mysql-instances" {
+ depends_on = [module.aurora-mysql-cluster]
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.cluster_apply_immediately
+ cluster_id = module.aurora-mysql-cluster.this.cluster_identifier
+ db_engine = module.aurora-mysql-cluster.this.engine
+ db_instance_class = var.instance_db_instance_class
+ db_subnet_group_name = module.aurora-mysql-cluster.this.db_subnet_group_name
+ identifier = var.instance_identifier
+ maintenance_schedule = var.cluster_maintenance_schedule
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aurora-mysql-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/cluster/${var.cluster_cluster_id}/audit"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "aws-rds-aurora-mysql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-mysql-cluster"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-cluster.this.id
+ asset_id = module.aurora-mysql-cluster.this.arn
+ auth_mechanism = "password"
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ server_host_name = module.aurora-mysql-cluster.this.endpoint
+ parent_asset_id = var.aws_aurora_mysql_cluster_parent_asset_id
+ region = var.aws_aurora_mysql_cluster_region
+ server_port = module.aurora-mysql-cluster.this.port
+ username = module.aurora-mysql-cluster.this.master_username
+ password = module.aurora-mysql-cluster.this.master_password
+}
+
+module "aws-log-group-asset" {
+ depends_on = [module.aws-rds-aurora-mysql-cluster-asset]
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-log-group.this.id
+ asset_id = "${module.aurora-mysql-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ parent_asset_id = module.aws-rds-aurora-mysql-cluster-asset.this.asset_id
+ audit_type = var.aws_log_group_audit_type
+ region = var.aws_aurora_mysql_cluster_region
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql/outputs.tf b/modules/onboard-aws-rds-aurora-mysql/outputs.tf
new file mode 100644
index 0000000..a197da2
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql/outputs.tf
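Review bot: `module "aurora-mysql-cluster"` hard-codes `db_engine = "aurora-mysql"` even though this module declares `variable "cluster_db_engine"` (default "aurora-mysql") in its variables.tf later in the diff, so a caller who sets that input silently gets no effect; either wire it through with `db_engine = var.cluster_db_engine` or drop the variable and its README row. I'd also note that `module "aws-rds-aurora-mysql-cluster-asset"` here passes `auth_mechanism = "password"` while the slowquery variant of this module earlier in the diff omits that argument; unless the child module defaults it, the two onboarding paths will register the cluster asset differently, which is worth confirming. The `depends_on` on `module.aurora-mysql-log-group` is a good call, since it guarantees the log group exists with the configured retention before RDS would otherwise auto-create it with no expiry.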
@@ -0,0 +1,29 @@
+output "cluster_parameter_group" {
+ description = "Aurora MySQL Cluster parameter group"
+ value = module.aurora-mysql-cluster-parameter-group.this
+}
+
+output "cluster" {
+ description = "Aurora MySQL Cluster"
+ value = module.aurora-mysql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora MySQL instance"
+ value = module.aurora-mysql-instances.this
+}
+
+output "log_group" {
+ description = "Aurora MySQL log group"
+ value = module.aurora-mysql-log-group.this
+}
+
+output "aws_rds_aurora_mysql_cluster_asset" {
+ description = "Aurora MySQL cluster asset"
+ value = module.aws-rds-aurora-mysql-cluster-asset.this
+}
+
+output "aws_log_group_asset" {
+ description = "AWS log group asset"
+ value = module.aws-log-group-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql/variables.tf b/modules/onboard-aws-rds-aurora-mysql/variables.tf
new file mode 100644
index 0000000..df5dc67
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql/variables.tf
@@ -0,0 +1,201 @@
+# Cluster Parameter group variables
+variable "cluster_parameter_group_name" {
+ description = "The name of the DB cluster parameter group"
+ type = string
+}
+
+variable "cluster_parameter_group_family" {
+ description = "The family of the DB cluster parameter group."
+ type = string
+ default = "aurora-mysql8.0"
+}
+
+variable "cluster_parameter_group_description" {
+ description = "The description of the DB cluster parameter group."
+ type = string
+ default = "RDS aurora mysql cluster parameter group"
+}
+
+variable "cluster_parameter_group_parameters" {
+ description = "List of objects containing parameters for the DB cluster parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+ default = [
+ {
+ name = "server_audit_logging"
+ value = 1
+ },
+ {
+ name = "server_audit_excl_users"
+ value = "rdsadmin"
+ },
+ {
+ name = "server_audit_events"
+ value = "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
+ }
+ ]
+}
+
+variable "cluster_parameter_group_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+# Aurora MySQL Cluster variables
+variable "cluster_db_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+ type = list(any)
+ default = ["audit"]
+}
+
+variable "cluster_db_engine" {
+ description = "Cluster engine i.e, aurora-mysql"
+ type = string
+ default = "aurora-mysql"
+}
+
+variable "cluster_db_engine_version" {
+ description = "Database engine version, i.e. 8.0.mysql_aurora.3.05.1"
+ type = string
+ default = "8.0.mysql_aurora.3.04.1"
+}
+
+variable "cluster_cluster_id" {
+ description = "The name of the aurora mysql cluster"
+ type = string
+}
+
+variable "cluster_backup_retention" {
+ description = "Days to retain backups for, Default is 1 day." 
+ type = number
+ default = 1
+}
+
+variable "cluster_db_master_username" {
+ description = "Username for the master DB user, must not use rdsadmin as that is reserved."
+ type = string
+}
+
+variable "cluster_db_master_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+ type = string
+}
+
+variable "cluster_network_type" {
+ description = " Network type of the cluster. Valid values: IPV4, DUAL"
+ type = string
+ default = "IPV4"
+}
+
+variable "cluster_db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = "sun:18:00-sun:21:00"
+}
+
+variable "cluster_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+ type = bool
+ default = true
+}
+
+variable "cluster_db_port" {
+ description = "Port on which the DB accepts connections."
+ type = number
+ default = 3306
+}
+
+variable "cluster_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. 
Default is true"
+ type = bool
+ default = true
+}
+
+# Aurora MySQL Instance variables
+variable "instance_identifier" {
+ description = "The name of the aurora mysql cluster instance"
+ type = string
+}
+
+variable "instance_db_instance_class" {
+ description = "The instance type of the RDS cluster. Example: 'db.t3.micro'"
+ type = string
+ default = "db.t3.medium"
+}
+
+variable "instance_minor_version_upgrade" {
+ description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+ type = bool
+ default = false
+}
+
+variable "instance_publicly_accessible" {
+ description = "If instance is publicly accessible. Default false"
+ type = bool
+ default = false
+}
+
+# AWS CloudWatch variables
+variable "log_group_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire."
+ type = number
+ default = 7
+}
+
+# DSFHUB asset variables
+variable "aws_aurora_mysql_cluster_admin_email" {
+ description = "The email address to notify about the assets."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_region" {
+ description = "AWS region containing the instance." 
+ type = string
+}
+
+variable "aws_log_group_audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = "LOG_GROUP"
+ validation {
+ condition = contains(["AGGREGATED", "LOG_GROUP"], var.aws_log_group_audit_type)
+ error_message = "Invalid Value. Select from LOG_GROUP or AGGREGATED."
+ }
+}
+
+variable "aws_log_group_audit_pull_enabled" {
+ description = "Turn on/off auditing on the data source and log aggregator"
+ type = bool
+ default = false
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md b/modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md
new file mode 100644
index 0000000..6bd1be6
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md
@@ -0,0 +1,93 @@
+# onboard-aws-rds-aurora-postgresql-kinesis
+Onboard Amazon Aurora PostgreSQL to DSF Hub using a kinesis stream.
+
+## Notes
+There is one prerequisite for using this module:
+1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from Kinesis streams.
+
+See the corresponding example for more details.
+
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [aurora-postgresql-cluster](#module\_aurora-postgresql-cluster) | ../aws-rds-cluster | n/a |
+| [aurora-postgresql-cluster-activity-stream](#module\_aurora-postgresql-cluster-activity-stream) | ../aws-rds-cluster-activity-stream | n/a |
+| [aurora-postgresql-instance](#module\_aurora-postgresql-instance) | ../aws-rds-cluster-instance | n/a |
+| [aws-kinesis-asset](#module\_aws-kinesis-asset) | ../dsfhub-aws-kinesis | n/a |
+| [aws-kms-key](#module\_aws-kms-key) | ../aws-kms-key | n/a |
+| [aws-rds-aurora-postgresql-cluster-asset](#module\_aws-rds-aurora-postgresql-cluster-asset) | ../dsfhub-aws-rds-aurora-postgresql-cluster | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.aurora_postgresql_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [aws\_aurora\_postgresql\_cluster\_admin\_email](#input\_aws\_aurora\_postgresql\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [aws\_aurora\_postgresql\_cluster\_audit\_type](#input\_aws\_aurora\_postgresql\_cluster\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems 
supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"KINESIS"` | no |
+| [aws\_aurora\_postgresql\_cluster\_gateway\_id](#input\_aws\_aurora\_postgresql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [aws\_aurora\_postgresql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_postgresql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes |
+| [aws\_aurora\_postgresql\_cluster\_region](#input\_aws\_aurora\_postgresql\_cluster\_region) | AWS region containing the cluster. | `string` | `null` | no |
+| [aws\_kinesis\_admin\_email](#input\_aws\_kinesis\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes |
+| [aws\_kinesis\_audit\_pull\_enabled](#input\_aws\_kinesis\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no |
+| [aws\_kinesis\_gateway\_id](#input\_aws\_kinesis\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes |
+| [aws\_kinesis\_reason](#input\_aws\_kinesis\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no |
+| [aws\_kinesis\_region](#input\_aws\_kinesis\_region) | AWS region of the kinesis stream | `string` | `null` | no |
+| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no |
+| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. 
| `number` | `null` | no |
+| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` | `null` | no |
+| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, e.g., 16.1 | `string` | `"16.1"` | no |
+| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes |
+| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user. | `string` | n/a | yes |
+| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no |
+| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no |
+| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `null` | no |
+| [cluster\_id](#input\_cluster\_id) | The name of the Aurora PostgreSQL cluster | `string` | n/a | yes |
+| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no |
+| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. 
Valid values: IPV4, DUAL | `string` | `null` | no |
+| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | Cluster parameter group associated with the cluster | `string` | `null` | no |
+| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no |
+| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no |
+| [instance\_class](#input\_instance\_class) | The instance type of the RDS cluster. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes. | `string` | `"db.r5.large"` | no |
+| [instance\_db\_subnet\_group\_name](#input\_instance\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no |
+| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes |
+| [instance\_maintenance\_schedule](#input\_instance\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no |
+| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no |
+| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. 
Default false | `bool` | `null` | no | +| [key\_custom\_master\_key\_spec](#input\_key\_custom\_master\_key\_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC\_DEFAULT, RSA\_2048, RSA\_3072, RSA\_4096, HMAC\_256, ECC\_NIST\_P256, ECC\_NIST\_P384, ECC\_NIST\_P521, or ECC\_SECG\_P256K1. | `string` | `"SYMMETRIC_DEFAULT"` | no | +| [key\_deletion\_window\_in\_days](#input\_key\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. | `number` | `30` | no | +| [key\_description](#input\_key\_description) | The description of the key as viewed in AWS console. | `string` | `"AWS KMS Key to encrypt Aurora PostgreSQL Database Activity Stream."` | no | +| [key\_is\_enabled](#input\_key\_is\_enabled) | Specifies whether the key is enabled. | `bool` | `true` | no | +| [key\_multi\_region](#input\_key\_multi\_region) | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. | `bool` | `false` | no | +| [key\_tags](#input\_key\_tags) | A map of tags to assign to the object. | `map(string)` | `null` | no | +| [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: ENCRYPT\_DECRYPT, SIGN\_VERIFY, GENERATE\_VERIFY\_MAC. | `string` | `"ENCRYPT_DECRYPT"` | no | +| [stream\_mode](#input\_stream\_mode) | Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async. 
| `string` | `"async"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [activity\_stream](#output\_activity\_stream) | Aurora PostgreSQL kinesis activity stream | +| [aws\_kinesis\_asset](#output\_aws\_kinesis\_asset) | AWS Kinesis stream asset | +| [aws\_rds\_aurora\_postgresql\_cluster\_asset](#output\_aws\_rds\_aurora\_postgresql\_cluster\_asset) | Aurora PostgreSQL cluster asset | +| [cluster](#output\_cluster) | Aurora PostgreSQL cluster | +| [instance](#output\_instance) | Aurora PostgreSQL instance | +| [kms\_key](#output\_kms\_key) | AWS KMS Key | + \ No newline at end of file diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf b/modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf new file mode 100644 index 0000000..2878a38 --- /dev/null +++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf 
@@ -0,0 +1,87 @@
+module "aurora-postgresql-cluster" {
+ source = "../aws-rds-cluster"
+
+ apply_immediately = var.cluster_apply_immediately
+ backup_retention = var.cluster_backup_retention
+ cluster_id = var.cluster_id
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ db_engine = "aurora-postgresql"
+ db_engine_version = var.cluster_db_engine_version
+ db_master_password = var.cluster_db_master_password
+ db_master_username = var.cluster_db_master_username
+ db_port = var.cluster_db_port
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ final_snapshot = var.cluster_final_snapshot
+ maintenance_schedule = var.cluster_maintenance_schedule
+ network_type = var.cluster_network_type
+ parameter_group_name = var.cluster_parameter_group_name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+}
+
+module "aurora-postgresql-instance" {
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.instance_apply_immediately
+ cluster_id = module.aurora-postgresql-cluster.this.cluster_identifier
+ db_engine = module.aurora-postgresql-cluster.this.engine
+ db_instance_class = var.instance_class
+ db_subnet_group_name = module.aurora-postgresql-cluster.this.db_subnet_group_name
+ identifier = var.instance_identifier
+ maintenance_schedule = var.instance_maintenance_schedule
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aws-kms-key" {
+ source = "../aws-kms-key"
+
+ custom_master_key_spec = var.key_custom_master_key_spec
+ deletion_window_in_days = var.key_deletion_window_in_days
+ description = var.key_description
+ is_enabled = var.key_is_enabled
+ key_usage = var.key_usage
+ multi_region = var.key_multi_region
+ tags = var.key_tags
+}
+
+module "aurora-postgresql-cluster-activity-stream" {
+ source = "../aws-rds-cluster-activity-stream"
+
+ engine_native_audit_fields_included = false
+ kms_key_id = module.aws-kms-key.this.arn
+ mode = var.stream_mode
+ resource_arn = module.aurora-postgresql-cluster.this.arn
+}
+
+module "aws-rds-aurora-postgresql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-postgresql-cluster"
+
+ admin_email = var.aws_aurora_postgresql_cluster_admin_email
+ asset_display_name = module.aurora-postgresql-cluster.this.id
+ asset_id = module.aurora-postgresql-cluster.this.arn
+ audit_type = var.aws_aurora_postgresql_cluster_audit_type
+ gateway_id = var.aws_aurora_postgresql_cluster_gateway_id
+ parent_asset_id = var.aws_aurora_postgresql_cluster_parent_asset_id
+ region = var.aws_aurora_postgresql_cluster_region
+ server_host_name = module.aurora-postgresql-cluster.this.endpoint
+ server_port = module.aurora-postgresql-cluster.this.port
+}
+
+# Collect region and account info for kinesis asset_id
+data "aws_region" "current" {}
+data "aws_arn" "aurora_postgresql_cluster" {
+ arn = module.aurora-postgresql-cluster.this.arn
+}
+
+module "aws-kinesis-asset" {
+ source = "../dsfhub-aws-kinesis"
+
+ admin_email = var.aws_kinesis_admin_email
+ asset_display_name = "AWS Kinesis - ${module.aurora-postgresql-cluster-activity-stream.this.kinesis_stream_name}"
+ asset_id = "arn:aws:kinesis:${data.aws_region.current.name}:${data.aws_arn.aurora_postgresql_cluster.account}:stream/${module.aurora-postgresql-cluster-activity-stream.this.kinesis_stream_name}"
+ audit_pull_enabled = var.aws_kinesis_audit_pull_enabled
+ gateway_id = var.aws_kinesis_gateway_id
+ parent_asset_id = module.aws-rds-aurora-postgresql-cluster-asset.this.asset_id
+ reason = var.aws_kinesis_reason
+ region = var.aws_kinesis_region
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/outputs.tf b/modules/onboard-aws-rds-aurora-postgresql-kinesis/outputs.tf
new file mode 100644
index 0000000..30401e6
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/outputs.tf
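Review bot: The Kinesis `asset_id` built in module "aws-kinesis-asset" hard-codes the `aws` partition, so in the `aws-us-gov` or `aws-cn` partitions the onboarded asset_id will not match the real stream ARN. The `aws_arn` data source that already parses the cluster ARN exposes `partition` and `region`, so the line can become `asset_id = "arn:${data.aws_arn.aurora_postgresql_cluster.partition}:kinesis:${data.aws_arn.aurora_postgresql_cluster.region}:${data.aws_arn.aurora_postgresql_cluster.account}:stream/${module.aurora-postgresql-cluster-activity-stream.this.kinesis_stream_name}"`, which also keeps the region tied to the cluster rather than the provider default and makes `data "aws_region" "current"` unnecessary. A one-line comment above `engine_native_audit_fields_included = false` explaining why native audit fields are deliberately excluded would help, since that choice is fixed here rather than exposed as a variable like `mode` is.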
@@ -0,0 +1,29 @@
+output "cluster" {
+ description = "Aurora PostgreSQL cluster"
+ value = module.aurora-postgresql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora PostgreSQL instance"
+ value = module.aurora-postgresql-instance.this
+}
+
+output "kms_key" {
+ description = "AWS KMS Key"
+ value = module.aws-kms-key.this
+}
+
+output "activity_stream" {
+ description = "Aurora PostgreSQL kinesis activity stream"
+ value = module.aurora-postgresql-cluster-activity-stream.this
+}
+
+output "aws_rds_aurora_postgresql_cluster_asset" {
+ description = "Aurora PostgreSQL cluster asset"
+ value = module.aws-rds-aurora-postgresql-cluster-asset.this
+}
+
+output "aws_kinesis_asset" {
+ description = "AWS Kinesis stream asset"
+ value = module.aws-kinesis-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/variables.tf b/modules/onboard-aws-rds-aurora-postgresql-kinesis/variables.tf
new file mode 100644
index 0000000..fa076ed
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/variables.tf
@@ -0,0 +1,250 @@
+variable "aws_aurora_postgresql_cluster_admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "aws_aurora_postgresql_cluster_audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = "KINESIS"
+ validation {
+ condition = contains(["KINESIS", "KINESIS_AGGREGATED"], var.aws_aurora_postgresql_cluster_audit_type)
+ error_message = "Invalida audit_type. Select from \"KINESIS\", \"KINESIS_AGGREGATED\""
+ }
+}
+
+variable "aws_aurora_postgresql_cluster_parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+}
+
+variable "aws_aurora_postgresql_cluster_region" {
+ description = "AWS region containing the cluster."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_postgresql_cluster_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "aws_kinesis_admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "aws_kinesis_audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = false
+}
+
+variable "aws_kinesis_gateway_id" {
+ description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'."
+ type = string
+}
+
+variable "aws_kinesis_reason" {
+ description = "Used to differentiate connections that belong to the same asset"
+ type = string
+ default = "default"
+}
+
+variable "aws_kinesis_region" {
+ description = "AWS region of the kinesis stream"
+ type = string
+ default = null
+}
+
+variable "cluster_db_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_db_engine_version" {
+ description = "Database engine version, e.g., 16.1"
+ type = string
+ default = "16.1"
+}
+
+variable "cluster_id" {
+ description = "The name of the Aurora PostgreSQL cluster"
+ type = string
+}
+
+variable "cluster_backup_retention" {
+ description = "Days to retain backups for, Default is 1 day."
+ type = number
+ default = null
+}
+
+variable "cluster_db_master_username" {
+ description = "Username for the master DB user."
+ type = string
+ validation {
+ condition = (
+ var.cluster_db_master_username != "rdsadmin" &&
+ var.cluster_db_master_username != "admin"
+ )
+ error_message = "The aurora cluster master username must not be either \"rdsadmin\" or \"admin\". Please select another value."
+ }
+}
+
+variable "cluster_db_master_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+ type = string
+}
+
+variable "cluster_network_type" {
+ description = " Network type of the cluster. Valid values: IPV4, DUAL"
+ type = string
+ default = null
+}
+
+variable "cluster_db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "cluster_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+ type = bool
+ default = null
+}
+
+variable "cluster_db_port" {
+ description = "Port on which the DB accepts connections."
+ type = number
+ default = null
+}
+
+variable "cluster_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = null
+}
+
+variable "cluster_parameter_group_name" {
+ description = "Cluster parameter group associated with the cluster"
+ type = string
+ default = null
+}
+
+variable "instance_identifier" {
+ description = "The name of the aurora cluster instance"
+ type = string
+}
+
+variable "instance_publicly_accessible" {
+ description = "If instance is publicly accessible. Default false"
+ type = bool
+ default = null
+}
+
+variable "instance_db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "instance_class" {
+ description = "The instance type of the RDS cluster. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes."
+ type = string
+ default = "db.r5.large"
+ validation {
+ # Class must be one of supported for database activity streams
+ condition = (
+ can(regex("^db.r7g.*large$", var.instance_class)) ||
+ can(regex("^db.r6g.*large$", var.instance_class)) ||
+ can(regex("^db.r6i.*large$", var.instance_class)) ||
+ can(regex("^db.r5.*large$", var.instance_class)) ||
+ can(regex("^db.x2g.*$", var.instance_class))
+ )
+ error_message = "Invalid instance class for database activity streams. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes."
+ }
+}
+
+variable "instance_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "instance_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = null
+}
+
+variable "instance_minor_version_upgrade" {
+ description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+ type = bool
+ default = null
+}
+
+variable "key_custom_master_key_spec" {
+ description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1."
+ type = string
+ default = "SYMMETRIC_DEFAULT"
+}
+
+variable "key_deletion_window_in_days" {
+ description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive."
+ type = number
+ default = 30
+}
+
+variable "key_description" {
+ description = "The description of the key as viewed in AWS console."
+ type = string
+ default = "AWS KMS Key to encrypt Aurora PostgreSQL Database Activity Stream."
+}
+
+variable "key_is_enabled" {
+ description = "Specifies whether the key is enabled."
+ type = bool
+ default = true
+}
+
+variable "key_usage" {
+ description = "Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, GENERATE_VERIFY_MAC."
+ type = string
+ default = "ENCRYPT_DECRYPT"
+}
+
+variable "key_multi_region" {
+ description = " Indicates whether the KMS key is a multi-Region (true) or regional (false) key."
+ type = bool
+ default = false
+}
+
+variable "key_tags" {
+ description = "A map of tags to assign to the object."
+ type = map(string)
+ default = null
+}
+
+variable "stream_mode" {
+ description = "Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async."
+ type = string
+ default = "async"
+ validation {
+ condition = contains(["sync", "async"], var.stream_mode)
+ error_message = "Invalid value, select either 'sync' or 'async'."
+ }
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql/README.md b/modules/onboard-aws-rds-aurora-postgresql/README.md
new file mode 100644
index 0000000..be3248e
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql/README.md
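Review bot: `variable "cluster_db_master_password"` is not marked sensitive, so the value is echoed in plan and apply output even though its own description warns that it ends up in logs and state; add `sensitive = true` to that block, and note that the `cluster` output in outputs.tf returns the whole cluster object, which will presumably then need `sensitive = true` as well. The description of `cluster_db_enabled_cloudwatch_logs_exports` lists `audit, error, general, slowquery`, which are MySQL log types, while this module creates an `aurora-postgresql` cluster and the sibling onboard-aws-rds-aurora-postgresql module defaults the same variable to `["postgresql"]`, so the text looks copied from the MySQL module and should name `postgresql`. The `aws_aurora_postgresql_cluster_audit_type` error_message has a typo, `Invalida` → `Invalid`. In the `instance_class` validation the dots in patterns such as `"^db.r5.*large$"` are unescaped wildcards; the patterns match the intended classes today, but `"^db\\.r5\\..*large$"` would state the intent and reject look-alikes.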
@@ -0,0 +1,85 @@ +# onboard-aws-rds-aurora-postgresql +Onboard Amazon Aurora PostgreSQL to DSF Hub. + +## Notes +There are two prerequisites for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. +2. A method to create the 'pgaudit' extension and 'rds_pgaudit' role on the postgres instance. + +See the corresponding example for more details. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora-postgresql-cluster](#module\_aurora-postgresql-cluster) | ../aws-rds-cluster | n/a | +| [aurora-postgresql-cluster-parameter-group](#module\_aurora-postgresql-cluster-parameter-group) | ../aws-rds-cluster-parameter-group | n/a | +| [aurora-postgresql-instance](#module\_aurora-postgresql-instance) | ../aws-rds-cluster-instance | n/a | +| [aurora-postgresql-log-group](#module\_aurora-postgresql-log-group) | ../aws-cloudwatch-log-group | n/a | +| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-rds-aurora-postgresql-cluster-asset](#module\_aws-rds-aurora-postgresql-cluster-asset) | ../dsfhub-aws-rds-aurora-postgresql-cluster | n/a | + +## Resources + +No resources. 
+ +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_aurora\_postgresql\_cluster\_admin\_email](#input\_aws\_aurora\_postgresql\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_aurora\_postgresql\_cluster\_audit\_type](#input\_aws\_aurora\_postgresql\_cluster\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no | +| [aws\_aurora\_postgresql\_cluster\_gateway\_id](#input\_aws\_aurora\_postgresql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [aws\_aurora\_postgresql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_postgresql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes | +| [aws\_aurora\_postgresql\_cluster\_region](#input\_aws\_aurora\_postgresql\_cluster\_region) | AWS region containing the cluster. | `string` | `null` | no | +| [aws\_log\_group\_admin\_email](#input\_aws\_log\_group\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [aws\_log\_group\_gateway\_id](#input\_aws\_log\_group\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. 
| `string` | n/a | yes | +| [aws\_log\_group\_reason](#input\_aws\_log\_group\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no | +| [aws\_log\_group\_region](#input\_aws\_log\_group\_region) | AWS region of the log group | `string` | n/a | yes | +| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no | +| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` |
{
"name": "server_audit_logging",
"value": 1
},
{
"name": "server_audit_excl_users",
"value": "rdsadmin"
},
{
"name": "server_audit_events",
"value": "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
}
]
[| no | +| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, e.g., 16.1 | `string` | `"16.1"` | no | +| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user. | `string` | n/a | yes | +| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no | +| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `true` | no | +| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes | +| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | +| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `null` | no | +| [cluster\_parameter\_group\_description](#input\_cluster\_parameter\_group\_description) | The description of the DB cluster parameter group. 
| `string` | `null` | no | +| [cluster\_parameter\_group\_family](#input\_cluster\_parameter\_group\_family) | The family of the DB cluster parameter group. | `string` | `"aurora-postgresql16"` | no | +| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | +| [cluster\_parameter\_group\_parameters](#input\_cluster\_parameter\_group\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
"postgresql"
]
list(|
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
[| no | +| [cluster\_parameter\_group\_tags](#input\_cluster\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no | +| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [instance\_db\_instance\_class](#input\_instance\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `"db.t3.medium"` | no | +| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes | +| [instance\_maintenance\_schedule](#input\_instance\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | +| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `null` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. 
| `number` | `7` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [aws\_log\_group\_asset](#output\_aws\_log\_group\_asset) | AWS log group asset | +| [aws\_rds\_aurora\_postgresql\_cluster\_asset](#output\_aws\_rds\_aurora\_postgresql\_cluster\_asset) | Aurora PostgreSQL cluster asset | +| [cluster](#output\_cluster) | Aurora PostgreSQL Cluster | +| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora PostgreSQL Cluster parameter group | +| [instance](#output\_instance) | Aurora PostgreSQL instance | +| [log\_group](#output\_log\_group) | Aurora PostgreSQL log group | + \ No newline at end of file diff --git a/modules/onboard-aws-rds-aurora-postgresql/main.tf b/modules/onboard-aws-rds-aurora-postgresql/main.tf new file mode 100644 index 0000000..fc282ff --- /dev/null +++ b/modules/onboard-aws-rds-aurora-postgresql/main.tf 
@@ -0,0 +1,78 @@
+module "aurora-postgresql-cluster-parameter-group" {
+ source = "../aws-rds-cluster-parameter-group"
+
+ description = var.cluster_parameter_group_description
+ family = var.cluster_parameter_group_family
+ name = var.cluster_parameter_group_name
+ parameters = var.cluster_parameter_group_parameters
+ tags = var.cluster_parameter_group_tags
+}
+
+module "aurora-postgresql-cluster" {
+ depends_on = [module.aurora-postgresql-log-group]
+ source = "../aws-rds-cluster"
+
+ apply_immediately = var.cluster_apply_immediately
+ backup_retention = var.cluster_backup_retention
+ cluster_id = var.cluster_id
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ db_engine = "aurora-postgresql"
+ db_engine_version = var.cluster_db_engine_version
+ db_master_password = var.cluster_db_master_password
+ db_master_username = var.cluster_db_master_username
+ db_port = var.cluster_db_port
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ final_snapshot = var.cluster_final_snapshot
+ maintenance_schedule = var.cluster_maintenance_schedule
+ network_type = var.cluster_network_type
+ parameter_group_name = module.aurora-postgresql-cluster-parameter-group.this.name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+}
+
+module "aurora-postgresql-instance" {
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.instance_apply_immediately
+ cluster_id = module.aurora-postgresql-cluster.this.cluster_identifier
+ db_engine = module.aurora-postgresql-cluster.this.engine
+ db_instance_class = var.instance_db_instance_class
+ db_subnet_group_name = module.aurora-postgresql-cluster.this.db_subnet_group_name
+ identifier = var.instance_identifier
+ maintenance_schedule = var.instance_maintenance_schedule
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aurora-postgresql-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/cluster/${var.cluster_id}/postgresql"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "aws-rds-aurora-postgresql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-postgresql-cluster"
+
+ admin_email = var.aws_aurora_postgresql_cluster_admin_email
+ asset_display_name = module.aurora-postgresql-cluster.this.id
+ asset_id = module.aurora-postgresql-cluster.this.arn
+ audit_type = var.aws_aurora_postgresql_cluster_audit_type
+ gateway_id = var.aws_aurora_postgresql_cluster_gateway_id
+ parent_asset_id = var.aws_aurora_postgresql_cluster_parent_asset_id
+ region = var.aws_aurora_postgresql_cluster_region
+ server_host_name = module.aurora-postgresql-cluster.this.endpoint
+ server_port = module.aurora-postgresql-cluster.this.port
+}
+
+module "aws-log-group-asset" {
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_log_group_admin_email
+ asset_display_name = "${module.aurora-postgresql-log-group.this.arn}:*"
+ asset_id = "${module.aurora-postgresql-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_log_group_gateway_id
+ parent_asset_id = module.aws-rds-aurora-postgresql-cluster-asset.this.asset_id
+ reason = var.aws_log_group_reason
+ region = var.aws_log_group_region
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql/outputs.tf b/modules/onboard-aws-rds-aurora-postgresql/outputs.tf
new file mode 100644
index 0000000..4cee4fb
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql/outputs.tf
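Review bot: The ordering and naming contract between module "aurora-postgresql-log-group" and the cluster is undocumented: the cluster carries `depends_on = [module.aurora-postgresql-log-group]`, and the group name `/aws/rds/cluster/${var.cluster_id}/postgresql` only lines up with what the cluster writes if `var.cluster_db_enabled_cloudwatch_logs_exports` still contains `postgresql`, yet nothing in this file ties the two together. A comment above the log-group module such as `# Created before the cluster (see depends_on) so retention_in_days applies; the name must match the group RDS writes the "postgresql" export to, so keep cluster_db_enabled_cloudwatch_logs_exports in sync` would make the coupling explicit. If a caller removes `postgresql` from the export list, the onboarded log-group asset presumably points at an empty group with no error from Terraform, so a validation on that variable in variables.tf is worth considering.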
@@ -0,0 +1,29 @@
+output "cluster_parameter_group" {
+ description = "Aurora PostgreSQL Cluster parameter group"
+ value = module.aurora-postgresql-cluster-parameter-group.this
+}
+
+output "cluster" {
+ description = "Aurora PostgreSQL Cluster"
+ value = module.aurora-postgresql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora PostgreSQL instance"
+ value = module.aurora-postgresql-instance.this
+}
+
+output "log_group" {
+ description = "Aurora PostgreSQL log group"
+ value = module.aurora-postgresql-log-group.this
+}
+
+output "aws_rds_aurora_postgresql_cluster_asset" {
+ description = "Aurora PostgreSQL cluster asset"
+ value = module.aws-rds-aurora-postgresql-cluster-asset.this
+}
+
+output "aws_log_group_asset" {
+ description = "AWS log group asset"
+ value = module.aws-log-group-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql/variables.tf b/modules/onboard-aws-rds-aurora-postgresql/variables.tf
new file mode 100644
index 0000000..89872ab
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql/variables.tf
@@ -0,0 +1,241 @@
+variable "aws_aurora_postgresql_cluster_admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "aws_aurora_postgresql_cluster_audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = "LOG_GROUP"
+ validation {
+ condition = contains(["LOG_GROUP", "AGGREGATED"], var.aws_aurora_postgresql_cluster_audit_type)
+ error_message = "Invalid Value. Select from LOG_GROUP, or AGGREGATED."
+ }
+}
+
+variable "aws_aurora_postgresql_cluster_parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+}
+
+variable "aws_aurora_postgresql_cluster_region" {
+ description = "AWS region containing the cluster."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_postgresql_cluster_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "aws_log_group_admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "aws_log_group_audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = false
+}
+
+variable "aws_log_group_gateway_id" {
+ description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'."
+ type = string
+}
+
+variable "aws_log_group_reason" {
+ description = "Used to differentiate connections that belong to the same asset"
+ type = string
+ default = "default"
+}
+
+variable "aws_log_group_region" {
+ description = "AWS region of the log group"
+ type = string
+}
+
+variable "cluster_db_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+ type = list(any)
+ default = ["postgresql"]
+}
+
+variable "cluster_db_engine_version" {
+ description = "Database engine version, e.g., 16.1"
+ type = string
+ default = "16.1"
+}
+
+variable "cluster_id" {
+ description = "The name of the RDS cluster"
+ type = string
+}
+
+variable "cluster_backup_retention" {
+ description = "Days to retain backups for, Default is 1 day."
+ type = number
+ default = null
+}
+
+variable "cluster_db_master_username" {
+ description = "Username for the master DB user."
+ type = string
+ validation {
+ condition = (
+ var.cluster_db_master_username != "rdsadmin" &&
+ var.cluster_db_master_username != "admin"
+ )
+ error_message = "The aurora cluster master username must not be either \"rdsadmin\" or \"admin\". Please select another value."
+ }
+}
+
+variable "cluster_db_master_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+ type = string
+}
+
+variable "cluster_network_type" {
+ description = " Network type of the cluster. Valid values: IPV4, DUAL"
+ type = string
+ default = null
+}
+
+variable "cluster_db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "cluster_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+ type = bool
+ default = true
+}
+
+variable "cluster_db_port" {
+ description = "Port on which the DB accepts connections."
+ type = number
+ default = null
+}
+
+variable "cluster_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = null
+}
+
+variable "cluster_parameter_group_name" {
+ description = "The name of the DB cluster parameter group"
+ type = string
+}
+
+variable "cluster_parameter_group_family" {
+ description = "The family of the DB cluster parameter group."
+ type = string
+ default = "aurora-postgresql16"
+}
+
+variable "cluster_parameter_group_description" {
+ description = "The description of the DB cluster parameter group."
+ type = string
+ default = null
+}
+
+variable "cluster_parameter_group_parameters" {
+ description = "List of objects containing parameters for the DB cluster parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+ default = [
+ {
+ name = "log_connections"
+ value = 1
+ },
+ {
+ name = "log_disconnections"
+ value = 1
+ },
+ {
+ name = "log_error_verbosity"
+ value = "verbose"
+ },
+ {
+ name = "pgaudit.log"
+ value = "all"
+ },
+ {
+ name = "pgaudit.role"
+ value = "rds_pgaudit"
+ },
+ {
+ name = "shared_preload_libraries"
+ value = "pgaudit,pg_stat_statements"
+ apply_method = "pending-reboot"
+ }
+ ]
+}
+
+variable "cluster_parameter_group_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+variable "instance_identifier" {
+ description = "The name of the aurora cluster instance"
+ type = string
+}
+
+variable "instance_publicly_accessible" {
+ description = "If instance is publicly accessible. Default false"
+ type = bool
+ default = null
+}
+
+variable "instance_db_instance_class" {
+ description = "The instance type of the RDS cluster. Example: 'db.t3.micro'"
+ type = string
+ default = "db.t3.medium"
+}
+
+variable "instance_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = null
+}
+
+variable "instance_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = null
+}
+
+variable "instance_minor_version_upgrade" {
+ description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+ type = bool
+ default = null
+}
+
+variable "log_group_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire."
+ type = number
+ default = 7
+}
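Review bot: `cluster_db_master_password` is declared as a plain `type = string` with no `sensitive = true`, so Terraform will not redact the value anywhere it is referenced outside a provider attribute that is itself marked sensitive, even though the variable's own description warns it can show up in logs; add `sensitive = true` to that block (the file already uses `optional()` defaults, so the attribute is available in the required Terraform version). Two descriptions in the same hunk also contradict their defaults: `cluster_db_enabled_cloudwatch_logs_exports` says `Valid values: audit, error, general, slowquery.`, which are MySQL log types, while the default is `["postgresql"]`, and `cluster_final_snapshot` says `Default is false` while `default = true`, meaning a destroyed cluster leaves no final snapshot unless the caller overrides it. Suggested rewording: `description = "Set of log types to export to CloudWatch Logs for Aurora PostgreSQL, e.g. postgresql."` and `description = "If true, no final DB snapshot is created before the cluster is deleted. Default is true."`.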
{
"name": "log_connections",
"value": 1
},
{
"name": "log_disconnections",
"value": 1
},
{
"name": "log_error_verbosity",
"value": "verbose"
},
{
"name": "pgaudit.log",
"value": "all"
},
{
"name": "pgaudit.role",
"value": "rds_pgaudit"
},
{
"apply_method": "pending-reboot",
"name": "shared_preload_libraries",
"value": "pgaudit,pg_stat_statements"
}
]