From 4357b7b0037fbbc4b03d24a5f69114e7e20a062e Mon Sep 17 00:00:00 2001 
From: Petal Vitis Date: Mon, 22 Jul 2024 14:36:56 -0700 Subject: [PATCH 1/7] initial add of aws aurora modules --- CHANGELOG.md | 9 + DSF_VERSION_COMPATABILITY.md | 20 ++ .../README.md | 28 ++ .../main.tf | 76 ++++++ .../README.md | 28 ++ .../main.tf | 101 +++++++ .../onboard-aws-rds-aurora-mysql/README.md | 28 ++ examples/onboard-aws-rds-aurora-mysql/main.tf | 75 ++++++ .../README.md | 28 ++ .../main.tf | 106 ++++++++ .../README.md | 45 ++++ .../configure_database.sh | 38 +++ .../configure_database.sql | 18 ++ .../onboard-aws-rds-aurora-postgresql/main.tf | 133 ++++++++++ modules/aws-kms-key/README.md | 35 +++ modules/aws-kms-key/main.tf | 9 + modules/aws-kms-key/outputs.tf | 4 + modules/aws-kms-key/variables.tf | 41 +++ .../aws-rds-cluster-activity-stream/README.md | 32 +++ .../aws-rds-cluster-activity-stream/main.tf | 6 + .../outputs.tf | 4 + .../variables.tf | 24 ++ modules/aws-rds-cluster-instance/README.md | 37 +++ modules/aws-rds-cluster-instance/main.tf | 12 + modules/aws-rds-cluster-instance/outputs.tf | 4 + modules/aws-rds-cluster-instance/variables.tf | 52 ++++ .../aws-rds-cluster-parameter-group/README.md | 33 +++ .../aws-rds-cluster-parameter-group/main.tf | 15 ++ .../outputs.tf | 4 + .../variables.tf | 33 +++ modules/aws-rds-cluster/README.md | 43 +++ modules/aws-rds-cluster/main.tf | 25 ++ modules/aws-rds-cluster/outputs.tf | 4 + modules/aws-rds-cluster/variables.tf | 86 ++++++ modules/dsfhub-aws-kinesis/README.md | 37 +++ modules/dsfhub-aws-kinesis/main.tf | 27 ++ modules/dsfhub-aws-kinesis/outputs.tf | 4 + modules/dsfhub-aws-kinesis/variables.tf | 48 ++++ .../README.md | 39 +++ .../main.tf | 32 +++ .../outputs.tf | 4 + .../variables.tf | 68 +++++ .../README.md | 40 +++ .../main.tf | 33 +++ .../outputs.tf | 4 + .../variables.tf | 74 ++++++ .../README.md | 89 +++++++ .../main.tf | 87 ++++++ .../outputs.tf | 29 ++ .../variables.tf | 228 ++++++++++++++++ .../README.md | 73 +++++ .../main.tf | 104 ++++++++ .../outputs.tf | 39 +++ .../variables.tf | 211 
+++++++++++++++ .../onboard-aws-rds-aurora-mysql/README.md | 69 +++++ modules/onboard-aws-rds-aurora-mysql/main.tf | 82 ++++++ .../onboard-aws-rds-aurora-mysql/outputs.tf | 29 ++ .../onboard-aws-rds-aurora-mysql/variables.tf | 201 ++++++++++++++ .../README.md | 91 +++++++ .../main.tf | 87 ++++++ .../outputs.tf | 29 ++ .../variables.tf | 250 ++++++++++++++++++ .../README.md | 75 ++++++ .../onboard-aws-rds-aurora-postgresql/main.tf | 78 ++++++ .../outputs.tf | 29 ++ .../variables.tf | 241 +++++++++++++++++ 66 files changed, 3767 insertions(+) create mode 100644 examples/onboard-aws-rds-aurora-mysql-kinesis/README.md create mode 100644 examples/onboard-aws-rds-aurora-mysql-kinesis/main.tf create mode 100644 examples/onboard-aws-rds-aurora-mysql-slowquery/README.md create mode 100644 examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf create mode 100644 examples/onboard-aws-rds-aurora-mysql/README.md create mode 100644 examples/onboard-aws-rds-aurora-mysql/main.tf create mode 100644 examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md create mode 100644 examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf create mode 100644 examples/onboard-aws-rds-aurora-postgresql/README.md create mode 100755 examples/onboard-aws-rds-aurora-postgresql/configure_database.sh create mode 100644 examples/onboard-aws-rds-aurora-postgresql/configure_database.sql create mode 100644 examples/onboard-aws-rds-aurora-postgresql/main.tf create mode 100644 modules/aws-kms-key/README.md create mode 100644 modules/aws-kms-key/main.tf create mode 100644 modules/aws-kms-key/outputs.tf create mode 100644 modules/aws-kms-key/variables.tf create mode 100644 modules/aws-rds-cluster-activity-stream/README.md create mode 100644 modules/aws-rds-cluster-activity-stream/main.tf create mode 100644 modules/aws-rds-cluster-activity-stream/outputs.tf create mode 100644 modules/aws-rds-cluster-activity-stream/variables.tf create mode 100644 modules/aws-rds-cluster-instance/README.md create mode 
100644 modules/aws-rds-cluster-instance/main.tf create mode 100644 modules/aws-rds-cluster-instance/outputs.tf create mode 100644 modules/aws-rds-cluster-instance/variables.tf create mode 100644 modules/aws-rds-cluster-parameter-group/README.md create mode 100644 modules/aws-rds-cluster-parameter-group/main.tf create mode 100644 modules/aws-rds-cluster-parameter-group/outputs.tf create mode 100644 modules/aws-rds-cluster-parameter-group/variables.tf create mode 100644 modules/aws-rds-cluster/README.md create mode 100644 modules/aws-rds-cluster/main.tf create mode 100644 modules/aws-rds-cluster/outputs.tf create mode 100644 modules/aws-rds-cluster/variables.tf create mode 100644 modules/dsfhub-aws-kinesis/README.md create mode 100644 modules/dsfhub-aws-kinesis/main.tf create mode 100644 modules/dsfhub-aws-kinesis/outputs.tf create mode 100644 modules/dsfhub-aws-kinesis/variables.tf create mode 100644 modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md create mode 100644 modules/dsfhub-aws-rds-aurora-mysql-cluster/main.tf create mode 100644 modules/dsfhub-aws-rds-aurora-mysql-cluster/outputs.tf create mode 100644 modules/dsfhub-aws-rds-aurora-mysql-cluster/variables.tf create mode 100644 modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md create mode 100644 modules/dsfhub-aws-rds-aurora-postgresql-cluster/main.tf create mode 100644 modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf create mode 100644 modules/dsfhub-aws-rds-aurora-postgresql-cluster/variables.tf create mode 100644 modules/onboard-aws-rds-aurora-mysql-kinesis/README.md create mode 100644 modules/onboard-aws-rds-aurora-mysql-kinesis/main.tf create mode 100644 modules/onboard-aws-rds-aurora-mysql-kinesis/outputs.tf create mode 100644 modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf create mode 100644 modules/onboard-aws-rds-aurora-mysql-slowquery/README.md create mode 100644 modules/onboard-aws-rds-aurora-mysql-slowquery/main.tf create mode 100644 
modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf create mode 100644 modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf create mode 100644 modules/onboard-aws-rds-aurora-mysql/README.md create mode 100644 modules/onboard-aws-rds-aurora-mysql/main.tf create mode 100644 modules/onboard-aws-rds-aurora-mysql/outputs.tf create mode 100644 modules/onboard-aws-rds-aurora-mysql/variables.tf create mode 100644 modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md create mode 100644 modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf create mode 100644 modules/onboard-aws-rds-aurora-postgresql-kinesis/outputs.tf create mode 100644 modules/onboard-aws-rds-aurora-postgresql-kinesis/variables.tf create mode 100644 modules/onboard-aws-rds-aurora-postgresql/README.md create mode 100644 modules/onboard-aws-rds-aurora-postgresql/main.tf create mode 100644 modules/onboard-aws-rds-aurora-postgresql/outputs.tf create mode 100644 modules/onboard-aws-rds-aurora-postgresql/variables.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index 3fa9a55..4a25cd7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,14 @@ # Changelog +## 1.0.3 (2024-07-22) + +### Features +- Amazon RDS Aurora MySQL module +- Amazon RDS Aurora MySQL Kinesis module +- Amazon RDS Aurora MySQL Slow query module +- Amazon RDS Aurora PostgreSQL module +- Amazon RDS Aurora PostgreSQL Kinesis module + ## 1.0.2 (2024-07-12) ### Features diff --git a/DSF_VERSION_COMPATABILITY.md b/DSF_VERSION_COMPATABILITY.md index b041104..daea41b 100644 --- a/DSF_VERSION_COMPATABILITY.md +++ b/DSF_VERSION_COMPATABILITY.md 
@@ -18,6 +18,26 @@ The following table lists the DSF versions that each module is tested and mainta onboard-aws-rds-neptune-slow-query 4.17+ + + + onboard-aws-rds-aurora-mysql + 4.17+ + + + onboard-aws-rds-aurora-mysql-kinesis + 4.17+ + + + onboard-aws-rds-aurora-mysql-slowquery + 4.17+ + + + onboard-aws-rds-aurora-postgresql + 4.17+ + + + onboard-aws-rds-aurora-postgresql-kinesis + 4.17+ onboard-aws-rds-mariadb diff --git a/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md b/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md new file mode 100644 index 0000000..0256407 --- /dev/null +++ b/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md 
@@ -0,0 +1,28 @@ +# Onboard Amazon Aurora MySQL via Kinesis example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Aurora-MySQL-Onboarding-Steps_48366913.html). + +It creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each one can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created kinesis stream. + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-aurora-mysql-kinesis](#module\_aws-aurora-mysql-kinesis) | ../../modules/onboard-aws-rds-aurora-mysql-kinesis | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-mysql-kinesis/main.tf b/examples/onboard-aws-rds-aurora-mysql-kinesis/main.tf new file mode 100644 index 0000000..cc523d3 --- /dev/null +++ b/examples/onboard-aws-rds-aurora-mysql-kinesis/main.tf 
@@ -0,0 +1,76 @@ +locals { + aws_region = "us-east-2" + apply_immediately = true + master_user = "admin" + master_password = "Abcd1234" + + admin_email = "test@example.com" + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# 1. AWS cloud account +################################################################################ +# 1. AWS cloud account +module "aws-default-account-asset" { + source = "../../modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::1234567890" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# Amazon Aurora MySQL via kinesis stream +################################################################################ +module "aws-aurora-mysql-kinesis" { + source = "../../modules/onboard-aws-rds-aurora-mysql-kinesis" + + aws_aurora_mysql_cluster_admin_email = local.admin_email + aws_aurora_mysql_cluster_gateway_id = local.gateway_id + aws_aurora_mysql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_mysql_cluster_region = local.aws_region + + aws_kinesis_admin_email = local.admin_email + aws_kinesis_audit_pull_enabled = true + aws_kinesis_gateway_id = local.gateway_id + 
aws_kinesis_reason = "default" + aws_kinesis_region = local.aws_region + + cluster_apply_immediately = local.apply_immediately + cluster_db_master_password = local.master_password + cluster_db_master_username = local.master_user + cluster_id = "tf-aurora-mysql-kinesis-cluster" + cluster_final_snapshot = true + + instance_apply_immediately = local.apply_immediately + instance_identifier = "tf-aurora-mysql-kinesis-instance" + instance_publicly_accessible = true +} diff --git a/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md b/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md new file mode 100644 index 0000000..1ecc26a --- /dev/null +++ b/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md 
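Review bot: The example hard-codes the Aurora master credentials in `locals` (`master_password = "Abcd1234"`) and then exposes the instance with `instance_publicly_accessible = true`, so anyone who copies this file as written ends up with an internet-reachable database behind a guessable admin password. Take the password from a sensitive input the same way the hub token already is — `variable "cluster_db_master_password" { sensitive = true } # TF_VAR_cluster_db_master_password env variable` and `cluster_db_master_password = var.cluster_db_master_password` — and leave `instance_publicly_accessible` at `false` unless the gateway genuinely needs a public endpoint. Separately, `asset_id = "arn:aws:iam::1234567890"` is not a well-formed IAM ARN (no resource segment), unlike the `arn:aws:iam::123456789101:role/iam-role` form the other examples in this patch use, and the placeholder `gateway_id` contains non-hex characters (`g8h9-wxyz`) that may be rejected if the provider validates UUIDs; a comment marking both as placeholders to be replaced would avoid confusing first-time users.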
@@ -0,0 +1,28 @@ +# Onboard Amazon Aurora MySQL Slow Query example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Aurora-MySQL-Onboarding-Steps_48366913.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-aurora-mysql-slowquery](#module\_aws-aurora-mysql-slowquery) | ../../modules/onboard-aws-rds-aurora-mysql-slowquery | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf b/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf new file mode 100644 index 0000000..1d5f97f --- /dev/null +++ b/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf 
@@ -0,0 +1,101 @@ +locals { + aws_region = "us-east-2" + vpc_security_group_ids = [ + "sg-12a345678912b1c2a", + "sg-34b456789c12b231e" + ] + subnet_group_name = "my-subnet-group" + admin_email = "person@example.com" + gateway_id = "a1b2c3d4-1234-5678-9123-cd1edcef7642" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# AWS cloud account +################################################################################ + +module "aws-default-account-asset" { + source = "../../modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::123456789101:role/iam-role" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# Amazon Aurora MySQL Slowquery +################################################################################ + +module "aws-aurora-mysql-slowquery" { + source = "../../modules/onboard-aws-rds-aurora-mysql-slowquery" + + cluster_parameter_group_name = "aurora-mysql-cpg-tf" + cluster_parameter_group_parameters = [ + { + name = "server_audit_logging" + value = 1 + }, + { + name = "server_audit_excl_users" + value = "rdsadmin" + }, + { + name = "server_audit_events" + value = "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML" + }, + { + name = "slow_query_log" + value = 1 + }, + { 
+ name = "long_query_time" + value = 5 + }, + { + name = "log_slow_admin_statements" + value = 1 + } + ] + + cluster_cluster_id = "aurora-mysql-cluster" + cluster_db_master_username = "admin" + cluster_db_master_password = "mypassword" + cluster_db_subnet_group_name = local.subnet_group_name + cluster_vpc_security_group_ids = local.vpc_security_group_ids + + instance_identifier = "aurora-mysql-inst" + instance_publicly_accessible = false + + aws_aurora_mysql_cluster_admin_email = local.admin_email + aws_aurora_mysql_cluster_gateway_id = local.gateway_id + aws_aurora_mysql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_mysql_cluster_region = local.aws_region + + aws_log_group_audit_pull_enabled = true +} diff --git a/examples/onboard-aws-rds-aurora-mysql/README.md b/examples/onboard-aws-rds-aurora-mysql/README.md new file mode 100644 index 0000000..76c3df3 --- /dev/null +++ b/examples/onboard-aws-rds-aurora-mysql/README.md 
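Review bot: `cluster_db_master_password = "mypassword"` commits a plaintext database credential to the repository; example files of this kind are routinely copied verbatim into real deployments. Declare it as a sensitive input next to the existing hub token variables, `variable "cluster_db_master_password" { sensitive = true } # TF_VAR_cluster_db_master_password env variable`, and pass `var.cluster_db_master_password` to the module. The value will still be written to Terraform state by the RDS resource, so the README for this example should recommend an encrypted remote backend rather than local state.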
@@ -0,0 +1,28 @@ +# Onboard Amazon Aurora MySQL example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Aurora-MySQL-Onboarding-Steps_48366913.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-aurora-mysql](#module\_aws-aurora-mysql) | ../../modules/onboard-aws-rds-aurora-mysql | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-mysql/main.tf b/examples/onboard-aws-rds-aurora-mysql/main.tf new file mode 100644 index 0000000..f18b2a3 --- /dev/null +++ b/examples/onboard-aws-rds-aurora-mysql/main.tf 
@@ -0,0 +1,75 @@ +locals { + aws_region = "us-east-2" + vpc_security_group_ids = [ + "sg-12a345678912b1c2a", + "sg-34b456789c12b231e" + ] + subnet_group_name = "my-subnet-group" + admin_email = "person@example.com" + gateway_id = "a1b2c3d4-1234-5678-9123-cd1edcef7642" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# AWS cloud account +################################################################################ + +module "aws-default-account-asset" { + source = "../../modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::123456789101:role/iam-role" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# Amazon Aurora Mysql +################################################################################ + +module "aws-aurora-mysql" { + source = "../../modules/onboard-aws-rds-aurora-mysql" + + cluster_parameter_group_name = "aurora-mysql-cpg-tf" + + cluster_cluster_id = "aurora-mysql-cluster" + cluster_db_master_username = "admin" + cluster_db_master_password = "mypassword" + cluster_db_subnet_group_name = local.subnet_group_name + cluster_vpc_security_group_ids = local.vpc_security_group_ids + + instance_identifier = "aurora-mysql-inst" + instance_publicly_accessible = false 
+ + aws_aurora_mysql_cluster_admin_email = local.admin_email + aws_aurora_mysql_cluster_gateway_id = local.gateway_id + aws_aurora_mysql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_mysql_cluster_region = local.aws_region + + aws_log_group_audit_pull_enabled = true +} diff --git a/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md b/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md new file mode 100644 index 0000000..c12872b --- /dev/null +++ b/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md 
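Review bot: `cluster_db_master_password = "mypassword"` is a plaintext credential in a file users are expected to copy; source it from a sensitive variable instead, e.g. `variable "cluster_db_master_password" { sensitive = true } # TF_VAR_cluster_db_master_password env variable` and `cluster_db_master_password = var.cluster_db_master_password`. This example also sets `cluster_parameter_group_name` with no `cluster_parameter_group_parameters`, whereas the sibling slowquery example explicitly enables `server_audit_logging` and `server_audit_events`; unless the module supplies audit defaults (its variables are not in this hunk, so I cannot confirm) the CloudWatch audit log group that `aws_log_group_audit_pull_enabled = true` reads from would stay empty. A comment stating which audit parameters the module applies by default, or an explicit parameter list as in the slowquery example, would make the example self-explanatory.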
@@ -0,0 +1,28 @@ +# Onboard Amazon Aurora PostgreSQL via Kinesis example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Aurora-PostgreSQL-Onboarding-Steps_48366929.html). + +It creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each one can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created kinesis stream. + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-aurora-postgresql-kinesis](#module\_aws-aurora-postgresql-kinesis) | ../../modules/onboard-aws-rds-aurora-postgresql-kinesis | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf b/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf new file mode 100644 index 0000000..354bc4c --- /dev/null +++ b/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf 
@@ -0,0 +1,106 @@ +locals { + aws_region = "us-east-2" + apply_immediately = true + master_user = "PGadmin" + master_password = "Abcd1234" + + admin_email = "test@example.com" + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# 1. AWS cloud account +################################################################################ +# 1. AWS cloud account +module "aws-default-account-asset" { + source = "../../modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::1234567890" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# Amazon Aurora PostgreSQL 16 via kinesis stream +################################################################################ +module "aws-aurora-postgresql-kinesis" { + source = "../../modules/onboard-aws-rds-aurora-postgresql-kinesis" + + aws_aurora_postgresql_cluster_admin_email = local.admin_email + aws_aurora_postgresql_cluster_audit_type = "KINESIS" + aws_aurora_postgresql_cluster_gateway_id = local.gateway_id + aws_aurora_postgresql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_postgresql_cluster_region = local.aws_region + + aws_kinesis_admin_email = 
local.admin_email + aws_kinesis_audit_pull_enabled = true + aws_kinesis_gateway_id = local.gateway_id + aws_kinesis_region = local.aws_region + + cluster_apply_immediately = true + cluster_db_engine_version = "16" + cluster_db_master_password = local.master_password + cluster_db_master_username = local.master_user + cluster_id = "tf-aurora-postgresql-kinesis-cluster" + + instance_apply_immediately = true + instance_class = "db.r5.large" + instance_identifier = "tf-aurora-postgresql-kinesis-instance" + instance_publicly_accessible = true +} + +################################################################################ +# Amazon Aurora PostgreSQL 16 via kinesis stream aggregated +################################################################################ +module "aws-aurora-postgresql-kinesis" { + source = "../../modules/onboard-aws-rds-aurora-postgresql-kinesis" + + aws_aurora_postgresql_cluster_admin_email = local.admin_email + aws_aurora_postgresql_cluster_audit_type = "KINESIS_AGGREGATED" + aws_aurora_postgresql_cluster_gateway_id = local.gateway_id + aws_aurora_postgresql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_postgresql_cluster_region = local.aws_region + + aws_kinesis_admin_email = local.admin_email + aws_kinesis_audit_pull_enabled = true + aws_kinesis_gateway_id = local.gateway_id + aws_kinesis_region = local.aws_region + + cluster_apply_immediately = true + cluster_db_engine_version = "16" + cluster_db_master_password = local.master_password + cluster_db_master_username = local.master_user + cluster_id = "tf-aurora-postgresql-kinesis-cluster" + + instance_apply_immediately = true + instance_class = "db.r5.large" + instance_identifier = "tf-aurora-postgresql-kinesis-instance" + instance_publicly_accessible = true +} diff --git a/examples/onboard-aws-rds-aurora-postgresql/README.md b/examples/onboard-aws-rds-aurora-postgresql/README.md new file mode 100644 index 0000000..43676b1 --- /dev/null 
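Review bot: Both module blocks in this file are declared as `module "aws-aurora-postgresql-kinesis"`, which Terraform rejects as a duplicate module call before anything is planned, and even with distinct block names the two clusters share `cluster_id = "tf-aurora-postgresql-kinesis-cluster"` and `instance_identifier = "tf-aurora-postgresql-kinesis-instance"`, which RDS requires to be unique per region. Rename the second (aggregated) block and its identifiers, e.g. `module "aws-aurora-postgresql-kinesis-aggregated" {`, `cluster_id = "tf-aurora-postgresql-kinesis-aggregated-cluster"`, `instance_identifier = "tf-aurora-postgresql-kinesis-aggregated-instance"`; if only one variant is meant to be applied at a time, say so in a comment and comment one block out. As in the MySQL example, `master_password = "Abcd1234"` combined with `instance_publicly_accessible = true` on both clusters is a weak credential on a public endpoint; take the password from a `sensitive` variable like `dsfhub_token` and default the instance to private. The `asset_id = "arn:aws:iam::1234567890"` placeholder also lacks the resource segment that a valid IAM ARN carries.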
+++ b/examples/onboard-aws-rds-aurora-postgresql/README.md 
@@ -0,0 +1,45 @@ +# Onboard Amazon Aurora PostgreSQL example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Aurora-PostgreSQL-Onboarding-Steps_48366929.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. + +### Database Configuration +Part of the onboarding process involves connecting to your Aurora PostgreSQL cluster and running SQL commands to create both a role and an extension. This module includes an example for how to connect to the instance from your local machine and create both of these. + +**Note:** This example requires the ``psql`` client to be installed, as well as for the newly created Aurora cluster to be accessible from your local machine. 
+ + + + +## Providers + +| Name | Version | +|------|---------| +| [terraform](#provider\_terraform) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora-postgresql](#module\_aurora-postgresql) | ../../modules/onboard-aws-rds-aurora-postgresql | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | + +## Resources + +| Name | Type | +|------|------| +| [terraform_data.configure_database](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-postgresql/configure_database.sh b/examples/onboard-aws-rds-aurora-postgresql/configure_database.sh new file mode 100755 index 0000000..c864119 --- /dev/null +++ b/examples/onboard-aws-rds-aurora-postgresql/configure_database.sh 
@@ -0,0 +1,38 @@
+#!/bin/bash
+# Configures Aurora Postgresql database for auditing by connecting to the
+# database using 'psql'
+#
+# Connection to the database uses PG environment variables
+# See postgres documentation for more information:
+# https://www.postgresql.org/docs/current/libpq-envars.html
+################################################################################
+
+# Settings
+current_directory=$(dirname "$(realpath "${BASH_SOURCE[0]}")")
+sql_file="${current_directory}/configure_database.sql"
+
+# Functions
+function is_pkg_installed {
+ local pkg="$1"
+ if ! command -v "${pkg}" &> /dev/null
+ then
+ echo "Package '${pkg}' is not installed."
+ echo "Install on MacOS: brew install libpq"
+ echo "Install on Ubuntu: apt-get install -y libpq-dev"
+ echo "Install on CentOS: yum install -y libpq"
+ echo "Exiting..."
+ exit 1
+ else
+ return 0
+ fi
+}
+
+################################################################################
+is_pkg_installed "psql"
+if [ ! -r "${sql_file}" ]; then
+ echo "Unable to read ${sql_file}"
+ echo "Exiting..."
+ exit 1
+else
+ psql --file="${sql_file}"
+fi
diff --git a/examples/onboard-aws-rds-aurora-postgresql/configure_database.sql b/examples/onboard-aws-rds-aurora-postgresql/configure_database.sql
new file mode 100644
index 0000000..4486147
--- /dev/null
+++ b/examples/onboard-aws-rds-aurora-postgresql/configure_database.sql
@@ -0,0 +1,18 @@
+DO
+$$
+BEGIN
+ RAISE NOTICE 'Creating auditor role "rds_pgaudit".';
+ IF EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'rds_pgaudit') THEN
+ RAISE NOTICE 'Role "rds_pgaudit" already exists. Skipping.';
+ ELSE
+ CREATE ROLE rds_pgaudit;
+ END IF;
+
+ RAISE NOTICE 'Creating audit extension "pgaudit".';
+ IF EXISTS (SELECT FROM pg_catalog.pg_extension WHERE extname = 'pgaudit') THEN
+ RAISE NOTICE 'Audit extension "pgaudit" already exists. Skipping.';
+ ELSE
+ CREATE EXTENSION pgaudit;
+ END IF;
+END
+$$;
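Review bot: `psql --file="${sql_file}"` on the last line of the script exits 0 even when a statement inside the SQL file fails, because psql only aborts on SQL errors when ON_ERROR_STOP is set; the Terraform provisioner that invokes this script (with `on_failure = fail`) therefore cannot tell that the audit role or the pgaudit extension was never created. Pass `psql -v ON_ERROR_STOP=1 --file="${sql_file}"` so a failed statement propagates as a non-zero exit. The script also does not check that PGHOST/PGUSER/PGPASSWORD are present, so an unset PGHOST makes libpq try a local socket; a guard such as `: "${PGHOST:?PGHOST must be set}"` before the psql call gives a clearer error than a connection refusal.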
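Review bot: `CREATE EXTENSION pgaudit;` only succeeds if pgaudit is already present in `shared_preload_libraries` on the cluster's parameter group (and the instance has restarted with it), which nothing in this file states or checks, so the first run against a freshly created cluster may fail with an opaque extension error. Add a header comment such as `-- Prerequisite: 'pgaudit' must be in shared_preload_libraries on the cluster parameter group, and pgaudit.role should be set to rds_pgaudit (see the RDS pgaudit docs)`. Writing `CREATE ROLE rds_pgaudit NOLOGIN;` would also make explicit that this role is an audit target and never a login principal, even though NOLOGIN is already the default.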
diff --git a/examples/onboard-aws-rds-aurora-postgresql/main.tf b/examples/onboard-aws-rds-aurora-postgresql/main.tf new file mode 100644 index 0000000..a783934 --- /dev/null +++ b/examples/onboard-aws-rds-aurora-postgresql/main.tf 
@@ -0,0 +1,133 @@ +locals { + aws_region = "us-east-2" + apply_immediately = true + master_user = "admin" + master_password = "Abcd1234" + subnet_group_name = "default" + vpc_security_groups = ["sg-0123456789abcdefg"] + + admin_email = "test@example.com" + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# 1. AWS cloud account +# 2. Method to create 'pgaudit' extension and 'rds_pgaudit' role on the postgres +# cluster. +################################################################################ +# 1. AWS cloud account +module "aws-default-account-asset" { + source = "../../modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::1234567890" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +# 2. Run shell script locally to create extension and role on the newly created +# postgres cluster. 
+resource "terraform_data" "configure_database" { + depends_on = [module.aurora-postgresql] + + provisioner "local-exec" { + environment = { + PGHOST = module.aurora-postgresql.cluster.endpoint + PGUSER = local.master_user + PGPASSWORD = local.master_password + PGPORT = module.aurora-postgresql.cluster.port + PGDATABASE = "postgres" + } + + command = "./configure_database.sh" + + on_failure = fail + } +} + +################################################################################ +# Amazon Aurora PostgreSQL 16.1 +################################################################################ +module "aurora-postgresql" { + source = "../../modules/onboard-aws-rds-aurora-postgresql" + + aws_aurora_postgresql_cluster_admin_email = local.admin_email + aws_aurora_postgresql_cluster_gateway_id = local.gateway_id + aws_aurora_postgresql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_postgresql_cluster_region = local.aws_region + + aws_log_group_admin_email = local.admin_email + aws_log_group_audit_pull_enabled = true + aws_log_group_gateway_id = local.gateway_id + aws_log_group_region = local.aws_region + + cluster_db_engine_version = "16.1" + cluster_db_master_password = local.master_password + cluster_db_master_username = local.master_user + cluster_db_subnet_group_name = local.subnet_group_name + cluster_final_snapshot = true + cluster_id = "tf-aurora-postgresql-cluster" + cluster_parameter_group_name = "tf-aurora-postgresql-instance-pg" + cluster_vpc_security_group_ids = local.vpc_security_groups + + instance_apply_immediately = local.apply_immediately + instance_identifier = "tf-aurora-postgresql-instance" + instance_publicly_accessible = true +} + +################################################################################ +# Amazon Aurora PostgreSQL 16.1 Aggregated +################################################################################ +module "aurora-postgresql" { + source = 
"../../modules/onboard-aws-rds-aurora-postgresql" + + aws_aurora_postgresql_cluster_admin_email = local.admin_email + aws_aurora_postgresql_cluster_audit_type = "AGGREGATED" + aws_aurora_postgresql_cluster_gateway_id = local.gateway_id + aws_aurora_postgresql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_aurora_postgresql_cluster_region = local.aws_region + + aws_log_group_admin_email = local.admin_email + aws_log_group_audit_pull_enabled = true + aws_log_group_gateway_id = local.gateway_id + aws_log_group_region = local.aws_region + + cluster_db_engine_version = "16.1" + cluster_db_master_password = local.master_password + cluster_db_master_username = local.master_user + cluster_db_subnet_group_name = local.subnet_group_name + cluster_final_snapshot = true + cluster_id = "tf-aurora-postgresql-cluster" + cluster_parameter_group_name = "tf-aurora-postgresql-instance-pg" + cluster_vpc_security_group_ids = local.vpc_security_groups + + instance_apply_immediately = local.apply_immediately + instance_identifier = "tf-aurora-postgresql-instance" + instance_publicly_accessible = true +} diff --git a/modules/aws-kms-key/README.md b/modules/aws-kms-key/README.md new file mode 100644 index 0000000..36de536 --- /dev/null +++ b/modules/aws-kms-key/README.md 
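Review bot: The example hard-codes the database master credentials in `locals` (`master_password = "Abcd1234"`) and sets `instance_publicly_accessible = true` on both module calls, so anyone copying it verbatim gets an internet-reachable Aurora cluster with a well-known password; the same password is also placed in the `local-exec` environment block, where it will be visible in plan output and state. Move it to a variable marked `sensitive = true` (or use an RDS-managed master password) and default the instance to private, running the psql step from a host inside the VPC. `variable "dsfhub_token" {}` should likewise become `variable "dsfhub_token" { sensitive = true }` so the hub token is redacted from plan output. Separately, `module "aurora-postgresql"` is declared twice in this file, which Terraform rejects as a duplicate module call, and `terraform_data.configure_database` references that ambiguous name.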
@@ -0,0 +1,35 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [custom\_master\_key\_spec](#input\_custom\_master\_key\_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC\_DEFAULT, RSA\_2048, RSA\_3072, RSA\_4096, HMAC\_256, ECC\_NIST\_P256, ECC\_NIST\_P384, ECC\_NIST\_P521, or ECC\_SECG\_P256K1. | `string` | `null` | no | +| [deletion\_window\_in\_days](#input\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. | `number` | `null` | no | +| [description](#input\_description) | The description of the key as viewed in AWS console. | `string` | `null` | no | +| [is\_enabled](#input\_is\_enabled) | Specifies whether the key is enabled. | `bool` | `null` | no | +| [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: ENCRYPT\_DECRYPT, SIGN\_VERIFY, GENERATE\_VERIFY\_MAC. | `string` | `null` | no | +| [multi\_region](#input\_multi\_region) | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. | `bool` | `null` | no | +| [tags](#input\_tags) | A map of tags to assign to the object. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | AWS KMS key | + \ No newline at end of file diff --git a/modules/aws-kms-key/main.tf b/modules/aws-kms-key/main.tf new file mode 100644 index 0000000..fad1072 
--- /dev/null
+++ b/modules/aws-kms-key/main.tf
@@ -0,0 +1,9 @@
+resource "aws_kms_key" "this" {
+ customer_master_key_spec = var.custom_master_key_spec
+ deletion_window_in_days = var.deletion_window_in_days
+ description = var.description
+ is_enabled = var.is_enabled
+ key_usage = var.key_usage
+ multi_region = var.multi_region
+ tags = var.tags
+}
diff --git a/modules/aws-kms-key/outputs.tf b/modules/aws-kms-key/outputs.tf
new file mode 100644
index 0000000..236cd0d
--- /dev/null
+++ b/modules/aws-kms-key/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS KMS key"
+ value = aws_kms_key.this
+}
diff --git a/modules/aws-kms-key/variables.tf b/modules/aws-kms-key/variables.tf
new file mode 100644
index 0000000..bb0d055
--- /dev/null
+++ b/modules/aws-kms-key/variables.tf
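Review bot: `aws_kms_key.this` never sets `enable_key_rotation`, and the module exposes no input for it, so a key created here to encrypt a database activity stream keeps its original key material indefinitely. Add `enable_key_rotation = var.enable_key_rotation` with a `bool` variable defaulting to `true`, noting in its description that AWS only permits automatic rotation on symmetric ENCRYPT_DECRYPT keys, so callers creating asymmetric or HMAC keys must pass `false`. There is also no `policy` input, which means every key gets the default key policy granting the account root full access; that is fine for an example but deserves a comment such as `# no policy input: key uses the AWS default (account-root) key policy`.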
@@ -0,0 +1,41 @@ +variable "custom_master_key_spec" { + description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1." + type = string + default = null +} + +variable "deletion_window_in_days" { + description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive." + type = number + default = null +} + +variable "description" { + description = "The description of the key as viewed in AWS console." + type = string + default = null +} + +variable "is_enabled" { + description = "Specifies whether the key is enabled." + type = bool + default = null +} + +variable "key_usage" { + description = "Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, GENERATE_VERIFY_MAC." + type = string + default = null +} + +variable "multi_region" { + description = " Indicates whether the KMS key is a multi-Region (true) or regional (false) key." + type = bool + default = null +} + +variable "tags" { + description = "A map of tags to assign to the object." + type = map(string) + default = null +} diff --git a/modules/aws-rds-cluster-activity-stream/README.md b/modules/aws-rds-cluster-activity-stream/README.md new file mode 100644 index 0000000..d43545c --- /dev/null +++ b/modules/aws-rds-cluster-activity-stream/README.md 
@@ -0,0 +1,32 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_rds_cluster_activity_stream.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_activity_stream) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [kms\_key\_id](#input\_kms\_key\_id) | The AWS KMS key identifier for encrypting messages in the database activity stream. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. | `string` | n/a | yes | +| [mode](#input\_mode) | Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async. | `string` | n/a | yes | +| [resource\_arn](#input\_resource\_arn) | The Amazon Resource Name (ARN) of the DB cluster | `string` | n/a | yes | +| [engine\_native\_audit\_fields\_included](#input\_engine\_native\_audit\_fields\_included) | Specifies whether the database activity stream includes engine-native audit fields. This option only applies to an Oracle DB instance. By default, no engine-native audit fields are included. | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | RDS cluster activity stream | + \ No newline at end of file diff --git a/modules/aws-rds-cluster-activity-stream/main.tf b/modules/aws-rds-cluster-activity-stream/main.tf new file mode 100644 index 0000000..62d69e9 --- /dev/null +++ b/modules/aws-rds-cluster-activity-stream/main.tf 
@@ -0,0 +1,6 @@
+resource "aws_rds_cluster_activity_stream" "this" {
+ resource_arn = var.resource_arn
+ mode = var.mode
+ kms_key_id = var.kms_key_id
+ engine_native_audit_fields_included = var.engine_native_audit_fields_included # oracle specific
+}
diff --git a/modules/aws-rds-cluster-activity-stream/outputs.tf b/modules/aws-rds-cluster-activity-stream/outputs.tf
new file mode 100644
index 0000000..3414fcc
--- /dev/null
+++ b/modules/aws-rds-cluster-activity-stream/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "RDS Cluster activity stream"
+ value = aws_rds_cluster_activity_stream.this
+}
diff --git a/modules/aws-rds-cluster-activity-stream/variables.tf b/modules/aws-rds-cluster-activity-stream/variables.tf
new file mode 100644
index 0000000..9f84a49
--- /dev/null
+++ b/modules/aws-rds-cluster-activity-stream/variables.tf
@@ -0,0 +1,24 @@
+variable "resource_arn" {
+ description = "The Amazon Resource Name (ARN) of the DB cluster"
+ type = string
+}
+
+variable "mode" {
+ description = "Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async."
+ type = string
+ validation {
+ condition = contains(["sync", "async"], var.mode)
+ error_message = "Invalid value, select either 'sync' or 'async'."
+ }
+}
+
+variable "kms_key_id" {
+ description = "The AWS KMS key identifier for encrypting messages in the database activity stream. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key."
+ type = string
+}
+
+variable "engine_native_audit_fields_included" {
+ description = "Specifies whether the database activity stream includes engine-native audit fields. This option only applies to an Oracle DB instance. By default, no engine-native audit fields are included."
+ type = string
+ default = null
+}
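Review bot: The `mode = var.mode` line carries no guidance on what the two accepted values mean for an audit feed, and the choice is security-relevant: per the RDS documentation, asynchronous streams favour database latency and may lose activity events under load, while synchronous streams block the session until the event is delivered. Add a comment on that line such as `# "sync" delivers every event at the cost of session latency; "async" may drop events under load` so callers wiring this into DSF choose deliberately. The inline comment `# oracle specific` on the last attribute would read better as `# Oracle only; ignored for Aurora engines`, which matches the variable's own description.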
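Review bot: `engine_native_audit_fields_included` is declared `type = string`, but the provider attribute it is passed to is a boolean, so anything other than a "true"/"false" string is only rejected at apply time rather than at plan time. Declare it `type = bool` with `default = null`, which also makes the README's type column self-explanatory. The `validation` block on `mode` is the right pattern; the same `contains([...])` check could be applied to `engine_native_audit_fields_included` if it stays a string.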
diff --git a/modules/aws-rds-cluster-instance/README.md b/modules/aws-rds-cluster-instance/README.md new file mode 100644 index 0000000..56337c1 --- /dev/null +++ b/modules/aws-rds-cluster-instance/README.md 
@@ -0,0 +1,37 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_rds_cluster_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes | +| [identifier](#input\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes | +| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [db\_engine](#input\_db\_engine) | Cluster engine e.g., aurora-mysql | `string` | `null` | no | +| [db\_instance\_class](#input\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `null` | no | +| [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [maintenance\_schedule](#input\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | +| [minor\_version\_upgrade](#input\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no | +| [publicly\_accessible](#input\_publicly\_accessible) | If instance is publicly accessible. 
Default false | `bool` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | aurora mysql cluster instance | + \ No newline at end of file diff --git a/modules/aws-rds-cluster-instance/main.tf b/modules/aws-rds-cluster-instance/main.tf new file mode 100644 index 0000000..5343fe1 --- /dev/null +++ b/modules/aws-rds-cluster-instance/main.tf @@ -0,0 +1,12 @@ +resource "aws_rds_cluster_instance" "this" { + + apply_immediately = var.apply_immediately + auto_minor_version_upgrade = var.minor_version_upgrade + cluster_identifier = var.cluster_id + db_subnet_group_name = var.db_subnet_group_name + identifier = var.identifier + instance_class = var.db_instance_class + engine = var.db_engine + preferred_maintenance_window = var.maintenance_schedule + publicly_accessible = var.publicly_accessible +} diff --git a/modules/aws-rds-cluster-instance/outputs.tf b/modules/aws-rds-cluster-instance/outputs.tf new file mode 100644 index 0000000..f57e416 --- /dev/null +++ b/modules/aws-rds-cluster-instance/outputs.tf @@ -0,0 +1,4 @@ +output "this" { + description = "Aurora MySQL Cluster instance" + value = aws_rds_cluster_instance.this +} diff --git a/modules/aws-rds-cluster-instance/variables.tf b/modules/aws-rds-cluster-instance/variables.tf new file mode 100644 index 0000000..597c46b --- /dev/null +++ b/modules/aws-rds-cluster-instance/variables.tf 
@@ -0,0 +1,52 @@ +variable "identifier" { + description = "The name of the aurora cluster instance" + type = string +} + +variable "db_engine" { + description = "Cluster engine e.g., aurora-mysql" + type = string + default = null +} + +variable "cluster_id" { + description = "The name of the RDS cluster" + type = string +} + +variable "publicly_accessible" { + description = "If instance is publicly accessible. Default false" + type = bool + default = null +} + +variable "db_subnet_group_name" { + description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available." + type = string + default = null +} + +variable "db_instance_class" { + description = "The instance type of the RDS cluster. Example: 'db.t3.micro'" + type = string + default = null +} + +variable "maintenance_schedule" { + description = "Weekly time range during which system maintenance can occur, in (UTC)." + type = string + default = null +} + +variable "apply_immediately" { + description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true" + type = bool + default = null +} + +variable "minor_version_upgrade" { + description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window." + type = bool + default = null +} + diff --git a/modules/aws-rds-cluster-parameter-group/README.md b/modules/aws-rds-cluster-parameter-group/README.md new file mode 100644 index 0000000..39682ab --- /dev/null +++ b/modules/aws-rds-cluster-parameter-group/README.md 
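Review bot: The description of `apply_immediately` says "Default is true", but the module's own default is `null`, which falls through to the provider default, and for `aws_rds_cluster_instance` that is false as far as I recall; a caller reading the README would expect immediate application and instead get changes deferred to the maintenance window. Reword the description to state what this module actually does, e.g. `Specifies whether modifications are applied immediately or during the next maintenance window. When unset, the provider default applies.`, and do the same for `publicly_accessible` and `minor_version_upgrade`, whose "Default" wording also describes the provider rather than this module.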
@@ -0,0 +1,33 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_rds_cluster_parameter_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_parameter_group) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [family](#input\_family) | The family of the DB cluster parameter group. | `string` | n/a | yes | +| [name](#input\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | +| [description](#input\_description) | The description of the DB cluster parameter group. | `string` | `null` | no | +| [parameters](#input\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
| `null` | no | +| [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | AWS RDS cluster parameter group | + \ No newline at end of file diff --git a/modules/aws-rds-cluster-parameter-group/main.tf b/modules/aws-rds-cluster-parameter-group/main.tf new file mode 100644 index 0000000..3b3bc5d --- /dev/null +++ b/modules/aws-rds-cluster-parameter-group/main.tf @@ -0,0 +1,15 @@ +resource "aws_rds_cluster_parameter_group" "this" { + name = var.name + family = var.family + description = var.description + + dynamic "parameter" { + for_each = var.parameters + + content { + name = parameter.value.name + value = parameter.value.value + apply_method = parameter.value.apply_method != null ? parameter.value.apply_method : null + } + } +} \ No newline at end of file diff --git a/modules/aws-rds-cluster-parameter-group/outputs.tf b/modules/aws-rds-cluster-parameter-group/outputs.tf new file mode 100644 index 0000000..eb47aeb --- /dev/null +++ b/modules/aws-rds-cluster-parameter-group/outputs.tf @@ -0,0 +1,4 @@ +output "this" { + description = "AWS RDS cluster parameter group" + value = aws_rds_cluster_parameter_group.this +} \ No newline at end of file diff --git a/modules/aws-rds-cluster-parameter-group/variables.tf b/modules/aws-rds-cluster-parameter-group/variables.tf new file mode 100644 index 0000000..e6da6c7 --- /dev/null +++ b/modules/aws-rds-cluster-parameter-group/variables.tf 
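Review bot: `var.tags` is declared in variables.tf and documented in the README, but `aws_rds_cluster_parameter_group.this` never sets `tags = var.tags`, so tags supplied by callers are silently dropped; add that line to the resource. `apply_method = parameter.value.apply_method != null ? parameter.value.apply_method : null` is a no-op ternary, and because the object type already defaults `apply_method` to "immediate" the null branch is unreachable, so `apply_method = parameter.value.apply_method` is equivalent. Also, `for_each = var.parameters` combined with the variable's `default = null` errors inside a `dynamic` block as far as I recall; `for_each = var.parameters == null ? [] : var.parameters` (or defaulting the variable to `[]`) avoids that.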
@@ -0,0 +1,33 @@ +variable "name" { + description = "The name of the DB cluster parameter group" + type = string +} + +variable "family" { + description = "The family of the DB cluster parameter group." + type = string +} + +variable "description" { + description = "The description of the DB cluster parameter group." + type = string + default = null +} + +variable "parameters" { + description = "List of objects containing parameters for the DB cluster parameter group." + type = list( + object({ + name = string + apply_method = optional(string, "immediate") + value = any + }) + ) + default = null +} + +variable "tags" { + description = "A map of tags to assign to the resource." + type = map(string) + default = null +} diff --git a/modules/aws-rds-cluster/README.md b/modules/aws-rds-cluster/README.md new file mode 100644 index 0000000..20d5064 --- /dev/null +++ b/modules/aws-rds-cluster/README.md 
@@ -0,0 +1,43 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_rds_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes | +| [db\_master\_password](#input\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [db\_master\_username](#input\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes | +| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [backup\_retention](#input\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no | +| [db\_enabled\_cloudwatch\_logs\_exports](#input\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` | `null` | no | +| [db\_engine](#input\_db\_engine) | Cluster engine e.g., aurora-mysql | `string` | `null` | no | +| [db\_engine\_version](#input\_db\_engine\_version) | Database engine version, e.g., 8.0.mysql\_aurora.3.05.1 | `string` | `null` | no | +| [db\_port](#input\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no | +| [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | Name of DB subnet group. 
DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [final\_snapshot](#input\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `null` | no | +| [maintenance\_schedule](#input\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | +| [network\_type](#input\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `null` | no | +| [parameter\_group\_name](#input\_parameter\_group\_name) | Cluster parameter group associated with the cluster | `string` | `null` | no | +| [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | Aurora Mysql cluster | + \ No newline at end of file diff --git a/modules/aws-rds-cluster/main.tf b/modules/aws-rds-cluster/main.tf new file mode 100644 index 0000000..88e1a8a --- /dev/null +++ b/modules/aws-rds-cluster/main.tf 
@@ -0,0 +1,25 @@
+resource "aws_rds_cluster" "this" {
+
+ # Cluster settings
+ cluster_identifier = var.cluster_id
+ engine = var.db_engine
+ engine_version = var.db_engine_version
+ port = var.db_port
+ backup_retention_period = var.backup_retention
+ preferred_maintenance_window = var.maintenance_schedule
+ skip_final_snapshot = var.final_snapshot
+
+ # credentials
+ master_username = var.db_master_username
+ master_password = var.db_master_password
+
+ # network
+ network_type = var.network_type
+ db_subnet_group_name = var.db_subnet_group_name
+ vpc_security_group_ids = var.vpc_security_group_ids
+
+ # audit
+ enabled_cloudwatch_logs_exports = var.db_enabled_cloudwatch_logs_exports
+ db_cluster_parameter_group_name = var.parameter_group_name
+ apply_immediately = var.apply_immediately
+}
diff --git a/modules/aws-rds-cluster/outputs.tf b/modules/aws-rds-cluster/outputs.tf
new file mode 100644
index 0000000..552ac2a
--- /dev/null
+++ b/modules/aws-rds-cluster/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "Aurora MySQL cluster"
+ value = aws_rds_cluster.this
+}
diff --git a/modules/aws-rds-cluster/variables.tf b/modules/aws-rds-cluster/variables.tf
new file mode 100644
index 0000000..eae236f
--- /dev/null
+++ b/modules/aws-rds-cluster/variables.tf
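Review bot: `skip_final_snapshot = var.final_snapshot` inverts what the input name suggests: a caller passing `final_snapshot = true` (as the example does with `cluster_final_snapshot = true`) gets no final snapshot on destroy, because the value goes straight into `skip_final_snapshot`. Either rename the input to `skip_final_snapshot` or pass `skip_final_snapshot = !var.final_snapshot` and fix the description to match. For a cluster whose whole purpose is audited access, the resource also leaves `storage_encrypted`, `kms_key_id`, `deletion_protection` and `iam_database_authentication_enabled` at provider defaults with no way for callers to set them; at minimum `storage_encrypted` and `deletion_protection` should be exposed as inputs, since the provider default for `storage_encrypted` is false as far as I recall. Passing `master_password` in plaintext rather than offering `manage_master_user_password` also means the secret lands in state, as the variable's own description acknowledges.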
@@ -0,0 +1,86 @@ +variable "db_enabled_cloudwatch_logs_exports" { + description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery." + type = list(any) + default = null +} + +variable "db_engine" { + description = "Cluster engine e.g., aurora-mysql" + type = string + default = null +} +variable "db_engine_version" { + description = "Database engine version, e.g., 8.0.mysql_aurora.3.05.1" + type = string + default = null +} + +variable "cluster_id" { + description = "The name of the RDS cluster" + type = string +} + + +variable "backup_retention" { + description = "Days to retain backups for, Default is 1 day." + type = number + default = null +} + +variable "db_master_username" { + description = "Username for the master DB user, must not use rdsadmin as that is reserved." + type = string +} + +variable "db_master_password" { + description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true" + type = string +} + +variable "network_type" { + description = " Network type of the cluster. Valid values: IPV4, DUAL" + type = string + default = null +} + +variable "db_subnet_group_name" { + description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available." + type = string + default = null +} + +variable "vpc_security_group_ids" { + description = "List of VPC security groups to associate." + type = list(any) + default = null +} + +variable "maintenance_schedule" { + description = "Weekly time range during which system maintenance can occur, in (UTC)." + type = string + default = null +} + +variable "final_snapshot" { + description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. 
If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false" + type = bool + default = null +} + +variable "db_port" { + description = "Port on which the DB accepts connections." + type = number + default = null +} + +variable "apply_immediately" { + description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true" + type = bool + default = null +} + +variable "parameter_group_name" { + description = "Cluster parameter group associated with the cluster" + type = string + default = null +} diff --git a/modules/dsfhub-aws-kinesis/README.md b/modules/dsfhub-aws-kinesis/README.md new file mode 100644 index 0000000..ab294b4 --- /dev/null +++ b/modules/dsfhub-aws-kinesis/README.md 
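Review bot: `db_master_password` is declared without `sensitive = true`, so the value is printed in plan and apply output, and because `output "this"` in this module exports the whole `aws_rds_cluster` resource, the password is also exposed through the module's output. Add `sensitive = true` to the variable; Terraform will then require `output "this"` to be marked sensitive as well, which is the right outcome. The `final_snapshot` description is copied from the provider's `skip_final_snapshot` and says that `true` means no snapshot is created, contradicting the variable's name, so the name and the description need to be aligned one way or the other.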
@@ -0,0 +1,37 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_log_aggregator.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/log_aggregator) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [admin\_email](#input\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes |
+| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes |
+| [asset\_id](#input\_asset\_id) | AWS kinesis stream ARN | `string` | n/a | yes |
+| [gateway\_id](#input\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id that contains this asset (e.g. Asset ID of the database sending audit events). The parent must either be an AWS account, or have a parent which is an AWS account. | `string` | n/a | yes |
+| [audit\_pull\_enabled](#input\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no |
+| [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no |
+| [reason](#input\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no |
+| [region](#input\_region) | AWS region of the kinesis stream | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS Kinesis asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-kinesis/main.tf b/modules/dsfhub-aws-kinesis/main.tf
new file mode 100644
index 0000000..511981e
--- /dev/null
+++ b/modules/dsfhub-aws-kinesis/main.tf
@@ -0,0 +1,27 @@
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ }
+ }
+}
+
+resource "dsfhub_log_aggregator" "this" {
+ server_type = "AWS KINESIS"
+
+ admin_email = var.admin_email
+ asset_display_name = var.asset_display_name
+ asset_id = var.asset_id
+ audit_pull_enabled = var.audit_pull_enabled
+ audit_type = var.audit_type
+ gateway_id = var.gateway_id
+ parent_asset_id = var.parent_asset_id
+
+ asset_connection {
+ auth_mechanism = "default"
+
+ reason = var.reason
+ region = var.region
+
+ }
+}
diff --git a/modules/dsfhub-aws-kinesis/outputs.tf b/modules/dsfhub-aws-kinesis/outputs.tf
new file mode 100644
index 0000000..db98ba8
--- /dev/null
+++ b/modules/dsfhub-aws-kinesis/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS Kinesis asset"
+ value = dsfhub_log_aggregator.this
+}
diff --git a/modules/dsfhub-aws-kinesis/variables.tf b/modules/dsfhub-aws-kinesis/variables.tf
new file mode 100644
index 0000000..ca26f91
--- /dev/null
+++ b/modules/dsfhub-aws-kinesis/variables.tf
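Review bot: The `required_providers` block pins `imperva/dsfhub` by `source` only, with no `version` constraint, so each `terraform init` resolves whatever the newest provider release is and a future major release can change the `dsfhub_log_aggregator` schema underneath this module without any change here. Adding a constraint next to `source`, e.g. `version = "~> <TESTED_MAJOR.MINOR>"` (the version these modules were validated against), keeps the resolved provider reproducible and lets upgrades be deliberate. The `terraform {}` blocks in the aurora-mysql-cluster and aurora-postgresql-cluster main.tf hunks further down have the same gap.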
@@ -0,0 +1,48 @@
+variable "admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "asset_display_name" {
+ description = "User-friendly name of the asset, defined by user"
+ type = string
+}
+
+variable "asset_id" {
+ description = "AWS kinesis stream ARN"
+ type = string
+}
+
+variable "audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = false
+}
+
+variable "audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = null
+}
+
+variable "gateway_id" {
+ description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'."
+ type = string
+}
+
+variable "parent_asset_id" {
+ description = "The asset_id that contains this asset (e.g. Asset ID of the database sending audit events). The parent must either be an AWS account, or have a parent which is an AWS account."
+ type = string
+}
+
+variable "reason" {
+ description = "Used to differentiate connections that belong to the same asset"
+ type = string
+ default = "default"
+}
+
+variable "region" {
+ description = "AWS region of the kinesis stream"
+ type = string
+ default = null
+}
diff --git a/modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md b/modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md
new file mode 100644
index 0000000..4513be6
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md
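Review bot: `asset_id` is documented as the Kinesis stream ARN but accepts any string, and the onboard module builds this value by string interpolation, so a malformed ARN is only discovered after the log aggregator asset has been registered in DSF Hub. A `validation` block on the variable, `condition = can(regex("^arn:aws[a-z-]*:kinesis:", var.asset_id))` with `error_message = "asset_id must be a Kinesis stream ARN."`, would surface that at plan time while still admitting the non-commercial partitions. `audit_type` likewise takes any string although the caller in this commit passes only `"KINESIS"`; if the provider accepts a fixed set here, a validation of the same shape would be worth adding.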
@@ -0,0 +1,39 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes |
+| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:rds:us-east-2:123456790:cluster:db-name" | `string` | n/a | yes |
+| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes |
+| [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection | `string` | `null` | no |
+| [password](#input\_password) | User's password | `string` | `null` | no |
+| [region](#input\_region) | AWS region containing the cluster. | `string` | `null` | no |
+| [server\_host\_name](#input\_server\_host\_name) | Endpoint URL | `string` | `null` | no |
+| [server\_port](#input\_server\_port) | Port of the cluster for connection | `string` | `null` | no |
+| [username](#input\_username) | Username to connect to the cluster with | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | Aurora Mysql cluster DSF asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-rds-aurora-mysql-cluster/main.tf b/modules/dsfhub-aws-rds-aurora-mysql-cluster/main.tf
new file mode 100644
index 0000000..c106077
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-mysql-cluster/main.tf
@@ -0,0 +1,32 @@
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ }
+ }
+}
+
+resource "dsfhub_data_source" "this" {
+ server_type = "AWS RDS AURORA MYSQL CLUSTER"
+
+ admin_email = var.admin_email
+ asset_display_name = var.asset_display_name
+ asset_id = var.asset_id
+ gateway_id = var.gateway_id
+ server_host_name = var.server_host_name
+ parent_asset_id = var.parent_asset_id
+ region = var.region
+ server_port = var.server_port
+
+ dynamic "asset_connection" {
+ # If auth_mechanism is not defined, do not create a connection
+ for_each = var.auth_mechanism != null ? [0] : []
+
+ content {
+ auth_mechanism = var.auth_mechanism != null ? var.auth_mechanism : null
+ username = var.username
+ password = var.password
+ reason = "default"
+ }
+ }
+}
diff --git a/modules/dsfhub-aws-rds-aurora-mysql-cluster/outputs.tf b/modules/dsfhub-aws-rds-aurora-mysql-cluster/outputs.tf
new file mode 100644
index 0000000..8c46e7f
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-mysql-cluster/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "Aurora MySQL cluster DSF asset"
+ value = dsfhub_data_source.this
+}
diff --git a/modules/dsfhub-aws-rds-aurora-mysql-cluster/variables.tf b/modules/dsfhub-aws-rds-aurora-mysql-cluster/variables.tf
new file mode 100644
index 0000000..30ca5a2
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-mysql-cluster/variables.tf
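Review bot: Inside `content { … }` the expression `auth_mechanism = var.auth_mechanism != null ? var.auth_mechanism : null` is redundant, because the `for_each` two lines above already yields no block when `var.auth_mechanism` is null; `auth_mechanism = var.auth_mechanism` states the same thing without the dead branch. The `this` output in the outputs.tf hunk on this line returns the whole `dsfhub_data_source.this` object, which includes `asset_connection.password`; unless the provider schema marks that attribute sensitive (not visible here), the password will be rendered in the calling root's plan and copied into its state, so either add `sensitive = true` to the output or confirm the provider redacts it. The aurora-postgresql-cluster main.tf and outputs.tf hunks further down carry the same two points.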
@@ -0,0 +1,68 @@
+variable "admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "asset_display_name" {
+ description = "User-friendly name of the asset, defined by user"
+ type = string
+}
+
+variable "asset_id" {
+ description = "AWS ARN, e.g. \"arn:aws:rds:us-east-2:123456790:cluster:db-name\""
+ type = string
+}
+
+variable "auth_mechanism" {
+ description = "Specifies the auth mechanism used by the connection"
+ type = string
+ default = null
+ validation {
+ condition = (
+ # auth_mechanism can either be null, or one of the supported values
+ var.auth_mechanism == null ||
+ can(contains(["password"], var.auth_mechanism))
+ )
+ error_message = "Incorrect auth_mechanism. Supported auth_mechanisms: password."
+ }
+}
+
+variable "parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+}
+
+variable "region" {
+ description = "AWS region containing the cluster."
+ type = string
+ default = null
+}
+
+variable "server_host_name" {
+ description = "Endpoint URL"
+ type = string
+ default = null
+}
+
+variable "server_port" {
+ description = "Port of the cluster for connection"
+ type = string
+ default = null
+}
+
+variable "gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "username" {
+ description = "Username to use to connect to the cluster."
+ type = string
+ default = null
+}
+
+variable "password" {
+ description = "User's password"
+ type = string
+ default = null
+}
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md
new file mode 100644
index 0000000..e8a0fc8
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md
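Review bot: The `auth_mechanism` validation never rejects anything: `contains(["password"], var.auth_mechanism)` returns `false` for an unsupported value rather than raising an error, and `can()` maps any error-free evaluation to `true`, so the whole condition is always `true` and the `error_message` is unreachable. Dropping the wrapper fixes it: `var.auth_mechanism == null || contains(["password"], var.auth_mechanism)`. The `password` variable should also carry `sensitive = true` so the credential is redacted from plan output rather than only from whatever the provider redacts. The aurora-postgresql-cluster variables.tf hunk below has the identical validation and `password` block.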
@@ -0,0 +1,40 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes |
+| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:rds:us-east-2:123456790:cluster:db-name" | `string` | n/a | yes |
+| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes |
+| [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no |
+| [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection | `string` | `null` | no |
+| [password](#input\_password) | User's password | `string` | `null` | no |
+| [region](#input\_region) | AWS region containing the cluster. | `string` | `null` | no |
+| [server\_host\_name](#input\_server\_host\_name) | Endpoint URL | `string` | `null` | no |
+| [server\_port](#input\_server\_port) | Port of the cluster for connection | `string` | `null` | no |
+| [username](#input\_username) | Username to connect to the cluster with | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | Aurora PostgreSQL DSF asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/main.tf b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/main.tf
new file mode 100644
index 0000000..53b444f
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/main.tf
@@ -0,0 +1,33 @@
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ }
+ }
+}
+
+resource "dsfhub_data_source" "this" {
+ server_type = "AWS RDS AURORA POSTGRESQL CLUSTER"
+
+ admin_email = var.admin_email
+ asset_display_name = var.asset_display_name
+ asset_id = var.asset_id
+ audit_type = var.audit_type
+ gateway_id = var.gateway_id
+ server_host_name = var.server_host_name
+ parent_asset_id = var.parent_asset_id
+ region = var.region
+ server_port = var.server_port
+
+ dynamic "asset_connection" {
+ # If auth_mechanism is not defined, do not create a connection
+ for_each = var.auth_mechanism != null ? [0] : []
+
+ content {
+ auth_mechanism = var.auth_mechanism != null ? var.auth_mechanism : null
+ username = var.username
+ password = var.password
+ reason = "default"
+ }
+ }
+}
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf
new file mode 100644
index 0000000..555a870
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "Aurora PostgreSQL DSF asset"
+ value = dsfhub_data_source.this
+}
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/variables.tf b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/variables.tf
new file mode 100644
index 0000000..5280ea6
--- /dev/null
+++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/variables.tf
@@ -0,0 +1,74 @@
+variable "admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "asset_display_name" {
+ description = "User-friendly name of the asset, defined by user"
+ type = string
+}
+
+variable "asset_id" {
+ description = "AWS ARN, e.g. \"arn:aws:rds:us-east-2:123456790:cluster:db-name\""
+ type = string
+}
+
+variable "audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = null
+}
+
+variable "auth_mechanism" {
+ description = "Specifies the auth mechanism used by the connection"
+ type = string
+ default = null
+ validation {
+ condition = (
+ # auth_mechanism can either be null, or one of the supported values
+ var.auth_mechanism == null ||
+ can(contains(["password"], var.auth_mechanism))
+ )
+ error_message = "Incorrect auth_mechanism. Supported auth_mechanisms: password."
+ }
+}
+
+variable "parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+}
+
+variable "region" {
+ description = "AWS region containing the cluster."
+ type = string
+ default = null
+}
+
+variable "server_host_name" {
+ description = "Endpoint URL"
+ type = string
+ default = null
+}
+
+variable "server_port" {
+ description = "Port of the cluster for connection"
+ type = string
+ default = null
+}
+
+variable "gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "username" {
+ description = "Username to use to connect to the cluster."
+ type = string
+ default = null
+}
+
+variable "password" {
+ description = "User's password"
+ type = string
+ default = null
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md b/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md
new file mode 100644
index 0000000..e49f332
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md
@@ -0,0 +1,89 @@
+# onboard-aws-rds-aurora-mysql-kinesis
+Onboard Amazon Aurora MySQL to DSF Hub using a kinesis stream.
+
+## Notes
+There is one prerequisite for using this module:
+1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from Kinesis streams.
+
+See the corresponding example for more details.
+
+
+
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [aurora-mysql-cluster](#module\_aurora-mysql-cluster) | ../aws-rds-cluster | n/a |
+| [aurora-mysql-cluster-activity-stream](#module\_aurora-mysql-cluster-activity-stream) | ../aws-rds-cluster-activity-stream | n/a |
+| [aurora-mysql-instance](#module\_aurora-mysql-instance) | ../aws-rds-cluster-instance | n/a |
+| [aws-kinesis-asset](#module\_aws-kinesis-asset) | ../dsfhub-aws-kinesis | n/a |
+| [aws-kms-key](#module\_aws-kms-key) | ../aws-kms-key | n/a |
+| [aws-rds-aurora-mysql-cluster-asset](#module\_aws-rds-aurora-mysql-cluster-asset) | ../dsfhub-aws-rds-aurora-mysql-cluster | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.aurora_mysql_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [aws\_aurora\_mysql\_cluster\_admin\_email](#input\_aws\_aurora\_mysql\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [aws\_aurora\_mysql\_cluster\_gateway\_id](#input\_aws\_aurora\_mysql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [aws\_aurora\_mysql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_mysql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes |
+| [aws\_kinesis\_admin\_email](#input\_aws\_kinesis\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes |
+| [aws\_kinesis\_gateway\_id](#input\_aws\_kinesis\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes |
+| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes |
+| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes |
+| [cluster\_id](#input\_cluster\_id) | The name of the Aurora MySQL cluster | `string` | n/a | yes |
+| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes |
+| [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the cluster. | `string` | `null` | no |
+| [aws\_kinesis\_audit\_pull\_enabled](#input\_aws\_kinesis\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no |
+| [aws\_kinesis\_reason](#input\_aws\_kinesis\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no |
+| [aws\_kinesis\_region](#input\_aws\_kinesis\_region) | AWS region of the kinesis stream | `string` | `null` | no |
+| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no |
+| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no |
+| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` | `null` | no |
+| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, i.e. 8.0.mysql\_aurora.3.05.1 | `string` | `null` | no |
+| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no |
+| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no |
+| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `null` | no |
+| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no |
+| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `null` | no |
+| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | Cluster parameter group associated with the cluster | `string` | `null` | no |
+| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no |
+| [db\_instance\_class](#input\_db\_instance\_class) | The instance type of the RDS cluster. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes. | `string` | `"db.r5.large"` | no |
+| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `true` | no |
+| [instance\_maintenance\_schedule](#input\_instance\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no |
+| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no |
+| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `null` | no |
+| [key\_custom\_master\_key\_spec](#input\_key\_custom\_master\_key\_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC\_DEFAULT, RSA\_2048, RSA\_3072, RSA\_4096, HMAC\_256, ECC\_NIST\_P256, ECC\_NIST\_P384, ECC\_NIST\_P521, or ECC\_SECG\_P256K1. | `string` | `"SYMMETRIC_DEFAULT"` | no |
+| [key\_deletion\_window\_in\_days](#input\_key\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. | `number` | `30` | no |
+| [key\_description](#input\_key\_description) | The description of the key as viewed in AWS console. | `string` | `"AWS KMS Key to encrypt Aurora Mysql Database Activity Stream."` | no |
+| [key\_is\_enabled](#input\_key\_is\_enabled) | Specifies whether the key is enabled. | `bool` | `true` | no |
+| [key\_multi\_region](#input\_key\_multi\_region) | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. | `bool` | `false` | no |
+| [key\_tags](#input\_key\_tags) | A map of tags to assign to the object. | `map(string)` | `null` | no |
+| [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: ENCRYPT\_DECRYPT, SIGN\_VERIFY, GENERATE\_VERIFY\_MAC. | `string` | `"ENCRYPT_DECRYPT"` | no |
+| [stream\_mode](#input\_stream\_mode) | Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async. | `string` | `"async"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [activity\_stream](#output\_activity\_stream) | Aurora MySQL kinesis activity stream |
+| [aws\_kinesis\_asset](#output\_aws\_kinesis\_asset) | AWS Kinesis stream asset |
+| [aws\_rds\_aurora\_mysql\_cluster\_asset](#output\_aws\_rds\_aurora\_mysql\_cluster\_asset) | Aurora MySQL cluster asset |
+| [cluster](#output\_cluster) | Aurora MySQL Cluster |
+| [instance](#output\_instance) | Aurora MySQL Cluster instance |
+| [kms\_key](#output\_kms\_key) | AWS KMS Key |
+
\ No newline at end of file
diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/main.tf b/modules/onboard-aws-rds-aurora-mysql-kinesis/main.tf
new file mode 100644
index 0000000..f3def54
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/main.tf
@@ -0,0 +1,87 @@
+module "aurora-mysql-cluster" {
+ source = "../aws-rds-cluster"
+
+ apply_immediately = var.cluster_apply_immediately
+ backup_retention = var.cluster_backup_retention
+ cluster_id = var.cluster_id
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ db_engine = "aurora-mysql"
+ db_engine_version = var.cluster_db_engine_version
+ db_master_password = var.cluster_db_master_password
+ db_master_username = var.cluster_db_master_username
+ db_port = var.cluster_db_port
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ final_snapshot = var.cluster_final_snapshot
+ maintenance_schedule = var.cluster_maintenance_schedule
+ network_type = var.cluster_network_type
+ parameter_group_name = var.cluster_parameter_group_name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+}
+
+module "aurora-mysql-instance" {
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.instance_apply_immediately
+ cluster_id = module.aurora-mysql-cluster.this.cluster_identifier
+ db_engine = "aurora-mysql"
+ db_instance_class = var.db_instance_class
+ db_subnet_group_name = module.aurora-mysql-cluster.this.db_subnet_group_name
+ identifier = var.instance_identifier
+ maintenance_schedule = var.instance_maintenance_schedule
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aws-kms-key" {
+ source = "../aws-kms-key"
+
+ custom_master_key_spec = var.key_custom_master_key_spec
+ deletion_window_in_days = var.key_deletion_window_in_days
+ description = var.key_description
+ is_enabled = var.key_is_enabled
+ key_usage = var.key_usage
+ multi_region = var.key_multi_region
+ tags = var.key_tags
+}
+
+module "aurora-mysql-cluster-activity-stream" {
+ source = "../aws-rds-cluster-activity-stream"
+
+ engine_native_audit_fields_included = false
+ kms_key_id = module.aws-kms-key.this.arn
+ mode = var.stream_mode
+ resource_arn = module.aurora-mysql-cluster.this.arn
+}
+
+module "aws-rds-aurora-mysql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-mysql-cluster"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-cluster.this.cluster_identifier
+ asset_id = module.aurora-mysql-cluster.this.arn
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ parent_asset_id = var.aws_aurora_mysql_cluster_parent_asset_id
+ region = var.aws_aurora_mysql_cluster_region
+ server_host_name = module.aurora-mysql-cluster.this.endpoint
+ server_port = module.aurora-mysql-cluster.this.port
+}
+
+# Collect region and account info for kinesis asset_id
+data "aws_region" "current" {}
+data "aws_arn" "aurora_mysql_cluster" {
+ arn = module.aurora-mysql-cluster.this.arn
+}
+
+module "aws-kinesis-asset" {
+ source = "../dsfhub-aws-kinesis"
+
+ admin_email = var.aws_kinesis_admin_email
+ asset_display_name = "AWS Kinesis - ${module.aurora-mysql-cluster-activity-stream.this.kinesis_stream_name}"
+ asset_id = "arn:aws:kinesis:${data.aws_region.current.name}:${data.aws_arn.aurora_mysql_cluster.account}:stream/${module.aurora-mysql-cluster-activity-stream.this.kinesis_stream_name}"
+ audit_pull_enabled = var.aws_kinesis_audit_pull_enabled
+ audit_type = "KINESIS"
+ gateway_id = var.aws_kinesis_gateway_id
+ parent_asset_id = module.aws-rds-aurora-mysql-cluster-asset.this.asset_id
+ reason = var.aws_kinesis_reason
+ region = var.aws_kinesis_region
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/outputs.tf b/modules/onboard-aws-rds-aurora-mysql-kinesis/outputs.tf
new file mode 100644
index 0000000..d3fcba7
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/outputs.tf
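Review bot: The Kinesis `asset_id` in `module "aws-kinesis-asset"` hard-codes the `arn:aws:` partition and takes the region from the provider's `data.aws_region.current`, while the cluster ARN already parsed by `data.aws_arn.aurora_mysql_cluster` carries both the partition and the region the stream actually lives in; building the ARN from the parsed values keeps the asset id correct in non-commercial partitions and when the provider region differs from the cluster's: `asset_id = "arn:${data.aws_arn.aurora_mysql_cluster.partition}:kinesis:${data.aws_arn.aurora_mysql_cluster.region}:${data.aws_arn.aurora_mysql_cluster.account}:stream/${module.aurora-mysql-cluster-activity-stream.this.kinesis_stream_name}"`, after which `data "aws_region" "current" {}` becomes unused. `engine_native_audit_fields_included = false` is fixed with no explanation of the choice; a one-line comment such as `# native audit fields are left out of the stream — confirm this matches what the DSF Kinesis collector expects` would tell the next maintainer whether it is a deliberate constraint or a default that could become a variable. The module also passes `module.aws-kms-key.this.arn` as `kms_key_id` without restricting `var.key_usage`/`var.key_custom_master_key_spec` to the symmetric encrypt/decrypt key the activity stream requires, so a caller choosing a signing spec only finds out at apply time.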
@@ -0,0 +1,29 @@
+output "cluster" {
+ description = "Aurora MySQL Cluster"
+ value = module.aurora-mysql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora MySQL Cluster instance"
+ value = module.aurora-mysql-instance.this
+}
+
+output "kms_key" {
+ description = "AWS KMS Key"
+ value = module.aws-kms-key.this
+}
+
+output "activity_stream" {
+ description = "Aurora MySQL kinesis activity stream"
+ value = module.aurora-mysql-cluster-activity-stream.this
+}
+
+output "aws_rds_aurora_mysql_cluster_asset" {
+ description = "Aurora MySQL cluster asset"
+ value = module.aws-rds-aurora-mysql-cluster-asset.this
+}
+
+output "aws_kinesis_asset" {
+ description = "AWS Kinesis stream asset"
+ value = module.aws-kinesis-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf b/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf
new file mode 100644
index 0000000..0232784
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf
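Review bot: `output "cluster"` returns the whole `module.aurora-mysql-cluster.this` object; if that module's `this` output is the raw cluster resource (its outputs.tf is not in this chunk), the object carries the master password attribute the provider marks sensitive, and Terraform will refuse to plan a root that consumes this output until it, and the upstream one, are declared `sensitive = true`. The `aws_rds_aurora_mysql_cluster_asset` and `aws_kinesis_asset` outputs likewise re-export entire DSF asset objects, including any `asset_connection` credentials they hold. Exposing only the attributes callers need (for instance `arn`, `endpoint`, `port` and `asset_id`) would avoid both the plan error and leaking secrets through root outputs and state.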
@@ -0,0 +1,228 @@
+variable "aws_aurora_mysql_cluster_admin_email" {
+  description = "The email address to notify about this asset"
+  type = string
+}
+
+variable "aws_aurora_mysql_cluster_parent_asset_id" {
+  description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+  type = string
+}
+
+variable "aws_aurora_mysql_cluster_region" {
+  description = "AWS region containing the cluster."
+  type = string
+  default = null
+}
+
+variable "aws_aurora_mysql_cluster_gateway_id" {
+  description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+  type = string
+}
+
+variable "aws_kinesis_admin_email" {
+  description = "The email address to notify about the asset."
+  type = string
+}
+
+variable "aws_kinesis_audit_pull_enabled" {
+  description = "If true, sonargateway will collect the audit logs for this system if it can."
+  type = bool
+  default = false
+}
+
+variable "aws_kinesis_gateway_id" {
+  description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'."
+  type = string
+}
+
+variable "aws_kinesis_reason" {
+  description = "Used to differentiate connections that belong to the same asset"
+  type = string
+  default = "default"
+}
+
+variable "aws_kinesis_region" {
+  description = "AWS region of the kinesis stream"
+  type = string
+  default = null
+}
+
+variable "cluster_db_enabled_cloudwatch_logs_exports" {
+  description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+  type = list(any)
+  default = null
+}
+
+variable "cluster_db_engine_version" {
+  description = "Database engine version, i.e. 8.0.mysql_aurora.3.05.1"
+  type = string
+  default = null
+}
+
+variable "cluster_id" {
+  description = "The name of the Aurora MySQL cluster"
+  type = string
+}
+
+variable "cluster_backup_retention" {
+  description = "Days to retain backups for, Default is 1 day."
+  type = number
+  default = null
+}
+
+variable "cluster_db_master_username" {
+  description = "Username for the master DB user, must not use rdsadmin as that is reserved."
+  type = string
+}
+
+variable "cluster_db_master_password" {
+  description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+  type = string
+}
+
+variable "cluster_network_type" {
+  description = " Network type of the cluster. Valid values: IPV4, DUAL"
+  type = string
+  default = null
+}
+
+variable "cluster_db_subnet_group_name" {
+  description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+  type = string
+  default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+  description = "List of VPC security groups to associate."
+  type = list(any)
+  default = null
+}
+
+variable "cluster_maintenance_schedule" {
+  description = "Weekly time range during which system maintenance can occur, in (UTC)."
+  type = string
+  default = null
+}
+
+variable "cluster_final_snapshot" {
+  description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+  type = bool
+  default = null
+}
+
+variable "cluster_db_port" {
+  description = "Port on which the DB accepts connections."
+  type = number
+  default = null
+}
+
+variable "cluster_apply_immediately" {
+  description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+  type = bool
+  default = null
+}
+
+variable "cluster_parameter_group_name" {
+  description = "Cluster parameter group associated with the cluster"
+  type = string
+  default = null
+}
+
+variable "instance_identifier" {
+  description = "The name of the aurora mysql cluster instance"
+  type = string
+}
+
+variable "instance_publicly_accessible" {
+  description = "If instance is publicly accessible. Default false"
+  type = bool
+  default = null
+}
+
+variable "db_instance_class" {
+  description = "The instance type of the RDS cluster. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes."
+  type = string
+  default = "db.r5.large"
+  validation {
+    # Class must be one of supported for database activity streams
+    condition = (
+      can(regex("^db.r7g.*large$", var.db_instance_class)) ||
+      can(regex("^db.r6g.*large$", var.db_instance_class)) ||
+      can(regex("^db.r6i.*large$", var.db_instance_class)) ||
+      can(regex("^db.r5.*large$", var.db_instance_class)) ||
+      can(regex("^db.x2g.*$", var.db_instance_class))
+    )
+    error_message = "Invalid instance class for database activity streams. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes."
+  }
+}
+
+variable "instance_maintenance_schedule" {
+  description = "Weekly time range during which system maintenance can occur, in (UTC)."
+  type = string
+  default = null
+}
+
+variable "instance_apply_immediately" {
+  description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+  type = bool
+  default = true
+}
+
+variable "instance_minor_version_upgrade" {
+  description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+  type = bool
+  default = null
+}
+
+variable "key_custom_master_key_spec" {
+  description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1."
+  type = string
+  default = "SYMMETRIC_DEFAULT"
+}
+
+variable "key_deletion_window_in_days" {
+  description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive."
+  type = number
+  default = 30
+}
+
+variable "key_description" {
+  description = "The description of the key as viewed in AWS console."
+  type = string
+  default = "AWS KMS Key to encrypt Aurora Mysql Database Activity Stream."
+}
+
+variable "key_is_enabled" {
+  description = "Specifies whether the key is enabled."
+  type = bool
+  default = true
+}
+
+variable "key_usage" {
+  description = "Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, GENERATE_VERIFY_MAC."
+  type = string
+  default = "ENCRYPT_DECRYPT"
+}
+
+variable "key_multi_region" {
+  description = " Indicates whether the KMS key is a multi-Region (true) or regional (false) key."
+  type = bool
+  default = false
+}
+
+variable "key_tags" {
+  description = "A map of tags to assign to the object."
+  type = map(string)
+  default = null
+}
+
+variable "stream_mode" {
+  description = "Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async."
+  type = string
+  default = "async"
+  validation {
+    condition = contains(["sync", "async"], var.stream_mode)
+    error_message = "Invalid value, select either 'sync' or 'async'."
+  }
+}
+
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md b/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md
new file mode 100644
index 0000000..b019026
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md
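Review bot: `variable "cluster_db_master_password"` carries no `sensitive = true`, so the value is shown in clear text in plan/apply output and in any validation or provider error that echoes the variable; add `sensitive = true` after `type = string`. The same omission is in modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf. Separately, the `cluster_apply_immediately` description says "Default is true" while the block sets `default = null` (its sibling `instance_apply_immediately` really does default to `true`), so one of the two should change. The `db_instance_class` validation regexes leave `.` unescaped (`^db.r5.*large$`), which accepts the intended `db.r5.large` family but also strings like `dbXr5Xlarge`; `^db\\.r5\\..*large$` pins the separators.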
@@ -0,0 +1,73 @@ +# onboard-aws-rds-aurora-mysql-slowquery +Onboard Amazon Aurora MySQL Slowquery to DSF Hub. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. + +See the corresponding example for more details. + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora-mysql-cluster](#module\_aurora-mysql-cluster) | ../aws-rds-cluster | n/a | +| [aurora-mysql-cluster-parameter-group](#module\_aurora-mysql-cluster-parameter-group) | ../aws-rds-cluster-parameter-group | n/a | +| [aurora-mysql-instances](#module\_aurora-mysql-instances) | ../aws-rds-cluster-instance | n/a | +| [aurora-mysql-log-group](#module\_aurora-mysql-log-group) | ../aws-cloudwatch-log-group | n/a | +| [aurora-mysql-log-group-slowquery](#module\_aurora-mysql-log-group-slowquery) | ../aws-cloudwatch-log-group | n/a | +| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-log-group-slowquery-asset](#module\_aws-log-group-slowquery-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-rds-aurora-mysql-cluster-asset](#module\_aws-rds-aurora-mysql-cluster-asset) | ../dsfhub-aws-rds-aurora-mysql-cluster | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the instance. | `string` | n/a | yes | +| [cluster\_cluster\_id](#input\_cluster\_cluster\_id) | The name of the aurora mysql cluster | `string` | n/a | yes | +| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. 
Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes | +| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | +| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes | +| [aws\_aurora\_mysql\_cluster\_admin\_email](#input\_aws\_aurora\_mysql\_cluster\_admin\_email) | The email address to notify about the assets. | `string` | `null` | no | +| [aws\_aurora\_mysql\_cluster\_gateway\_id](#input\_aws\_aurora\_mysql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | `null` | no | +| [aws\_aurora\_mysql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_mysql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | `null` | no | +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | Turn on/off auditing on the data source and log aggregator | `bool` | `false` | no | +| [aws\_log\_group\_audit\_type](#input\_aws\_log\_group\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no | +| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `true` | no | +| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. 
| `number` | `1` | no | +| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` |
[
"audit",
"slowquery"
]
| no | +| [cluster\_db\_engine](#input\_cluster\_db\_engine) | Cluster engine i.e, aurora-mysql | `string` | `"aurora-mysql"` | no | +| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, i.e. 8.0.mysql\_aurora.3.05.1 | `string` | `"8.0.mysql_aurora.3.04.1"` | no | +| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `3306` | no | +| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `true` | no | +| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `"sun:18:00-sun:21:00"` | no | +| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `"IPV4"` | no | +| [cluster\_parameter\_group\_description](#input\_cluster\_parameter\_group\_description) | The description of the DB cluster parameter group. | `string` | `"RDS aurora mysql cluster parameter group"` | no | +| [cluster\_parameter\_group\_family](#input\_cluster\_parameter\_group\_family) | The family of the DB cluster parameter group. | `string` | `"aurora-mysql8.0"` | no | +| [cluster\_parameter\_group\_parameters](#input\_cluster\_parameter\_group\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"name": "server_audit_logging",
"value": 1
},
{
"name": "server_audit_excl_users",
"value": "rdsadmin"
},
{
"name": "server_audit_events",
"value": "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
},
{
"name": "slow_query_log",
"value": 1
},
{
"name": "long_query_time",
"value": 0
},
{
"name": "log_slow_admin_statements",
"value": 1
}
]
| no | +| [cluster\_parameter\_group\_tags](#input\_cluster\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no | +| [instance\_db\_instance\_class](#input\_instance\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `"db.t3.medium"` | no | +| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `false` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `false` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [cluster](#output\_cluster) | Aurora Mysql Cluster | +| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora Mysql Cluster parameter group | +| [dsf\_aurora\_mysql\_cluster](#output\_dsf\_aurora\_mysql\_cluster) | Aurora Mysql cluster DSF asset | +| [dsf\_aurora\_mysql\_log\_group](#output\_dsf\_aurora\_mysql\_log\_group) | DSF Aurora Mysql log group asset | +| [dsf\_aurora\_mysql\_log\_group\_slowquery](#output\_dsf\_aurora\_mysql\_log\_group\_slowquery) | DSF Aurora Mysql slow query log group asset | +| [instance](#output\_instance) | Aurora Mysql instance | +| [log\_group](#output\_log\_group) | Aurora Mysql log group | +| [log\_group\_slowquery](#output\_log\_group\_slowquery) | Aurora Mysql slow query log group | + \ No newline at end of file 
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/main.tf b/modules/onboard-aws-rds-aurora-mysql-slowquery/main.tf
new file mode 100644
index 0000000..f1c60b7
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/main.tf
@@ -0,0 +1,104 @@
+module "aurora-mysql-cluster-parameter-group" {
+  source = "../aws-rds-cluster-parameter-group"
+
+  description = var.cluster_parameter_group_description
+  family = var.cluster_parameter_group_family
+  name = var.cluster_parameter_group_name
+  parameters = var.cluster_parameter_group_parameters
+  tags = var.cluster_parameter_group_tags
+}
+
+module "aurora-mysql-cluster" {
+  depends_on = [module.aurora-mysql-cluster-parameter-group, module.aurora-mysql-log-group]
+  source = "../aws-rds-cluster"
+
+  cluster_id = var.cluster_cluster_id
+  db_engine = var.cluster_db_engine
+  db_engine_version = var.cluster_db_engine_version
+  db_port = var.cluster_db_port
+  backup_retention = var.cluster_backup_retention
+  maintenance_schedule = var.cluster_maintenance_schedule
+  final_snapshot = var.cluster_final_snapshot
+  db_master_username = var.cluster_db_master_username
+  db_master_password = var.cluster_db_master_password
+  network_type = var.cluster_network_type
+  db_subnet_group_name = var.cluster_db_subnet_group_name
+  vpc_security_group_ids = var.cluster_vpc_security_group_ids
+  db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+  parameter_group_name = module.aurora-mysql-cluster-parameter-group.this.name
+  apply_immediately = var.cluster_apply_immediately
+}
+
+module "aurora-mysql-instances" {
+  depends_on = [module.aurora-mysql-cluster]
+  source = "../aws-rds-cluster-instance"
+
+  apply_immediately = var.cluster_apply_immediately
+  cluster_id = module.aurora-mysql-cluster.this.cluster_identifier
+  db_engine = module.aurora-mysql-cluster.this.engine
+  db_subnet_group_name = module.aurora-mysql-cluster.this.db_subnet_group_name
+  db_instance_class = var.instance_db_instance_class
+  identifier = var.instance_identifier
+  minor_version_upgrade = var.instance_minor_version_upgrade
+  maintenance_schedule = var.cluster_maintenance_schedule
+  publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aurora-mysql-log-group" {
+  source = "../aws-cloudwatch-log-group"
+
+  name = "/aws/rds/cluster/${var.cluster_cluster_id}/audit"
+  retention_in_days = var.log_group_retention_in_days
+}
+
+module "aurora-mysql-log-group-slowquery" {
+  source = "../aws-cloudwatch-log-group"
+
+  name = "/aws/rds/cluster/${var.cluster_cluster_id}/slowquery"
+  retention_in_days = var.log_group_retention_in_days
+}
+
+
+module "aws-rds-aurora-mysql-cluster-asset" {
+  source = "../dsfhub-aws-rds-aurora-mysql-cluster"
+
+  admin_email = var.aws_aurora_mysql_cluster_admin_email
+  asset_display_name = module.aurora-mysql-cluster.this.id
+  asset_id = module.aurora-mysql-cluster.this.arn
+  gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+  server_host_name = module.aurora-mysql-cluster.this.endpoint
+  parent_asset_id = var.aws_aurora_mysql_cluster_parent_asset_id
+  region = var.aws_aurora_mysql_cluster_region
+  server_port = module.aurora-mysql-cluster.this.port
+  username = module.aurora-mysql-cluster.this.master_username
+  password = module.aurora-mysql-cluster.this.master_password
+}
+
+module "aws-log-group-asset" {
+  depends_on = [module.aws-rds-aurora-mysql-cluster-asset]
+  source = "../dsfhub-aws-log-group"
+
+  admin_email = var.aws_aurora_mysql_cluster_admin_email
+  asset_display_name = module.aurora-mysql-log-group.this.id
+  asset_id = "${module.aurora-mysql-log-group.this.arn}:*"
+  audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+  gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+  parent_asset_id = module.aws-rds-aurora-mysql-cluster-asset.this.asset_id
+  audit_type = var.aws_log_group_audit_type
+  region = var.aws_aurora_mysql_cluster_region
+}
+
+module "aws-log-group-slowquery-asset" {
+  depends_on = [module.aws-rds-aurora-mysql-cluster-asset, module.aws-log-group-asset]
+  source = "../dsfhub-aws-log-group"
+
+  admin_email = var.aws_aurora_mysql_cluster_admin_email
+  asset_display_name = module.aurora-mysql-log-group-slowquery.this.id
+  asset_id = "${module.aurora-mysql-log-group-slowquery.this.arn}:*"
+  audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+  gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+  parent_asset_id = module.aws-rds-aurora-mysql-cluster-asset.this.asset_id
+  audit_type = "AWS_RDS_AURORA_MYSQL_SLOW"
+  region = var.aws_aurora_mysql_cluster_region
+}
+
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf b/modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf
new file mode 100644
index 0000000..3cdc2d9
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf
@@ -0,0 +1,39 @@
+output "cluster_parameter_group" {
+  description = "Aurora MySQL Cluster parameter group"
+  value = module.aurora-mysql-cluster-parameter-group.this
+}
+
+output "cluster" {
+  description = "Aurora MySQL Cluster"
+  value = module.aurora-mysql-cluster.this
+}
+
+output "instance" {
+  description = "Aurora MySQL instance"
+  value = module.aurora-mysql-instances.this
+}
+
+output "log_group" {
+  description = "Aurora MySQL log group"
+  value = module.aurora-mysql-log-group.this
+}
+
+output "log_group_slowquery" {
+  description = "Aurora MySQL slow query log group"
+  value = module.aurora-mysql-log-group-slowquery.this
+}
+
+output "dsf_aurora_mysql_cluster" {
+  description = "Aurora MySQL cluster DSF asset"
+  value = module.aws-rds-aurora-mysql-cluster-asset.this
+}
+
+output "dsf_aurora_mysql_log_group" {
+  description = "Aurora MySQL log group asset"
+  value = module.aws-log-group-asset.this
+}
+
+output "dsf_aurora_mysql_log_group_slowquery" {
+  description = "Aurora MySQL slow query log group asset"
+  value = module.aws-log-group-slowquery-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf b/modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf
new file mode 100644
index 0000000..a300bf2
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf
@@ -0,0 +1,211 @@
+# Cluster Parameter group variables
+variable "cluster_parameter_group_name" {
+  description = "The name of the DB cluster parameter group"
+  type = string
+}
+
+variable "cluster_parameter_group_family" {
+  description = "The family of the DB cluster parameter group."
+  type = string
+  default = "aurora-mysql8.0"
+}
+
+variable "cluster_parameter_group_description" {
+  description = "The description of the DB cluster parameter group."
+  type = string
+  default = "RDS aurora mysql cluster parameter group"
+}
+
+variable "cluster_parameter_group_parameters" {
+  description = "List of objects containing parameters for the DB cluster parameter group."
+  type = list(
+    object({
+      name = string
+      apply_method = optional(string, "immediate")
+      value = any
+    })
+  )
+  default = [
+    {
+      name = "server_audit_logging"
+      value = 1
+    },
+    {
+      name = "server_audit_excl_users"
+      value = "rdsadmin"
+    },
+    {
+      name = "server_audit_events"
+      value = "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
+    },
+    {
+      name = "slow_query_log"
+      value = 1
+    },
+    {
+      name = "long_query_time"
+      value = 0
+    },
+    {
+      name = "log_slow_admin_statements"
+      value = 1
+    }
+  ]
+}
+
+variable "cluster_parameter_group_tags" {
+  description = "A map of tags to assign to the resource."
+  type = map(string)
+  default = null
+}
+
+# Aurora Mysql Cluster variables
+variable "cluster_db_enabled_cloudwatch_logs_exports" {
+  description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+  type = list(any)
+  default = ["audit", "slowquery"]
+}
+
+variable "cluster_db_engine" {
+  description = "Cluster engine i.e, aurora-mysql"
+  type = string
+  default = "aurora-mysql"
+}
+
+variable "cluster_db_engine_version" {
+  description = "Database engine version, i.e. 8.0.mysql_aurora.3.05.1"
+  type = string
+  default = "8.0.mysql_aurora.3.04.1"
+}
+
+variable "cluster_cluster_id" {
+  description = "The name of the aurora mysql cluster"
+  type = string
+}
+
+variable "cluster_backup_retention" {
+  description = "Days to retain backups for, Default is 1 day."
+  type = number
+  default = 1
+}
+
+variable "cluster_db_master_username" {
+  description = "Username for the master DB user, must not use rdsadmin as that is reserved."
+  type = string
+}
+
+variable "cluster_db_master_password" {
+  description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+  type = string
+}
+
+variable "cluster_network_type" {
+  description = " Network type of the cluster. Valid values: IPV4, DUAL"
+  type = string
+  default = "IPV4"
+}
+
+variable "cluster_db_subnet_group_name" {
+  description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+  type = string
+  default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+  description = "List of VPC security groups to associate."
+  type = list(any)
+  default = null
+}
+
+variable "cluster_maintenance_schedule" {
+  description = "Weekly time range during which system maintenance can occur, in (UTC)."
+  type = string
+  default = "sun:18:00-sun:21:00"
+}
+
+variable "cluster_final_snapshot" {
+  description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+  type = bool
+  default = true
+}
+variable "cluster_db_port" {
+  description = "Port on which the DB accepts connections."
+  type = number
+  default = 3306
+}
+variable "cluster_apply_immediately" {
+  description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+  type = bool
+  default = true
+}
+
+# Aurora Mysql Instance variables
+variable "instance_identifier" {
+  description = "The name of the aurora mysql cluster instance"
+  type = string
+}
+
+variable "instance_db_instance_class" {
+  description = "The instance type of the RDS cluster. Example: 'db.t3.micro'"
+  type = string
+  default = "db.t3.medium"
+}
+
+variable "instance_minor_version_upgrade" {
+  description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+  type = bool
+  default = false
+}
+
+variable "instance_publicly_accessible" {
+  description = "If instance is publicly accessible. Default false"
+  type = bool
+  default = false
+}
+
+#AWS cloudwatch variables
+variable "log_group_retention_in_days" {
+  description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire."
+  type = number
+  default = 7
+}
+
+# DSFHUB asset variables
+variable "aws_aurora_mysql_cluster_admin_email" {
+  description = "The email address to notify about the assets."
+  type = string
+  default = null
+}
+
+variable "aws_aurora_mysql_cluster_gateway_id" {
+  description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+  type = string
+  default = null
+}
+
+variable "aws_aurora_mysql_cluster_parent_asset_id" {
+  description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+  type = string
+  default = null
+}
+
+variable "aws_aurora_mysql_cluster_region" {
+  description = "AWS region containing the instance."
+  type = string
+}
+
+variable "aws_log_group_audit_type" {
+  description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+  type = string
+  default = "LOG_GROUP"
+  validation {
+    condition = contains(["AGGREGATED", "LOG_GROUP"], var.aws_log_group_audit_type)
+    error_message = "Invalid Value. Select from LOG_GROUP or AGGREGATED."
+  }
+}
+
+variable "aws_log_group_audit_pull_enabled" {
+  description = "Turn on/off auditing on the data source and log aggregator"
+  type = bool
+  default = false
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql/README.md b/modules/onboard-aws-rds-aurora-mysql/README.md
new file mode 100644
index 0000000..b94eca0
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql/README.md
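Review bot: `cluster_final_snapshot` has `default = true`, which by its own description means no final snapshot is taken when the cluster is destroyed, and the description's closing "Default is false" contradicts that default; for a module that provisions the audited database itself, `default = false` (snapshot on destroy) is the safer choice, and at minimum the description and the default should agree. `cluster_parameter_group_parameters` defaults `long_query_time` to `0`, which routes every statement into the slow-query log; that looks intentional for capture, but a one-line comment above that entry such as `# long_query_time = 0 logs every query so the slowquery stream captures all statements` would make the volume/cost implication explicit for operators. `cluster_db_master_password` here also lacks `sensitive = true`.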
@@ -0,0 +1,69 @@ +# onboard-aws-rds-aurora-mysql +Onboard Amazon Aurora MySQL to DSF Hub. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. + +See the corresponding example for more details. + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora-mysql-cluster](#module\_aurora-mysql-cluster) | ../aws-rds-cluster | n/a | +| [aurora-mysql-cluster-parameter-group](#module\_aurora-mysql-cluster-parameter-group) | ../aws-rds-cluster-parameter-group | n/a | +| [aurora-mysql-instances](#module\_aurora-mysql-instances) | ../aws-rds-cluster-instance | n/a | +| [aurora-mysql-log-group](#module\_aurora-mysql-log-group) | ../aws-cloudwatch-log-group | n/a | +| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-rds-aurora-mysql-cluster-asset](#module\_aws-rds-aurora-mysql-cluster-asset) | ../dsfhub-aws-rds-aurora-mysql-cluster | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the instance. | `string` | n/a | yes | +| [cluster\_cluster\_id](#input\_cluster\_cluster\_id) | The name of the aurora mysql cluster | `string` | n/a | yes | +| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. 
| `string` | n/a | yes | +| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | +| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes | +| [aws\_aurora\_mysql\_cluster\_admin\_email](#input\_aws\_aurora\_mysql\_cluster\_admin\_email) | The email address to notify about the assets. | `string` | `null` | no | +| [aws\_aurora\_mysql\_cluster\_gateway\_id](#input\_aws\_aurora\_mysql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | `null` | no | +| [aws\_aurora\_mysql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_mysql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | `null` | no | +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | Turn on/off auditing on the data source and log aggregator | `bool` | `false` | no | +| [aws\_log\_group\_audit\_type](#input\_aws\_log\_group\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no | +| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `true` | no | +| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `1` | no | +| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` |
[
"audit"
]
| no | +| [cluster\_db\_engine](#input\_cluster\_db\_engine) | Cluster engine i.e, aurora-mysql | `string` | `"aurora-mysql"` | no | +| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, i.e. 8.0.mysql\_aurora.3.05.1 | `string` | `"8.0.mysql_aurora.3.04.1"` | no | +| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `3306` | no | +| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `true` | no | +| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `"sun:18:00-sun:21:00"` | no | +| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `"IPV4"` | no | +| [cluster\_parameter\_group\_description](#input\_cluster\_parameter\_group\_description) | The description of the DB cluster parameter group. | `string` | `"RDS aurora mysql cluster parameter group"` | no | +| [cluster\_parameter\_group\_family](#input\_cluster\_parameter\_group\_family) | The family of the DB cluster parameter group. | `string` | `"aurora-mysql8.0"` | no | +| [cluster\_parameter\_group\_parameters](#input\_cluster\_parameter\_group\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"name": "server_audit_logging",
"value": 1
},
{
"name": "server_audit_excl_users",
"value": "rdsadmin"
},
{
"name": "server_audit_events",
"value": "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
}
]
| no | +| [cluster\_parameter\_group\_tags](#input\_cluster\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no | +| [instance\_db\_instance\_class](#input\_instance\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `"db.t3.medium"` | no | +| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `false` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `false` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [cluster](#output\_cluster) | Aurora Mysql Cluster | +| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora Mysql Cluster parameter group | +| [dsf\_aurora\_mysql\_cluster](#output\_dsf\_aurora\_mysql\_cluster) | Aurora Mysql cluster DSF asset | +| [dsf\_aurora\_mysql\_log\_group](#output\_dsf\_aurora\_mysql\_log\_group) | DSF Aurora Mysql log group asset | +| [instance](#output\_instance) | Aurora Mysql instance | +| [log\_group](#output\_log\_group) | Aurora Mysql log group | + \ No newline at end of file diff --git a/modules/onboard-aws-rds-aurora-mysql/main.tf b/modules/onboard-aws-rds-aurora-mysql/main.tf new file mode 100644 index 0000000..af57602 --- /dev/null +++ b/modules/onboard-aws-rds-aurora-mysql/main.tf 
@@ -0,0 +1,82 @@
+module "aurora-mysql-cluster-parameter-group" {
+ source = "../aws-rds-cluster-parameter-group"
+
+ description = var.cluster_parameter_group_description
+ family = var.cluster_parameter_group_family
+ name = var.cluster_parameter_group_name
+ parameters = var.cluster_parameter_group_parameters
+ tags = var.cluster_parameter_group_tags
+}
+
+module "aurora-mysql-cluster" {
+ depends_on = [module.aurora-mysql-cluster-parameter-group, module.aurora-mysql-log-group]
+ source = "../aws-rds-cluster"
+
+ cluster_id = var.cluster_cluster_id
+ db_engine = "aurora-mysql"
+ db_engine_version = var.cluster_db_engine_version
+ db_port = var.cluster_db_port
+ backup_retention = var.cluster_backup_retention
+ maintenance_schedule = var.cluster_maintenance_schedule
+ final_snapshot = var.cluster_final_snapshot
+ db_master_username = var.cluster_db_master_username
+ db_master_password = var.cluster_db_master_password
+ network_type = var.cluster_network_type
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ parameter_group_name = module.aurora-mysql-cluster-parameter-group.this.name
+ apply_immediately = var.cluster_apply_immediately
+}
+
+module "aurora-mysql-instances" {
+ depends_on = [module.aurora-mysql-cluster]
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.cluster_apply_immediately
+ cluster_id = module.aurora-mysql-cluster.this.cluster_identifier
+ db_engine = module.aurora-mysql-cluster.this.engine
+ db_instance_class = var.instance_db_instance_class
+ db_subnet_group_name = module.aurora-mysql-cluster.this.db_subnet_group_name
+ identifier = var.instance_identifier
+ maintenance_schedule = var.cluster_maintenance_schedule
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aurora-mysql-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/cluster/${var.cluster_cluster_id}/audit"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "aws-rds-aurora-mysql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-mysql-cluster"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-cluster.this.id
+ asset_id = module.aurora-mysql-cluster.this.arn
+ auth_mechanism = "password"
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ server_host_name = module.aurora-mysql-cluster.this.endpoint
+ parent_asset_id = var.aws_aurora_mysql_cluster_parent_asset_id
+ region = var.aws_aurora_mysql_cluster_region
+ server_port = module.aurora-mysql-cluster.this.port
+ username = module.aurora-mysql-cluster.this.master_username
+ password = module.aurora-mysql-cluster.this.master_password
+}
+
+module "aws-log-group-asset" {
+ depends_on = [module.aws-rds-aurora-mysql-cluster-asset]
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_aurora_mysql_cluster_admin_email
+ asset_display_name = module.aurora-mysql-log-group.this.id
+ asset_id = "${module.aurora-mysql-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_aurora_mysql_cluster_gateway_id
+ parent_asset_id = module.aws-rds-aurora-mysql-cluster-asset.this.asset_id
+ audit_type = var.aws_log_group_audit_type
+ region = var.aws_aurora_mysql_cluster_region
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql/outputs.tf b/modules/onboard-aws-rds-aurora-mysql/outputs.tf
new file mode 100644
index 0000000..b69ff6f
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql/outputs.tf
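Review bot: The `aws-rds-aurora-mysql-cluster-asset` block at the end of the hunk registers the DSF asset with the RDS master account (`username = module.aurora-mysql-cluster.this.master_username`, `password = module.aurora-mysql-cluster.this.master_password`, `auth_mechanism = "password"`), so the monitoring connection runs as the database superuser and the master secret is copied into a second resource and into state. A dedicated least-privilege DSF user is the safer default; consider optional `dsf_username`/`dsf_password` inputs (marked `sensitive = true`) that fall back to the master credentials for backward compatibility. Separately, `db_engine = "aurora-mysql"` is hardcoded here while the module's variables.tf declares a `cluster_db_engine` input, so that input is silently ignored. I also don't see `storage_encrypted` or a KMS key forwarded to `../aws-rds-cluster`; if that module does not default encryption on, the cluster holding audited data is created unencrypted at rest — worth confirming and documenting.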
@@ -0,0 +1,29 @@
+output "cluster_parameter_group" {
+ description = "Aurora MySQL Cluster parameter group"
+ value = module.aurora-mysql-cluster-parameter-group.this
+}
+
+output "cluster" {
+ description = "Aurora MySQL Cluster"
+ value = module.aurora-mysql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora MySQL instance"
+ value = module.aurora-mysql-instances.this
+}
+
+output "log_group" {
+ description = "Aurora MySQL log group"
+ value = module.aurora-mysql-log-group.this
+}
+
+output "dsf_aurora_mysql_cluster" {
+ description = "Aurora MySQL cluster asset"
+ value = module.aws-rds-aurora-mysql-cluster-asset.this
+}
+
+output "dsf_aurora_mysql_log_group" {
+ description = "Aurora MySQL log group asset"
+ value = module.aws-log-group-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-mysql/variables.tf b/modules/onboard-aws-rds-aurora-mysql/variables.tf
new file mode 100644
index 0000000..e443141
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-mysql/variables.tf
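Review bot: `output "cluster"` and `output "dsf_aurora_mysql_cluster"` return whole resource objects, which carry the RDS master password (and, for the asset, the `password` argument), so the secret is handed to every caller that reads these outputs and shows up in `terraform output`. Neither block is marked `sensitive = true`; the AWS provider marks `master_password` sensitive, and a root module re-exporting this value will likely be refused by Terraform until it is marked. Suggest adding `sensitive = true` to both blocks, or exporting only the non-secret attributes the examples need (e.g. `arn`, `endpoint`, `port`).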
@@ -0,0 +1,201 @@
+# Cluster Parameter group variables
+variable "cluster_parameter_group_name" {
+ description = "The name of the DB cluster parameter group"
+ type = string
+}
+
+variable "cluster_parameter_group_family" {
+ description = "The family of the DB cluster parameter group."
+ type = string
+ default = "aurora-mysql8.0"
+}
+
+variable "cluster_parameter_group_description" {
+ description = "The description of the DB cluster parameter group."
+ type = string
+ default = "RDS aurora mysql cluster parameter group"
+}
+
+variable "cluster_parameter_group_parameters" {
+ description = "List of objects containing parameters for the DB cluster parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+ default = [
+ {
+ name = "server_audit_logging"
+ value = 1
+ },
+ {
+ name = "server_audit_excl_users"
+ value = "rdsadmin"
+ },
+ {
+ name = "server_audit_events"
+ value = "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
+ }
+ ]
+}
+
+variable "cluster_parameter_group_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+# Aurora Mysql Cluster variables
+variable "cluster_db_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery."
+ type = list(any)
+ default = ["audit"]
+}
+
+variable "cluster_db_engine" {
+ description = "Cluster engine i.e, aurora-mysql"
+ type = string
+ default = "aurora-mysql"
+}
+
+variable "cluster_db_engine_version" {
+ description = "Database engine version, i.e. 8.0.mysql_aurora.3.05.1"
+ type = string
+ default = "8.0.mysql_aurora.3.04.1"
+}
+
+variable "cluster_cluster_id" {
+ description = "The name of the aurora mysql cluster"
+ type = string
+}
+
+variable "cluster_backup_retention" {
+ description = "Days to retain backups for, Default is 1 day."
+ type = number
+ default = 1
+}
+
+variable "cluster_db_master_username" {
+ description = "Username for the master DB user, must not use rdsadmin as that is reserved."
+ type = string
+}
+
+variable "cluster_db_master_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true"
+ type = string
+}
+
+variable "cluster_network_type" {
+ description = " Network type of the cluster. Valid values: IPV4, DUAL"
+ type = string
+ default = "IPV4"
+}
+
+variable "cluster_db_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+ default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(any)
+ default = null
+}
+
+variable "cluster_maintenance_schedule" {
+ description = "Weekly time range during which system maintenance can occur, in (UTC)."
+ type = string
+ default = "sun:18:00-sun:21:00"
+}
+
+variable "cluster_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false"
+ type = bool
+ default = true
+}
+
+variable "cluster_db_port" {
+ description = "Port on which the DB accepts connections."
+ type = number
+ default = 3306
+}
+
+variable "cluster_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true"
+ type = bool
+ default = true
+}
+
+# Aurora Mysql Instance variables
+variable "instance_identifier" {
+ description = "The name of the aurora mysql cluster instance"
+ type = string
+}
+
+variable "instance_db_instance_class" {
+ description = "The instance type of the RDS cluster. Example: 'db.t3.micro'"
+ type = string
+ default = "db.t3.medium"
+}
+
+variable "instance_minor_version_upgrade" {
+ description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window."
+ type = bool
+ default = false
+}
+
+variable "instance_publicly_accessible" {
+ description = "If instance is publicly accessible. Default false"
+ type = bool
+ default = false
+}
+
+#AWS cloudwatch variables
+variable "log_group_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire."
+ type = number
+ default = 7
+}
+
+# DSFHUB asset variables
+variable "aws_aurora_mysql_cluster_admin_email" {
+ description = "The email address to notify about the assets."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_parent_asset_id" {
+ description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc."
+ type = string
+ default = null
+}
+
+variable "aws_aurora_mysql_cluster_region" {
+ description = "AWS region containing the instance."
+ type = string
+}
+
+variable "aws_log_group_audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = "LOG_GROUP"
+ validation {
+ condition = contains(["AGGREGATED", "LOG_GROUP"], var.aws_log_group_audit_type)
+ error_message = "Invalid Value. Select from LOG_GROUP or AGGREGATED."
+ }
+}
+
+variable "aws_log_group_audit_pull_enabled" {
+ description = "Turn on/off auditing on the data source and log aggregator"
+ type = bool
+ default = false
+}
\ No newline at end of file
diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md b/modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md
new file mode 100644
index 0000000..9eb4dfa
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md
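Review bot: `cluster_db_master_password` is declared as a plain `string` with no `sensitive = true`, so the value is printed in plan diffs anywhere it is referenced unmarked — the description itself warns it "may show up in logs"; add `sensitive = true` to that block. `cluster_final_snapshot` is documented as "Default is false" but has `default = true`, and by its own description `true` means no final snapshot is taken before the cluster is destroyed; for a cluster holding audited data the safe default is `false`, and the text should match whichever value is chosen. `cluster_db_engine` is declared but never consumed by the module's main.tf, which hardcodes `"aurora-mysql"`, so either wire it through or remove it to avoid a misleading input.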
@@ -0,0 +1,91 @@ +# onboard-aws-rds-aurora-postgresql-kinesis +Onboard Amazon Aurora PostgreSQL to DSF Hub using a kinesis stream. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from Kinesis streams. + +See the corresponding example for more details. + + + + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora-postgresql-cluster](#module\_aurora-postgresql-cluster) | ../aws-rds-cluster | n/a | +| [aurora-postgresql-cluster-activity-stream](#module\_aurora-postgresql-cluster-activity-stream) | ../aws-rds-cluster-activity-stream | n/a | +| [aurora-postgresql-instance](#module\_aurora-postgresql-instance) | ../aws-rds-cluster-instance | n/a | +| [aws-kinesis-asset](#module\_aws-kinesis-asset) | ../dsfhub-aws-kinesis | n/a | +| [aws-kms-key](#module\_aws-kms-key) | ../aws-kms-key | n/a | +| [aws-rds-aurora-postgresql-cluster-asset](#module\_aws-rds-aurora-postgresql-cluster-asset) | ../dsfhub-aws-rds-aurora-postgresql-cluster | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_arn.aurora_postgresql_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_aurora\_postgresql\_cluster\_admin\_email](#input\_aws\_aurora\_postgresql\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_aurora\_postgresql\_cluster\_gateway\_id](#input\_aws\_aurora\_postgresql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| 
[aws\_aurora\_postgresql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_postgresql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes | +| [aws\_kinesis\_admin\_email](#input\_aws\_kinesis\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [aws\_kinesis\_gateway\_id](#input\_aws\_kinesis\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes | +| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user. | `string` | n/a | yes | +| [cluster\_id](#input\_cluster\_id) | The name of the Aurora PostgreSQL cluster | `string` | n/a | yes | +| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes | +| [aws\_aurora\_postgresql\_cluster\_audit\_type](#input\_aws\_aurora\_postgresql\_cluster\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"KINESIS"` | no | +| [aws\_aurora\_postgresql\_cluster\_region](#input\_aws\_aurora\_postgresql\_cluster\_region) | AWS region containing the cluster. | `string` | `null` | no | +| [aws\_kinesis\_audit\_pull\_enabled](#input\_aws\_kinesis\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. 
| `bool` | `false` | no | +| [aws\_kinesis\_reason](#input\_aws\_kinesis\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no | +| [aws\_kinesis\_region](#input\_aws\_kinesis\_region) | AWS region of the kinesis stream | `string` | `null` | no | +| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no | +| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` | `null` | no | +| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, e.g., 16.1 | `string` | `"16.1"` | no | +| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no | +| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `null` | no | +| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). 
| `string` | `null` | no | +| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `null` | no | +| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | Cluster parameter group associated with the cluster | `string` | `null` | no | +| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no | +| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [instance\_class](#input\_instance\_class) | The instance type of the RDS cluster. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes. | `string` | `"db.r5.large"` | no | +| [instance\_db\_subnet\_group\_name](#input\_instance\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [instance\_maintenance\_schedule](#input\_instance\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | +| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. 
Default false | `bool` | `null` | no | +| [key\_custom\_master\_key\_spec](#input\_key\_custom\_master\_key\_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC\_DEFAULT, RSA\_2048, RSA\_3072, RSA\_4096, HMAC\_256, ECC\_NIST\_P256, ECC\_NIST\_P384, ECC\_NIST\_P521, or ECC\_SECG\_P256K1. | `string` | `"SYMMETRIC_DEFAULT"` | no | +| [key\_deletion\_window\_in\_days](#input\_key\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. | `number` | `30` | no | +| [key\_description](#input\_key\_description) | The description of the key as viewed in AWS console. | `string` | `"AWS KMS Key to encrypt Aurora PostgreSQL Database Activity Stream."` | no | +| [key\_is\_enabled](#input\_key\_is\_enabled) | Specifies whether the key is enabled. | `bool` | `true` | no | +| [key\_multi\_region](#input\_key\_multi\_region) | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. | `bool` | `false` | no | +| [key\_tags](#input\_key\_tags) | A map of tags to assign to the object. | `map(string)` | `null` | no | +| [key\_usage](#input\_key\_usage) | Specifies the intended use of the key. Valid values: ENCRYPT\_DECRYPT, SIGN\_VERIFY, GENERATE\_VERIFY\_MAC. | `string` | `"ENCRYPT_DECRYPT"` | no | +| [stream\_mode](#input\_stream\_mode) | Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async. 
| `string` | `"async"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [activity\_stream](#output\_activity\_stream) | Aurora PostgreSQL kinesis activity stream | +| [aws\_kinesis\_asset](#output\_aws\_kinesis\_asset) | AWS Kinesis stream asset | +| [aws\_rds\_aurora\_postgresql\_cluster\_asset](#output\_aws\_rds\_aurora\_postgresql\_cluster\_asset) | Aurora PostgreSQL cluster asset | +| [cluster](#output\_cluster) | Aurora PostgreSQL cluster | +| [instance](#output\_instance) | Aurora PostgreSQL instance | +| [kms\_key](#output\_kms\_key) | AWS KMS Key | + \ No newline at end of file diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf b/modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf new file mode 100644 index 0000000..5047956 --- /dev/null +++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf 
@@ -0,0 +1,87 @@
+module "aurora-postgresql-cluster" {
+ source = "../aws-rds-cluster"
+
+ apply_immediately = var.cluster_apply_immediately
+ backup_retention = var.cluster_backup_retention
+ cluster_id = var.cluster_id
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ db_engine = "aurora-postgresql"
+ db_engine_version = var.cluster_db_engine_version
+ db_master_password = var.cluster_db_master_password
+ db_master_username = var.cluster_db_master_username
+ db_port = var.cluster_db_port
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ final_snapshot = var.cluster_final_snapshot
+ maintenance_schedule = var.cluster_maintenance_schedule
+ network_type = var.cluster_network_type
+ parameter_group_name = var.cluster_parameter_group_name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+}
+
+module "aurora-postgresql-instance" {
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.instance_apply_immediately
+ cluster_id = module.aurora-postgresql-cluster.this.cluster_identifier
+ db_engine = module.aurora-postgresql-cluster.this.engine
+ db_instance_class = var.instance_class
+ db_subnet_group_name = module.aurora-postgresql-cluster.this.db_subnet_group_name
+ identifier = var.instance_identifier
+ maintenance_schedule = var.instance_maintenance_schedule
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aws-kms-key" {
+ source = "../aws-kms-key"
+
+ custom_master_key_spec = var.key_custom_master_key_spec
+ deletion_window_in_days = var.key_deletion_window_in_days
+ description = var.key_description
+ is_enabled = var.key_is_enabled
+ key_usage = var.key_usage
+ multi_region = var.key_multi_region
+ tags = var.key_tags
+}
+
+module "aurora-postgresql-cluster-activity-stream" {
+ source = "../aws-rds-cluster-activity-stream"
+
+ engine_native_audit_fields_included = false
+ kms_key_id = module.aws-kms-key.this.arn
+ mode = var.stream_mode
+ resource_arn = module.aurora-postgresql-cluster.this.arn
+}
+
+module "aws-rds-aurora-postgresql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-postgresql-cluster"
+
+ admin_email = var.aws_aurora_postgresql_cluster_admin_email
+ asset_display_name = module.aurora-postgresql-cluster.this.id
+ asset_id = module.aurora-postgresql-cluster.this.arn
+ audit_type = var.aws_aurora_postgresql_cluster_audit_type
+ gateway_id = var.aws_aurora_postgresql_cluster_gateway_id
+ parent_asset_id = var.aws_aurora_postgresql_cluster_parent_asset_id
+ region = var.aws_aurora_postgresql_cluster_region
+ server_host_name = module.aurora-postgresql-cluster.this.endpoint
+ server_port = module.aurora-postgresql-cluster.this.port
+}
+
+# Collect region and account info for kinesis asset_id
+data "aws_region" "current" {}
+data "aws_arn" "aurora_postgresql_cluster" {
+ arn = module.aurora-postgresql-cluster.this.arn
+}
+
+module "aws-kinesis-asset" {
+ source = "../dsfhub-aws-kinesis"
+
+ admin_email = var.aws_kinesis_admin_email
+ asset_display_name = "AWS Kinesis - ${module.aurora-postgresql-cluster-activity-stream.this.kinesis_stream_name}"
+ asset_id = "arn:aws:kinesis:${data.aws_region.current.name}:${data.aws_arn.aurora_postgresql_cluster.account}:stream/${module.aurora-postgresql-cluster-activity-stream.this.kinesis_stream_name}"
+ audit_pull_enabled = var.aws_kinesis_audit_pull_enabled
+ gateway_id = var.aws_kinesis_gateway_id
+ parent_asset_id = module.aws-rds-aurora-postgresql-cluster-asset.this.asset_id
+ reason = var.aws_kinesis_reason
+ region = var.aws_kinesis_region
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/outputs.tf b/modules/onboard-aws-rds-aurora-postgresql-kinesis/outputs.tf
new file mode 100644
index 0000000..30401e6
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/outputs.tf
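Review bot: The `asset_id` for `aws-kinesis-asset` hardcodes the `arn:aws:` partition and takes the region from `data.aws_region.current`, while the account is taken from the cluster ARN; in the GovCloud or China partitions, or whenever the provider's default region differs from the cluster's, the constructed ARN will not match the real stream and the asset silently points at nothing. The cluster ARN is already parsed, so derive every component from it: `asset_id = "arn:${data.aws_arn.aurora_postgresql_cluster.partition}:kinesis:${data.aws_arn.aurora_postgresql_cluster.region}:${data.aws_arn.aurora_postgresql_cluster.account}:stream/${module.aurora-postgresql-cluster-activity-stream.this.kinesis_stream_name}"`. Also, the activity stream is encrypted with the key from `aws-kms-key`, but nothing in this file grants the DSF cloud-account principal `kms:Decrypt` on that key; I can't see `../aws-kms-key`, so if it takes no key-policy or grant input, the gateway will be able to read the stream but not decrypt its records — worth an input for the gateway's role ARN or at least a comment stating the requirement.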
@@ -0,0 +1,29 @@
+output "cluster" {
+ description = "Aurora PostgreSQL cluster"
+ value = module.aurora-postgresql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora PostgreSQL instance"
+ value = module.aurora-postgresql-instance.this
+}
+
+output "kms_key" {
+ description = "AWS KMS Key"
+ value = module.aws-kms-key.this
+}
+
+output "activity_stream" {
+ description = "Aurora PostgreSQL kinesis activity stream"
+ value = module.aurora-postgresql-cluster-activity-stream.this
+}
+
+output "aws_rds_aurora_postgresql_cluster_asset" {
+ description = "Aurora PostgreSQL cluster asset"
+ value = module.aws-rds-aurora-postgresql-cluster-asset.this
+}
+
+output "aws_kinesis_asset" {
+ description = "AWS Kinesis stream asset"
+ value = module.aws-kinesis-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/variables.tf b/modules/onboard-aws-rds-aurora-postgresql-kinesis/variables.tf
new file mode 100644
index 0000000..fa076ed
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/variables.tf
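Review bot: The `cluster` output passes the entire `module.aurora-postgresql-cluster.this` object through; if `this` is the `aws_rds_cluster` resource, as the instance module's use of `.cluster_identifier` and `.engine` in main.tf suggests, that object carries `master_password`, so the secret becomes part of this module's output and, when used as a root module, of `terraform output` and plan text, without being marked sensitive. Either add `sensitive = true` to the `cluster` output or narrow it to the attributes callers need (`arn`, `id`, `endpoint`, `port`). The same applies to the `cluster` output in `modules/onboard-aws-rds-aurora-postgresql/outputs.tf` later in this patch.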
@@ -0,0 +1,250 @@ +variable "aws_aurora_postgresql_cluster_admin_email" { + description = "The email address to notify about this asset" + type = string +} + +variable "aws_aurora_postgresql_cluster_audit_type" { + description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details" + type = string + default = "KINESIS" + validation { + condition = contains(["KINESIS", "KINESIS_AGGREGATED"], var.aws_aurora_postgresql_cluster_audit_type) + error_message = "Invalida audit_type. Select from \"KINESIS\", \"KINESIS_AGGREGATED\"" + } +} + +variable "aws_aurora_postgresql_cluster_parent_asset_id" { + description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc." + type = string +} + +variable "aws_aurora_postgresql_cluster_region" { + description = "AWS region containing the cluster." + type = string + default = null +} + +variable "aws_aurora_postgresql_cluster_gateway_id" { + description = "Unique identifier (UID) attached to the jSonar machine controlling the asset" + type = string +} + +variable "aws_kinesis_admin_email" { + description = "The email address to notify about the asset." + type = string +} + +variable "aws_kinesis_audit_pull_enabled" { + description = "If true, sonargateway will collect the audit logs for this system if it can." + type = bool + default = false +} + +variable "aws_kinesis_gateway_id" { + description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'." 
+ type = string +} + +variable "aws_kinesis_reason" { + description = "Used to differentiate connections that belong to the same asset" + type = string + default = "default" +} + +variable "aws_kinesis_region" { + description = "AWS region of the kinesis stream" + type = string + default = null +} + +variable "cluster_db_enabled_cloudwatch_logs_exports" { + description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery." + type = list(any) + default = null +} + +variable "cluster_db_engine_version" { + description = "Database engine version, e.g., 16.1" + type = string + default = "16.1" +} + +variable "cluster_id" { + description = "The name of the Aurora PostgreSQL cluster" + type = string +} + +variable "cluster_backup_retention" { + description = "Days to retain backups for, Default is 1 day." + type = number + default = null +} + +variable "cluster_db_master_username" { + description = "Username for the master DB user." + type = string + validation { + condition = ( + var.cluster_db_master_username != "rdsadmin" && + var.cluster_db_master_username != "admin" + ) + error_message = "The aurora cluster master username must not be either \"rdsadmin\" or \"admin\". Please select another value." + } +} + +variable "cluster_db_master_password" { + description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true" + type = string +} + +variable "cluster_network_type" { + description = " Network type of the cluster. Valid values: IPV4, DUAL" + type = string + default = null +} + +variable "cluster_db_subnet_group_name" { + description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available." 
+ type = string + default = null +} + +variable "cluster_vpc_security_group_ids" { + description = "List of VPC security groups to associate." + type = list(any) + default = null +} + +variable "cluster_maintenance_schedule" { + description = "Weekly time range during which system maintenance can occur, in (UTC)." + type = string + default = null +} + +variable "cluster_final_snapshot" { + description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false" + type = bool + default = null +} + +variable "cluster_db_port" { + description = "Port on which the DB accepts connections." + type = number + default = null +} + +variable "cluster_apply_immediately" { + description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true" + type = bool + default = null +} + +variable "cluster_parameter_group_name" { + description = "Cluster parameter group associated with the cluster" + type = string + default = null +} + +variable "instance_identifier" { + description = "The name of the aurora cluster instance" + type = string +} + +variable "instance_publicly_accessible" { + description = "If instance is publicly accessible. Default false" + type = bool + default = null +} + +variable "instance_db_subnet_group_name" { + description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available." + type = string + default = null +} + +variable "instance_class" { + description = "The instance type of the RDS cluster. 
Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes." + type = string + default = "db.r5.large" + validation { + # Class must be one of supported for database activity streams + condition = ( + can(regex("^db.r7g.*large$", var.instance_class)) || + can(regex("^db.r6g.*large$", var.instance_class)) || + can(regex("^db.r6i.*large$", var.instance_class)) || + can(regex("^db.r5.*large$", var.instance_class)) || + can(regex("^db.x2g.*$", var.instance_class)) + ) + error_message = "Invalid instance class for database activity streams. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes." + } +} + +variable "instance_maintenance_schedule" { + description = "Weekly time range during which system maintenance can occur, in (UTC)." + type = string + default = null +} + +variable "instance_apply_immediately" { + description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true" + type = bool + default = null +} + +variable "instance_minor_version_upgrade" { + description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window." + type = bool + default = null +} + +variable "key_custom_master_key_spec" { + description = "Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT, RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1." 
+ type = string + default = "SYMMETRIC_DEFAULT" +} + +variable "key_deletion_window_in_days" { + description = "The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive." + type = number + default = 30 +} + +variable "key_description" { + description = "The description of the key as viewed in AWS console." + type = string + default = "AWS KMS Key to encrypt Aurora PostgreSQL Database Activity Stream." +} + +variable "key_is_enabled" { + description = "Specifies whether the key is enabled." + type = bool + default = true +} + +variable "key_usage" { + description = "Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, GENERATE_VERIFY_MAC." + type = string + default = "ENCRYPT_DECRYPT" +} + +variable "key_multi_region" { + description = " Indicates whether the KMS key is a multi-Region (true) or regional (false) key." + type = bool + default = false +} + +variable "key_tags" { + description = "A map of tags to assign to the object." + type = map(string) + default = null +} + +variable "stream_mode" { + description = "Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async." + type = string + default = "async" + validation { + condition = contains(["sync", "async"], var.stream_mode) + error_message = "Invalid value, select either 'sync' or 'async'." + } +} diff --git a/modules/onboard-aws-rds-aurora-postgresql/README.md b/modules/onboard-aws-rds-aurora-postgresql/README.md new file mode 100644 index 0000000..29ab797 --- /dev/null +++ b/modules/onboard-aws-rds-aurora-postgresql/README.md 
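Review bot: `cluster_db_master_password` is declared without `sensitive = true`, so its value is printed in plan/apply diffs and flows unmarked into every output that references the cluster; the description already admits it lands in state, but `sensitive = true` is the minimum Terraform offers and costs nothing — the same omission is in `modules/onboard-aws-rds-aurora-postgresql/variables.tf` later in this patch. `instance_db_subnet_group_name` is declared here but the `aurora-postgresql-instance` block in main.tf derives the subnet group from the cluster, so the variable is dead input and should be dropped or wired in. The `cluster_db_enabled_cloudwatch_logs_exports` description lists the MySQL log types (`audit, error, general, slowquery`), which do not apply to an `aurora-postgresql` engine; the description should name the PostgreSQL export type instead. Minor: the `audit_type` error message reads `Invalida audit_type`.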
@@ -0,0 +1,75 @@ +# onboard-aws-rds-aurora-postgresql +Onboard Amazon Aurora PostgreSQL to DSF Hub. + +## Notes +There are two prerequisites for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. +2. A method to create the 'pgaudit' extension and 'rds_pgaudit' role on the postgres instance. + +See the corresponding example for more details. + + + + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aurora-postgresql-cluster](#module\_aurora-postgresql-cluster) | ../aws-rds-cluster | n/a | +| [aurora-postgresql-cluster-parameter-group](#module\_aurora-postgresql-cluster-parameter-group) | ../aws-rds-cluster-parameter-group | n/a | +| [aurora-postgresql-instance](#module\_aurora-postgresql-instance) | ../aws-rds-cluster-instance | n/a | +| [aurora-postgresql-log-group](#module\_aurora-postgresql-log-group) | ../aws-cloudwatch-log-group | n/a | +| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-rds-aurora-postgresql-cluster-asset](#module\_aws-rds-aurora-postgresql-cluster-asset) | ../dsfhub-aws-rds-aurora-postgresql-cluster | n/a | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_aurora\_postgresql\_cluster\_admin\_email](#input\_aws\_aurora\_postgresql\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_aurora\_postgresql\_cluster\_gateway\_id](#input\_aws\_aurora\_postgresql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [aws\_aurora\_postgresql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_postgresql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. 
| `string` | n/a | yes | +| [aws\_log\_group\_admin\_email](#input\_aws\_log\_group\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [aws\_log\_group\_gateway\_id](#input\_aws\_log\_group\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes | +| [aws\_log\_group\_region](#input\_aws\_log\_group\_region) | AWS region of the log group | `string` | n/a | yes | +| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user. | `string` | n/a | yes | +| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes | +| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | +| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes | +| [aws\_aurora\_postgresql\_cluster\_audit\_type](#input\_aws\_aurora\_postgresql\_cluster\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no | +| [aws\_aurora\_postgresql\_cluster\_region](#input\_aws\_aurora\_postgresql\_cluster\_region) | AWS region containing the cluster. | `string` | `null` | no | +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. 
| `bool` | `false` | no | +| [aws\_log\_group\_reason](#input\_aws\_log\_group\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no | +| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no | +| [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` |
[
"postgresql"
]
| no | +| [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, e.g., 16.1 | `string` | `"16.1"` | no | +| [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no | +| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `true` | no | +| [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | +| [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `null` | no | +| [cluster\_parameter\_group\_description](#input\_cluster\_parameter\_group\_description) | The description of the DB cluster parameter group. | `string` | `null` | no | +| [cluster\_parameter\_group\_family](#input\_cluster\_parameter\_group\_family) | The family of the DB cluster parameter group. | `string` | `"aurora-postgresql16"` | no | +| [cluster\_parameter\_group\_parameters](#input\_cluster\_parameter\_group\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"name": "log_connections",
"value": 1
},
{
"name": "log_disconnections",
"value": 1
},
{
"name": "log_error_verbosity",
"value": "verbose"
},
{
"name": "pgaudit.log",
"value": "all"
},
{
"name": "pgaudit.role",
"value": "rds_pgaudit"
},
{
"apply_method": "pending-reboot",
"name": "shared_preload_libraries",
"value": "pgaudit,pg_stat_statements"
}
]
| no | +| [cluster\_parameter\_group\_tags](#input\_cluster\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no | +| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [instance\_db\_instance\_class](#input\_instance\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `"db.t3.medium"` | no | +| [instance\_maintenance\_schedule](#input\_instance\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | +| [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `null` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. 
| `number` | `7` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [aws\_log\_group\_asset](#output\_aws\_log\_group\_asset) | AWS log group asset | +| [aws\_rds\_aurora\_postgresql\_cluster\_asset](#output\_aws\_rds\_aurora\_postgresql\_cluster\_asset) | Aurora PostgreSQL cluster asset | +| [cluster](#output\_cluster) | Aurora PostgreSQL cluster | +| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora PostgreSQL cluster parameter group | +| [instance](#output\_instance) | Aurora PostgreSQL instance | +| [log\_group](#output\_log\_group) | Aurora PostgreSQL log group | + \ No newline at end of file diff --git a/modules/onboard-aws-rds-aurora-postgresql/main.tf b/modules/onboard-aws-rds-aurora-postgresql/main.tf new file mode 100644 index 0000000..fc282ff --- /dev/null +++ b/modules/onboard-aws-rds-aurora-postgresql/main.tf 
@@ -0,0 +1,78 @@
+module "aurora-postgresql-cluster-parameter-group" {
+ source = "../aws-rds-cluster-parameter-group"
+
+ description = var.cluster_parameter_group_description
+ family = var.cluster_parameter_group_family
+ name = var.cluster_parameter_group_name
+ parameters = var.cluster_parameter_group_parameters
+ tags = var.cluster_parameter_group_tags
+}
+
+module "aurora-postgresql-cluster" {
+ depends_on = [module.aurora-postgresql-log-group]
+ source = "../aws-rds-cluster"
+
+ apply_immediately = var.cluster_apply_immediately
+ backup_retention = var.cluster_backup_retention
+ cluster_id = var.cluster_id
+ db_enabled_cloudwatch_logs_exports = var.cluster_db_enabled_cloudwatch_logs_exports
+ db_engine = "aurora-postgresql"
+ db_engine_version = var.cluster_db_engine_version
+ db_master_password = var.cluster_db_master_password
+ db_master_username = var.cluster_db_master_username
+ db_port = var.cluster_db_port
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ final_snapshot = var.cluster_final_snapshot
+ maintenance_schedule = var.cluster_maintenance_schedule
+ network_type = var.cluster_network_type
+ parameter_group_name = module.aurora-postgresql-cluster-parameter-group.this.name
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+}
+
+module "aurora-postgresql-instance" {
+ source = "../aws-rds-cluster-instance"
+
+ apply_immediately = var.instance_apply_immediately
+ cluster_id = module.aurora-postgresql-cluster.this.cluster_identifier
+ db_engine = module.aurora-postgresql-cluster.this.engine
+ db_instance_class = var.instance_db_instance_class
+ db_subnet_group_name = module.aurora-postgresql-cluster.this.db_subnet_group_name
+ identifier = var.instance_identifier
+ maintenance_schedule = var.instance_maintenance_schedule
+ minor_version_upgrade = var.instance_minor_version_upgrade
+ publicly_accessible = var.instance_publicly_accessible
+}
+
+module "aurora-postgresql-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/cluster/${var.cluster_id}/postgresql"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "aws-rds-aurora-postgresql-cluster-asset" {
+ source = "../dsfhub-aws-rds-aurora-postgresql-cluster"
+
+ admin_email = var.aws_aurora_postgresql_cluster_admin_email
+ asset_display_name = module.aurora-postgresql-cluster.this.id
+ asset_id = module.aurora-postgresql-cluster.this.arn
+ audit_type = var.aws_aurora_postgresql_cluster_audit_type
+ gateway_id = var.aws_aurora_postgresql_cluster_gateway_id
+ parent_asset_id = var.aws_aurora_postgresql_cluster_parent_asset_id
+ region = var.aws_aurora_postgresql_cluster_region
+ server_host_name = module.aurora-postgresql-cluster.this.endpoint
+ server_port = module.aurora-postgresql-cluster.this.port
+}
+
+module "aws-log-group-asset" {
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_log_group_admin_email
+ asset_display_name = "${module.aurora-postgresql-log-group.this.arn}:*"
+ asset_id = "${module.aurora-postgresql-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_log_group_gateway_id
+ parent_asset_id = module.aws-rds-aurora-postgresql-cluster-asset.this.asset_id
+ reason = var.aws_log_group_reason
+ region = var.aws_log_group_region
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql/outputs.tf b/modules/onboard-aws-rds-aurora-postgresql/outputs.tf
new file mode 100644
index 0000000..425c0dc
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql/outputs.tf
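Review bot: The instance-class input is named `instance_db_instance_class` here but `instance_class` in the sibling `onboard-aws-rds-aurora-postgresql-kinesis/main.tf` earlier in this patch, so a caller cannot switch between the two onboarding variants without renaming inputs; aligning the name (and reusing the kinesis variant's validation block) would make the two modules interchangeable. The `depends_on = [module.aurora-postgresql-log-group]` on the cluster block is doing real ordering work and should say why — presumably so the log group exists with the configured retention before RDS starts exporting and creates it implicitly — e.g. `# create the log group first so retention_in_days applies before RDS exports into it (confirm)`. The log-group name `/aws/rds/cluster/${var.cluster_id}/postgresql` is also duplicated knowledge of the RDS naming convention; a comment noting that it must match what the `postgresql` export type produces would help the next maintainer.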
@@ -0,0 +1,29 @@
+output "cluster_parameter_group" {
+ description = "Aurora PostgreSQL cluster parameter group"
+ value = module.aurora-postgresql-cluster-parameter-group.this
+}
+
+output "cluster" {
+ description = "Aurora PostgreSQL cluster"
+ value = module.aurora-postgresql-cluster.this
+}
+
+output "instance" {
+ description = "Aurora PostgreSQL instance"
+ value = module.aurora-postgresql-instance.this
+}
+
+output "log_group" {
+ description = "Aurora PostgreSQL log group"
+ value = module.aurora-postgresql-log-group.this
+}
+
+output "aws_rds_aurora_postgresql_cluster_asset" {
+ description = "Aurora PostgreSQL cluster asset"
+ value = module.aws-rds-aurora-postgresql-cluster-asset.this
+}
+
+output "aws_log_group_asset" {
+ description = "AWS log group asset"
+ value = module.aws-log-group-asset.this
+}
diff --git a/modules/onboard-aws-rds-aurora-postgresql/variables.tf b/modules/onboard-aws-rds-aurora-postgresql/variables.tf
new file mode 100644
index 0000000..89872ab
--- /dev/null
+++ b/modules/onboard-aws-rds-aurora-postgresql/variables.tf
@@ -0,0 +1,241 @@ +variable "aws_aurora_postgresql_cluster_admin_email" { + description = "The email address to notify about this asset" + type = string +} + +variable "aws_aurora_postgresql_cluster_audit_type" { + description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details" + type = string + default = "LOG_GROUP" + validation { + condition = contains(["LOG_GROUP", "AGGREGATED"], var.aws_aurora_postgresql_cluster_audit_type) + error_message = "Invalid Value. Select from LOG_GROUP, or AGGREGATED." + } +} + +variable "aws_aurora_postgresql_cluster_parent_asset_id" { + description = "The asset_id of the cloud account with auth-mech such as key-pair, iam-role etc." + type = string +} + +variable "aws_aurora_postgresql_cluster_region" { + description = "AWS region containing the cluster." + type = string + default = null +} + +variable "aws_aurora_postgresql_cluster_gateway_id" { + description = "Unique identifier (UID) attached to the jSonar machine controlling the asset" + type = string +} + +variable "aws_log_group_admin_email" { + description = "The email address to notify about the asset." + type = string +} + +variable "aws_log_group_audit_pull_enabled" { + description = "If true, sonargateway will collect the audit logs for this system if it can." + type = bool + default = false +} + +variable "aws_log_group_gateway_id" { + description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'." + type = string +} + +variable "aws_log_group_reason" { + description = "Used to differentiate connections that belong to the same asset" + type = string + default = "default" +} + +variable "aws_log_group_region" { + description = "AWS region of the log group" + type = string +} + +variable "cluster_db_enabled_cloudwatch_logs_exports" { + description = "Set of log types to enable for exporting to CloudWatch logs. 
Valid values: audit, error, general, slowquery." + type = list(any) + default = ["postgresql"] +} + +variable "cluster_db_engine_version" { + description = "Database engine version, e.g., 16.1" + type = string + default = "16.1" +} + +variable "cluster_id" { + description = "The name of the RDS cluster" + type = string +} + +variable "cluster_backup_retention" { + description = "Days to retain backups for, Default is 1 day." + type = number + default = null +} + +variable "cluster_db_master_username" { + description = "Username for the master DB user." + type = string + validation { + condition = ( + var.cluster_db_master_username != "rdsadmin" && + var.cluster_db_master_username != "admin" + ) + error_message = "The aurora cluster master username must not be either \"rdsadmin\" or \"admin\". Please select another value." + } +} + +variable "cluster_db_master_password" { + description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true" + type = string +} + +variable "cluster_network_type" { + description = " Network type of the cluster. Valid values: IPV4, DUAL" + type = string + default = null +} + +variable "cluster_db_subnet_group_name" { + description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available." + type = string + default = null +} + +variable "cluster_vpc_security_group_ids" { + description = "List of VPC security groups to associate." + type = list(any) + default = null +} + +variable "cluster_maintenance_schedule" { + description = "Weekly time range during which system maintenance can occur, in (UTC)." + type = string + default = null +} + +variable "cluster_final_snapshot" { + description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. 
If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false" + type = bool + default = true +} + +variable "cluster_db_port" { + description = "Port on which the DB accepts connections." + type = number + default = null +} + +variable "cluster_apply_immediately" { + description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true" + type = bool + default = null +} + +variable "cluster_parameter_group_name" { + description = "The name of the DB cluster parameter group" + type = string +} + +variable "cluster_parameter_group_family" { + description = "The family of the DB cluster parameter group." + type = string + default = "aurora-postgresql16" +} + +variable "cluster_parameter_group_description" { + description = "The description of the DB cluster parameter group." + type = string + default = null +} + +variable "cluster_parameter_group_parameters" { + description = "List of objects containing parameters for the DB cluster parameter group." + type = list( + object({ + name = string + apply_method = optional(string, "immediate") + value = any + }) + ) + default = [ + { + name = "log_connections" + value = 1 + }, + { + name = "log_disconnections" + value = 1 + }, + { + name = "log_error_verbosity" + value = "verbose" + }, + { + name = "pgaudit.log" + value = "all" + }, + { + name = "pgaudit.role" + value = "rds_pgaudit" + }, + { + name = "shared_preload_libraries" + value = "pgaudit,pg_stat_statements" + apply_method = "pending-reboot" + } + ] +} + +variable "cluster_parameter_group_tags" { + description = "A map of tags to assign to the resource." 
+ type = map(string) + default = null +} + +variable "instance_identifier" { + description = "The name of the aurora cluster instance" + type = string +} + +variable "instance_publicly_accessible" { + description = "If instance is publicly accessible. Default false" + type = bool + default = null +} + +variable "instance_db_instance_class" { + description = "The instance type of the RDS cluster. Example: 'db.t3.micro'" + type = string + default = "db.t3.medium" +} + +variable "instance_maintenance_schedule" { + description = "Weekly time range during which system maintenance can occur, in (UTC)." + type = string + default = null +} + +variable "instance_apply_immediately" { + description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true" + type = bool + default = null +} + +variable "instance_minor_version_upgrade" { + description = "Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window." + type = bool + default = null +} + +variable "log_group_retention_in_days" { + description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire." + type = number + default = 7 +} From 6d92edef56560d4174d0c7fc062bc5c3e3589a3d Mon Sep 17 00:00:00 2001 From: PetalJsonar Date: Mon, 22 Jul 2024 21:39:51 +0000 Subject: [PATCH 2/7] Apply automatic changes --- examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf | 2 +- examples/onboard-aws-rds-aurora-mysql/main.tf | 2 +- examples/onboard-aws-rds-aurora-postgresql/main.tf | 2 +- modules/dsfhub-aws-kinesis/variables.tf | 2 +- modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf | 2 +- modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) 
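Review bot: `cluster_final_snapshot` defaults to `true` while its own description says `true` means no final DB snapshot is created, so the default silently disables the final snapshot on destroy for the audited database, and the variable name reads as the opposite of its effect; if it maps to `skip_final_snapshot` downstream (the `final_snapshot_identifier` wording suggests so), renaming it `cluster_skip_final_snapshot` with `default = false`, or inverting the semantics, would be the safer contract — note the kinesis variant of this module defaults the same input to `null`. `cluster_db_enabled_cloudwatch_logs_exports` defaults to `["postgresql"]` but its description still lists the MySQL values, and the `aws-log-group-asset` block in main.tf onboards the `postgresql` log group unconditionally, so a caller who overrides this list without `postgresql` gets an asset pointed at an empty log group; a validation such as `condition = var.cluster_db_enabled_cloudwatch_logs_exports != null && contains(var.cluster_db_enabled_cloudwatch_logs_exports, "postgresql")` would catch that at plan time.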
diff --git a/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf b/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf index 1d5f97f..c5b0b90 100644 --- a/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf +++ b/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf @@ -89,7 +89,7 @@ module "aws-aurora-mysql-slowquery" { cluster_db_subnet_group_name = local.subnet_group_name cluster_vpc_security_group_ids = local.vpc_security_group_ids - instance_identifier = "aurora-mysql-inst" + instance_identifier = "aurora-mysql-inst" instance_publicly_accessible = false aws_aurora_mysql_cluster_admin_email = local.admin_email diff --git a/examples/onboard-aws-rds-aurora-mysql/main.tf b/examples/onboard-aws-rds-aurora-mysql/main.tf index f18b2a3..b03e3ef 100644 --- a/examples/onboard-aws-rds-aurora-mysql/main.tf +++ b/examples/onboard-aws-rds-aurora-mysql/main.tf @@ -63,7 +63,7 @@ module "aws-aurora-mysql" { cluster_db_subnet_group_name = local.subnet_group_name cluster_vpc_security_group_ids = local.vpc_security_group_ids - instance_identifier = "aurora-mysql-inst" + instance_identifier = "aurora-mysql-inst" instance_publicly_accessible = false aws_aurora_mysql_cluster_admin_email = local.admin_email diff --git a/examples/onboard-aws-rds-aurora-postgresql/main.tf b/examples/onboard-aws-rds-aurora-postgresql/main.tf index a783934..73d8a5f 100644 --- a/examples/onboard-aws-rds-aurora-postgresql/main.tf +++ b/examples/onboard-aws-rds-aurora-postgresql/main.tf @@ -108,7 +108,7 @@ module "aurora-postgresql" { source = "../../modules/onboard-aws-rds-aurora-postgresql" aws_aurora_postgresql_cluster_admin_email = local.admin_email - aws_aurora_postgresql_cluster_audit_type = "AGGREGATED" + aws_aurora_postgresql_cluster_audit_type = "AGGREGATED" aws_aurora_postgresql_cluster_gateway_id = local.gateway_id aws_aurora_postgresql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id aws_aurora_postgresql_cluster_region = local.aws_region 
diff --git a/modules/dsfhub-aws-kinesis/variables.tf b/modules/dsfhub-aws-kinesis/variables.tf index ca26f91..db21a9b 100644 --- a/modules/dsfhub-aws-kinesis/variables.tf +++ b/modules/dsfhub-aws-kinesis/variables.tf @@ -10,7 +10,7 @@ variable "asset_display_name" { variable "asset_id" { description = "AWS kinesis stream ARN" - type = string + type = string } variable "audit_pull_enabled" { diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf b/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf index 0232784..bd6e74d 100644 --- a/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf +++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf @@ -150,7 +150,7 @@ variable "db_instance_class" { can(regex("^db.r6g.*large$", var.db_instance_class)) || can(regex("^db.r6i.*large$", var.db_instance_class)) || can(regex("^db.r5.*large$", var.db_instance_class)) || - can(regex("^db.x2g.*$", var.db_instance_class)) + can(regex("^db.x2g.*$", var.db_instance_class)) ) error_message = "Invalid instance class for database activity streams. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes." } diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf b/modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf index 5047956..2878a38 100644 --- a/modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf +++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/main.tf @@ -1,5 +1,5 @@ module "aurora-postgresql-cluster" { - source = "../aws-rds-cluster" + source = "../aws-rds-cluster" apply_immediately = var.cluster_apply_immediately backup_retention = var.cluster_backup_retention From 2db1cf255e0abb14a970052fb9e626970264feea Mon Sep 17 00:00:00 2001 
From: Petal Vitis Date: Mon, 22 Jul 2024 16:14:52 -0700 Subject: [PATCH 3/7] modified paths for dsfhub-aws-cloud-account and updated READMEs --- .../README.md | 2 +- .../main.tf | 2 +- .../README.md | 2 +- .../main.tf | 2 +- .../onboard-aws-rds-aurora-mysql/README.md | 2 +- examples/onboard-aws-rds-aurora-mysql/main.tf | 2 +- .../README.md | 2 +- .../main.tf | 2 +- .../README.md | 2 +- .../onboard-aws-rds-aurora-postgresql/main.tf | 2 +- .../aws-rds-cluster-activity-stream/README.md | 8 ++- .../aws-rds-cluster-activity-stream/main.tf | 2 +- modules/aws-rds-cluster-instance/README.md | 10 ++- modules/aws-rds-cluster-instance/main.tf | 1 - .../aws-rds-cluster-parameter-group/README.md | 6 +- modules/aws-rds-cluster/README.md | 12 ++-- modules/aws-rds-cluster/main.tf | 34 ++++----- modules/aws-rds-cluster/variables.tf | 69 +++++++++---------- modules/dsfhub-aws-kinesis/README.md | 8 ++- .../README.md | 10 ++- .../README.md | 10 ++- .../README.md | 14 ++-- .../README.md | 40 +++++++---- .../onboard-aws-rds-aurora-mysql/README.md | 34 +++++---- .../README.md | 16 +++-- .../README.md | 28 +++++--- 26 files changed, 187 insertions(+), 135 deletions(-) diff --git a/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md b/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md index 0256407..06ad80a 100644 --- a/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md +++ b/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md @@ -17,7 +17,7 @@ An AWS account asset will need to be onboarded to your DSF hub prior to using th | Name | Source | Version | |------|--------|---------| | [aws-aurora-mysql-kinesis](#module\_aws-aurora-mysql-kinesis) | ../../modules/onboard-aws-rds-aurora-mysql-kinesis | n/a | -| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | ## Inputs 
diff --git a/examples/onboard-aws-rds-aurora-mysql-kinesis/main.tf b/examples/onboard-aws-rds-aurora-mysql-kinesis/main.tf index cc523d3..a3f47fe 100644 --- a/examples/onboard-aws-rds-aurora-mysql-kinesis/main.tf +++ b/examples/onboard-aws-rds-aurora-mysql-kinesis/main.tf @@ -37,7 +37,7 @@ provider "dsfhub" { ################################################################################ # 1. AWS cloud account module "aws-default-account-asset" { - source = "../../modules/dsfhub-aws-cloud-account" + source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account" admin_email = local.admin_email asset_display_name = "aws-account-asset" diff --git a/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md b/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md index 1ecc26a..a69ea57 100644 --- a/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md +++ b/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md @@ -17,7 +17,7 @@ An AWS account asset will need to be onboarded to your DSF hub prior to using th | Name | Source | Version | |------|--------|---------| | [aws-aurora-mysql-slowquery](#module\_aws-aurora-mysql-slowquery) | ../../modules/onboard-aws-rds-aurora-mysql-slowquery | n/a | -| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | ## Inputs diff --git a/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf b/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf index c5b0b90..6ba3679 100644 --- a/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf +++ b/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf 
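Review bot: The new `source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account"` switches the example from a local path to a registry module but adds no `version` constraint, so each `terraform init` resolves to whatever the latest published version is and the example's behaviour can change without any commit in this repository. Pin it, e.g. `version = "<pinned version>"` on the line after `source`, and commit the dependency lock file so upgrades are deliberate and reviewable. The same unpinned source is introduced in the main.tf hunks of the slowquery, mysql, postgresql-kinesis and postgresql examples that follow, and the README module tables in this patch record the version as `n/a`, which is consistent with that gap. The `module "aws-default-account-asset"` block continues past the end of the hunk.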
@@ -38,7 +38,7 @@ provider "dsfhub" { ################################################################################ module "aws-default-account-asset" { - source = "../../modules/dsfhub-aws-cloud-account" + source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account" admin_email = local.admin_email asset_display_name = "aws-account-asset" diff --git a/examples/onboard-aws-rds-aurora-mysql/README.md b/examples/onboard-aws-rds-aurora-mysql/README.md index 76c3df3..2a8c882 100644 --- a/examples/onboard-aws-rds-aurora-mysql/README.md +++ b/examples/onboard-aws-rds-aurora-mysql/README.md @@ -17,7 +17,7 @@ An AWS account asset will need to be onboarded to your DSF hub prior to using th | Name | Source | Version | |------|--------|---------| | [aws-aurora-mysql](#module\_aws-aurora-mysql) | ../../modules/onboard-aws-rds-aurora-mysql | n/a | -| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | ## Inputs diff --git a/examples/onboard-aws-rds-aurora-mysql/main.tf b/examples/onboard-aws-rds-aurora-mysql/main.tf index b03e3ef..4e5c61e 100644 --- a/examples/onboard-aws-rds-aurora-mysql/main.tf +++ b/examples/onboard-aws-rds-aurora-mysql/main.tf @@ -38,7 +38,7 @@ provider "dsfhub" { ################################################################################ module "aws-default-account-asset" { - source = "../../modules/dsfhub-aws-cloud-account" + source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account" admin_email = local.admin_email asset_display_name = "aws-account-asset" diff --git a/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md b/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md index c12872b..c819706 100644 --- a/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md 
+++ b/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md @@ -17,7 +17,7 @@ An AWS account asset will need to be onboarded to your DSF hub prior to using th | Name | Source | Version | |------|--------|---------| | [aws-aurora-postgresql-kinesis](#module\_aws-aurora-postgresql-kinesis) | ../../modules/onboard-aws-rds-aurora-postgresql-kinesis | n/a | -| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | ## Inputs diff --git a/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf b/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf index 354bc4c..0cec602 100644 --- a/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf +++ b/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf @@ -37,7 +37,7 @@ provider "dsfhub" { ################################################################################ # 1. AWS cloud account module "aws-default-account-asset" { - source = "../../modules/dsfhub-aws-cloud-account" + source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account" admin_email = local.admin_email asset_display_name = "aws-account-asset" diff --git a/examples/onboard-aws-rds-aurora-postgresql/README.md b/examples/onboard-aws-rds-aurora-postgresql/README.md index 43676b1..7f0b482 100644 --- a/examples/onboard-aws-rds-aurora-postgresql/README.md +++ b/examples/onboard-aws-rds-aurora-postgresql/README.md 
@@ -28,7 +28,7 @@ Part of the onboarding process involves connecting to your Aurora PostgreSQL clu | Name | Source | Version | |------|--------|---------| | [aurora-postgresql](#module\_aurora-postgresql) | ../../modules/onboard-aws-rds-aurora-postgresql | n/a | -| [aws-default-account-asset](#module\_aws-default-account-asset) | ../../modules/dsfhub-aws-cloud-account | n/a | +| [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | ## Resources diff --git a/examples/onboard-aws-rds-aurora-postgresql/main.tf b/examples/onboard-aws-rds-aurora-postgresql/main.tf index 73d8a5f..2e0a3bc 100644 --- a/examples/onboard-aws-rds-aurora-postgresql/main.tf +++ b/examples/onboard-aws-rds-aurora-postgresql/main.tf @@ -41,7 +41,7 @@ provider "dsfhub" { ################################################################################ # 1. AWS cloud account module "aws-default-account-asset" { - source = "../../modules/dsfhub-aws-cloud-account" + source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account" admin_email = local.admin_email asset_display_name = "aws-account-asset" diff --git a/modules/aws-rds-cluster-activity-stream/README.md b/modules/aws-rds-cluster-activity-stream/README.md index d43545c..9313f13 100644 --- a/modules/aws-rds-cluster-activity-stream/README.md +++ b/modules/aws-rds-cluster-activity-stream/README.md @@ -9,6 +9,10 @@ No requirements. |------|---------| | [aws](#provider\_aws) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | 
@@ -19,14 +23,14 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [engine\_native\_audit\_fields\_included](#input\_engine\_native\_audit\_fields\_included) | Specifies whether the database activity stream includes engine-native audit fields. This option only applies to an Oracle DB instance. By default, no engine-native audit fields are included. | `string` | `null` | no | | [kms\_key\_id](#input\_kms\_key\_id) | The AWS KMS key identifier for encrypting messages in the database activity stream. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. | `string` | n/a | yes | | [mode](#input\_mode) | Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async. | `string` | n/a | yes | | [resource\_arn](#input\_resource\_arn) | The Amazon Resource Name (ARN) of the DB cluster | `string` | n/a | yes | -| [engine\_native\_audit\_fields\_included](#input\_engine\_native\_audit\_fields\_included) | Specifies whether the database activity stream includes engine-native audit fields. This option only applies to an Oracle DB instance. By default, no engine-native audit fields are included. | `string` | `null` | no | ## Outputs | Name | Description | |------|-------------| -| [this](#output\_this) | RDS cluster activity stream | +| [this](#output\_this) | RDS Cluster activity stream | \ No newline at end of file diff --git a/modules/aws-rds-cluster-activity-stream/main.tf b/modules/aws-rds-cluster-activity-stream/main.tf index 62d69e9..b012e33 100644 --- a/modules/aws-rds-cluster-activity-stream/main.tf +++ b/modules/aws-rds-cluster-activity-stream/main.tf 
@@ -2,5 +2,5 @@ resource "aws_rds_cluster_activity_stream" "this" { resource_arn = var.resource_arn mode = var.mode kms_key_id = var.kms_key_id - engine_native_audit_fields_included = var.engine_native_audit_fields_included # oracle specific + engine_native_audit_fields_included = var.engine_native_audit_fields_included # Oracle-specific } diff --git a/modules/aws-rds-cluster-instance/README.md b/modules/aws-rds-cluster-instance/README.md index 56337c1..677ca64 100644 --- a/modules/aws-rds-cluster-instance/README.md +++ b/modules/aws-rds-cluster-instance/README.md @@ -9,6 +9,10 @@ No requirements. |------|---------| | [aws](#provider\_aws) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | 
@@ -19,12 +23,12 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes | -| [identifier](#input\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes | | [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | +| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes | | [db\_engine](#input\_db\_engine) | Cluster engine e.g., aurora-mysql | `string` | `null` | no | | [db\_instance\_class](#input\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `null` | no | | [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [identifier](#input\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes | | [maintenance\_schedule](#input\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | | [minor\_version\_upgrade](#input\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no | | [publicly\_accessible](#input\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `null` | no | @@ -33,5 +37,5 @@ No requirements. | Name | Description | |------|-------------| -| [this](#output\_this) | aurora mysql cluster instance | +| [this](#output\_this) | Aurora MySQL Cluster instance | \ No newline at end of file 
diff --git a/modules/aws-rds-cluster-instance/main.tf b/modules/aws-rds-cluster-instance/main.tf index 5343fe1..8325106 100644 --- a/modules/aws-rds-cluster-instance/main.tf +++ b/modules/aws-rds-cluster-instance/main.tf @@ -1,5 +1,4 @@ resource "aws_rds_cluster_instance" "this" { - apply_immediately = var.apply_immediately auto_minor_version_upgrade = var.minor_version_upgrade cluster_identifier = var.cluster_id diff --git a/modules/aws-rds-cluster-parameter-group/README.md b/modules/aws-rds-cluster-parameter-group/README.md index 39682ab..f8c0d73 100644 --- a/modules/aws-rds-cluster-parameter-group/README.md +++ b/modules/aws-rds-cluster-parameter-group/README.md @@ -9,6 +9,10 @@ No requirements. |------|---------| | [aws](#provider\_aws) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | @@ -19,9 +23,9 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [description](#input\_description) | The description of the DB cluster parameter group. | `string` | `null` | no | | [family](#input\_family) | The family of the DB cluster parameter group. | `string` | n/a | yes | | [name](#input\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | -| [description](#input\_description) | The description of the DB cluster parameter group. | `string` | `null` | no | | [parameters](#input\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
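Review bot: Dropping `apply_immediately = var.apply_immediately` from `aws_rds_cluster_instance.this` leaves the module's `apply_immediately` input declared but unused, while the README hunk just above still lists it as an input that controls when modifications are applied. A caller setting it will presumably get the provider default with no warning, which is a confusing contract for a variable whose description says "Default is true". Either keep the line or remove the variable and its README row in the same change; if the omission is deliberate, a comment such as `# apply_immediately is intentionally not forwarded to the instance; see <reason>` would stop the next reader from re-adding it. The resource block continues past the end of the hunk.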
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
| `null` | no | | [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | diff --git a/modules/aws-rds-cluster/README.md b/modules/aws-rds-cluster/README.md index 20d5064..6dcbc2d 100644 --- a/modules/aws-rds-cluster/README.md +++ b/modules/aws-rds-cluster/README.md @@ -9,6 +9,10 @@ No requirements. |------|---------| | [aws](#provider\_aws) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | 
@@ -19,14 +23,14 @@ No requirements. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes | -| [db\_master\_password](#input\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | -| [db\_master\_username](#input\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes | | [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | | [backup\_retention](#input\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no | +| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes | | [db\_enabled\_cloudwatch\_logs\_exports](#input\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` | `null` | no | | [db\_engine](#input\_db\_engine) | Cluster engine e.g., aurora-mysql | `string` | `null` | no | | [db\_engine\_version](#input\_db\_engine\_version) | Database engine version, e.g., 8.0.mysql\_aurora.3.05.1 | `string` | `null` | no | +| [db\_master\_password](#input\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [db\_master\_username](#input\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. 
| `string` | n/a | yes | | [db\_port](#input\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no | | [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | | [final\_snapshot](#input\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `null` | no | @@ -39,5 +43,5 @@ No requirements. | Name | Description | |------|-------------| -| [this](#output\_this) | Aurora Mysql cluster | +| [this](#output\_this) | Aurora MySQL cluster | \ No newline at end of file diff --git a/modules/aws-rds-cluster/main.tf b/modules/aws-rds-cluster/main.tf index 88e1a8a..c675f3e 100644 --- a/modules/aws-rds-cluster/main.tf +++ b/modules/aws-rds-cluster/main.tf 
@@ -1,25 +1,17 @@
 resource "aws_rds_cluster" "this" {
-
- # Cluster settings
- cluster_identifier = var.cluster_id
- engine = var.db_engine
- engine_version = var.db_engine_version
- port = var.db_port
- backup_retention_period = var.backup_retention
- preferred_maintenance_window = var.maintenance_schedule
- skip_final_snapshot = var.final_snapshot
-
- # credentials
- master_username = var.db_master_username
- master_password = var.db_master_password
-
- # network
- network_type = var.network_type
- db_subnet_group_name = var.db_subnet_group_name
- vpc_security_group_ids = var.vpc_security_group_ids
-
- # audit
+ apply_immediately = var.apply_immediately
+ backup_retention_period = var.backup_retention
+ cluster_identifier = var.cluster_id
 enabled_cloudwatch_logs_exports = var.db_enabled_cloudwatch_logs_exports
+ engine = var.db_engine
+ engine_version = var.db_engine_version
+ master_password = var.db_master_password
+ master_username = var.db_master_username
+ port = var.db_port
+ db_subnet_group_name = var.db_subnet_group_name
+ skip_final_snapshot = var.final_snapshot
+ preferred_maintenance_window = var.maintenance_schedule
 db_cluster_parameter_group_name = var.parameter_group_name
- apply_immediately = var.apply_immediately
+ network_type = var.network_type
+ vpc_security_group_ids = var.vpc_security_group_ids
 }
diff --git a/modules/aws-rds-cluster/variables.tf b/modules/aws-rds-cluster/variables.tf
index eae236f..b636e83 100644
--- a/modules/aws-rds-cluster/variables.tf
+++ b/modules/aws-rds-cluster/variables.tf
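Review bot: The reordered `aws_rds_cluster.this` still sets neither `storage_encrypted` nor `kms_key_id`, so unless the engine mode defaults to encryption the cluster's storage, automated backups and snapshots are created unencrypted; this patch series also adds a `modules/aws-kms-key` module, so a customer-managed key is available to wire in. Consider `storage_encrypted = true` and `kms_key_id = var.kms_key_id` (a new, optional input) next to the other cluster arguments, and `deletion_protection` for anything beyond the examples. The credential path deserves the same look: `master_password = var.db_master_password` puts the secret into plan output and state, which the variable's own description acknowledges, whereas `manage_master_user_password = true` (also named in that description) would let RDS generate and store it in Secrets Manager instead.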
@@ -1,3 +1,20 @@ +variable "apply_immediately" { + description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true" + type = bool + default = null +} + +variable "backup_retention" { + description = "Days to retain backups for, Default is 1 day." + type = number + default = null +} + +variable "cluster_id" { + description = "The name of the RDS cluster" + type = string +} + variable "db_enabled_cloudwatch_logs_exports" { description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery." type = list(any) @@ -15,31 +32,19 @@ variable "db_engine_version" { default = null } -variable "cluster_id" { - description = "The name of the RDS cluster" +variable "db_master_password" { + description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true" type = string } - -variable "backup_retention" { - description = "Days to retain backups for, Default is 1 day." - type = number - default = null -} - variable "db_master_username" { description = "Username for the master DB user, must not use rdsadmin as that is reserved." type = string } -variable "db_master_password" { - description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true" - type = string -} - -variable "network_type" { - description = " Network type of the cluster. Valid values: IPV4, DUAL" - type = string +variable "db_port" { + description = "Port on which the DB accepts connections." + type = number default = null } 
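Review bot: `variable "db_master_password"` is moved but still declared without `sensitive = true`, so its value is printed in clear text in `terraform plan` and `apply` output and in any output that forwards it. Add `sensitive = true` after `type = string` in that block; the description already warns that the value reaches logs and the state file, and the flag at least keeps it out of console output and CI logs. State-file protection (encrypted backend, restricted access) remains a separate concern that this change does not address.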
@@ -49,33 +54,21 @@ variable "db_subnet_group_name" { default = null } -variable "vpc_security_group_ids" { - description = "List of VPC security groups to associate." - type = list(any) - default = null -} - -variable "maintenance_schedule" { - description = "Weekly time range during which system maintenance can occur, in (UTC)." - type = string - default = null -} - variable "final_snapshot" { description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false" type = bool default = null } -variable "db_port" { - description = "Port on which the DB accepts connections." - type = number +variable "maintenance_schedule" { + description = "Weekly time range during which system maintenance can occur, in (UTC)." + type = string default = null } -variable "apply_immediately" { - description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true" - type = bool +variable "network_type" { + description = " Network type of the cluster. Valid values: IPV4, DUAL" + type = string default = null } @@ -84,3 +77,9 @@ variable "parameter_group_name" { type = string default = null } + +variable "vpc_security_group_ids" { + description = "List of VPC security groups to associate." + type = list(any) + default = null +} diff --git a/modules/dsfhub-aws-kinesis/README.md b/modules/dsfhub-aws-kinesis/README.md index ab294b4..a62eeef 100644 --- a/modules/dsfhub-aws-kinesis/README.md +++ b/modules/dsfhub-aws-kinesis/README.md @@ -9,6 +9,10 @@ No requirements. |------|---------| | [dsfhub](#provider\_dsfhub) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | 
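Review bot: In the `@@ -84,3 +77,9 @@` hunk `variable "vpc_security_group_ids"` is re-added with `type = list(any)`, which accepts any element type and defers shape errors to the provider; `type = list(string)` documents the contract and fails at plan time instead, and the same applies to `db_enabled_cloudwatch_logs_exports` visible as context in the earlier hunk. A smaller nit in the `@@ -49,33 +54,21 @@` hunk: `variable "network_type"` carries over a description with a leading space, `" Network type of the cluster. Valid values: IPV4, DUAL"`, which shows up verbatim in generated docs; trim it while the block is being moved.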
@@ -22,10 +26,10 @@ No requirements. | [admin\_email](#input\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | | [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes | | [asset\_id](#input\_asset\_id) | AWS kinesis stream ARN | `string` | n/a | yes | -| [gateway\_id](#input\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes | -| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id that contains this asset (e.g. Asset ID of the database sending audit events). The parent must either be an AWS account, or have a parent which is an AWS account. | `string` | n/a | yes | | [audit\_pull\_enabled](#input\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | | [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no | +| [gateway\_id](#input\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes | +| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id that contains this asset (e.g. Asset ID of the database sending audit events). The parent must either be an AWS account, or have a parent which is an AWS account. | `string` | n/a | yes | | [reason](#input\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no | | [region](#input\_region) | AWS region of the kinesis stream | `string` | `null` | no | diff --git a/modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md b/modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md index 4513be6..4af6165 100644 
--- a/modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md +++ b/modules/dsfhub-aws-rds-aurora-mysql-cluster/README.md @@ -9,6 +9,10 @@ No requirements. |------|---------| | [dsfhub](#provider\_dsfhub) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | @@ -22,18 +26,18 @@ No requirements. | [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | | [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes | | [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:rds:us-east-2:123456790:cluster:db-name" | `string` | n/a | yes | +| [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection | `string` | `null` | no | | [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | | [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes | -| [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection | `string` | `null` | no | | [password](#input\_password) | User's password | `string` | `null` | no | | [region](#input\_region) | AWS region containing the cluster. | `string` | `null` | no | | [server\_host\_name](#input\_server\_host\_name) | Endpoint URL | `string` | `null` | no | | [server\_port](#input\_server\_port) | Port of the cluster for connection | `string` | `null` | no | -| [username](#input\_username) | Username to connect to the cluster with | `string` | `null` | no | +| [username](#input\_username) | Username to use to connect to the cluster. | `string` | `null` | no | ## Outputs | Name | Description | |------|-------------| -| [this](#output\_this) | Aurora Mysql cluster DSF asset | +| [this](#output\_this) | Aurora MySQL cluster DSF asset | \ No newline at end of file 
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md index e8a0fc8..50b1f05 100644 --- a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md +++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md @@ -9,6 +9,10 @@ No requirements. |------|---------| | [dsfhub](#provider\_dsfhub) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | 
@@ -22,15 +26,15 @@ No requirements.
 | [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
 | [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes |
 | [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:rds:us-east-2:123456790:cluster:db-name" | `string` | n/a | yes | 
-| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | 
-| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes |
 | [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no |
 | [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection | `string` | `null` | no | 
+| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | 
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes |
 | [password](#input\_password) | User's password | `string` | `null` | no |
 | [region](#input\_region) | AWS region containing the cluster. | `string` | `null` | no |
 | [server\_host\_name](#input\_server\_host\_name) | Endpoint URL | `string` | `null` | no |
 | [server\_port](#input\_server\_port) | Port of the cluster for connection | `string` | `null` | no | 
-| [username](#input\_username) | Username to connect to the cluster with | `string` | `null` | no | 
+| [username](#input\_username) | Username to use to connect to the cluster. | `string` | `null` | no |
 ## Outputs 
diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md b/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md 
index e49f332..183632c 100644 
--- a/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md 
+++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md 
@@ -8,7 +8,9 @@ There is one prerequisite for using this module:
 See the corresponding example for more details. 
+## Requirements 
+No requirements.
 ## Providers 
@@ -41,29 +43,29 @@ See the corresponding example for more details.
 | [aws\_aurora\_mysql\_cluster\_admin\_email](#input\_aws\_aurora\_mysql\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
 | [aws\_aurora\_mysql\_cluster\_gateway\_id](#input\_aws\_aurora\_mysql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
 | [aws\_aurora\_mysql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_mysql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes | 
-| [aws\_kinesis\_admin\_email](#input\_aws\_kinesis\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | 
-| [aws\_kinesis\_gateway\_id](#input\_aws\_kinesis\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes | 
-| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | 
-| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes | 
-| [cluster\_id](#input\_cluster\_id) | The name of the Aurora MySQL cluster | `string` | n/a | yes | 
-| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes |
 | [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the cluster. | `string` | `null` | no | 
+| [aws\_kinesis\_admin\_email](#input\_aws\_kinesis\_admin\_email) | The email address to notify about the asset. 
| `string` | n/a | yes |
 | [aws\_kinesis\_audit\_pull\_enabled](#input\_aws\_kinesis\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | 
+| [aws\_kinesis\_gateway\_id](#input\_aws\_kinesis\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes |
 | [aws\_kinesis\_reason](#input\_aws\_kinesis\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no |
 | [aws\_kinesis\_region](#input\_aws\_kinesis\_region) | AWS region of the kinesis stream | `string` | `null` | no |
 | [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no |
 | [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no |
 | [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` | `null` | no |
 | [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, i.e. 8.0.mysql\_aurora.3.05.1 | `string` | `null` | no | 
+| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | 
+| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes |
 | [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. 
| `number` | `null` | no |
 | [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no |
 | [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `null` | no | 
+| [cluster\_id](#input\_cluster\_id) | The name of the Aurora MySQL cluster | `string` | n/a | yes |
 | [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no |
 | [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `null` | no |
 | [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | Cluster parameter group associated with the cluster | `string` | `null` | no |
 | [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no |
 | [db\_instance\_class](#input\_db\_instance\_class) | The instance type of the RDS cluster. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes. | `string` | `"db.r5.large"` | no |
 | [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. 
Default is true | `bool` | `true` | no | 
+| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes |
 | [instance\_maintenance\_schedule](#input\_instance\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no |
 | [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no |
 | [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `null` | no | 
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md b/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md 
index b019026..aa3830a 100644 
--- a/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md 
+++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md 
@@ -1,5 +1,5 @@
 # onboard-aws-rds-aurora-mysql-slowquery 
-Onboard Amazon Aurora MySQL Slowquery to DSF Hub. 
+Onboard Amazon Aurora MySQL Slow query to DSF Hub.
 ## Notes
 There is one prerequisite for using this module: 
@@ -8,7 +8,13 @@ There is one prerequisite for using this module:
 See the corresponding example for more details. 
+## Requirements 
+No requirements. 
+ 
+## Providers 
+ 
+No providers.
 ## Modules 
@@ -23,26 +29,28 @@ See the corresponding example for more details.
 | [aws-log-group-slowquery-asset](#module\_aws-log-group-slowquery-asset) | ../dsfhub-aws-log-group | n/a |
 | [aws-rds-aurora-mysql-cluster-asset](#module\_aws-rds-aurora-mysql-cluster-asset) | ../dsfhub-aws-rds-aurora-mysql-cluster | n/a | 
+## Resources 
+ 
+No resources. 
+
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:| 
-| [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the instance. | `string` | n/a | yes | 
-| [cluster\_cluster\_id](#input\_cluster\_cluster\_id) | The name of the aurora mysql cluster | `string` | n/a | yes | 
-| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | 
-| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes | 
-| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | 
-| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes |
 | [aws\_aurora\_mysql\_cluster\_admin\_email](#input\_aws\_aurora\_mysql\_cluster\_admin\_email) | The email address to notify about the assets. 
| `string` | `null` | no |
 | [aws\_aurora\_mysql\_cluster\_gateway\_id](#input\_aws\_aurora\_mysql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | `null` | no |
 | [aws\_aurora\_mysql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_mysql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | `null` | no | 
+| [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the instance. | `string` | n/a | yes |
 | [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | Turn on/off auditing on the data source and log aggregator | `bool` | `false` | no |
 | [aws\_log\_group\_audit\_type](#input\_aws\_log\_group\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no |
 | [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `true` | no |
 | [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `1` | no | 
+| [cluster\_cluster\_id](#input\_cluster\_cluster\_id) | The name of the aurora mysql cluster | `string` | n/a | yes |
 | [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` |
[
"audit",
"slowquery"
]
| no |
 | [cluster\_db\_engine](#input\_cluster\_db\_engine) | Cluster engine i.e, aurora-mysql | `string` | `"aurora-mysql"` | no |
 | [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, i.e. 8.0.mysql\_aurora.3.05.1 | `string` | `"8.0.mysql_aurora.3.04.1"` | no | 
+| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | 
+| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes |
 | [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `3306` | no |
 | [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no |
 | [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `true` | no | 
@@ -50,10 +58,12 @@ See the corresponding example for more details.
 | [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `"IPV4"` | no |
 | [cluster\_parameter\_group\_description](#input\_cluster\_parameter\_group\_description) | The description of the DB cluster parameter group. | `string` | `"RDS aurora mysql cluster parameter group"` | no |
 | [cluster\_parameter\_group\_family](#input\_cluster\_parameter\_group\_family) | The family of the DB cluster parameter group. | `string` | `"aurora-mysql8.0"` | no | 
+| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes |
 | [cluster\_parameter\_group\_parameters](#input\_cluster\_parameter\_group\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"name": "server_audit_logging",
"value": 1
},
{
"name": "server_audit_excl_users",
"value": "rdsadmin"
},
{
"name": "server_audit_events",
"value": "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
},
{
"name": "slow_query_log",
"value": 1
},
{
"name": "long_query_time",
"value": 0
},
{
"name": "log_slow_admin_statements",
"value": 1
}
]
| no |
 | [cluster\_parameter\_group\_tags](#input\_cluster\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
 | [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no |
 | [instance\_db\_instance\_class](#input\_instance\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `"db.t3.medium"` | no | 
+| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes |
 | [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `false` | no |
 | [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `false` | no |
 | [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no | 
@@ -62,12 +72,12 @@ See the corresponding example for more details.
 | Name | Description |
 |------|-------------| 
-| [cluster](#output\_cluster) | Aurora Mysql Cluster | 
-| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora Mysql Cluster parameter group | 
-| [dsf\_aurora\_mysql\_cluster](#output\_dsf\_aurora\_mysql\_cluster) | Aurora Mysql cluster DSF asset | 
-| [dsf\_aurora\_mysql\_log\_group](#output\_dsf\_aurora\_mysql\_log\_group) | DSF Aurora Mysql log group asset | 
-| [dsf\_aurora\_mysql\_log\_group\_slowquery](#output\_dsf\_aurora\_mysql\_log\_group\_slowquery) | DSF Aurora Mysql slow query log group asset | 
-| [instance](#output\_instance) | Aurora Mysql instance | 
-| [log\_group](#output\_log\_group) | Aurora Mysql log group | 
-| [log\_group\_slowquery](#output\_log\_group\_slowquery) | Aurora Mysql slow query log group | 
+| [cluster](#output\_cluster) | Aurora MySQL Cluster | 
+| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora MySQL Cluster parameter group | 
+| [dsf\_aurora\_mysql\_cluster](#output\_dsf\_aurora\_mysql\_cluster) | Aurora MySQL cluster DSF asset | 
+| [dsf\_aurora\_mysql\_log\_group](#output\_dsf\_aurora\_mysql\_log\_group) | Aurora MySQL log group asset | 
+| [dsf\_aurora\_mysql\_log\_group\_slowquery](#output\_dsf\_aurora\_mysql\_log\_group\_slowquery) | Aurora MySQL slow query log group asset | 
+| [instance](#output\_instance) | Aurora MySQL instance | 
+| [log\_group](#output\_log\_group) | Aurora MySQL log group | 
+| [log\_group\_slowquery](#output\_log\_group\_slowquery) | Aurora MySQL slow query log group | 
\ No newline at end of file 
diff --git a/modules/onboard-aws-rds-aurora-mysql/README.md b/modules/onboard-aws-rds-aurora-mysql/README.md 
index b94eca0..f76799e 100644 
--- a/modules/onboard-aws-rds-aurora-mysql/README.md 
+++ b/modules/onboard-aws-rds-aurora-mysql/README.md 
@@ -8,7 +8,13 @@ There is one prerequisite for using this module:
 See the corresponding example for more details. 
+## Requirements 
+No requirements. 
+ 
+## Providers 
+ 
+No providers.
 ## Modules 
@@ -21,26 +27,28 @@ See the corresponding example for more details.
 | [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a |
 | [aws-rds-aurora-mysql-cluster-asset](#module\_aws-rds-aurora-mysql-cluster-asset) | ../dsfhub-aws-rds-aurora-mysql-cluster | n/a | 
+## Resources 
+ 
+No resources. 
+
 ## Inputs
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:| 
-| [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the instance. | `string` | n/a | yes | 
-| [cluster\_cluster\_id](#input\_cluster\_cluster\_id) | The name of the aurora mysql cluster | `string` | n/a | yes | 
-| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | 
-| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes | 
-| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | 
-| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes |
 | [aws\_aurora\_mysql\_cluster\_admin\_email](#input\_aws\_aurora\_mysql\_cluster\_admin\_email) | The email address to notify about the assets. | `string` | `null` | no |
 | [aws\_aurora\_mysql\_cluster\_gateway\_id](#input\_aws\_aurora\_mysql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | `null` | no |
 | [aws\_aurora\_mysql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_mysql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. 
| `string` | `null` | no | 
+| [aws\_aurora\_mysql\_cluster\_region](#input\_aws\_aurora\_mysql\_cluster\_region) | AWS region containing the instance. | `string` | n/a | yes |
 | [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | Turn on/off auditing on the data source and log aggregator | `bool` | `false` | no |
 | [aws\_log\_group\_audit\_type](#input\_aws\_log\_group\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no |
 | [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `true` | no |
 | [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `1` | no | 
+| [cluster\_cluster\_id](#input\_cluster\_cluster\_id) | The name of the aurora mysql cluster | `string` | n/a | yes |
 | [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` |
[
"audit"
]
| no |
 | [cluster\_db\_engine](#input\_cluster\_db\_engine) | Cluster engine i.e, aurora-mysql | `string` | `"aurora-mysql"` | no |
 | [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, i.e. 8.0.mysql\_aurora.3.05.1 | `string` | `"8.0.mysql_aurora.3.04.1"` | no | 
+| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | 
+| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user, must not use rdsadmin as that is reserved. | `string` | n/a | yes |
 | [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `3306` | no |
 | [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no |
 | [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `true` | no | 
@@ -48,10 +56,12 @@ See the corresponding example for more details.
 | [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `"IPV4"` | no |
 | [cluster\_parameter\_group\_description](#input\_cluster\_parameter\_group\_description) | The description of the DB cluster parameter group. | `string` | `"RDS aurora mysql cluster parameter group"` | no |
 | [cluster\_parameter\_group\_family](#input\_cluster\_parameter\_group\_family) | The family of the DB cluster parameter group. | `string` | `"aurora-mysql8.0"` | no | 
+| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes |
 | [cluster\_parameter\_group\_parameters](#input\_cluster\_parameter\_group\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"name": "server_audit_logging",
"value": 1
},
{
"name": "server_audit_excl_users",
"value": "rdsadmin"
},
{
"name": "server_audit_events",
"value": "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
}
]
| no |
 | [cluster\_parameter\_group\_tags](#input\_cluster\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
 | [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no |
 | [instance\_db\_instance\_class](#input\_instance\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `"db.t3.medium"` | no | 
+| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora mysql cluster instance | `string` | n/a | yes |
 | [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `false` | no |
 | [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `false` | no |
 | [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no | 
@@ -60,10 +70,10 @@ See the corresponding example for more details.
 | Name | Description |
 |------|-------------| 
-| [cluster](#output\_cluster) | Aurora Mysql Cluster | 
-| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora Mysql Cluster parameter group | 
-| [dsf\_aurora\_mysql\_cluster](#output\_dsf\_aurora\_mysql\_cluster) | Aurora Mysql cluster DSF asset | 
-| [dsf\_aurora\_mysql\_log\_group](#output\_dsf\_aurora\_mysql\_log\_group) | DSF Aurora Mysql log group asset | 
-| [instance](#output\_instance) | Aurora Mysql instance | 
-| [log\_group](#output\_log\_group) | Aurora Mysql log group | 
+| [cluster](#output\_cluster) | Aurora MySQL Cluster | 
+| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora MySQL Cluster parameter group | 
+| [dsf\_aurora\_mysql\_cluster](#output\_dsf\_aurora\_mysql\_cluster) | Aurora MySQL cluster asset | 
+| [dsf\_aurora\_mysql\_log\_group](#output\_dsf\_aurora\_mysql\_log\_group) | Aurora MySQL log group asset | 
+| [instance](#output\_instance) | Aurora MySQL instance | 
+| [log\_group](#output\_log\_group) | Aurora MySQL log group | 
\ No newline at end of file 
diff --git a/modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md b/modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md 
index 9eb4dfa..6bd1be6 100644 
--- a/modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md 
+++ b/modules/onboard-aws-rds-aurora-postgresql-kinesis/README.md 
@@ -8,7 +8,9 @@ There is one prerequisite for using this module:
 See the corresponding example for more details. 
+## Requirements 
+No requirements.
 ## Providers 
@@ -39,26 +41,25 @@ See the corresponding example for more details.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [aws\_aurora\_postgresql\_cluster\_admin\_email](#input\_aws\_aurora\_postgresql\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | 
+| [aws\_aurora\_postgresql\_cluster\_audit\_type](#input\_aws\_aurora\_postgresql\_cluster\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"KINESIS"` | no |
 | [aws\_aurora\_postgresql\_cluster\_gateway\_id](#input\_aws\_aurora\_postgresql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
 | [aws\_aurora\_postgresql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_postgresql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes | 
-| [aws\_kinesis\_admin\_email](#input\_aws\_kinesis\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | 
-| [aws\_kinesis\_gateway\_id](#input\_aws\_kinesis\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes | 
-| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | 
-| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user. 
| `string` | n/a | yes | 
-| [cluster\_id](#input\_cluster\_id) | The name of the Aurora PostgreSQL cluster | `string` | n/a | yes | 
-| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes | 
-| [aws\_aurora\_postgresql\_cluster\_audit\_type](#input\_aws\_aurora\_postgresql\_cluster\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"KINESIS"` | no |
 | [aws\_aurora\_postgresql\_cluster\_region](#input\_aws\_aurora\_postgresql\_cluster\_region) | AWS region containing the cluster. | `string` | `null` | no | 
+| [aws\_kinesis\_admin\_email](#input\_aws\_kinesis\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes |
 | [aws\_kinesis\_audit\_pull\_enabled](#input\_aws\_kinesis\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | 
+| [aws\_kinesis\_gateway\_id](#input\_aws\_kinesis\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes |
 | [aws\_kinesis\_reason](#input\_aws\_kinesis\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no |
 | [aws\_kinesis\_region](#input\_aws\_kinesis\_region) | AWS region of the kinesis stream | `string` | `null` | no |
 | [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no |
 | [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. 
| `number` | `null` | no |
 | [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` | `null` | no |
 | [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, e.g., 16.1 | `string` | `"16.1"` | no | 
+| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | 
+| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user. | `string` | n/a | yes |
 | [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no |
 | [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no |
 | [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `null` | no | 
+| [cluster\_id](#input\_cluster\_id) | The name of the Aurora PostgreSQL cluster | `string` | n/a | yes |
 | [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no |
 | [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. 
Valid values: IPV4, DUAL | `string` | `null` | no | | [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | Cluster parameter group associated with the cluster | `string` | `null` | no | @@ -66,6 +67,7 @@ See the corresponding example for more details. | [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | | [instance\_class](#input\_instance\_class) | The instance type of the RDS cluster. Supported instance classes for database activity streams can be found at https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBActivityStreams.Overview.html#DBActivityStreams.Overview.requirements.classes. | `string` | `"db.r5.large"` | no | | [instance\_db\_subnet\_group\_name](#input\_instance\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | +| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes | | [instance\_maintenance\_schedule](#input\_instance\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | | [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no | | [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `null` | no | diff --git a/modules/onboard-aws-rds-aurora-postgresql/README.md b/modules/onboard-aws-rds-aurora-postgresql/README.md index 29ab797..58b0505 100644 
--- a/modules/onboard-aws-rds-aurora-postgresql/README.md +++ b/modules/onboard-aws-rds-aurora-postgresql/README.md @@ -9,7 +9,13 @@ There are two prerequisites for using this module: See the corresponding example for more details. +## Requirements +No requirements. + +## Providers + +No providers. ## Modules 
@@ -22,41 +28,45 @@ See the corresponding example for more details. | [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a | | [aws-rds-aurora-postgresql-cluster-asset](#module\_aws-rds-aurora-postgresql-cluster-asset) | ../dsfhub-aws-rds-aurora-postgresql-cluster | n/a | +## Resources + +No resources. + ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [aws\_aurora\_postgresql\_cluster\_admin\_email](#input\_aws\_aurora\_postgresql\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_aurora\_postgresql\_cluster\_audit\_type](#input\_aws\_aurora\_postgresql\_cluster\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no | | [aws\_aurora\_postgresql\_cluster\_gateway\_id](#input\_aws\_aurora\_postgresql\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | | [aws\_aurora\_postgresql\_cluster\_parent\_asset\_id](#input\_aws\_aurora\_postgresql\_cluster\_parent\_asset\_id) | The asset\_id of the cloud account with auth-mech such as key-pair, iam-role etc. | `string` | n/a | yes | -| [aws\_log\_group\_admin\_email](#input\_aws\_log\_group\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | -| [aws\_log\_group\_gateway\_id](#input\_aws\_log\_group\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. | `string` | n/a | yes | -| [aws\_log\_group\_region](#input\_aws\_log\_group\_region) | AWS region of the log group | `string` | n/a | yes | -| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. 
Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | -| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user. | `string` | n/a | yes | -| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes | -| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | -| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes | -| [aws\_aurora\_postgresql\_cluster\_audit\_type](#input\_aws\_aurora\_postgresql\_cluster\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no | | [aws\_aurora\_postgresql\_cluster\_region](#input\_aws\_aurora\_postgresql\_cluster\_region) | AWS region containing the cluster. | `string` | `null` | no | +| [aws\_log\_group\_admin\_email](#input\_aws\_log\_group\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | | [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [aws\_log\_group\_gateway\_id](#input\_aws\_log\_group\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. 
| `string` | n/a | yes | | [aws\_log\_group\_reason](#input\_aws\_log\_group\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no | +| [aws\_log\_group\_region](#input\_aws\_log\_group\_region) | AWS region of the log group | `string` | n/a | yes | | [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | | [cluster\_backup\_retention](#input\_cluster\_backup\_retention) | Days to retain backups for, Default is 1 day. | `number` | `null` | no | | [cluster\_db\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_db\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery. | `list(any)` |
[
"postgresql"
]
| no | | [cluster\_db\_engine\_version](#input\_cluster\_db\_engine\_version) | Database engine version, e.g., 16.1 | `string` | `"16.1"` | no | +| [cluster\_db\_master\_password](#input\_cluster\_db\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Cannot be set if manage\_master\_user\_password is set to true | `string` | n/a | yes | +| [cluster\_db\_master\_username](#input\_cluster\_db\_master\_username) | Username for the master DB user. | `string` | n/a | yes | | [cluster\_db\_port](#input\_cluster\_db\_port) | Port on which the DB accepts connections. | `number` | `null` | no | | [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | `null` | no | | [cluster\_final\_snapshot](#input\_cluster\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false | `bool` | `true` | no | +| [cluster\_id](#input\_cluster\_id) | The name of the RDS cluster | `string` | n/a | yes | | [cluster\_maintenance\_schedule](#input\_cluster\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | | [cluster\_network\_type](#input\_cluster\_network\_type) | Network type of the cluster. Valid values: IPV4, DUAL | `string` | `null` | no | | [cluster\_parameter\_group\_description](#input\_cluster\_parameter\_group\_description) | The description of the DB cluster parameter group. 
| `string` | `null` | no | | [cluster\_parameter\_group\_family](#input\_cluster\_parameter\_group\_family) | The family of the DB cluster parameter group. | `string` | `"aurora-postgresql16"` | no | +| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the DB cluster parameter group | `string` | n/a | yes | | [cluster\_parameter\_group\_parameters](#input\_cluster\_parameter\_group\_parameters) | List of objects containing parameters for the DB cluster parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"name": "log_connections",
"value": 1
},
{
"name": "log_disconnections",
"value": 1
},
{
"name": "log_error_verbosity",
"value": "verbose"
},
{
"name": "pgaudit.log",
"value": "all"
},
{
"name": "pgaudit.role",
"value": "rds_pgaudit"
},
{
"apply_method": "pending-reboot",
"name": "shared_preload_libraries",
"value": "pgaudit,pg_stat_statements"
}
]
| no | | [cluster\_parameter\_group\_tags](#input\_cluster\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | | [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(any)` | `null` | no | | [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is true | `bool` | `null` | no | | [instance\_db\_instance\_class](#input\_instance\_db\_instance\_class) | The instance type of the RDS cluster. Example: 'db.t3.micro' | `string` | `"db.t3.medium"` | no | +| [instance\_identifier](#input\_instance\_identifier) | The name of the aurora cluster instance | `string` | n/a | yes | | [instance\_maintenance\_schedule](#input\_instance\_maintenance\_schedule) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no | | [instance\_minor\_version\_upgrade](#input\_instance\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. | `bool` | `null` | no | | [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `null` | no | From 66ca014ae8eb979e914f3b20de57f88499f7438c Mon Sep 17 00:00:00 2001 
From: Petal Vitis Date: Tue, 23 Jul 2024 09:40:13 -0700 Subject: [PATCH 4/7] differentiated between eg modules to validate successfully --- .../onboard-aws-rds-aurora-mysql-slowquery/main.tf | 4 ++-- examples/onboard-aws-rds-aurora-mysql/main.tf | 4 ++-- .../main.tf | 4 ++-- examples/onboard-aws-rds-aurora-postgresql/main.tf | 12 ++++++------ .../onboard-aws-rds-aurora-mysql-kinesis/README.md | 2 +- .../variables.tf | 2 +- .../variables.tf | 6 +++--- modules/onboard-aws-rds-aurora-mysql/variables.tf | 8 ++++---- 8 files changed, 21 insertions(+), 21 deletions(-) diff --git a/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf b/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf index 6ba3679..0689c75 100644 --- a/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf +++ b/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf @@ -49,7 +49,7 @@ module "aws-default-account-asset" { } ################################################################################ -# Amazon Aurora MySQL Slowquery +# Amazon Aurora MySQL Slow query ################################################################################ module "aws-aurora-mysql-slowquery" { @@ -89,7 +89,7 @@ module "aws-aurora-mysql-slowquery" { cluster_db_subnet_group_name = local.subnet_group_name cluster_vpc_security_group_ids = local.vpc_security_group_ids - instance_identifier = "aurora-mysql-inst" + instance_identifier = "aurora-mysql" instance_publicly_accessible = false aws_aurora_mysql_cluster_admin_email = local.admin_email diff --git a/examples/onboard-aws-rds-aurora-mysql/main.tf b/examples/onboard-aws-rds-aurora-mysql/main.tf index 4e5c61e..5c475de 100644 --- a/examples/onboard-aws-rds-aurora-mysql/main.tf +++ b/examples/onboard-aws-rds-aurora-mysql/main.tf 
@@ -49,7 +49,7 @@ module "aws-default-account-asset" { } ################################################################################ -# Amazon Aurora Mysql +# Amazon Aurora MySQL ################################################################################ module "aws-aurora-mysql" { @@ -63,7 +63,7 @@ module "aws-aurora-mysql" { cluster_db_subnet_group_name = local.subnet_group_name cluster_vpc_security_group_ids = local.vpc_security_group_ids - instance_identifier = "aurora-mysql-inst" + instance_identifier = "aurora-mysql" instance_publicly_accessible = false aws_aurora_mysql_cluster_admin_email = local.admin_email diff --git a/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf b/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf index 0cec602..2b5aa28 100644 --- a/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf +++ b/examples/onboard-aws-rds-aurora-postgresql-kinesis/main.tf @@ -50,7 +50,7 @@ module "aws-default-account-asset" { ################################################################################ # Amazon Aurora PostgreSQL 16 via kinesis stream ################################################################################ -module "aws-aurora-postgresql-kinesis" { +module "aws-aurora-postgresql-kinesis-1" { source = "../../modules/onboard-aws-rds-aurora-postgresql-kinesis" aws_aurora_postgresql_cluster_admin_email = local.admin_email @@ -79,7 +79,7 @@ module "aws-aurora-postgresql-kinesis" { ################################################################################ # Amazon Aurora PostgreSQL 16 via kinesis stream aggregated ################################################################################ -module "aws-aurora-postgresql-kinesis" { +module "aws-aurora-postgresql-kinesis-2" { source = "../../modules/onboard-aws-rds-aurora-postgresql-kinesis" aws_aurora_postgresql_cluster_admin_email = local.admin_email 
diff --git a/examples/onboard-aws-rds-aurora-postgresql/main.tf b/examples/onboard-aws-rds-aurora-postgresql/main.tf
index 2e0a3bc..b64729d 100644
--- a/examples/onboard-aws-rds-aurora-postgresql/main.tf
+++ b/examples/onboard-aws-rds-aurora-postgresql/main.tf
@@ -1,7 +1,7 @@
 locals {
 aws_region = "us-east-2"
 apply_immediately = true
- master_user = "admin"
+ master_user = "PGadmin"
 master_password = "Abcd1234"
 subnet_group_name = "default"
 vpc_security_groups = ["sg-0123456789abcdefg"]
@@ -54,14 +54,14 @@ module "aws-default-account-asset" {
 # 2. Run shell script locally to create extension and role on the newly created
 # postgres cluster.
 resource "terraform_data" "configure_database" {
- depends_on = [module.aurora-postgresql]
+ depends_on = [module.aurora-postgresql-1]
 
 provisioner "local-exec" {
 environment = {
- PGHOST = module.aurora-postgresql.cluster.endpoint
+ PGHOST = module.aurora-postgresql-1.cluster.endpoint
 PGUSER = local.master_user
 PGPASSWORD = local.master_password
- PGPORT = module.aurora-postgresql.cluster.port
+ PGPORT = module.aurora-postgresql-1.cluster.port
 PGDATABASE = "postgres"
 }
 
@@ -74,7 +74,7 @@ resource "terraform_data" "configure_database" {
 ################################################################################
 # Amazon Aurora PostgreSQL 16.1
 ################################################################################
-module "aurora-postgresql" {
+module "aurora-postgresql-1" {
 source = "../../modules/onboard-aws-rds-aurora-postgresql"
 
 aws_aurora_postgresql_cluster_admin_email = local.admin_email
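Review bot: The renamed `master_user` in the locals hunk sits directly beside `master_password = "Abcd1234"`, a plaintext master credential that this example feeds into the cluster module and, in the following hunk, into the provisioner's `PGPASSWORD`, so it ends up in the Terraform state and in every copy of the example. Even for a sample, the password should come from a sensitive input rather than a literal: replace the local with `master_password = var.master_password` and declare a `variable "master_password"` of type string with `sensitive = true`, so `terraform plan` output redacts it and users are forced to supply their own value. The module README in this same series describes `cluster_db_master_password` as mutually exclusive with `manage_master_user_password`, so letting RDS manage the secret may be the cleaner option if the wrapper module exposes that switch, which is not visible in this hunk.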
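Review bot: The provisioner's `environment` map now points `PGHOST` at the renamed module output but still sets no `PGSSLMODE`, so psql connects with its default `prefer`, which neither requires encryption nor validates the server certificate while the master password is being sent to the cluster endpoint. Add `PGSSLMODE = "verify-full"` together with `PGSSLROOTCERT` pointing at the RDS CA bundle, or at minimum `PGSSLMODE = "require"`, next to the other `PG*` entries. The provisioner's `command` and the remainder of the `terraform_data` resource lie outside the hunk.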
@@ -104,7 +104,7 @@ module "aurora-postgresql" { ################################################################################ # Amazon Aurora PostgreSQL 16.1 Aggregated ################################################################################ -module "aurora-postgresql" { +module "aurora-postgresql-2" { source = "../../modules/onboard-aws-rds-aurora-postgresql" aws_aurora_postgresql_cluster_admin_email = local.admin_email diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md b/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md index 183632c..de4dd7e 100644 --- a/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md +++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/README.md 
@@ -71,7 +71,7 @@ No requirements. | [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | If instance is publicly accessible. Default false | `bool` | `null` | no | | [key\_custom\_master\_key\_spec](#input\_key\_custom\_master\_key\_spec) | Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports. Valid values: SYMMETRIC\_DEFAULT, RSA\_2048, RSA\_3072, RSA\_4096, HMAC\_256, ECC\_NIST\_P256, ECC\_NIST\_P384, ECC\_NIST\_P521, or ECC\_SECG\_P256K1. | `string` | `"SYMMETRIC_DEFAULT"` | no | | [key\_deletion\_window\_in\_days](#input\_key\_deletion\_window\_in\_days) | The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. | `number` | `30` | no | -| [key\_description](#input\_key\_description) | The description of the key as viewed in AWS console. | `string` | `"AWS KMS Key to encrypt Aurora Mysql Database Activity Stream."` | no | +| [key\_description](#input\_key\_description) | The description of the key as viewed in AWS console. | `string` | `"AWS KMS Key to encrypt Aurora MySQL Database Activity Stream."` | no | | [key\_is\_enabled](#input\_key\_is\_enabled) | Specifies whether the key is enabled. | `bool` | `true` | no | | [key\_multi\_region](#input\_key\_multi\_region) | Indicates whether the KMS key is a multi-Region (true) or regional (false) key. | `bool` | `false` | no | | [key\_tags](#input\_key\_tags) | A map of tags to assign to the object. | `map(string)` | `null` | no | diff --git a/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf b/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf index bd6e74d..4060872 100644 --- a/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf +++ b/modules/onboard-aws-rds-aurora-mysql-kinesis/variables.tf 
@@ -189,7 +189,7 @@ variable "key_deletion_window_in_days" { variable "key_description" { description = "The description of the key as viewed in AWS console." type = string - default = "AWS KMS Key to encrypt Aurora Mysql Database Activity Stream." + default = "AWS KMS Key to encrypt Aurora MySQL Database Activity Stream." } variable "key_is_enabled" { diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf b/modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf index a300bf2..8930ca3 100644 --- a/modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf +++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/variables.tf @@ -59,7 +59,7 @@ variable "cluster_parameter_group_tags" { default = null } -# Aurora Mysql Cluster variables +# Aurora MySQL Cluster variables variable "cluster_db_enabled_cloudwatch_logs_exports" { description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery." type = list(any) @@ -139,7 +139,7 @@ variable "cluster_apply_immediately" { default = true } -# Aurora Mysql Instance variables +# Aurora MySQL Instance variables variable "instance_identifier" { description = "The name of the aurora mysql cluster instance" type = string @@ -163,7 +163,7 @@ variable "instance_publicly_accessible" { default = false } -#AWS cloudwatch variables +# AWS CloudWatch variables variable "log_group_retention_in_days" { description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire." type = number diff --git a/modules/onboard-aws-rds-aurora-mysql/variables.tf b/modules/onboard-aws-rds-aurora-mysql/variables.tf index e443141..df5dc67 100644 --- a/modules/onboard-aws-rds-aurora-mysql/variables.tf +++ b/modules/onboard-aws-rds-aurora-mysql/variables.tf 
@@ -47,7 +47,7 @@ variable "cluster_parameter_group_tags" { default = null } -# Aurora Mysql Cluster variables +# Aurora MySQL Cluster variables variable "cluster_db_enabled_cloudwatch_logs_exports" { description = "Set of log types to enable for exporting to CloudWatch logs. Valid values: audit, error, general, slowquery." type = list(any) @@ -129,7 +129,7 @@ variable "cluster_apply_immediately" { default = true } -# Aurora Mysql Instance variables +# Aurora MySQL Instance variables variable "instance_identifier" { description = "The name of the aurora mysql cluster instance" type = string @@ -153,7 +153,7 @@ variable "instance_publicly_accessible" { default = false } -#AWS cloudwatch variables +# AWS CloudWatch variables variable "log_group_retention_in_days" { description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire." type = number @@ -198,4 +198,4 @@ variable "aws_log_group_audit_pull_enabled" { description = "Turn on/off auditing on the data source and log aggregator" type = bool default = false -} \ No newline at end of file +} From 1896792f437d067899c8aca0257cf1c5c9ec236e Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 23 Jul 2024 16:41:34 +0000 Subject: [PATCH 5/7] terraform-docs: automated action --- .../README.md | 14 ++++++++++++++ .../README.md | 14 ++++++++++++++ examples/onboard-aws-rds-aurora-mysql/README.md | 14 ++++++++++++++ .../README.md | 17 ++++++++++++++++- .../onboard-aws-rds-aurora-postgresql/README.md | 9 ++++++++- modules/aws-kms-key/README.md | 4 ++++ 6 files changed, 70 insertions(+), 2 deletions(-) diff --git a/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md b/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md index 06ad80a..b68fbcc 100644 --- a/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md +++ b/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md 
@@ -10,7 +10,13 @@ It creates both 'aws' and 'dsfhub' resources. More information regarding authent An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created kinesis stream. +## Requirements +No requirements. + +## Providers + +No providers. ## Modules @@ -19,10 +25,18 @@ An AWS account asset will need to be onboarded to your DSF hub prior to using th | [aws-aurora-mysql-kinesis](#module\_aws-aurora-mysql-kinesis) | ../../modules/onboard-aws-rds-aurora-mysql-kinesis | n/a | | [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | +## Resources + +No resources. + ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | | [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md b/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md index a69ea57..64d2213 100644 --- a/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md +++ b/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md @@ -10,7 +10,13 @@ This example creates both 'aws' and 'dsfhub' resources. More information regardi An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. +## Requirements +No requirements. + +## Providers + +No providers. ## Modules 
@@ -19,10 +25,18 @@ An AWS account asset will need to be onboarded to your DSF hub prior to using th | [aws-aurora-mysql-slowquery](#module\_aws-aurora-mysql-slowquery) | ../../modules/onboard-aws-rds-aurora-mysql-slowquery | n/a | | [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | +## Resources + +No resources. + ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | | [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-mysql/README.md b/examples/onboard-aws-rds-aurora-mysql/README.md index 2a8c882..cc807c1 100644 --- a/examples/onboard-aws-rds-aurora-mysql/README.md +++ b/examples/onboard-aws-rds-aurora-mysql/README.md @@ -10,7 +10,13 @@ This example creates both 'aws' and 'dsfhub' resources. More information regardi An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. +## Requirements +No requirements. + +## Providers + +No providers. ## Modules 
@@ -19,10 +25,18 @@ An AWS account asset will need to be onboarded to your DSF hub prior to using th | [aws-aurora-mysql](#module\_aws-aurora-mysql) | ../../modules/onboard-aws-rds-aurora-mysql | n/a | | [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | +## Resources + +No resources. + ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | | [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md b/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md index c819706..474c17c 100644 --- a/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md +++ b/examples/onboard-aws-rds-aurora-postgresql-kinesis/README.md 
@@ -10,19 +10,34 @@ It creates both 'aws' and 'dsfhub' resources. More information regarding authent An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created kinesis stream. +## Requirements +No requirements. + +## Providers + +No providers. ## Modules | Name | Source | Version | |------|--------|---------| -| [aws-aurora-postgresql-kinesis](#module\_aws-aurora-postgresql-kinesis) | ../../modules/onboard-aws-rds-aurora-postgresql-kinesis | n/a | +| [aws-aurora-postgresql-kinesis-1](#module\_aws-aurora-postgresql-kinesis-1) | ../../modules/onboard-aws-rds-aurora-postgresql-kinesis | n/a | +| [aws-aurora-postgresql-kinesis-2](#module\_aws-aurora-postgresql-kinesis-2) | ../../modules/onboard-aws-rds-aurora-postgresql-kinesis | n/a | | [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | +## Resources + +No resources. + ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | | [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. \ No newline at end of file diff --git a/examples/onboard-aws-rds-aurora-postgresql/README.md b/examples/onboard-aws-rds-aurora-postgresql/README.md index 7f0b482..0a4c600 100644 --- a/examples/onboard-aws-rds-aurora-postgresql/README.md +++ b/examples/onboard-aws-rds-aurora-postgresql/README.md @@ -15,7 +15,9 @@ Part of the onboarding process involves connecting to your Aurora PostgreSQL clu **Note:** This example requires the ``psql`` client to be installed, as well as for the newly created Aurora cluster to be accessible from your local machine. +## Requirements +No requirements. ## Providers 
@@ -27,7 +29,8 @@ Part of the onboarding process involves connecting to your Aurora PostgreSQL clu | Name | Source | Version | |------|--------|---------| -| [aurora-postgresql](#module\_aurora-postgresql) | ../../modules/onboard-aws-rds-aurora-postgresql | n/a | +| [aurora-postgresql-1](#module\_aurora-postgresql-1) | ../../modules/onboard-aws-rds-aurora-postgresql | n/a | +| [aurora-postgresql-2](#module\_aurora-postgresql-2) | ../../modules/onboard-aws-rds-aurora-postgresql | n/a | | [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | ## Resources @@ -42,4 +45,8 @@ Part of the onboarding process involves connecting to your Aurora PostgreSQL clu |------|-------------|------|---------|:--------:| | [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | | [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. \ No newline at end of file diff --git a/modules/aws-kms-key/README.md b/modules/aws-kms-key/README.md index 36de536..9014eb7 100644 --- a/modules/aws-kms-key/README.md +++ b/modules/aws-kms-key/README.md @@ -9,6 +9,10 @@ No requirements. |------|---------| | [aws](#provider\_aws) | n/a | +## Modules + +No modules. + ## Resources | Name | Type | From c4ccc595435b2e28b3efa646232d764b0a89dcb0 Mon Sep 17 00:00:00 2001 
From: Petal Vitis Date: Tue, 23 Jul 2024 11:52:58 -0700 Subject: [PATCH 6/7] made the output names and descriptions more consistent --- modules/aws-rds-cluster-activity-stream/README.md | 2 +- modules/aws-rds-cluster-activity-stream/outputs.tf | 2 +- modules/aws-rds-cluster-instance/README.md | 2 +- modules/aws-rds-cluster-instance/outputs.tf | 2 +- modules/aws-rds-cluster/README.md | 2 +- modules/aws-rds-cluster/outputs.tf | 2 +- .../README.md | 2 +- .../outputs.tf | 2 +- .../onboard-aws-rds-aurora-mysql-slowquery/README.md | 6 +++--- .../outputs.tf | 12 ++++++------ modules/onboard-aws-rds-aurora-mysql/README.md | 4 ++-- modules/onboard-aws-rds-aurora-mysql/outputs.tf | 6 +++--- modules/onboard-aws-rds-aurora-postgresql/outputs.tf | 4 ++-- 13 files changed, 24 insertions(+), 24 deletions(-) diff --git a/modules/aws-rds-cluster-activity-stream/README.md b/modules/aws-rds-cluster-activity-stream/README.md index 9313f13..8259607 100644 --- a/modules/aws-rds-cluster-activity-stream/README.md +++ b/modules/aws-rds-cluster-activity-stream/README.md @@ -32,5 +32,5 @@ No modules. | Name | Description | |------|-------------| -| [this](#output\_this) | RDS Cluster activity stream | +| [this](#output\_this) | RDS Aurora Cluster database activity stream | \ No newline at end of file diff --git a/modules/aws-rds-cluster-activity-stream/outputs.tf b/modules/aws-rds-cluster-activity-stream/outputs.tf index 3414fcc..1cda0bf 100644 --- a/modules/aws-rds-cluster-activity-stream/outputs.tf +++ b/modules/aws-rds-cluster-activity-stream/outputs.tf @@ -1,4 +1,4 @@ output "this" { - description = "RDS Cluster activity stream" + description = "RDS Aurora Cluster database activity stream" value = aws_rds_cluster_activity_stream.this } diff --git a/modules/aws-rds-cluster-instance/README.md b/modules/aws-rds-cluster-instance/README.md index 677ca64..5560ec5 100644 --- a/modules/aws-rds-cluster-instance/README.md +++ b/modules/aws-rds-cluster-instance/README.md 
@@ -37,5 +37,5 @@ No modules. | Name | Description | |------|-------------| -| [this](#output\_this) | Aurora MySQL Cluster instance | +| [this](#output\_this) | RDS Aurora cluster instance | \ No newline at end of file diff --git a/modules/aws-rds-cluster-instance/outputs.tf b/modules/aws-rds-cluster-instance/outputs.tf index f57e416..7056ce7 100644 --- a/modules/aws-rds-cluster-instance/outputs.tf +++ b/modules/aws-rds-cluster-instance/outputs.tf @@ -1,4 +1,4 @@ output "this" { - description = "Aurora MySQL Cluster instance" + description = "RDS Aurora cluster instance" value = aws_rds_cluster_instance.this } diff --git a/modules/aws-rds-cluster/README.md b/modules/aws-rds-cluster/README.md index 6dcbc2d..56c0951 100644 --- a/modules/aws-rds-cluster/README.md +++ b/modules/aws-rds-cluster/README.md @@ -43,5 +43,5 @@ No modules. | Name | Description | |------|-------------| -| [this](#output\_this) | Aurora MySQL cluster | +| [this](#output\_this) | RDS Aurora cluster | \ No newline at end of file diff --git a/modules/aws-rds-cluster/outputs.tf b/modules/aws-rds-cluster/outputs.tf index 552ac2a..379f083 100644 --- a/modules/aws-rds-cluster/outputs.tf +++ b/modules/aws-rds-cluster/outputs.tf @@ -1,4 +1,4 @@ output "this" { - description = "Aurora MySQL cluster" + description = "RDS Aurora cluster" value = aws_rds_cluster.this } diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md index 50b1f05..e6222a4 100644 --- a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md +++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/README.md @@ -40,5 +40,5 @@ No modules. | Name | Description | |------|-------------| -| [this](#output\_this) | Aurora PostgreSQL DSF asset | +| [this](#output\_this) | Aurora PostgreSQL cluster DSF asset | \ No newline at end of file 
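Review bot: In the `modules/aws-rds-cluster/outputs.tf` hunk the output still exports the whole `aws_rds_cluster.this` object, so every attribute of the cluster, including `master_password` when one is set, flows into the calling module's state and into any root output that forwards it. The hunk shows the complete four-line block and it carries no `sensitive` argument; if the provider marks that attribute sensitive, Terraform will refuse the output until it is declared `sensitive = true`, and if it does not, the password is simply exposed in plain state. Consider adding `sensitive = true` under the description, or narrowing the output to the attributes consumers actually need, e.g. `value = { id = aws_rds_cluster.this.id, arn = aws_rds_cluster.this.arn }`. The sibling `aws_rds_cluster_instance.this` and `dsfhub_data_source.this` outputs on this page follow the same whole-resource pattern and deserve the same review, since the DSF asset presumably holds connection credentials as well.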
diff --git a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf index 555a870..3b34474 100644 --- a/modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf +++ b/modules/dsfhub-aws-rds-aurora-postgresql-cluster/outputs.tf @@ -1,4 +1,4 @@ output "this" { - description = "Aurora PostgreSQL DSF asset" + description = "Aurora PostgreSQL cluster DSF asset" value = dsfhub_data_source.this } diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md b/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md index aa3830a..165ae34 100644 --- a/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md +++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/README.md @@ -72,11 +72,11 @@ No resources. | Name | Description | |------|-------------| +| [aws\_log\_group\_asset](#output\_aws\_log\_group\_asset) | AWS log group asset | +| [aws\_log\_group\_slowquery\_asset](#output\_aws\_log\_group\_slowquery\_asset) | AWS Slow Query log group asset | +| [aws\_rds\_aurora\_mysql\_cluster\_asset](#output\_aws\_rds\_aurora\_mysql\_cluster\_asset) | Aurora MySQL cluster asset | | [cluster](#output\_cluster) | Aurora MySQL Cluster | | [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora MySQL Cluster parameter group | -| [dsf\_aurora\_mysql\_cluster](#output\_dsf\_aurora\_mysql\_cluster) | Aurora MySQL cluster DSF asset | -| [dsf\_aurora\_mysql\_log\_group](#output\_dsf\_aurora\_mysql\_log\_group) | Aurora MySQL log group asset | -| [dsf\_aurora\_mysql\_log\_group\_slowquery](#output\_dsf\_aurora\_mysql\_log\_group\_slowquery) | Aurora MySQL slow query log group asset | | [instance](#output\_instance) | Aurora MySQL instance | | [log\_group](#output\_log\_group) | Aurora MySQL log group | | [log\_group\_slowquery](#output\_log\_group\_slowquery) | Aurora MySQL slow query log group | 
diff --git a/modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf b/modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf index 3cdc2d9..e477eda 100644 --- a/modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf +++ b/modules/onboard-aws-rds-aurora-mysql-slowquery/outputs.tf @@ -23,17 +23,17 @@ output "log_group_slowquery" { value = module.aurora-mysql-log-group-slowquery.this } -output "dsf_aurora_mysql_cluster" { - description = "Aurora MySQL cluster DSF asset" +output "aws_rds_aurora_mysql_cluster_asset" { + description = "Aurora MySQL cluster asset" value = module.aws-rds-aurora-mysql-cluster-asset.this } -output "dsf_aurora_mysql_log_group" { - description = "Aurora MySQL log group asset" +output "aws_log_group_asset" { + description = "AWS log group asset" value = module.aws-log-group-asset.this } -output "dsf_aurora_mysql_log_group_slowquery" { - description = "Aurora MySQL slow query log group asset" +output "aws_log_group_slowquery_asset" { + description = "AWS Slow Query log group asset" value = module.aws-log-group-slowquery-asset.this } diff --git a/modules/onboard-aws-rds-aurora-mysql/README.md b/modules/onboard-aws-rds-aurora-mysql/README.md index f76799e..198dae5 100644 --- a/modules/onboard-aws-rds-aurora-mysql/README.md +++ b/modules/onboard-aws-rds-aurora-mysql/README.md 
@@ -70,10 +70,10 @@ No resources. | Name | Description | |------|-------------| +| [aws\_log\_group\_asset](#output\_aws\_log\_group\_asset) | AWS log group asset | +| [aws\_rds\_aurora\_mysql\_cluster\_asset](#output\_aws\_rds\_aurora\_mysql\_cluster\_asset) | Aurora MySQL cluster asset | | [cluster](#output\_cluster) | Aurora MySQL Cluster | | [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora MySQL Cluster parameter group | -| [dsf\_aurora\_mysql\_cluster](#output\_dsf\_aurora\_mysql\_cluster) | Aurora MySQL cluster asset | -| [dsf\_aurora\_mysql\_log\_group](#output\_dsf\_aurora\_mysql\_log\_group) | Aurora MySQL log group asset | | [instance](#output\_instance) | Aurora MySQL instance | | [log\_group](#output\_log\_group) | Aurora MySQL log group | \ No newline at end of file diff --git a/modules/onboard-aws-rds-aurora-mysql/outputs.tf b/modules/onboard-aws-rds-aurora-mysql/outputs.tf index b69ff6f..a197da2 100644 --- a/modules/onboard-aws-rds-aurora-mysql/outputs.tf +++ b/modules/onboard-aws-rds-aurora-mysql/outputs.tf @@ -18,12 +18,12 @@ output "log_group" { value = module.aurora-mysql-log-group.this } -output "dsf_aurora_mysql_cluster" { +output "aws_rds_aurora_mysql_cluster_asset" { description = "Aurora MySQL cluster asset" value = module.aws-rds-aurora-mysql-cluster-asset.this } -output "dsf_aurora_mysql_log_group" { - description = "Aurora MySQL log group asset" +output "aws_log_group_asset" { + description = "AWS log group asset" value = module.aws-log-group-asset.this } diff --git a/modules/onboard-aws-rds-aurora-postgresql/outputs.tf b/modules/onboard-aws-rds-aurora-postgresql/outputs.tf index 425c0dc..4cee4fb 100644 --- a/modules/onboard-aws-rds-aurora-postgresql/outputs.tf +++ b/modules/onboard-aws-rds-aurora-postgresql/outputs.tf 
@@ -1,10 +1,10 @@ output "cluster_parameter_group" { - description = "Aurora PostgreSQL cluster parameter group" + description = "Aurora PostgreSQL Cluster parameter group" value = module.aurora-postgresql-cluster-parameter-group.this } output "cluster" { - description = "Aurora PostgreSQL cluster" + description = "Aurora PostgreSQL Cluster" value = module.aurora-postgresql-cluster.this } From a183f81d331523b4b7a7d6604139707c626ce820 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 23 Jul 2024 18:54:11 +0000 Subject: [PATCH 7/7] terraform-docs: automated action --- modules/onboard-aws-rds-aurora-postgresql/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/onboard-aws-rds-aurora-postgresql/README.md b/modules/onboard-aws-rds-aurora-postgresql/README.md index 58b0505..be3248e 100644 --- a/modules/onboard-aws-rds-aurora-postgresql/README.md +++ b/modules/onboard-aws-rds-aurora-postgresql/README.md @@ -78,8 +78,8 @@ No resources. |------|-------------| | [aws\_log\_group\_asset](#output\_aws\_log\_group\_asset) | AWS log group asset | | [aws\_rds\_aurora\_postgresql\_cluster\_asset](#output\_aws\_rds\_aurora\_postgresql\_cluster\_asset) | Aurora PostgreSQL cluster asset | -| [cluster](#output\_cluster) | Aurora PostgreSQL cluster | -| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora PostgreSQL cluster parameter group | +| [cluster](#output\_cluster) | Aurora PostgreSQL Cluster | +| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Aurora PostgreSQL Cluster parameter group | | [instance](#output\_instance) | Aurora PostgreSQL instance | | [log\_group](#output\_log\_group) | Aurora PostgreSQL log group | \ No newline at end of file