Add support for global clusters (#7)

* Add support for global clusters

* Add full support for global cluster

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v3.2.0
+  rev: v3.3.0
   hooks:
   - id: check-added-large-files
     args: ['--maxkb=500']
@@ -18,7 +18,7 @@ repos:
     args: ['--allow-missing-credentials']
   - id: trailing-whitespace
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.43.0
+  rev: v1.44.0
   hooks:
   - id: terraform_fmt
   - id: terraform_docs

README.md

@@ -67,25 +67,36 @@ Module is to be used with Terraform > 0.12.
 ## Examples
 
 * [Aurora MySQL](https://github.com/umotif-public/terraform-aws-rds-aurora/tree/master/examples/aurora-mysql)
+* [Global Aurora MySQL](https://github.com/umotif-public/terraform-aws-rds-aurora/tree/master/examples/global-aurora-mysql)
 
 ## Authors
 
 Module managed by [Marcin Cuber](https://github.com/marcincuber) [LinkedIn](https://www.linkedin.com/in/marcincuber/).
 
+## Global Aurora Cluster
+
+Module supports configuration for Global Cluster, see an appropriate example for full configuration.
+
+Please note that there are various limitations from AWS that you need to consider. See the [AWS doc](https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-global-database.html#aurora-global-database.limitations).
+
+On the Terraform side, if you decide to upgrade engine version. You will need to run `terraform apply` twice. This is required since Terraform will only upgrade 2nd cluster during first run. During second run Terraform will upgrade the 1st cluster and automatically update global cluster version to match all clusters.
+
+In order to activate global cluster, set `enable_global_cluster = true` when using this module.
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12.6, < 0.14 |
-| aws | >= 3.8, < 4.0 |
+| terraform | >= 0.12.6 |
+| aws | >= 3.8 |
 | random | >= 2.3 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 3.8, < 4.0 |
+| aws | >= 3.8 |
 | random | >= 2.3 |
 
 ## Inputs
@@ -112,6 +123,7 @@ Module managed by [Marcin Cuber](https://github.com/marcincuber) [LinkedIn](http
 | db\_parameter\_group\_name | The name of a DB parameter group to use | `string` | `null` | no |
 | db\_subnet\_group\_name | The existing subnet group name to use | `string` | `""` | no |
 | deletion\_protection | If the DB instance should have deletion protection enabled | `bool` | `false` | no |
+| enable\_global\_cluster | Set this variable to `true` if DB Cluster is going to be part of a Global Cluster. | `bool` | `false` | no |
 | enable\_http\_endpoint | Whether or not to enable the Data API for a serverless Aurora database engine. | `bool` | `false` | no |
 | enabled\_cloudwatch\_logs\_exports | List of object which define log types to export to cloudwatch. See in examples. | `list` | `[]` | no |
 | engine | Aurora database engine type, currently aurora, aurora-mysql or aurora-postgresql | `string` | `"aurora"` | no |

examples/aurora-mysql/kms.tf

@@ -0,0 +1,109 @@
+data "aws_iam_policy_document" "rds" {
+  statement {
+    sid = "Enable IAM User Permissions"
+
+    actions = ["kms:*"]
+
+    resources = ["*"]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+        data.aws_caller_identity.current.arn
+      ]
+    }
+  }
+
+  statement {
+    sid = "Allow use of the key"
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+
+    resources = ["*"]
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "rds.amazonaws.com",
+        "monitoring.rds.amazonaws.com"
+      ]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "cloudwatch" {
+  statement {
+    sid = "Enable IAM User Permissions"
+
+    actions = ["kms:*"]
+
+    resources = ["*"]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+        data.aws_caller_identity.current.arn
+      ]
+    }
+  }
+
+  statement {
+    sid = "Allow use of the key"
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+
+    resources = ["*"]
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "logs.${data.aws_region.current.name}.amazonaws.com"
+      ]
+    }
+  }
+}
+
+#############
+# KMS key
+#############
+module "kms" {
+  source  = "umotif-public/kms/aws"
+  version = "~> 1.0"
+
+  alias_name              = "rds-kms-test-key"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  policy                  = data.aws_iam_policy_document.rds.json
+
+  tags = {
+    Environment = "test"
+  }
+}
+
+module "kms-cloudwatch" {
+  source  = "umotif-public/kms/aws"
+  version = "~> 1.0"
+
+  alias_name              = "cloudwatch-kms-test-key"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  policy                  = data.aws_iam_policy_document.cloudwatch.json
+
+  tags = {
+    Environment = "test"
+  }
+}

examples/aurora-mysql/main.tf

@@ -10,9 +10,9 @@ data "aws_region" "current" {}
 #####
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 2.48"
+  version = "~> 2.63"
 
-  name = "simple-vpc"
+  name = "simple-rds-aurora-vpc"
 
   cidr = "10.0.0.0/16"
 
@@ -23,99 +23,6 @@ module "vpc" {
   enable_nat_gateway = false
 }
 
-#############
-# KMS key
-#############
-module "kms" {
-  source  = "umotif-public/kms/aws"
-  version = "~> 1.0"
-
-  alias_name              = "rds-kms-test-key"
-  deletion_window_in_days = 7
-  enable_key_rotation     = true
-  policy = jsonencode(
-    {
-      "Version" : "2012-10-17",
-      "Statement" : [
-        {
-          "Sid" : "Enable IAM User Permissions",
-          "Effect" : "Allow",
-          "Principal" : {
-            "AWS" : [
-              "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
-              data.aws_caller_identity.current.arn
-            ]
-          },
-          "Action" : "kms:*",
-          "Resource" : "*"
-        },
-        {
-          "Sid" : "Allow use of the key",
-          "Effect" : "Allow",
-          "Principal" : {
-            "Service" : ["rds.amazonaws.com", "monitoring.rds.amazonaws.com"]
-          },
-          "Action" : [
-            "kms:Encrypt",
-            "kms:Decrypt",
-            "kms:ReEncrypt*",
-            "kms:GenerateDataKey*",
-            "kms:DescribeKey"
-          ],
-          "Resource" : "*"
-        }
-      ]
-    }
-  )
-
-  tags = {
-    Environment = "test"
-  }
-}
-
-module "kms-cloudwatch" {
-  source  = "umotif-public/kms/aws"
-  version = "~> 1.0"
-
-  alias_name              = "cloudwatch-kms-test-key"
-  deletion_window_in_days = 7
-  enable_key_rotation     = true
-  policy = jsonencode(
-    {
-      "Version" : "2012-10-17",
-      "Statement" : [
-        {
-          "Sid" : "Enable IAM User Permissions",
-          "Effect" : "Allow",
-          "Principal" : {
-            "AWS" : [
-              "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
-              data.aws_caller_identity.current.arn
-            ]
-          },
-          "Action" : "kms:*",
-          "Resource" : "*"
-        },
-        {
-          "Effect" : "Allow",
-          "Principal" : { "Service" : "logs.${data.aws_region.current.name}.amazonaws.com" },
-          "Action" : [
-            "kms:Encrypt*",
-            "kms:Decrypt*",
-            "kms:ReEncrypt*",
-            "kms:GenerateDataKey*",
-            "kms:Describe*"
-          ],
-          "Resource" : "*"
-        }
-      ]
-    }
-  )
-
-  tags = {
-    Environment = "test"
-  }
-}
 #############
 # RDS Aurora
 #############

examples/global-aurora-mysql/kms.tf

@@ -0,0 +1,76 @@
+data "aws_iam_policy_document" "rds" {
+  statement {
+    sid = "Enable IAM User Permissions"
+
+    actions = ["kms:*"]
+
+    resources = ["*"]
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
+        data.aws_caller_identity.current.arn
+      ]
+    }
+  }
+
+  statement {
+    sid = "Allow use of the key"
+
+    actions = [
+      "kms:Encrypt",
+      "kms:Decrypt",
+      "kms:ReEncrypt*",
+      "kms:GenerateDataKey*",
+      "kms:DescribeKey"
+    ]
+
+    resources = ["*"]
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "rds.amazonaws.com",
+        "monitoring.rds.amazonaws.com"
+      ]
+    }
+  }
+}
+
+module "kms-ireland" {
+  source  = "umotif-public/kms/aws"
+  version = "~> 1.0"
+
+  providers = {
+    aws = aws.primary
+  }
+
+  alias_name              = "global-rds-kms-test-key"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  policy                  = data.aws_iam_policy_document.rds.json
+
+
+  tags = {
+    Environment = "test"
+  }
+}
+
+module "kms-london" {
+  source  = "umotif-public/kms/aws"
+  version = "~> 1.0"
+
+  providers = {
+    aws = aws.secondary
+  }
+
+  alias_name              = "global-rds-kms-test-key"
+  deletion_window_in_days = 7
+  enable_key_rotation     = true
+  policy                  = data.aws_iam_policy_document.rds.json
+
+  tags = {
+    Environment = "test"
+  }
+}