Merge branch '21832-installer-rds-support'
[arvados.git] / tools / salt-install / terraform / aws / services / main.tf
index bdb2bdcc366aa53db51b67408c6ce48c5200f5d4..6e51535abd595eb231cd2fb5bbe96aebc551f5e9 100644 (file)
@@ -22,6 +22,14 @@ provider "aws" {
   }
 }
 
   }
 }
 
+provider "random" {}
+
+resource "random_string" "default_rds_password" {
+  count = (local.use_rds && var.rds_password == "") ? 1 : 0
+  length  = 32
+  special = false
+}
+
 resource "aws_iam_instance_profile" "keepstore_instance_profile" {
   name = "${local.cluster_name}-keepstore-00-iam-role"
   role = data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name
 resource "aws_iam_instance_profile" "keepstore_instance_profile" {
   name = "${local.cluster_name}-keepstore-00-iam-role"
   role = data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name
@@ -67,7 +75,11 @@ resource "aws_instance" "arvados_service" {
     volume_type = "gp3"
     volume_size = try(var.instance_volume_size[each.value], var.instance_volume_size.default)
   }
     volume_type = "gp3"
     volume_size = try(var.instance_volume_size[each.value], var.instance_volume_size.default)
   }
-
+  metadata_options {
+    # Sets IMDSv2 to required. Default is "optional".
+    http_tokens = "required"
+    http_endpoint = "enabled"
+  }
   lifecycle {
     ignore_changes = [
       # Avoids recreating the instance when the latest AMI changes.
   lifecycle {
     ignore_changes = [
       # Avoids recreating the instance when the latest AMI changes.
@@ -78,6 +90,44 @@ resource "aws_instance" "arvados_service" {
   }
 }
 
   }
 }
 
+resource "aws_db_subnet_group" "arvados_db_subnet_group" {
+  count = local.use_rds ? 1 : 0
+  name       = "${local.cluster_name}_db_subnet_group"
+  subnet_ids = [local.private_subnet_id, local.additional_rds_subnet_id]
+}
+
+resource "aws_db_instance" "postgresql_service" {
+  count = local.use_rds ? 1 : 0
+  allocated_storage = local.rds_allocated_storage
+  max_allocated_storage = local.rds_max_allocated_storage
+  engine = "postgres"
+  engine_version = local.rds_postgresql_version
+  instance_class = local.rds_instance_type
+  db_name = "${local.cluster_name}_arvados"
+  username = local.rds_username
+  password = local.rds_password
+  skip_final_snapshot  = !local.rds_backup_before_deletion
+  final_snapshot_identifier = local.rds_final_backup_name
+
+  vpc_security_group_ids = [local.arvados_sg_id]
+  db_subnet_group_name = aws_db_subnet_group.arvados_db_subnet_group[0].name
+
+  backup_retention_period = local.rds_backup_retention_period
+  publicly_accessible = false
+  storage_encrypted = true
+  multi_az = false
+
+  lifecycle {
+    ignore_changes = [
+      username,
+    ]
+  }
+
+  tags = {
+    Name = "${local.cluster_name}_postgresql_service"
+  }
+}
+
 resource "aws_iam_policy" "compute_node_ebs_autoscaler" {
   name = "${local.cluster_name}_compute_node_ebs_autoscaler"
   policy = jsonencode({
 resource "aws_iam_policy" "compute_node_ebs_autoscaler" {
   name = "${local.cluster_name}_compute_node_ebs_autoscaler"
   policy = jsonencode({
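Review bot: The default database password in the first hunk is generated with `random_string`, whose `result` is not marked sensitive, so the generated RDS master password is printed in clear text in plan and apply output and in any CI log that captures it; `random_password` accepts the same `length` and `special` arguments and marks its result sensitive, so `resource "random_password" "default_rds_password"` is a drop-in change (the `local.rds_password` expression that presumably references it is outside this hunk and would need the matching rename). In `aws_db_instance.postgresql_service`, `deletion_protection` is left at its default of false, so a `terraform destroy` or flipping `local.use_rds` to false removes the database in one step; something like `deletion_protection = local.rds_backup_before_deletion` would at least tie it to the existing backup-on-deletion intent. The `ignore_changes = [username]` block deserves a comment, e.g. `# The master username cannot be changed in place; ignoring drift avoids forcing a replacement of the instance.`, since the reason is not visible from the code. `storage_encrypted = true` with no `kms_key_id` relies on the AWS-managed RDS key, which is acceptable but worth stating in a comment so a customer-managed key can be introduced deliberately later.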