Working postgress connection

- Security group to handle incoming/outgoing connections to grafana
  - Grafana now has connection to VPC allowing DB access
- To reliably reference data-replication resources new tags have been
  included

Author: TheOneFromNorway

terraform/app/modules/ecs_service/main.tf

@@ -17,12 +17,13 @@ resource "aws_security_group" "this" {
   }
 }
 
-resource "aws_security_group_rule" "egress_all" {
+resource "aws_security_group_rule" "egress" {
+  count             = min(length(var.default_egress_cidr_blocks), 1)
   type              = "egress"
   from_port         = 0
   to_port           = 0
   protocol          = "-1"
-  cidr_blocks       = ["0.0.0.0/0"]
+  cidr_blocks       = var.default_egress_cidr_blocks
   security_group_id = aws_security_group.this.id
 }
 

terraform/app/modules/ecs_service/variables.tf

@@ -17,6 +17,13 @@ variable "server_type_name" {
   nullable    = true
 }
 
+variable "default_egress_cidr_blocks" {
+  type        = list(string)
+  description = "The default CIDR blocks for egress rules from the service. Defaults to allow all outbound traffic."
+  default     = ["0.0.0.0/0"]
+  nullable    = false
+}
+
 variable "minimum_replica_count" {
   type        = number
   description = "Minimum amount of allowed replicas for the service. Also the replica count when creating th service."

terraform/data_replication/ecs.tf

@@ -39,5 +39,6 @@ module "db_access_service" {
     region               = var.region
     health_check_command = ["CMD-SHELL", "echo 'alive' || exit 1"]
   }
-  depends_on = [aws_rds_cluster_instance.instance]
+  default_egress_cidr_blocks = var.allowed_egress_cidr_blocks
+  depends_on                 = [aws_rds_cluster_instance.instance]
 }

terraform/data_replication/network.tf

@@ -11,12 +11,18 @@ resource "aws_subnet" "subnet_a" {
   vpc_id            = aws_vpc.vpc.id
   cidr_block        = "10.0.1.0/24"
   availability_zone = "${var.region}a"
+  tags = {
+    Private = true
+  }
 }
 
 resource "aws_subnet" "subnet_b" {
   vpc_id            = aws_vpc.vpc.id
   cidr_block        = "10.0.2.0/24"
   availability_zone = "${var.region}b"
+  tags = {
+    Private = true
+  }
 }
 
 resource "aws_route_table" "private" {
@@ -36,45 +42,43 @@ resource "aws_subnet" "public_subnet" {
   vpc_id            = aws_vpc.vpc.id
   cidr_block        = "10.0.3.0/24"
   availability_zone = "${var.region}a"
+  tags = {
+    Private = false
+  }
 }
 
-resource "aws_internet_gateway" "internet_gateway" {
-  count  = local.shared_egress_infrastructure_count
+resource "aws_internet_gateway" "this" {
   vpc_id = aws_vpc.vpc.id
   tags = {
     Name = "data-replication-igw-${var.environment}"
   }
 }
 
-resource "aws_eip" "nat_ip" {
-  count      = local.shared_egress_infrastructure_count
+resource "aws_eip" "this" {
   domain     = "vpc"
-  depends_on = [aws_internet_gateway.internet_gateway]
+  depends_on = [aws_internet_gateway.this]
 }
 
-resource "aws_nat_gateway" "nat_gateway" {
-  count             = local.shared_egress_infrastructure_count
+resource "aws_nat_gateway" "this" {
   subnet_id         = aws_subnet.public_subnet.id
-  allocation_id     = aws_eip.nat_ip[0].id
+  allocation_id     = aws_eip.this.id
   connectivity_type = "public"
-  depends_on        = [aws_internet_gateway.internet_gateway]
+  depends_on        = [aws_internet_gateway.this]
   tags = {
     Name = "data-replication-nat-gateway-${var.environment}"
   }
 }
 
 resource "aws_route" "private_to_public" {
-  count                  = length(var.allowed_egress_cidr_blocks)
   route_table_id         = aws_route_table.private.id
-  destination_cidr_block = var.allowed_egress_cidr_blocks[count.index]
-  nat_gateway_id         = aws_nat_gateway.nat_gateway[0].id
+  nat_gateway_id         = aws_nat_gateway.this.id
+  destination_cidr_block = "0.0.0.0/0"
 }
 
 resource "aws_route" "public_to_igw" {
-  count                  = length(var.allowed_egress_cidr_blocks)
   route_table_id         = aws_route_table.public.id
-  destination_cidr_block = var.allowed_egress_cidr_blocks[count.index]
-  gateway_id             = aws_internet_gateway.internet_gateway[0].id
+  gateway_id             = aws_internet_gateway.this.id
+  destination_cidr_block = "0.0.0.0/0"
 }
 
 resource "aws_route_table" "public" {

terraform/data_replication/rds.tf

@@ -5,6 +5,18 @@ resource "aws_db_subnet_group" "dbsg" {
 
 resource "aws_security_group" "rds" {
   vpc_id = aws_vpc.vpc.id
+  tags = {
+    Name = "${local.name_prefix}-rds-sg"
+  }
+}
+
+resource "aws_security_group_rule" "ecs_to_grafana" {
+  type                     = "egress"
+  from_port                = 5432
+  to_port                  = 5432
+  protocol                 = "tcp"
+  security_group_id        = module.db_access_service.security_group_id
+  source_security_group_id = aws_security_group.rds.id
 }
 
 resource "aws_security_group_rule" "rds_inbound" {
@@ -16,6 +28,16 @@ resource "aws_security_group_rule" "rds_inbound" {
   source_security_group_id = module.db_access_service.security_group_id
 }
 
+resource "aws_security_group_rule" "rds_inbound_grafana" {
+  type              = "ingress"
+  from_port         = 5432
+  to_port           = 5432
+  protocol          = "tcp"
+  security_group_id = aws_security_group.rds.id
+  cidr_blocks       = [aws_vpc.vpc.cidr_block]
+  description       = "Allow Grafana workspace access to PostgreSQL"
+}
+
 resource "aws_rds_cluster" "cluster" {
   cluster_identifier     = "${local.name_prefix}-rds-${formatdate("hh-mm-ss", timestamp())}"
   engine                 = "aurora-postgresql"

terraform/data_replication/ssm_parameters.tf

@@ -14,8 +14,7 @@ resource "aws_secretsmanager_secret" "ro_db_password" {
     Name = "${local.name_prefix}-ro-db-password"
   }
   lifecycle {
-    ignore_changes       = [name]
-    replace_triggered_by = [aws_rds_cluster.cluster]
+    ignore_changes = [name]
   }
 }
 

terraform/data_replication/variables.tf

@@ -82,9 +82,8 @@ variable "rails_master_key_path" {
 }
 
 locals {
-  name_prefix                        = "mavis-${var.environment}-data-replication"
-  subnet_list                        = [aws_subnet.subnet_a.id, aws_subnet.subnet_b.id]
-  shared_egress_infrastructure_count = min(length(var.allowed_egress_cidr_blocks), 1)
+  name_prefix = "mavis-${var.environment}-data-replication"
+  subnet_list = [aws_subnet.subnet_a.id, aws_subnet.subnet_b.id]
 
   task_envs = [
     {

terraform/monitoring/aws/variables.tf

@@ -34,5 +34,7 @@ locals {
       AWS-Mavis-ReadOnly = "16b29214-60a1-7008-ff52-0ccd29b7e2d4"
     }
   }
-  bucket_name = "nhse-mavis-grafana-${var.environment}"
+  bucket_name             = "nhse-mavis-grafana-${var.environment}"
+  prefix_environment      = var.environment == "development" ? "qa" : var.environment
+  data_replication_prefix = "mavis-${local.prefix_environment}-data-replication"
 }

terraform/monitoring/aws/workspace.tf

@@ -14,6 +14,10 @@ resource "aws_grafana_workspace" "this" {
     }
   })
   data_sources = ["CLOUDWATCH"]
+  vpc_configuration {
+    security_group_ids = [aws_security_group.grafana_workspace.id]
+    subnet_ids         = data.aws_subnets.data_replication.ids
+  }
 }
 
 resource "aws_grafana_role_association" "role" {
@@ -28,3 +32,60 @@ resource "aws_grafana_workspace_service_account" "grafana_provider" {
   grafana_role = "ADMIN"
   workspace_id = aws_grafana_workspace.this.id
 }
+
+locals {
+}
+
+resource "aws_security_group" "grafana_workspace" {
+  name_prefix = "grafana-workspace-${var.environment}"
+  description = "Security group for Grafana workspace"
+  vpc_id      = data.aws_vpcs.data_replication.ids[0]
+  tags = {
+    Name = "grafana-workspace-sg-${var.environment}"
+  }
+}
+
+resource "aws_security_group_rule" "egress_rds" {
+  type              = "egress"
+  from_port         = 5432
+  to_port           = 5432
+  protocol          = "tcp"
+  security_group_id = aws_security_group.grafana_workspace.id
+  cidr_blocks       = ["10.0.0.0/16"]
+}
+
+resource "aws_security_group_rule" "egress_443" {
+  type              = "egress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  security_group_id = aws_security_group.grafana_workspace.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+resource "aws_security_group_rule" "ingress_443" {
+  type              = "ingress"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  security_group_id = aws_security_group.grafana_workspace.id
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+data "aws_vpcs" "data_replication" {
+  filter {
+    name   = "tag:Environment"
+    values = [local.data_replication_prefix]
+  }
+}
+
+data "aws_subnets" "data_replication" {
+  filter {
+    name   = "vpc-id"
+    values = data.aws_vpcs.data_replication.ids
+  }
+  filter {
+    name   = "tag:Private"
+    values = [true]
+  }
+}

terraform/monitoring/grafana/main.tf

@@ -29,3 +29,5 @@ resource "grafana_data_source" "cloudwatch" {
   })
   uid = "cloudwatch"
 }
+
+# resouce "grafana_data_source" "postgres" {}