Merge pull request #2 from openoakland/postgresdb

Refactor modules to pull out postgres database

.gitignore

@@ -1,4 +1,6 @@
+*.lock.info
 *.tfplan
-*.tfstore
+*.tfstate
+*.tfstate.backup
 terraform.tfvars
 .terraform

Makefile

@@ -1,6 +1,4 @@
-MODULES := \
-    beanstalk_app \
-    beanstalk_env
+MODULES := $(dir $(wildcard */))
 
 MODULE_TEST_TARGETS := $(addprefix test., $(MODULES))
 

README.md

@@ -13,6 +13,21 @@ You'll need to install these.
 - [Terraform](https://www.terraform.io/downloads.html) v0.11+
 
 
+## Development
+
+### Setup
+
+Set your AWS access key.
+
+    $ export AWS_ACCESS_KEY_ID=<your-aws-access-key-id>
+    $ export AWS_SECRET_ACCESS_KEY=<your-aws-secret-access-key>
+
+There is no state for this repo. You can run `terraform plan` or `terraform
+apply` with local state to make sure modules are created properly. Make changes
+to `test.tf` template in order to test them. Make sure to delete your modules
+afterwards with `terraform destroy`.
+
+
 ### Test your templates
 
 Runs `terraform validate` on all the modules.

beanstalk_app/README.md

@@ -0,0 +1,22 @@
+# beanstalk_app
+
+Creates an Elastic Beanstalk app.
+
+## Usage
+
+```hcl
+module "myapp" {
+  source = "github.com/openoakland/terraform-modules.git//beanstalk_app?ref=2.0.0
+
+  app_name = "myapp"
+}
+```
+
+### Variables
+
+See [beanstalk_app/variables.tf](./variables.tf).
+
+
+### Outputs
+
+N/A

beanstalk_app/main.tf

@@ -2,10 +2,6 @@ data "aws_iam_role" "beanstalk_service" {
   name = "aws-elasticbeanstalk-service-role"
 }
 
-resource "aws_route53_zone" "default" {
-  name = "${var.dns_zone}"
-}
-
 resource "aws_elastic_beanstalk_application" "default" {
   name = "${var.app_name}"
 

beanstalk_app/variables.tf

@@ -3,11 +3,6 @@ variable "app_name" {
   type        = "string"
 }
 
-variable "dns_zone" {
-  description = "DNS Zone name to create where beanstalk environments will be hosted."
-  type        = "string"
-}
-
 variable "delete_source_from_s3" {
   description = "When old application versions are removed, the source should also be deleted from S3."
   default     = "true"

beanstalk_web_env/README.md

@@ -0,0 +1,36 @@
+# beanstalk_web_env
+
+Creates an AWS Elastic Beanstalk web environment with load balancer and auto
+scaling group.
+
+
+## Usage
+
+```hcl
+module "myapp" {
+  source = "github.com/openoakland/terraform-modules.git//beanstalk_app?ref=2.0.0
+
+  app_name = "myapp"
+}
+
+module "myapp_prod_web" {
+  source         = "github.com/openoakland/terraform-modules//beanstalk_web_env?ref=v2.0.0"
+  app_name       = "myapp"
+  app_instance   = "production"
+  dns_zone_name  = "myapp.aws.example.com"
+  dns_zone_id    = "${aws_route53_zone.myapp_zone.id}"
+
+  environment_variables {
+    DATABASE_URL = "postgres://dbuser:dbpassword@dbhost/dbname"
+  }
+}
+```
+
+### Variables
+
+See [beanstalk_web_env/variables.tf](./variables.tf).
+
+
+### Outputs
+
+See [beanstalk_web_env/outputs.tf](./outputs.tf).

beanstalk_env/dns.tf → beanstalk_web_env/dns.tf

@@ -1,5 +1,9 @@
+data "aws_route53_zone" "environment" {
+  name = "${var.dns_zone}."
+}
+
 resource "aws_route53_record" "environment" {
-  zone_id = "${var.dns_zone_id}"
+  zone_id = "${data.aws_route53_zone.environment.zone_id}"
   name    = "${var.app_name}-${var.app_instance}"
   type    = "CNAME"
   ttl     = 300
@@ -8,7 +12,7 @@ resource "aws_route53_record" "environment" {
 
 // Create an SSL/TLS certificate for the domain
 resource "aws_acm_certificate" "environment" {
-  domain_name       = "${var.app_name}-${var.app_instance}.${var.dns_zone_name}"
+  domain_name       = "${var.app_name}-${var.app_instance}.${var.dns_zone}"
   validation_method = "DNS"
 
   lifecycle {
@@ -20,7 +24,7 @@ resource "aws_acm_certificate" "environment" {
 resource "aws_route53_record" "cert_validation" {
   name    = "${aws_acm_certificate.environment.domain_validation_options.0.resource_record_name}"
   type    = "${aws_acm_certificate.environment.domain_validation_options.0.resource_record_type}"
-  zone_id = "${var.dns_zone_id}"
+  zone_id = "${data.aws_route53_zone.environment.zone_id}"
   records = ["${aws_acm_certificate.environment.domain_validation_options.0.resource_record_value}"]
   ttl     = 60
 }

beanstalk_env/main.tf → beanstalk_web_env/main.tf

@@ -3,7 +3,7 @@ data "aws_elastic_beanstalk_solution_stack" "docker" {
   name_regex  = "^64bit Amazon Linux (.*) running Docker (.*)$"
 }
 
-resource "aws_security_group" "application" {
+resource "aws_security_group" "instances" {
   name = "${var.app_name}-${var.app_instance}-app"
 
   // Allow HTTP connections from the load balancer
@@ -48,42 +48,6 @@ resource "aws_security_group" "application-load-balancer" {
   }
 }
 
-resource "aws_security_group" "database" {
-  name = "${var.app_name}-${var.app_instance}-db"
-
-  // Allow HTTP connections from the application
-  ingress {
-    from_port = 5432
-    to_port   = 5432
-    protocol  = "tcp"
-
-    security_groups = [
-      "${aws_security_group.application.id}",
-    ]
-  }
-}
-
-resource "aws_db_instance" "database" {
-  allocated_storage         = 20
-  storage_type              = "gp2"
-  engine                    = "postgres"
-  engine_version            = "10.5"
-  instance_class            = "db.t2.micro"
-  deletion_protection       = "${var.deletion_protection}"
-  identifier                = "${var.app_name}-${var.app_instance}"
-  final_snapshot_identifier = "${var.app_name}-${var.app_instance}-final"
-  name                      = "${var.db_name}"
-  username                  = "${var.db_username}"
-  password                  = "${var.db_password}"
-  publicly_accessible       = "false"
-  backup_retention_period   = "7"
-  backup_window             = "10:00-10:30"
-
-  vpc_security_group_ids = [
-    "${aws_security_group.database.id}",
-  ]
-}
-
 resource "aws_elastic_beanstalk_environment" "environment" {
   name                = "${var.app_name}-${var.app_instance}"
   application         = "${var.app_name}"
@@ -97,10 +61,16 @@ resource "aws_elastic_beanstalk_environment" "environment" {
     value     = "${var.instance_type}"
   }
 
+  setting {
+    namespace = "aws:autoscaling:launchconfiguration"
+    name      = "EC2KeyName"
+    value     = "${var.key_pair}"
+  }
+
   setting {
     namespace = "aws:autoscaling:launchconfiguration"
     name      = "SecurityGroups"
-    value     = "${aws_security_group.application.name}"
+    value     = "${join(",", concat(list(aws_security_group.instances.name), var.security_groups))}"
   }
 
   setting {
@@ -185,12 +155,6 @@ resource "aws_elastic_beanstalk_environment" "environment" {
     value     = "true"
   }
 
-  setting {
-    namespace = "aws:elasticbeanstalk:application:environment"
-    name      = "DATABASE_URL"
-    value     = "postgis://${var.db_username}:${var.db_password}@${aws_db_instance.database.endpoint}/${var.db_name}"
-  }
-
   # Define environment variables for the application.
   # TODO Terraform v0.12 introduces dynamic nested blocks to make this better
   # https://www.hashicorp.com/blog/hashicorp-terraform-0-12-preview-for-and-for-each#dynamic-nested-blocks

beanstalk_web_env/outputs.tf

@@ -0,0 +1,9 @@
+output "cname" {
+  description = "CNAME of the created Beanstalk environment."
+  value       = "${aws_elastic_beanstalk_environment.environment.cname}"
+}
+
+output "fqdn" {
+  description = "Public FQDN of the created Beanstalk environment."
+  value       = "${aws_route53_record.environment.fqdn}"
+}

beanstalk_env/variables.tf → beanstalk_web_env/variables.tf

@@ -2,18 +2,6 @@ variable "app_name" {
   description = "Slugified name of the beanstalk application."
 }
 
-variable "db_name" {
-  description = "Name of the RDS database to create for the application."
-}
-
-variable "db_username" {
-  description = "RDS username to create for the application."
-}
-
-variable "db_password" {
-  description = "RDS password to create for the application."
-}
-
 variable "app_instance" {
   description = "Name of this beanstalk environment e.g. (dev, staging, production, etc)."
 }
@@ -28,21 +16,22 @@ variable "instance_type" {
   default     = "t3.micro"
 }
 
-variable "dns_zone_name" {
-  description = "DNS zone (name) to use for beanstalk application."
-}
-
-variable "dns_zone_id" {
-  description = "DNS zone (id) to use for beanstalk application."
-}
-
-variable "deletion_protection" {
-  description = "Enable deletion protection on various components."
-  default     = true
+variable "dns_zone" {
+  description = "DNS zone to use for beanstalk application e.g. aws.example.com"
 }
 
 variable "environment_variables" {
   description = "Map of environment variables to set for this beanstalk environment."
   type        = "map"
   default     = {}
 }
+
+variable "key_pair" {
+  description = "SSH key pair to assign to EC2 instances."
+  default     = ""
+}
+
+variable "security_groups" {
+  description = "List of security groups to attach to Beanstalk instances."
+  default     = []
+}

postgresdb/README.md

@@ -0,0 +1,27 @@
+# postgresd
+
+Creates a PostgreSQL RDS database instnace.
+
+
+## Usage
+
+```hcl
+module "db" {
+  source = "github.com/openoakland/terraform-modules.git//postgresdb?ref=2.0.0
+
+  db_name     = "myapp_db"
+  db_password = "${var.db_password}"
+  db_username = "myappuser"
+  namespace   = "myapp-prod"
+
+}
+```
+
+### Variables
+
+See [postgresdb/variables.tf](./variables.tf).
+
+
+### Outputs
+
+See [postgresdb/outputs.tf](./outputs.tf).

postgresdb/main.tf

@@ -0,0 +1,38 @@
+resource "aws_security_group" "allowed" {
+  name = "${var.namespace}-db-access"
+}
+
+resource "aws_security_group" "database" {
+  name = "${var.namespace}-db"
+
+  // Allow HTTP connections from the application instances
+  ingress {
+    from_port = 5432
+    to_port   = 5432
+    protocol  = "tcp"
+
+    security_groups = ["${aws_security_group.allowed.id}"]
+  }
+}
+
+resource "aws_db_instance" "database" {
+  allocated_storage         = 20
+  storage_type              = "gp2"
+  engine                    = "postgres"
+  engine_version            = "10.5"
+  instance_class            = "db.t2.micro"
+  deletion_protection       = "${var.deletion_protection}"
+  identifier                = "${var.namespace}"
+  final_snapshot_identifier = "${var.namespace}-final"
+  name                      = "${var.db_name}"
+  username                  = "${var.db_username}"
+  password                  = "${var.db_password}"
+  publicly_accessible       = "false"
+  backup_retention_period   = "7"
+  backup_window             = "10:00-10:30"
+  skip_final_snapshot       = "${var.skip_final_snapshot}"
+
+  vpc_security_group_ids = [
+    "${aws_security_group.database.id}",
+  ]
+}

postgresdb/outputs.tf

@@ -0,0 +1,19 @@
+output "database_url" {
+  description = "DATABASE_URL to configure for applications to use this database."
+  value       = "postgresql://${var.db_username}:${var.db_password}@${aws_db_instance.database.endpoint}/${var.db_name}"
+}
+
+output "postgis_database_url" {
+  description = "DATABASE_URL to configure for applications to use this database, with postgis:// prefix."
+  value       = "postgis://${var.db_username}:${var.db_password}@${aws_db_instance.database.endpoint}/${var.db_name}"
+}
+
+output "security_group_id" {
+  description = "Id of the security group with access to database."
+  value       = "${aws_security_group.allowed.id}"
+}
+
+output "security_group_name" {
+  description = "Name of the security group with access to database."
+  value       = "${aws_security_group.allowed.name}"
+}