Added support for docdb

So in order for docdb to have tls encryption during transit, the guides https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.html https://docs.aws.amazon.com/documentdb/latest/developerguide/connect_programmatically.html Call for the public keys to be downloaded/present in each container using it. The size of the file (~5kb) is just shy of 5% the capacity of a single k8s configmap value so what's happening is each deployment now has a configmap resource which for now only has 1 key (the rds ca pem) which is put in the /config/rds_ca.pem path (and there's now an envar pointing directly to that). With that in place a user can now have their app use docdb by referencing 4 environment variables: username, password, hostname, and ca_path. WE NEED TO BE SURE TO TELL FOLKS IN OUR DOCDB MODULE DOCS TO USE THAT ENVAR.
run-x · juandiegopalomino · Feb 4, 2021 · Feb 4, 2021 · Feb 4, 2021 · Feb 4, 2021
commit 0d3bcdf6d529e2e85f7cd1f84fc44eff0d77983f
diff --git a/config/registry.yaml b/config/registry.yaml
@@ -209,6 +209,19 @@ modules:
     outputs:
       docker_repo_url:
         export: true
+  aws-documentdb:
+    location: aws-documentdb
+    variables:
+      name: str
+      kms_account_key_arn: str
+      subnet_group_name: optional
+      engine_version: optional
+      security_group: optional
+      instance_class: optional
+    outputs:
+      db_user: str
+      db_password: str
+      db_host: str
   aws-rds:
     location: aws-rds
     variables:

diff --git a/config/tf_modules/aws-documentdb/main.tf b/config/tf_modules/aws-documentdb/main.tf
@@ -0,0 +1,30 @@
+resource "random_password" "documentdb_auth" {
+  length = 20
+  special = false
+}
+
+data "aws_security_group" "security_group" {
+  count = var.security_group == "" ? 1 : 0
+  name = "documentdb-sg"
+}
+
+resource "aws_docdb_cluster_instance" "cluster_instances" {
+  count              = 1
+  identifier         = "${var.name}-${count.index}"
+  cluster_identifier = aws_docdb_cluster.cluster.id
+  instance_class     = var.instance_class
+  apply_immediately = true
+  auto_minor_version_upgrade = true
+}
+
+resource "aws_docdb_cluster" "cluster" {
+  cluster_identifier = var.name
+  master_username    = "master_user"
+  master_password    = random_password.documentdb_auth.result
+  db_subnet_group_name = var.subnet_group_name
+  engine_version = var.engine_version
+  storage_encrypted = true
+  kms_key_id = var.kms_account_key_arn
+  vpc_security_group_ids = var.security_group == "" ? [data.aws_security_group.security_group[0].id] : [var.security_group]
+  apply_immediately = true
+}
diff --git a/config/tf_modules/aws-documentdb/output.tf b/config/tf_modules/aws-documentdb/output.tf
@@ -0,0 +1,12 @@
+output "db_host" {
+  value = aws_docdb_cluster.cluster.endpoint
+}
+
+output "db_user" {
+  value = aws_docdb_cluster.cluster.master_username
+}
+
+output "db_password" {
+  value = aws_docdb_cluster.cluster.master_password
+  sensitive = true
+}
diff --git a/config/tf_modules/aws-documentdb/variables.tf b/config/tf_modules/aws-documentdb/variables.tf
@@ -0,0 +1,27 @@
+variable "name" {
+  type = string
+}
+
+variable "subnet_group_name" {
+  type = string
+  default = "main-docdb"
+}
+
+variable "engine_version" {
+  type = string
+  default = "4.0.0"
+}
+
+variable "security_group" {
+  type = string
+  default = ""
+}
+
+variable "instance_class" {
+  type = string
+  default = "db.r5.large"
+}
+
+variable "kms_account_key_arn" {
+  type = string
+}
diff --git a/config/tf_modules/aws-network-init/db_subnet.tf b/config/tf_modules/aws-network-init/db_subnet.tf
@@ -1,4 +1,8 @@
 resource "aws_db_subnet_group" "main" {
   name       = "main"
   subnet_ids = aws_subnet.private_subnets[*].id
+  tags = {
+    "purpose": "postgres"
+    "ignore-if-seemingly-out-of-place": "yup"
+  }
 }
diff --git a/config/tf_modules/aws-network-init/documentdb_subnet.tf b/config/tf_modules/aws-network-init/documentdb_subnet.tf
@@ -0,0 +1,8 @@
+resource "aws_docdb_subnet_group" "main" {
+  name       = "main-docdb"
+  subnet_ids = aws_subnet.private_subnets[*].id
+  tags = {
+    "purpose": "docdb"
+    "ignore-if-seemingly-out-of-place": "yup"
+  }
+}
diff --git a/config/tf_modules/aws-network-init/security_groups.tf b/config/tf_modules/aws-network-init/security_groups.tf
@@ -40,6 +40,27 @@ resource "aws_security_group" "elasticache" {
     cidr_blocks = [aws_vpc.vpc.cidr_block]
   }
 
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_security_group" "documentdb" {
+  name        = "documentdb-sg"
+  description = "For usage by documentdb to give access to resources in the vpc"
+  vpc_id      = aws_vpc.vpc.id
+
+  ingress {
+    description = "documentdb"
+    from_port   = 27017
+    to_port     = 27017
+    protocol    = "tcp"
+    cidr_blocks = [aws_vpc.vpc.cidr_block]
+  }
+
   egress {
     from_port   = 0
     to_port     = 0

diff --git a/config/tf_modules/aws-redis/outputs.tf b/config/tf_modules/aws-redis/outputs.tf
@@ -1,5 +1,6 @@
 output "cache_auth_token" {
   value = aws_elasticache_replication_group.redis_cluster.auth_token
+  sensitive = true
 }
 
 output "cache_host" {

diff --git a/config/tf_modules/k8s-service/k8s-service/templates/configmap.yaml b/config/tf_modules/k8s-service/k8s-service/templates/configmap.yaml
diff --git a/config/tf_modules/k8s-service/k8s-service/templates/deployment.yaml b/config/tf_modules/k8s-service/k8s-service/templates/deployment.yaml
@@ -29,6 +29,10 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: Always
+          volumeMounts:
+            - name: config
+              mountPath: "/config"
+              readOnly: true
           ports:
             - name: http
               containerPort: {{ .Values.port }}
@@ -37,8 +41,10 @@ spec:
             httpGet:
               path: {{ .Values.livenessProbePath }}
               port: http
-          {{- if or (.Values.envVars) (.Values.secrets) }}
           env:
+            - name: RDS_CA_PATH
+              value: "/config/rds_ca.pem"
+            {{- if or (.Values.envVars) (.Values.secrets) }}
             {{ range .Values.envVars }}
             - name: {{ .name | quote }}
               value: {{ .value | quote }}
@@ -50,7 +56,7 @@ spec:
                   name: secret
                   key: {{ $val | quote }}
             {{ end }}
-          {{- end }}
+            {{- end }}
           readinessProbe:
             initialDelaySeconds: 10
             periodSeconds: 10
@@ -62,4 +68,14 @@ spec:
               {{- toYaml .Values.podResourceLimits | nindent 14 }}
             requests:
               {{- toYaml .Values.podResourceRequests | nindent 14 }}
+      volumes:
+        # You set volumes at the Pod level, then mount them into containers inside that Pod
+        - name: config
+          configMap:
+            # Provide the name of the ConfigMap you want to mount.
+            name: {{ include "k8s-service.fullname" . }}
+            # An array of keys from the ConfigMap to create as files
+            items:
+              - key: "rds_ca.pem"
+                path: "rds_ca.pem"
 {{- end }}