kunduso / rds-secretsmanager-rotation-lambda-terraform

This repository contains the necessary Terraform configurations to deploy an Amazon RDS for PostgreSQL and all the supporting infrastructure components like Amazon VPC, Subnets, KMS keys, security group and IAM roles, automated via GitHub Actions. Code scanning is enabled via Bridgecrew Checkov.
https://skundunotes.com/2024/09/18/create-amazon-rds-for-postgresql-db-using-terraform-and-github-actions/
The Unlicense

Add rds db instance #20

Closed kunduso closed 2 months ago

kunduso commented 2 months ago

The changes in this PR close #19, close #18, close #16, close #15, close #14.

github-actions[bot] commented 2 months ago

💰 Infracost report

Monthly estimate increased by $242 📈

| Changed project | Baseline cost | Usage cost* | Total change | New monthly cost |
|---|---|---|---|---|
| kunduso/rds-secretsmanager-rotation-lambda-terraform/TFplan.JSON | +$242 | - | +$242 | $242 |

*Usage costs can be estimated by updating Infracost Cloud settings, see docs for other options.

Estimate details

```
Key: * usage cost, ~ changed, + added, - removed
──────────────────────────────────
Project: kunduso/rds-secretsmanager-rotation-lambda-terraform/TFplan.JSON

+ aws_db_instance.postgresql                                                    +$241
    + Database instance (on-demand, Multi-AZ, db.t3.large)                      +$212
    + Storage (general purpose SSD, gp3)                                         +$23
    + Performance Insights Long Term Retention (db.t3.large)                      +$6
    + Performance Insights API             Monthly cost depends on usage   +$0.01 per 1000 requests

+ aws_kms_key.encryption_rds                                                      +$1
    + Customer master key                                                         +$1
    + Requests                             Monthly cost depends on usage   +$0.03 per 10k requests
    + ECC GenerateDataKeyPair requests     Monthly cost depends on usage   +$0.10 per 10k requests
    + RSA GenerateDataKeyPair requests     Monthly cost depends on usage   +$0.10 per 10k requests

Monthly cost change for kunduso/rds-secretsmanager-rotation-lambda-terraform/TFplan.JSON
Amount:  +$242 ($0.00 → $242)

──────────────────────────────────
Key: * usage cost, ~ changed, + added, - removed
*Usage costs can be estimated by updating Infracost Cloud settings, see docs for other options.

20 cloud resources were detected:
∙ 2 were estimated
∙ 18 were free

Infracost estimate: Monthly estimate increased by $242 ↑
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━┳━━━━━━━━━━━━━━┓
┃ Changed project                                                  ┃ Baseline cost ┃ Usage cost* ┃ Total change ┃
┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━━━╋━━━━━━━━━━━━━╋━━━━━━━━━━━━━━┫
┃ kunduso/rds-secretsmanager-rotation-lambda-terraform/TFplan.JSON ┃ +$242         ┃ -           ┃ +$242        ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━━━┻━━━━━━━━━━━━━┻━━━━━━━━━━━━━━┛
```

This comment will be updated when code changes.

github-actions[bot] commented 2 months ago

Terraform Format and Style 🖌success

Terraform Initialization ⚙️success

Terraform Plan 📖success

Terraform Validation 🤖success

Show Plan

```terraform
data.aws_availability_zones.available: Reading...
data.aws_caller_identity.current: Reading...
data.aws_caller_identity.current: Read complete after 0s [id=743794601996]
data.aws_availability_zones.available: Read complete after 0s [id=us-east-2]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

  # data.aws_iam_policy_document.encryption_rds_policy will be read during apply
  # (config refers to values not yet known)
 <= data "aws_iam_policy_document" "encryption_rds_policy" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "kms:CancelKeyDeletion",
              + "kms:Create*",
              + "kms:Decrypt",
              + "kms:Delete*",
              + "kms:DescribeKey",
              + "kms:Disable*",
              + "kms:Enable*",
              + "kms:Encrypt",
              + "kms:GenerateDataKey*",
              + "kms:Get*",
              + "kms:List*",
              + "kms:Put*",
              + "kms:ReEncrypt*",
              + "kms:Revoke*",
              + "kms:ScheduleKeyDeletion",
              + "kms:TagResource",
              + "kms:UntagResource",
              + "kms:Update*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "Enable IAM User Permissions"

          + principals {
              + identifiers = [
                  + "arn:aws:iam::743794601996:root",
                ]
              + type        = "AWS"
            }
        }
      + statement {
          + actions   = [
              + "kms:CreateGrant",
              + "kms:Decrypt",
              + "kms:DescribeKey",
              + "kms:Encrypt",
              + "kms:GenerateDataKey*",
              + "kms:ReEncrypt*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "Allow RDS to use the key"

          + principals {
              + identifiers = [
                  + "rds.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
      + statement {
          + actions   = [
              + "kms:CreateGrant",
              + "kms:Decrypt",
              + "kms:DescribeKey",
              + "kms:Encrypt",
              + "kms:GenerateDataKey*",
              + "kms:ReEncrypt*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "Allow Secrets Manager to use the key"

          + principals {
              + identifiers = [
                  + "secretsmanager.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
      + statement {
          + actions   = [
              + "kms:Decrypt",
              + "kms:DescribeKey",
              + "kms:Encrypt",
              + "kms:GenerateDataKey*",
              + "kms:ReEncrypt*",
            ]
          + effect    = "Allow"
          + resources = [
              + (known after apply),
            ]
          + sid       = "Allow SSM to use the key"

          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "743794601996",
                ]
              + variable = "kms:CallerAccount"
            }
          + condition {
              + test     = "StringEquals"
              + values   = [
                  + "ssm.us-east-2.amazonaws.com",
                ]
              + variable = "kms:ViaService"
            }

          + principals {
              + identifiers = [
                  + "ssm.amazonaws.com",
                ]
              + type        = "Service"
            }
        }
    }

  # aws_db_instance.postgresql will be created
  + resource "aws_db_instance" "postgresql" {
      + address                               = (known after apply)
      + allocated_storage                     = 100
      + apply_immediately                     = true
      + arn                                   = (known after apply)
      + auto_minor_version_upgrade            = true
      + availability_zone                     = (known after apply)
      + backup_retention_period               = (known after apply)
      + backup_target                         = (known after apply)
      + backup_window                         = (known after apply)
      + ca_cert_identifier                    = "rds-ca-rsa2048-g1"
      + character_set_name                    = (known after apply)
      + copy_tags_to_snapshot                 = true
      + db_name                               = (known after apply)
      + db_subnet_group_name                  = (known after apply)
      + dedicated_log_volume                  = false
      + delete_automated_backups              = true
      + deletion_protection                   = true
      + domain_fqdn                           = (known after apply)
      + enabled_cloudwatch_logs_exports       = [
          + "postgresql",
          + "upgrade",
        ]
      + endpoint                              = (known after apply)
      + engine                                = "postgres"
      + engine_lifecycle_support              = (known after apply)
      + engine_version                        = "16.3"
      + engine_version_actual                 = (known after apply)
      + hosted_zone_id                        = (known after apply)
      + iam_database_authentication_enabled   = true
      + id                                    = (known after apply)
      + identifier                            = "app-12"
      + identifier_prefix                     = (known after apply)
      + instance_class                        = "db.t3.large"
      + iops                                  = (known after apply)
      + kms_key_id                            = (known after apply)
      + latest_restorable_time                = (known after apply)
      + license_model                         = (known after apply)
      + listener_endpoint                     = (known after apply)
      + maintenance_window                    = (known after apply)
      + manage_master_user_password           = true
      + master_user_secret                    = (known after apply)
      + master_user_secret_kms_key_id         = (known after apply)
      + monitoring_interval                   = 10
      + monitoring_role_arn                   = (known after apply)
      + multi_az                              = true
      + nchar_character_set_name              = (known after apply)
      + network_type                          = (known after apply)
      + option_group_name                     = (known after apply)
      + parameter_group_name                  = "app-12"
      + performance_insights_enabled          = true
      + performance_insights_kms_key_id       = (known after apply)
      + performance_insights_retention_period = 31
      + port                                  = (known after apply)
      + publicly_accessible                   = false
      + replica_mode                          = (known after apply)
      + replicas                              = (known after apply)
      + resource_id                           = (known after apply)
      + skip_final_snapshot                   = true
      + snapshot_identifier                   = (known after apply)
      + status                                = (known after apply)
      + storage_encrypted                     = true
      + storage_throughput                    = (known after apply)
      + storage_type                          = "gp3"
      + tags_all                              = {
          + "Source" = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
        }
      + timezone                              = (known after apply)
      + username                              = "postgres"
      + vpc_security_group_ids                = (known after apply)
    }

  # aws_db_parameter_group.postgres will be created
  + resource "aws_db_parameter_group" "postgres" {
      + arn          = (known after apply)
      + description  = "Managed by Terraform"
      + family       = "postgres16"
      + id           = (known after apply)
      + name         = "app-12"
      + name_prefix  = (known after apply)
      + skip_destroy = false
      + tags_all     = {
          + "Source" = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
        }

      + parameter {
          + apply_method = "immediate"
          + name         = "log_min_duration_statement"
          + value        = "1"
        }
      + parameter {
          + apply_method = "immediate"
          + name         = "log_statement"
          + value        = "all"
        }
      + parameter {
          + apply_method = "immediate"
          + name         = "rds.force_ssl"
          + value        = "1"
        }
    }

  # aws_db_subnet_group.rds will be created
  + resource "aws_db_subnet_group" "rds" {
      + arn                     = (known after apply)
      + description             = "Managed by Terraform"
      + id                      = (known after apply)
      + name                    = "app-12-subnet-group"
      + name_prefix             = (known after apply)
      + subnet_ids              = (known after apply)
      + supported_network_types = (known after apply)
      + tags_all                = {
          + "Source" = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
        }
      + vpc_id                  = (known after apply)
    }

  # aws_default_security_group.default will be created
  + resource "aws_default_security_group" "default" {
      + arn                    = (known after apply)
      + description            = (known after apply)
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = (known after apply)
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags_all               = {
          + "Source" = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
        }
      + vpc_id                 = (known after apply)
    }

  # aws_iam_policy.ssm_parameter_policy will be created
  + resource "aws_iam_policy" "ssm_parameter_policy" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + description      = "Policy to read the RDS Endpoint and Password ARN stored in the SSM Parameter Store."
      + id               = (known after apply)
      + name             = "app-12-rds-connection-read-policy"
      + name_prefix      = (known after apply)
      + path             = "/"
      + policy           = (known after apply)
      + policy_id        = (known after apply)
      + tags_all         = {
          + "Source" = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
        }
    }

  # aws_iam_role.rds_monitoring_role will be created
  + resource "aws_iam_role" "rds_monitoring_role" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + Service = "monitoring.rds.amazonaws.com"
                        }
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "app-12-rds-monitoring-role"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags_all              = {
          + "Source" = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
        }
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # aws_iam_role_policy_attachment.managed_rds_monitoring_policy_attachement will be created
  + resource "aws_iam_role_policy_attachment" "managed_rds_monitoring_policy_attachement" {
      + id         = (known after apply)
      + policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
      + role       = "app-12-rds-monitoring-role"
    }

  # aws_kms_alias.encryption_rds will be created
  + resource "aws_kms_alias" "encryption_rds" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + name           = "alias/app-12-kms"
      + name_prefix    = (known after apply)
      + target_key_arn = (known after apply)
      + target_key_id  = (known after apply)
    }

  # aws_kms_key.encryption_rds will be created
  + resource "aws_kms_key" "encryption_rds" {
      + arn                                = (known after apply)
      + bypass_policy_lockout_safety_check = false
      + customer_master_key_spec           = "SYMMETRIC_DEFAULT"
      + deletion_window_in_days            = 7
      + description                        = "Key to encrypt the app-12 resources."
      + enable_key_rotation                = true
      + id                                 = (known after apply)
      + is_enabled                         = true
      + key_id                             = (known after apply)
      + key_usage                          = "ENCRYPT_DECRYPT"
      + multi_region                       = (known after apply)
      + policy                             = (known after apply)
      + rotation_period_in_days            = (known after apply)
      + tags_all                           = {
          + "Source" = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
        }
    }

  # aws_kms_key_policy.encryption_rds will be created
  + resource "aws_kms_key_policy" "encryption_rds" {
      + bypass_policy_lockout_safety_check = false
      + id                                 = (known after apply)
      + key_id                             = (known after apply)
      + policy                             = (known after apply)
    }

  # aws_route_table.this_rt will be created
  + resource "aws_route_table" "this_rt" {
      + arn              = (known after apply)
      + id               = (known after apply)
      + owner_id         = (known after apply)
      + propagating_vgws = (known after apply)
      + route            = (known after apply)
      + tags             = {
          + "Name" = "app-12-route-table"
        }
      + tags_all         = {
          + "Name"   = "app-12-route-table"
          + "Source" = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
        }
      + vpc_id           = (known after apply)
    }

  # aws_route_table_association.db[0] will be created
  + resource "aws_route_table_association" "db" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

  # aws_route_table_association.db[1] will be created
  + resource "aws_route_table_association" "db" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

  # aws_security_group.rds will be created
  + resource "aws_security_group" "rds" {
      + arn                    = (known after apply)
      + description            = "Security group for RDS in app-12"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = (known after apply)
      + name                   = "app-12-rds-sg"
      + name_prefix            = (known after apply)
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags                   = {
          + "Name" = "app-12-rds-sg"
        }
      + tags_all               = {
          + "Name"   = "app-12-rds-sg"
          + "Source" = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
        }
      + vpc_id                 = (known after apply)
    }

  # aws_security_group_rule.egress_rds_sg will be created
  + resource "aws_security_group_rule" "egress_rds_sg" {
      + cidr_blocks              = [
          + "15.25.15.0/26",
        ]
      + description              = "allow traffic to reach outside the vpc"
      + from_port                = 0
      + id                       = (known after apply)
      + protocol                 = "-1"
      + security_group_id        = (known after apply)
      + security_group_rule_id   = (known after apply)
      + self                     = false
      + source_security_group_id = (known after apply)
      + to_port                  = 0
      + type                     = "egress"
    }

  # aws_security_group_rule.ingress_rds_sg will be created
  + resource "aws_security_group_rule" "ingress_rds_sg" {
      + cidr_blocks              = [
          + "15.25.15.0/26",
        ]
      + description              = "allow traffic to RDS"
      + from_port                = 5432
      + id                       = (known after apply)
      + protocol                 = "tcp"
      + security_group_id        = (known after apply)
      + security_group_rule_id   = (known after apply)
      + self                     = false
      + source_security_group_id = (known after apply)
      + to_port                  = 5432
      + type                     = "ingress"
    }

  # aws_ssm_parameter.rds_connection will be created
  + resource "aws_ssm_parameter" "rds_connection" {
      + arn            = (known after apply)
      + data_type      = (known after apply)
      + id             = (known after apply)
      + insecure_value = (known after apply)
      + key_id         = (known after apply)
      + name           = "/app-12/rds-connection"
      + tags_all       = {
          + "Source" = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
        }
      + tier           = (known after apply)
      + type           = "SecureString"
      + value          = (sensitive value)
      + version        = (known after apply)
    }

  # aws_subnet.db[0] will be created
  + resource "aws_subnet" "db" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "us-east-2a"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "15.25.15.0/28"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "app-12subnet-1"
        }
      + tags_all                                       = {
          + "Name"   = "app-12subnet-1"
          + "Source" = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
        }
      + vpc_id                                         = (known after apply)
    }

  # aws_subnet.db[1] will be created
  + resource "aws_subnet" "db" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "us-east-2b"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "15.25.15.16/28"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name" = "app-12subnet-2"
        }
      + tags_all                                       = {
          + "Name"   = "app-12subnet-2"
          + "Source" = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
        }
      + vpc_id                                         = (known after apply)
    }

  # aws_vpc.this will be created
  + resource "aws_vpc" "this" {
      + arn                                  = (known after apply)
      + cidr_block                           = "15.25.15.0/26"
      + default_network_acl_id               = (known after apply)
      + default_route_table_id               = (known after apply)
      + default_security_group_id            = (known after apply)
      + dhcp_options_id                      = (known after apply)
      + enable_dns_hostnames                 = true
      + enable_dns_support                   = true
      + enable_network_address_usage_metrics = (known after apply)
      + id                                   = (known after apply)
      + instance_tenancy                     = "default"
      + ipv6_association_id                  = (known after apply)
      + ipv6_cidr_block                      = (known after apply)
      + ipv6_cidr_block_network_border_group = (known after apply)
      + main_route_table_id                  = (known after apply)
      + owner_id                             = (known after apply)
      + tags                                 = {
          + "Name" = "app-12"
        }
      + tags_all                             = {
          + "Name"   = "app-12"
          + "Source" = "https://github.com/kunduso/rds-secretsmanager-rotation-lambda-terraform"
        }
    }

Plan: 20 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: TFplan.JSON

To perform exactly these actions, run the following command to apply:
    terraform apply "TFplan.JSON"
```

Pushed by: @kunduso, Action: pull_request
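The plan output above is the only place a reviewer sees the security-relevant settings of this PR (storage encryption with a customer managed key, `publicly_accessible = false`, `deletion_protection`, `rds.force_ssl = 1` in the parameter group, an ingress rule limited to tcp/5432 from the VPC CIDR, a `SecureString` SSM parameter, KMS key rotation). Below is an added example of a check that a workflow could run over the saved plan artifact (`TFplan.JSON`, converted with `terraform show -json`) to fail the build if any of those settings regresses. This is not code from the repository or from Checkov; the sample plan is constructed by hand from the values in the plan above and follows Terraform's JSON plan layout (`resource_changes[].change.after`, with attributes that are "(known after apply)" flagged in `after_unknown`), and `check_plan` and `weakened_sample` are names chosen for this example.

```python
"""Security checks over a Terraform JSON plan (`terraform show -json TFplan.JSON` output).
Added example, not code from the kunduso/rds-secretsmanager-rotation-lambda-terraform
repository or from Checkov; the sample plan is constructed by hand from the PR's plan output."""
import json

# Constructed sample: only the resources and attributes the checks read. Attributes the plan
# prints as "(known after apply)" are absent from "after" and flagged true in "after_unknown".
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_db_instance.postgresql", "type": "aws_db_instance",
         "change": {"actions": ["create"], "after_unknown": {"kms_key_id": True},
                    "after": {"storage_encrypted": True, "publicly_accessible": False,
                              "deletion_protection": True, "multi_az": True,
                              "iam_database_authentication_enabled": True,
                              "manage_master_user_password": True, "parameter_group_name": "app-12"}}},
        {"address": "aws_db_parameter_group.postgres", "type": "aws_db_parameter_group",
         "change": {"actions": ["create"], "after": {"name": "app-12", "parameter": [
             {"name": "log_min_duration_statement", "value": "1"}, {"name": "log_statement", "value": "all"},
             {"name": "rds.force_ssl", "value": "1"}]}}},
        {"address": "aws_security_group_rule.ingress_rds_sg", "type": "aws_security_group_rule",
         "change": {"actions": ["create"], "after": {"type": "ingress", "protocol": "tcp",
                    "from_port": 5432, "to_port": 5432, "cidr_blocks": ["15.25.15.0/26"]}}},
        {"address": "aws_kms_key.encryption_rds", "type": "aws_kms_key",
         "change": {"actions": ["create"], "after": {"enable_key_rotation": True}}},
        {"address": "aws_ssm_parameter.rds_connection", "type": "aws_ssm_parameter",
         "change": {"actions": ["create"], "after": {"name": "/app-12/rds-connection", "type": "SecureString"}}},
    ],
})

def _after(rc: dict) -> dict:
    """Planned post-apply attributes of one resource change (empty for deletions)."""
    return rc["change"].get("after") or {}

def check_plan(plan_text: str) -> list[str]:
    """Return one finding per violated check; an empty list means the plan passed."""
    by_type: dict[str, list[dict]] = {}
    for rc in json.loads(plan_text).get("resource_changes", []):
        if "delete" not in rc["change"].get("actions", []):
            by_type.setdefault(rc["type"], []).append(rc)
    findings: list[str] = []

    # Parameter groups indexed by name, so the instance check can resolve rds.force_ssl.
    param_groups = {_after(rc).get("name"): {p["name"]: p.get("value") for p in _after(rc).get("parameter", [])}
                    for rc in by_type.get("aws_db_parameter_group", [])}

    for rc in by_type.get("aws_db_instance", []):
        addr, after = rc["address"], _after(rc)
        for attr, want in (("storage_encrypted", True), ("publicly_accessible", False),
                           ("deletion_protection", True), ("multi_az", True),
                           ("iam_database_authentication_enabled", True),
                           ("manage_master_user_password", True)):
            if after.get(attr) != want:
                findings.append(f"{addr}: {attr} should be {want}, planned {after.get(attr)!r}")
        # A customer managed key reference is fine whether known now or only at apply time.
        unknown = rc["change"].get("after_unknown") or {}
        if not after.get("kms_key_id") and unknown.get("kms_key_id") is not True:
            findings.append(f"{addr}: kms_key_id not set, storage would use the AWS-managed key")
        if param_groups.get(after.get("parameter_group_name"), {}).get("rds.force_ssl") != "1":
            findings.append(f"{addr}: parameter group does not set rds.force_ssl=1")

    for rc in by_type.get("aws_security_group_rule", []):
        addr, after = rc["address"], _after(rc)
        if after.get("type") != "ingress":
            continue
        cidrs = (after.get("cidr_blocks") or []) + (after.get("ipv6_cidr_blocks") or [])
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            findings.append(f"{addr}: ingress is open to the world")
        if (after.get("protocol"), after.get("from_port"), after.get("to_port")) != ("tcp", 5432, 5432):
            findings.append(f"{addr}: ingress is not restricted to tcp/5432")

    for rc in by_type.get("aws_kms_key", []):
        if _after(rc).get("enable_key_rotation") is not True:
            findings.append(f"{rc['address']}: enable_key_rotation is not true")
    for rc in by_type.get("aws_ssm_parameter", []):
        if _after(rc).get("type") != "SecureString":
            findings.append(f"{rc['address']}: parameter type is not SecureString")
    return findings

def weakened_sample() -> str:
    """The sample plan with three settings loosened, to show what a failing run reports."""
    plan = json.loads(SAMPLE_PLAN_JSON)
    for rc in plan["resource_changes"]:
        after = rc["change"]["after"]
        if rc["type"] == "aws_db_instance":
            after["publicly_accessible"] = True
        elif rc["type"] == "aws_db_parameter_group":
            after["parameter"] = [p for p in after["parameter"] if p["name"] != "rds.force_ssl"]
        elif rc["type"] == "aws_security_group_rule":
            after["cidr_blocks"] = ["0.0.0.0/0"]
    return json.dumps(plan)

if __name__ == "__main__":
    print("as planned:", check_plan(SAMPLE_PLAN_JSON))
    print("weakened:", check_plan(weakened_sample()))
```

Against the values in this PR's plan the check returns no findings; the weakened copy reports three (a publicly accessible instance, a parameter group without `rds.force_ssl`, and an ingress rule open to 0.0.0.0/0). In a workflow the same function would read the real `terraform show -json TFplan.JSON` output and exit non-zero on any finding, complementing the Checkov scan the repository already runs on the HCL.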
