feat: Add a database for apps (MSSQL only). (#3)

jamesiarmes · web-flow · commit 0069ded8aa0a · 2025-06-13T18:27:26.000-04:00
diff --git a/tofu/config/development/infra/local.tf b/tofu/config/development/infra/local.tf
@@ -1,5 +1,5 @@
 locals {
   apps = {
-    sebt : yamldecode(file("${path.module}/apps/dc-sebt-portal.yaml"))
+    dc-sebt-portal : yamldecode(file("${path.module}/apps/dc-sebt-portal.yaml"))
   }
 }
diff --git a/tofu/config/development/infra/main.tf b/tofu/config/development/infra/main.tf
@@ -49,19 +49,22 @@ module "vpc" {
 }
 
 module "app" {
-  source = "../../../modules/app"
+  source   = "../../../modules/app"
+  for_each = local.apps
 
-  project     = local.apps["sebt"].name
-  environment = "development"
-  program     = local.apps["sebt"].program
-  services    = local.apps["sebt"].services
-  domain      = try(
-    local.apps["sebt"].domain,
-    try(local.apps.internal, true) ? module.hosted_zones.route53_zone_name.internal : module.hosted_zones.route53_zone_name.external
+  project          = each.value.name
+  environment      = "development"
+  program          = each.value.program
+  services         = each.value.services
+  database_engine  = each.value.database.type
+  database_version = try(each.value.database.version, null)
+  domain = try(
+    each.value.domain,
+    try(each.value.internal, true) ? module.hosted_zones.route53_zone_name.internal : module.hosted_zones.route53_zone_name.external
   )
 
   logging_key_arn = module.logging.kms_key_arn
-  vpc_id = module.vpc.vpc_id
+  vpc_id          = module.vpc.vpc_id
   private_subnets = module.vpc.private_subnets
   public_subnets  = module.vpc.public_subnets
 }
diff --git a/tofu/config/development/infra/outputs.tf b/tofu/config/development/infra/outputs.tf
@@ -1,4 +1,4 @@
 output "apps" {
   description = "Deployed applications."
-  value = module.app.services
+  value       = module.app
 }
diff --git a/tofu/modules/app/data.tf b/tofu/modules/app/data.tf
@@ -0,0 +1,11 @@
+data "aws_caller_identity" "identity" {}
+
+data "aws_partition" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_rds_engine_version" "this" {
+  engine  = local.database_engine
+  version = var.database_version
+  latest  = true
+}
diff --git a/tofu/modules/app/database.tf b/tofu/modules/app/database.tf
@@ -0,0 +1,17 @@
+resource "aws_kms_key" "database" {
+  description             = "Database encryption key for ${var.project} ${var.environment}"
+  deletion_window_in_days = local.production ? 30 : 7
+  enable_key_rotation     = true
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/key-policy.yaml.tftpl", {
+    account_id : data.aws_caller_identity.identity.account_id,
+    partition : data.aws_partition.current.partition,
+    region : data.aws_region.current.name,
+  })))
+
+  tags = local.tags
+}
+
+resource "aws_kms_alias" "database" {
+  name          = "alias/${var.project}/${var.environment}/database"
+  target_key_id = aws_kms_key.database.id
+}
diff --git a/tofu/modules/app/local.tf b/tofu/modules/app/local.tf
@@ -1,3 +1,12 @@
 locals {
-  project_short = var.project_short != null ? var.project_short : var.project
+  database_engine = var.database_engine == "mssql" ? "sqlserver-web" : var.database_engine
+  prefix          = "${var.project}-${var.environment}"
+  production      = var.environment == "production"
+  project_short   = var.project_short != null ? var.project_short : var.project
+  tags = {
+    application = "${var.project}-${var.environment}"
+    program     = var.program
+    project     = var.project
+    environment = var.environment
+  }
 }
diff --git a/tofu/modules/app/main.tf b/tofu/modules/app/main.tf
@@ -1,5 +1,12 @@
+module "secrets" {
+  source = "github.com/codeforamerica/tofu-modules-aws-secrets?ref=1.0.0"
+
+  project     = var.project
+  environment = var.environment
+}
+
 module "service" {
-  source = "github.com/codeforamerica/tofu-modules-aws-fargate-service?ref=1.2.1"
+  source   = "github.com/codeforamerica/tofu-modules-aws-fargate-service?ref=security-group-outputs"
   for_each = var.services
 
   project       = var.project
@@ -12,15 +19,78 @@ module "service" {
   domain    = var.domain
   subdomain = try(each.value.subdomain, "www")
 
-  vpc_id          = var.vpc_id
-  private_subnets = var.private_subnets
-  public_subnets  = var.public_subnets
-  logging_key_id  = var.logging_key_arn
-  container_port  = try(each.value.expose, 3000)
+  vpc_id                   = var.vpc_id
+  private_subnets          = var.private_subnets
+  public_subnets           = var.public_subnets
+  logging_key_id           = var.logging_key_arn
+  container_port           = try(each.value.expose, 3000)
   create_version_parameter = true
 
-  tags = {
-    application = "${var.project}-${var.environment}"
-    program = var.program
+  environment_variables = {
+    DATABASE_HOST = module.mssql.db_instance_endpoint
+  }
+
+  environment_secrets = {
+    DATABASE_USERNAME = "${module.mssql.db_instance_master_user_secret_arn}:usernmae"
+    DATABASE_PASSWORD = "${module.mssql.db_instance_master_user_secret_arn}:password"
   }
+
+  tags = local.tags
+}
+
+module "mssql" {
+  source  = "terraform-aws-modules/rds/aws"
+  version = ">= 6.12"
+
+  identifier                             = local.prefix
+  instance_use_identifier_prefix         = true
+  engine                                 = local.database_engine
+  engine_version                         = data.aws_rds_engine_version.this.version
+  auto_minor_version_upgrade             = true
+  apply_immediately                      = !local.production
+  subnet_ids                             = var.private_subnets
+  create_db_subnet_group                 = true
+  create_db_option_group                 = false
+  family                                 = data.aws_rds_engine_version.this.parameter_group_family
+  instance_class                         = "db.t3.small"
+  allocated_storage                      = 20
+  max_allocated_storage                  = 100
+  username                               = "root"
+  storage_type                           = "gp3"
+  kms_key_id                             = aws_kms_key.database.arn
+  master_user_secret_kms_key_id          = module.secrets.kms_key_arn
+  performance_insights_kms_key_id        = var.logging_key_arn
+  cloudwatch_log_group_kms_key_id        = var.logging_key_arn
+  cloudwatch_log_group_retention_in_days = local.production ? 31 : 7
+  create_cloudwatch_log_group            = true
+  create_monitoring_role                 = true
+  enabled_cloudwatch_logs_exports        = data.aws_rds_engine_version.this.exportable_log_types
+  vpc_security_group_ids                 = [module.database_security_group.security_group_id]
+
+  allow_major_version_upgrade = !local.production
+
+  tags = local.tags
+}
+
+# Create an empty security group for the database. To avoid a circular
+# dependency between the database and the services, we create the security group
+# here and then add the ingress rules in a separate resource.
+module "database_security_group" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.3"
+
+  name   = "${local.prefix}-database"
+  vpc_id = var.vpc_id
+
+  tags = local.tags
+}
+
+resource "aws_vpc_security_group_ingress_rule" "database" {
+  for_each          = module.service
+  security_group_id = module.database_security_group.security_group_id
+
+  ip_protocol                  = "tcp"
+  from_port                    = module.mssql.db_instance_port
+  to_port                      = module.mssql.db_instance_port
+  referenced_security_group_id = each.value.security_group_id
 }
diff --git a/tofu/modules/app/outputs.tf b/tofu/modules/app/outputs.tf
@@ -1,4 +1,4 @@
 output "services" {
   description = "Deployed services for the application."
-  value = module.service
+  value       = module.service
 }
diff --git a/tofu/modules/app/templates/key-policy.yaml.tftpl b/tofu/modules/app/templates/key-policy.yaml.tftpl
@@ -0,0 +1,38 @@
+Version: '2012-10-17'
+Statement:
+- Sid: Enable IAM User Permissions
+  Effect: Allow
+  Principal:
+    AWS: arn:${partition}:iam::${account_id}:root
+  Action: kms:*
+  Resource: "*"
+- Sid: Allow access through RDS for all principals in the account that are authorized
+    to use RDS
+  Effect: Allow
+  Principal:
+    AWS: "*"
+  Action:
+  - kms:Encrypt
+  - kms:Decrypt
+  - kms:ReEncrypt*
+  - kms:GenerateDataKey*
+  - kms:CreateGrant
+  - kms:ListGrants
+  - kms:DescribeKey
+  Resource: "*"
+  Condition:
+    StringEquals:
+      kms:ViaService: rds.${region}.amazonaws.com
+      kms:CallerAccount: '${account_id}'
+    ForAnyValue:StringEquals:
+      kms:EncryptionContextKeys: aws:rds:db-id
+- Sid: Allow direct access to key metadata to the account
+  Effect: Allow
+  Principal:
+    AWS: arn:${partition}:iam::${account_id}:root
+  Action:
+  - kms:Describe*
+  - kms:Get*
+  - kms:List*
+  - kms:RevokeGrant
+  Resource: "*"
diff --git a/tofu/modules/app/variables.tf b/tofu/modules/app/variables.tf
@@ -1,51 +1,62 @@
+variable "database_engine" {
+  description = "The database engine to use for the application."
+  type        = string
+}
+
+variable "database_version" {
+  description = "The version of the database engine to use."
+  type        = string
+  default     = null
+}
+
 variable "domain" {
-    description = "The domain for the application."
-    type        = string
+  description = "The domain for the application."
+  type        = string
 }
 
 variable "environment" {
-    description = "The environment for the application."
-    type        = string
+  description = "The environment for the application."
+  type        = string
 }
 
 variable "logging_key_arn" {
-    description = "The ARN of the KMS key used for logging."
-    type        = string
+  description = "The ARN of the KMS key used for logging."
+  type        = string
 }
 
 variable "private_subnets" {
-    description = "List of private subnets for the application."
-    type        = list(string)
+  description = "List of private subnets for the application."
+  type        = list(string)
 }
 
 variable "program" {
-    description = "The program the application is associated with."
-    type        = string
+  description = "The program the application is associated with."
+  type        = string
 }
 
 variable "project" {
-    description = "The name of the project."
-    type        = string
+  description = "The name of the project."
+  type        = string
 }
 
 variable "project_short" {
-    description = "Short name for the project, used in resource names."
-    type        = string
+  description = "Short name for the project, used in resource names."
+  type        = string
   default     = null
 }
 
 variable "public_subnets" {
-    description = "List of public subnets for the application."
-    type        = list(string)
+  description = "List of public subnets for the application."
+  type        = list(string)
 }
 
 variable "services" {
-    description = "Services to deploy for the application."
-    type        = map(any)
-    default     = {}
+  description = "Services to deploy for the application."
+  type        = map(any)
+  default     = {}
 }
 
 variable "vpc_id" {
-    description = "The VPC ID where the application will be deployed."
-    type        = string
+  description = "The VPC ID where the application will be deployed."
+  type        = string
 }

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`locals {`
`2`	`2`	`apps = {`
`3`		`- sebt : yamldecode(file("${path.module}/apps/dc-sebt-portal.yaml"))`
	`3`	`+ dc-sebt-portal : yamldecode(file("${path.module}/apps/dc-sebt-portal.yaml"))`
`4`	`4`	`}`
`5`	`5`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`output "apps" {`
`2`	`2`	`description = "Deployed applications."`
`3`		`- value = module.app.services`
	`3`	`+ value = module.app`
`4`	`4`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`output "services" {`
`2`	`2`	`description = "Deployed services for the application."`
`3`		`- value = module.service`
	`3`	`+ value = module.service`
`4`	`4`	`}`