fix: Move database configuration to its own module.

jamesiarmes · jamesiarmes · commit 7b53eff3aea1 · 2025-06-16T15:56:29.000-04:00
diff --git a/tofu/config/development/infra/main.tf b/tofu/config/development/infra/main.tf
@@ -56,7 +56,7 @@ module "app" {
   environment      = "development"
   program          = each.value.program
   services         = each.value.services
-  database_engine  = each.value.database.type
+  database_engine  = try(each.value.database.type, null)
   database_version = try(each.value.database.version, null)
   domain = try(
     each.value.domain,
diff --git a/tofu/modules/app/database.tf b/tofu/modules/app/database.tf
@@ -1,17 +1,24 @@
-resource "aws_kms_key" "database" {
-  description             = "Database encryption key for ${var.project} ${var.environment}"
-  deletion_window_in_days = local.production ? 30 : 7
-  enable_key_rotation     = true
-  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/key-policy.yaml.tftpl", {
-    account_id : data.aws_caller_identity.identity.account_id,
-    partition : data.aws_partition.current.partition,
-    region : data.aws_region.current.name,
-  })))
+module "database" {
+  source = "../database"
 
-  tags = local.tags
+  project         = var.project
+  environment     = var.environment
+  program         = var.program
+  private_subnets = var.private_subnets
+  vpc_id          = var.vpc_id
+
+  database_engine  = var.database_engine
+  database_version = var.database_version
+  logging_key_arn  = var.logging_key_arn
+  secrets_key_arn  = module.secrets.kms_key_arn
 }
 
-resource "aws_kms_alias" "database" {
-  name          = "alias/${var.project}/${var.environment}/database"
-  target_key_id = aws_kms_key.database.id
+resource "aws_vpc_security_group_ingress_rule" "database" {
+  for_each          = module.service
+  security_group_id = module.database.security_group_id
+
+  ip_protocol                  = "tcp"
+  from_port                    = module.database.port
+  to_port                      = module.database.port
+  referenced_security_group_id = each.value.security_group_id
 }
diff --git a/tofu/modules/app/main.tf b/tofu/modules/app/main.tf
@@ -29,74 +29,18 @@ module "service" {
   create_version_parameter = true
 
   environment_variables = {
-    DATABASE_HOST = module.mssql.db_instance_endpoint
+    DATABASE_HOST = module.database.host
+    DATABASE_PORT = module.database.port
   }
 
   environment_secrets = {
-    DATABASE_USERNAME = "${module.mssql.db_instance_master_user_secret_arn}:username"
-    DATABASE_PASSWORD = "${module.mssql.db_instance_master_user_secret_arn}:password"
+    DATABASE_USERNAME = "${module.database.secret_arn}:username"
+    DATABASE_PASSWORD = "${module.database.secret_arn}:password"
   }
 
   tags = local.tags
 }
 
-module "mssql" {
-  source  = "terraform-aws-modules/rds/aws"
-  version = ">= 6.12"
-
-  identifier                             = local.prefix
-  instance_use_identifier_prefix         = true
-  engine                                 = local.database_engine
-  engine_version                         = data.aws_rds_engine_version.this.version
-  auto_minor_version_upgrade             = true
-  apply_immediately                      = !local.production
-  subnet_ids                             = var.private_subnets
-  create_db_subnet_group                 = true
-  create_db_option_group                 = false
-  family                                 = data.aws_rds_engine_version.this.parameter_group_family
-  instance_class                         = "db.t3.small"
-  allocated_storage                      = 20
-  max_allocated_storage                  = 100
-  username                               = "root"
-  storage_type                           = "gp3"
-  kms_key_id                             = aws_kms_key.database.arn
-  master_user_secret_kms_key_id          = module.secrets.kms_key_arn
-  performance_insights_kms_key_id        = var.logging_key_arn
-  cloudwatch_log_group_kms_key_id        = var.logging_key_arn
-  cloudwatch_log_group_retention_in_days = local.production ? 31 : 7
-  create_cloudwatch_log_group            = true
-  create_monitoring_role                 = true
-  enabled_cloudwatch_logs_exports        = data.aws_rds_engine_version.this.exportable_log_types
-  vpc_security_group_ids                 = [module.database_security_group.security_group_id]
-
-  allow_major_version_upgrade = !local.production
-
-  tags = local.tags
-}
-
-# Create an empty security group for the database. To avoid a circular
-# dependency between the database and the services, we create the security group
-# here and then add the ingress rules in a separate resource.
-module "database_security_group" {
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 5.3"
-
-  name   = "${local.prefix}-database"
-  vpc_id = var.vpc_id
-
-  tags = local.tags
-}
-
-resource "aws_vpc_security_group_ingress_rule" "database" {
-  for_each          = module.service
-  security_group_id = module.database_security_group.security_group_id
-
-  ip_protocol                  = "tcp"
-  from_port                    = module.mssql.db_instance_port
-  to_port                      = module.mssql.db_instance_port
-  referenced_security_group_id = each.value.security_group_id
-}
-
 resource "aws_cloudwatch_log_subscription_filter" "datadog" {
   depends_on = [module.service]
   for_each   = length(local.datadog_lambda) > 0 ? local.log_groups : toset([])
diff --git a/tofu/modules/app/variables.tf b/tofu/modules/app/variables.tf
@@ -1,6 +1,7 @@
 variable "database_engine" {
   description = "The database engine to use for the application."
   type        = string
+  default     = null
 }
 
 variable "database_version" {
diff --git a/tofu/modules/database/data.tf b/tofu/modules/database/data.tf
@@ -0,0 +1,11 @@
+data "aws_caller_identity" "identity" {}
+
+data "aws_partition" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_rds_engine_version" "this" {
+  engine  = local.database_engine
+  version = var.database_version
+  latest  = true
+}
diff --git a/tofu/modules/database/local.tf b/tofu/modules/database/local.tf
@@ -0,0 +1,11 @@
+locals {
+  database_engine = var.database_engine == "mssql" ? "sqlserver-web" : var.database_engine
+  prefix          = "${var.project}-${var.environment}"
+  production      = var.environment == "production"
+  tags = {
+    application = "${var.project}-${var.environment}"
+    program     = var.program
+    project     = var.project
+    environment = var.environment
+  }
+}
diff --git a/tofu/modules/database/main.tf b/tofu/modules/database/main.tf
@@ -0,0 +1,65 @@
+resource "aws_kms_key" "database" {
+  description             = "Database encryption key for ${var.project} ${var.environment}"
+  deletion_window_in_days = local.production ? 30 : 7
+  enable_key_rotation     = true
+  policy = jsonencode(yamldecode(templatefile("${path.module}/templates/key-policy.yaml.tftpl", {
+    account_id : data.aws_caller_identity.identity.account_id,
+    partition : data.aws_partition.current.partition,
+    region : data.aws_region.current.name,
+  })))
+
+  tags = local.tags
+}
+
+resource "aws_kms_alias" "database" {
+  name          = "alias/${var.project}/${var.environment}/database"
+  target_key_id = aws_kms_key.database.id
+}
+
+module "mssql" {
+  source   = "terraform-aws-modules/rds/aws"
+  version  = ">= 6.12"
+  for_each = var.database_engine == "mssql" ? toset(["this"]) : toset([])
+
+  identifier                             = local.prefix
+  instance_use_identifier_prefix         = true
+  engine                                 = local.database_engine
+  engine_version                         = data.aws_rds_engine_version.this.version
+  auto_minor_version_upgrade             = true
+  apply_immediately                      = !local.production
+  subnet_ids                             = var.private_subnets
+  create_db_subnet_group                 = true
+  create_db_option_group                 = false
+  family                                 = data.aws_rds_engine_version.this.parameter_group_family
+  instance_class                         = "db.t3.small"
+  allocated_storage                      = 20
+  max_allocated_storage                  = 100
+  username                               = "root"
+  storage_type                           = "gp3"
+  kms_key_id                             = aws_kms_key.database.arn
+  master_user_secret_kms_key_id          = var.secrets_key_arn
+  performance_insights_kms_key_id        = var.logging_key_arn
+  cloudwatch_log_group_kms_key_id        = var.logging_key_arn
+  cloudwatch_log_group_retention_in_days = local.production ? 31 : 7
+  create_cloudwatch_log_group            = true
+  create_monitoring_role                 = true
+  enabled_cloudwatch_logs_exports        = data.aws_rds_engine_version.this.exportable_log_types
+  vpc_security_group_ids                 = [module.database_security_group.security_group_id]
+
+  allow_major_version_upgrade = !local.production
+
+  tags = local.tags
+}
+
+# Create an empty security group for the database. To avoid a circular
+# dependency between the database and the services, we create the security group
+# here and then add the ingress rules in a separate resource.
+module "database_security_group" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.3"
+
+  name   = "${local.prefix}-database"
+  vpc_id = var.vpc_id
+
+  tags = local.tags
+}
diff --git a/tofu/modules/database/outputs.tf b/tofu/modules/database/outputs.tf
@@ -0,0 +1,19 @@
+output "security_group_id" {
+  description = "Security group ID for the database."
+  value       = module.database_security_group.security_group_id
+}
+
+output "host" {
+  description = "Host on which the database is accessible."
+  value       = try(module.mssql["this"].db_instance_address, "")
+}
+
+output "port" {
+  description = "Port on which the database is accessible."
+  value       = try(module.mssql["this"].db_instance_port, "")
+}
+
+output "secret_arn" {
+  description = "ARN of the secret containing the database credentials."
+  value       = try(module.mssql["this"].db_instance_master_user_secret_arn, "")
+}
diff --git a/tofu/modules/database/templates/key-policy.yaml.tftpl b/tofu/modules/database/templates/key-policy.yaml.tftpl
diff --git a/tofu/modules/database/variables.tf b/tofu/modules/database/variables.tf
@@ -0,0 +1,46 @@
+variable "database_engine" {
+  description = "The database engine to use for the application."
+  type        = string
+  default     = null
+}
+
+variable "database_version" {
+  description = "The version of the database engine to use."
+  type        = string
+  default     = null
+}
+
+variable "environment" {
+  description = "The environment for the application."
+  type        = string
+}
+
+variable "logging_key_arn" {
+  description = "The ARN of the KMS key used for logging."
+  type        = string
+}
+
+variable "private_subnets" {
+  description = "List of private subnets for the application."
+  type        = list(string)
+}
+
+variable "program" {
+  description = "The program the application is associated with."
+  type        = string
+}
+
+variable "project" {
+  description = "The name of the project."
+  type        = string
+}
+
+variable "secrets_key_arn" {
+  description = "The ARN of the KMS key used for secrets."
+  type        = string
+}
+
+variable "vpc_id" {
+  description = "The VPC ID where the application will be deployed."
+  type        = string
+}
diff --git a/tofu/modules/database/versions.tf b/tofu/modules/database/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.9"
+
+  required_providers {
+    aws = {
+      version = "~> 5.93"
+      source  = "hashicorp/aws"
+    }
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`variable "database_engine" {`
`2`	`2`	`description = "The database engine to use for the application."`
`3`	`3`	`type = string`
	`4`	`+ default = null`
`4`	`5`	`}`
`5`	`6`
`6`	`7`	`variable "database_version" {`