feat: simplify terraform.

Author: missionmike

.github/actions/terraform-plan/action.yml

@@ -17,6 +17,11 @@ runs:
       shell: bash
       run: ./import_resources.sh
 
+    - name: Terraform Import Existing Secrets
+      working-directory: terraform
+      shell: bash
+      run: ./import_secrets.sh
+
     - name: Validate Terraform
       working-directory: terraform
       shell: bash

terraform/app_runner.tf

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Define the environments
+environments=("test" "prod")
+
+# Loop through each environment
+for env in "${environments[@]}"; do
+  # Get the ARN of the secret
+  secret_arn=$(aws secretsmanager list-secrets --query "SecretList[?Name=='${env}/postgresql/credentials'].ARN" --output text)
+  
+  # Check if the secret exists
+  if [ -n "$secret_arn" ]; then
+    echo "Importing secret for environment: $env"
+    terraform import "aws_secretsmanager_secret.db_secrets[\"$env\"]" "$secret_arn"
+  else
+    echo "Secret for environment: $env does not exist"
+  fi
+done

terraform/iam.tf

@@ -37,23 +37,3 @@ output "endpoints" {
     env => instance.endpoint
   }
 }
-
-output "app_runner_services" {
-  value = {
-    for env, service in aws_apprunner_service.service : env => {
-      service_url = service.service_url
-      service_id  = service.service_id
-      status      = service.status
-    }
-  }
-}
-
-output "custom_domains" {
-  value = {
-    for env, domain in aws_apprunner_custom_domain_association.domain : env => {
-      domain_name = domain.domain_name
-      status      = domain.status
-      dns_target  = domain.dns_target
-    }
-  }
-}

terraform/import_secrets.sh

@@ -1,6 +1,10 @@
 resource "aws_db_subnet_group" "postgresql" {
   name       = "postgresql-subnet-group"
   subnet_ids = aws_subnet.private[*].id
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }
 
 resource "aws_db_instance" "postgresql" {
@@ -18,11 +22,15 @@ resource "aws_db_instance" "postgresql" {
 
   skip_final_snapshot = true
 
-  vpc_security_group_ids = [aws_security_group.rds_sg.id]
+  vpc_security_group_ids = [var.rds_security_group_id]
   db_subnet_group_name   = aws_db_subnet_group.postgresql.name
 
   publicly_accessible = false
   multi_az            = false
 
   tags = each.value.tags
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }

terraform/outputs.tf

@@ -2,6 +2,10 @@ resource "aws_secretsmanager_secret" "db_secrets" {
   for_each = var.environments
   name     = "${each.key}/postgresql/credentials"
   tags     = each.value.tags
+
+  lifecycle {
+    prevent_destroy = true
+  }
 }
 
 resource "aws_secretsmanager_secret_version" "secret_versions" {
@@ -16,4 +20,8 @@ resource "aws_secretsmanager_secret_version" "secret_versions" {
     dbname   = each.value.db_name
   })
   depends_on = [aws_db_instance.postgresql]
+
+  lifecycle {
+    create_before_destroy = true
+  }
 }

terraform/rds.tf

@@ -9,43 +9,8 @@ resource "aws_security_group" "rds_sg" {
     protocol    = "tcp"
     cidr_blocks = ["10.0.0.0/16"] # Replace with appropriate CIDR block
   }
-}
-
-resource "aws_security_group" "vpce" {
-  name        = "vpce-security-group"
-  description = "Security group for VPC Endpoints"
-  vpc_id      = aws_vpc.main.id
-
-  ingress {
-    from_port   = 443
-    to_port     = 443
-    protocol    = "tcp"
-    cidr_blocks = [aws_vpc.main.cidr_block]
-  }
-}
-
-resource "aws_security_group" "app_runner" {
-  name        = "app-runner-security-group"
-  description = "Security group for App Runner VPC Connector"
-  vpc_id      = aws_vpc.main.id
-
-  # Allow outbound traffic to RDS
-  egress {
-    from_port   = 5432
-    to_port     = 5432
-    protocol    = "tcp"
-    cidr_blocks = ["10.0.0.0/16"] # Replace with appropriate CIDR block
-  }
-
-  # Allow all other outbound traffic
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
 
-  tags = {
-    Name = "app-runner-sg"
+  lifecycle {
+    prevent_destroy = true
   }
 }

terraform/secrets.tf

@@ -1,2 +1,3 @@
 # Overrides the default values for the variables defined in variables.tf
-region = "us-west-2"
+region                = "us-west-2"
+rds_security_group_id = "sg-0c40327281d3f4db4"

terraform/security.tf

@@ -21,3 +21,8 @@ variable "environments" {
     }
   }
 }
+
+variable "rds_security_group_id" {
+  description = "The security group ID for the RDS instance"
+  type        = string
+}