Merge pull request #50 from datafold/gerard-p-3769-better-password-retrieval-management

gtoonstra · web-flow · commit 13339ea8b8a2 · 2025-04-03T10:22:26.000+02:00
fix: Disaster Recovery issues
diff --git a/main.tf b/main.tf
@@ -74,6 +74,7 @@ module "load_balancer" {
   lb_access_logs         = var.lb_access_logs
   lb_deploy_nlb          = var.lb_deploy_nlb
   lb_vpces_details       = var.lb_vpces_details
+  initial_apply_complete = var.initial_apply_complete
 
   vpces_security_group_id = local.vpces_sec_group_id
 }
@@ -195,6 +196,7 @@ module "database" {
   provider_region                          = var.provider_region
   vpc_private_subnets                      = local.vpc_private_subnets
   rds_username                             = var.rds_username
+  rds_password_override                    = var.rds_password_override
   rds_instance                             = var.rds_instance
   rds_allocated_storage                    = var.rds_allocated_storage
   rds_max_allocated_storage                = var.rds_max_allocated_storage
@@ -223,6 +225,7 @@ module "database" {
   rds_copy_tags_to_snapshot                = var.rds_copy_tags_to_snapshot
   rds_performance_insights_enabled         = var.rds_performance_insights_enabled
   rds_performance_insights_retention_period= var.rds_performance_insights_retention_period
+  rds_monitoring_role_arn                  = var.rds_monitoring_role_arn
   rds_auto_minor_version_upgrade           = var.rds_auto_minor_version_upgrade
   rds_monitoring_interval                  = var.rds_monitoring_interval
 }
@@ -340,3 +343,30 @@ module "vpc_peering" {
   vpc_private_route_table_id = module.networking.vpc_private_route_table_id
   vpc_public_route_table_id  = module.networking.vpc_public_route_table_id
 }
+
+resource "null_resource" "deployment_check" {
+  triggers = {
+    initial_apply_complete = var.initial_apply_complete
+  }
+
+  provisioner "local-exec" {
+    command = <<-EOT
+      # Get the load balancer IPs value
+      LB_IPS="${module.load_balancer.load_balancer_ips}"
+
+      echo $LB_IPS
+
+      # Check if it's empty, null, or just "[]"
+      if [ -z "$LB_IPS" ] || [ "$LB_IPS" = "[]" ] || [ "$LB_IPS" = "[\"\"]" ]|| [ "$LB_IPS" = "null" ]; then
+        echo "\n\nERROR: Initial deployment complete. Set 'initial_apply_complete = true' to resolve load balancer IP dependencies.\n\n"
+        exit 1
+      fi
+    EOT
+    interpreter = ["/bin/bash", "-c"]
+    quiet       = true
+  }
+
+  depends_on = [
+    module.load_balancer
+  ]
+}
diff --git a/modules/clickhouse_backup/main.tf b/modules/clickhouse_backup/main.tf
@@ -20,6 +20,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "clickhouse_backup" {
     expiration {
       days = 14
     }
+    filter {}
     status = "Enabled"
   }
 }
diff --git a/modules/database/main.tf b/modules/database/main.tf
@@ -37,7 +37,7 @@ module "db" {
   db_name                     = var.database_name
   username                    = var.rds_username
   manage_master_user_password = false
-  password                    = random_password.rds_master_password.result
+  password                    = local.rds_password
   port                        = var.rds_port
   copy_tags_to_snapshot       = var.rds_copy_tags_to_snapshot
 
@@ -68,6 +68,7 @@ module "db" {
 
   performance_insights_enabled = var.rds_performance_insights_enabled
   create_monitoring_role       = false
+  monitoring_role_arn          = var.rds_monitoring_role_arn
   monitoring_interval          = var.rds_monitoring_interval
 
   performance_insights_retention_period = var.rds_performance_insights_retention_period
@@ -101,7 +102,9 @@ module "db" {
 
 locals {
   log_rds_automated_backups_replication_path = "${path.module}/../../logs/rds_automated_backups_replication.log"
+  rds_password = var.rds_password_override != null ? var.rds_password_override : random_password.rds_master_password.result
 }
+
 # https://docs.aws.amazon.com/cli/latest/reference/rds/start-db-instance-automated-backups-replication.html
 resource "null_resource" "rds-automated-backups-replication" {
   count = var.rds_backups_replication_target_region != null ? 1 : 0
diff --git a/modules/database/outputs.tf b/modules/database/outputs.tf
@@ -7,7 +7,7 @@ output "postgres_username" {
 }
 
 output "postgres_password" {
-  value = random_password.rds_master_password.result
+  value = local.rds_password
 }
 
 output "postgres_database_name" {
diff --git a/modules/database/variables.tf b/modules/database/variables.tf
@@ -34,6 +34,12 @@ variable "rds_username" {
   description = "RDS username"
 }
 
+variable "rds_password_override" {
+  type        = string
+  default     = null
+  description = "Password override"
+}
+
 variable "rds_instance" {
   type        = string
   default     = "db.t3.medium"
@@ -200,6 +206,12 @@ variable "rds_performance_insights_retention_period" {
   description = "RDS performance insights retention period"
 }
 
+variable "rds_monitoring_role_arn" {
+  type        = string
+  description = "The IAM role allowed to send RDS metrics to cloudwatch"
+  default     = null
+}
+
 variable "rds_auto_minor_version_upgrade" {
   type        = bool
   default     = false
diff --git a/modules/eks/main.tf b/modules/eks/main.tf
@@ -47,7 +47,7 @@ module "eks" {
   # https://github.com/terraform-aws-modules/terraform-aws-eks/tree/master/docs
 
   source  = "terraform-aws-modules/eks/aws"
-  version = "~> 20.13.1"
+  version = "~> 20.35.0"
   # version = var.eks_module_version
 
   cluster_name    = var.deployment_name
diff --git a/modules/load_balancer/main.tf b/modules/load_balancer/main.tf
@@ -28,7 +28,7 @@ data "aws_acm_certificate" "alb" {
 # https://registry.terraform.io/modules/terraform-aws-modules/alb/aws/latest
 module "alb_app" {
   source  = "terraform-aws-modules/alb/aws"
-  version = "~> 6.2.0"
+  version = "~> 8.7.0"
 
   name = var.lb_name_override == "" ? "${var.deployment_name}-app" : var.lb_name_override
 
@@ -109,22 +109,29 @@ locals {
   vpc_subnets_joined = join(",", var.vpc_subnets)
 }
 
-data "aws_network_interfaces" "lb_app" {
+data "aws_network_interface" "lb_app" {
+  count  = var.initial_apply_complete ? length(var.vpc_subnets) : 0
+  
   filter {
-    name   = "description"
+    name = "description"
     values = ["ELB ${module.alb_app.lb_arn_suffix}"]
   }
 
-  depends_on = [ module.alb_app ]
-}
+  filter {
+    name   = "subnet-id"
+    values = [var.vpc_subnets[count.index]]
+  }
 
-data "aws_network_interface" "lb_app" {
-  count = length(data.aws_network_interfaces.lb_app.ids)
-  id    = data.aws_network_interfaces.lb_app.ids[count.index]
+  depends_on = [ module.alb_app ]
 }
 
 locals {
-  lb_ips = var.lb_internal ? jsonencode([for eni in data.aws_network_interface.lb_app : format("%s", eni.private_ip)]) : jsonencode([for eni in data.aws_network_interface.lb_app : format("%s", eni.association[0].public_ip)])
+  lb_ips = jsonencode(var.initial_apply_complete ? (
+    var.lb_internal ? 
+        [for eni in data.aws_network_interface.lb_app : format("%s", eni.private_ip)] : 
+        [for eni in data.aws_network_interface.lb_app : format("%s", eni.association[0].public_ip)]
+    ) : [""]
+  )
 }
 
 resource "aws_lb_target_group" "nlb_alb_target" {
diff --git a/modules/load_balancer/variables.tf b/modules/load_balancer/variables.tf
@@ -110,4 +110,10 @@ variable "lb_vpces_details" {
     supported_ip_address_types = list(string)
   })
   description = "Endpoint service to define for internal traffic over private link"
-}
+}
+
+variable "initial_apply_complete" {
+  type        = bool
+  default     = false
+  description = "Indicates if this infra is deployed or not. Helps to resolve dependencies."
+}
diff --git a/outputs.tf b/outputs.tf
@@ -286,4 +286,4 @@ output "storage_worker_role_arn" {
 output "storage_worker_service_account_name" {
   value = module.eks.storage_worker_service_account_name
   description = "The name of the service account for storage_worker"
-}
+}
diff --git a/variables.tf b/variables.tf
@@ -104,6 +104,12 @@ variable "private_subnet_index" {
   description = "Index of the private subnet"
 }
 
+variable "initial_apply_complete" {
+  type        = bool
+  default     = false
+  description = "Indicates if this infra is deployed or not. Helps to resolve dependencies."
+}
+
 #  ┏━┓┏━┓┏━┓╻ ╻╻╺┳┓┏━╸┏━┓
 #  ┣━┛┣┳┛┃ ┃┃┏┛┃ ┃┃┣╸ ┣┳┛
 #  ╹  ╹┗╸┗━┛┗┛ ╹╺┻┛┗━╸╹┗╸
@@ -403,6 +409,12 @@ variable "rds_username" {
   description = "Overrides the default RDS user name that is provisioned."
 }
 
+variable "rds_password_override" {
+  type        = string
+  default     = null
+  description = "Password override"
+}
+
 variable "rds_identifier" {
   type        = string
   default     = ""
@@ -537,6 +549,12 @@ variable "rds_performance_insights_enabled" {
   description = "RDS performance insights enabled or not"
 }
 
+variable "rds_monitoring_role_arn" {
+  type        = string
+  description = "The IAM role allowed to send RDS metrics to cloudwatch"
+  default     = null
+}
+
 variable "db_extra_parameters" {
   type        = list
   default     = []
diff --git a/versions.tf b/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.8.0"
+      version = ">= 5.93.0"
     }
     dns = {
       source  = "hashicorp/dns"

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "clickhouse_backup" {`
`20`	`20`	`expiration {`
`21`	`21`	`days = 14`
`22`	`22`	`}`
	`23`	`+ filter {}`
`23`	`24`	`status = "Enabled"`
`24`	`25`	`}`
`25`	`26`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ output "postgres_username" {`
`7`	`7`	`}`
`8`	`8`
`9`	`9`	`output "postgres_password" {`
`10`		`- value = random_password.rds_master_password.result`
	`10`	`+ value = local.rds_password`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`output "postgres_database_name" {`