feat!: Update default values for security posture improvement #369

Merged
merged 17 commits into from
Feb 16, 2022
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.62.3
rev: v1.64.0
hooks:
- id: terraform_fmt
- id: terraform_validate
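Review bot: the bump to `rev: v1.64.0` pins the pre-commit-terraform hook by git tag; tags are mutable, so for a stricter supply-chain posture consider pinning `rev` to the commit SHA that the tag resolves to (pre-commit accepts a SHA in `rev`), and leave the tag in a trailing comment for readability.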
85 changes: 42 additions & 43 deletions README.md

108 changes: 108 additions & 0 deletions UPGRADE-4.0.md
@@ -0,0 +1,108 @@
# Upgrade from v3.x to v4.x

If you have any questions regarding this upgrade process, please consult the [`examples/`](https://github.com/terraform-aws-modules/terraform-aws-rds/tree/master/examples) projects:

If you find a bug, please open an issue with supporting configuration to reproduce.

## List of backwards incompatible changes

- Support for Terraform `<=v0.12.x` has been dropped; `v0.13.1` is now the minimum supported version
- Terraform AWS provider minimum version is now `v4.0.0` in order to support the replacement of `var.name`(deprecated) for `var.db_name`
- Separate RDS instance resource for MSSQL/SQLServer has been removed - all engines are supported under one resource
- `storage_encrypted` is now set to `true` by default; was previously `false`
- `create_random_password` is now set to `true` by default; was previously `false`
- `create_db_subnet_group` is now set to `false` by default; was previously `true`; typically a shared DB subnet group will be used, most likely from the VPC module
- `random_password_length` is now set to `16` by default, was previously `10`
- Random provider minimum version supported is now `v3.1.0`
- `final_snapshot_identifier` no longer coalesces `var.final_snapshot_identifier` and instead relies on `var.final_snapshot_identifier_prefix` with a random suffix to avoid name collisions

## Additional changes

### Added

- `latest_restorable_time` added to ignored changes
- `replica_mode` support added to DB instance

### Modified

- `username`, `password`, and `engine` are set to `null` when a `replicate_source_db` or `snapshot_identifier` is provided; these values are already provided in the respective source
- `engine_version` is set to `null` when a value is provided for `replicate_source_db`
- `db_subnet_group_name` has been updated to use full name when prefix is enabled
- `Name` tag removed from instance resource; name is set via `identifier` and not through tags; users can add back into the tags they provide if desired
- Outputs have been updated to use `try()` syntax; local variable usage has been removed within outputs
- `engine`, `major_engine_version`, `family`, `password`, `db_subnet_group_name`,`db_subnet_group_description`,`parameter_group_name`,
`parameter_group_description`, `option_group_name`, `option_group_description` is now set to `null` by default; was previously `""`
- `timeouts` is now set to `{}` by default; was previously a copy+paste of default value used by provider. This is a no-op but will show up in plans as a diff

### Variable and output changes

1. Removed variables:

- `final_snapshot_identifier`

2. Renamed variables:

- `name` (deprecated) -> `db_name`

3. Added variables:

- `replica_mode`

4. Removed outputs:

- None

5. Renamed outputs:

- None

6. Added outputs:

- None

## Upgrade Migrations

The following examples demonstrate some of the changes that users can elect to make to avoid any potential disruptions when upgrading.

### Before 3.x Example

```hcl
module "rds" {
source = "terraform-aws-modules/rds/aws"
version = "~> 3.0"

master_password = "MySuperStrongPassword!"

# Previously on read-replicas or restored from snapshot instances you needed to explicitly set these to null
# These can now be safely removed and instead on the module to resolve these appropriately
username = null
password = null
engine = null
}
```

### After 4.x Example

```hcl
module "asg" {
source = "terraform-aws-modules/rds/aws"
version = "~> 4.0"

master_password = "MySuperStrongPassword!"
# Set random password creation to false if providing your own password as input
create_random_password = false

# If you did not have storage encrypted in `v3.x`, you can explicitly disable in `v4.x` to avoid disruption
storage_encrypted = false
}
```

#### MSSQL/SQLServer

For MSSSQL/SQLServer, users will want to rename the resource in their Terraform state to align with the flattened DB instance resource module in v4.x:

```bash
terraform state mv 'module.<module-name>.module.db_instance.aws_db_instance.this_mssql[0]' 'module.<module-name>.module.db_instance.aws_db_instance.this[0]'
```

Where `<module-name>` is the name of your module definition.
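Review bot: the two migration examples do not agree with each other or with the rest of this PR: the "Before 3.x Example" is `module "rds"` while the "After 4.x Example" is `module "asg"`, and both set `master_password`, a name that appears nowhere else in the change (the example stacks and the "Modified" list above use `password`), so the before block ends up passing `master_password` and `password = null` at the same time. Suggest `module "rds"` in both and `password = "MySuperStrongPassword!"` in place of `master_password`. Smaller items in the same hunk: "MSSSQL" in the SQL Server paragraph, the trailing colon after "please consult the `examples/` projects:" where a full stop is meant, "instead on the module to resolve these" should read "instead rely on the module to resolve these", and "is now set to `null` by default" after the list of variables should be "are now set". On the `storage_encrypted = false` opt-out: it is the correct way to avoid a forced replacement, but it would help to state that encryption cannot be turned on in place later (it needs a snapshot copied with encryption and a restore), so readers treat the opt-out as a deliberate, temporary exception rather than the steady state.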
10 changes: 5 additions & 5 deletions examples/complete-mssql/README.md
Expand Up @@ -19,23 +19,23 @@ Note that this example may create resources which cost money. Run `terraform des

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.49 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.49 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_db"></a> [db](#module\_db) | ../../ | n/a |
| <a name="module_db_disabled"></a> [db\_disabled](#module\_db\_disabled) | ../../ | n/a |
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 2 |
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |

## Resources

15 changes: 5 additions & 10 deletions examples/complete-mssql/main.tf
Expand Up @@ -17,7 +17,7 @@ locals {

module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 2"
version = "~> 3.0"

name = local.name
cidr = "10.99.0.0/18"
Expand All @@ -34,7 +34,7 @@ module "vpc" {

module "security_group" {
source = "terraform-aws-modules/security-group/aws"
version = "~> 4"
version = "~> 4.0"

name = local.name
description = "Complete SqlServer example security group"
Expand Down Expand Up @@ -116,20 +116,16 @@ module "db" {
identifier = local.name

engine = "sqlserver-ex"
engine_version = "15.00.4073.23.v1"
engine_version = "15.00.4153.1.v1"
family = "sqlserver-ex-15.0" # DB parameter group
major_engine_version = "15.00" # DB option group
instance_class = "db.t3.large"

allocated_storage = 20
max_allocated_storage = 100
storage_encrypted = false

name = null
username = "complete_mssql"
create_random_password = true
random_password_length = 12
port = 1433
username = "complete_mssql"
port = 1433

domain = aws_directory_service_directory.demo.id
domain_iam_role_name = aws_iam_role.rds_ad_auth.name
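Review bot: removing `storage_encrypted = false`, `create_random_password = true` and `random_password_length = 12` makes the example depend entirely on the new module defaults (encrypted storage, generated 16-character password), which is the point of the PR but leaves the example silent about it; a one-line comment next to `username` saying that storage is now encrypted and the password is generated by default would keep the example self-documenting. Anyone who has this example deployed from 3.x will also see the instance replaced rather than modified in place, since `storage_encrypted` cannot change on an existing instance, so the example README or UPGRADE-4.0.md should mention that.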
Expand Down Expand Up @@ -166,7 +162,6 @@ module "db_disabled" {
identifier = "${local.name}-disabled"

create_db_instance = false
create_db_subnet_group = false
create_db_parameter_group = false
create_db_option_group = false
}
4 changes: 2 additions & 2 deletions examples/complete-mssql/versions.tf
@@ -1,10 +1,10 @@
terraform {
required_version = ">= 0.12.26"
required_version = ">= 0.13.1"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 2.49"
version = ">= 4.0"
}
}
}
8 changes: 4 additions & 4 deletions examples/complete-mysql/README.md
Expand Up @@ -19,8 +19,8 @@ Note that this example may create resources which cost money. Run `terraform des

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.49 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |

## Providers

Expand All @@ -33,8 +33,8 @@ No providers.
| <a name="module_db"></a> [db](#module\_db) | ../../ | n/a |
| <a name="module_db_default"></a> [db\_default](#module\_db\_default) | ../../ | n/a |
| <a name="module_db_disabled"></a> [db\_disabled](#module\_db\_disabled) | ../../ | n/a |
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 2 |
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |

## Resources

25 changes: 10 additions & 15 deletions examples/complete-mysql/main.tf
Expand Up @@ -17,7 +17,7 @@ locals {

module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 2"
version = "~> 3.0"

name = local.name
cidr = "10.99.0.0/18"
Expand All @@ -34,7 +34,7 @@ module "vpc" {

module "security_group" {
source = "terraform-aws-modules/security-group/aws"
version = "~> 4"
version = "~> 4.0"

name = local.name
description = "Complete MySQL example security group"
Expand Down Expand Up @@ -65,18 +65,16 @@ module "db" {

# All available versions: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt
engine = "mysql"
engine_version = "8.0.20"
engine_version = "8.0.27"
family = "mysql8.0" # DB parameter group
major_engine_version = "8.0" # DB option group
instance_class = "db.t3.large"
instance_class = "db.t3a.large"

allocated_storage = 20
max_allocated_storage = 100
storage_encrypted = false

name = "completeMysql"
db_name = "completeMysql"
username = "complete_mysql"
password = "YourPwdShouldBeLongAndSecure!"
port = 3306

multi_az = true
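Review bot: this `db` block keeps the hard-coded `password = "YourPwdShouldBeLongAndSecure!"` but does not set `create_random_password = false`, while the "After 4.x Example" in UPGRADE-4.0.md in this same PR says to set it to `false` whenever you supply your own password now that the default is `true`; either add `create_random_password = false` here or state which value the module uses when both are given. A literal password is acceptable in an example, but given the PR's security-posture theme a comment pointing at a `variable` or a secrets store (for instance `sensitive = true` input or Secrets Manager) would reinforce the intended practice.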
Expand Down Expand Up @@ -132,18 +130,16 @@ module "db_default" {

# All available versions: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html#MySQL.Concepts.VersionMgmt
engine = "mysql"
engine_version = "8.0.20"
engine_version = "8.0.27"
family = "mysql8.0" # DB parameter group
major_engine_version = "8.0" # DB option group
instance_class = "db.t3.large"
instance_class = "db.t3a.large"

allocated_storage = 20

name = "completeMysql"
username = "complete_mysql"
create_random_password = true
random_password_length = 12
port = 3306
db_name = "completeMysql"
username = "complete_mysql"
port = 3306

subnet_ids = module.vpc.database_subnets
vpc_security_group_ids = [module.security_group.security_group_id]
Expand All @@ -162,7 +158,6 @@ module "db_disabled" {
identifier = "${local.name}-disabled"

create_db_instance = false
create_db_subnet_group = false
create_db_parameter_group = false
create_db_option_group = false
}
4 changes: 2 additions & 2 deletions examples/complete-mysql/versions.tf
@@ -1,10 +1,10 @@
terraform {
required_version = ">= 0.12.26"
required_version = ">= 0.13.1"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 2.49"
version = ">= 4.0"
}
}
}
8 changes: 4 additions & 4 deletions examples/complete-oracle/README.md
Expand Up @@ -19,8 +19,8 @@ Note that this example may create resources which cost money. Run `terraform des

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.49 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0 |

## Providers

Expand All @@ -32,8 +32,8 @@ No providers.
|------|--------|---------|
| <a name="module_db"></a> [db](#module\_db) | ../../ | n/a |
| <a name="module_db_disabled"></a> [db\_disabled](#module\_db\_disabled) | ../../ | n/a |
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 2 |
| <a name="module_security_group"></a> [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |

## Resources

20 changes: 8 additions & 12 deletions examples/complete-oracle/main.tf
Expand Up @@ -17,7 +17,7 @@ locals {

module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 2"
version = "~> 3.0"

name = local.name
cidr = "10.99.0.0/18"
Expand All @@ -34,7 +34,7 @@ module "vpc" {

module "security_group" {
source = "terraform-aws-modules/security-group/aws"
version = "~> 4"
version = "~> 4.0"

name = local.name
description = "Complete Oracle example security group"
Expand Down Expand Up @@ -64,22 +64,19 @@ module "db" {
identifier = "demodb-oracle"

engine = "oracle-ee"
engine_version = "12.1.0.2.v8"
family = "oracle-ee-12.1" # DB parameter group
major_engine_version = "12.1" # DB option group
engine_version = "19.0.0.0.ru-2021-10.rur-2021-10.r1"
family = "oracle-ee-19.0" # DB parameter group
major_engine_version = "19.0" # DB option group
instance_class = "db.t3.large"
license_model = "bring-your-own-license"

allocated_storage = 20
max_allocated_storage = 100
storage_encrypted = false

# Make sure that database name is capitalized, otherwise RDS will try to recreate RDS instance every time
name = "COMPLETEORACLE"
username = "complete_oracle"
create_random_password = true
random_password_length = 12
port = 1521
db_name = "COMPLETEORACLE"
username = "complete_oracle"
port = 1521

multi_az = true
subnet_ids = module.vpc.database_subnets
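Review bot: the Oracle version bump from 12.1 to `19.0.0.0.ru-2021-10.rur-2021-10.r1` correctly moves `family` and `major_engine_version` to `oracle-ee-19.0` / `19.0` in step, which is required because the parameter group family and option group must match the engine; the pinned release-update string will go stale quickly, though, so a comment pointing to the RDS Oracle version list (as the MySQL example does for its engine) would help. The comment "Make sure that database name is capitalized" still reads correctly after the `name` -> `db_name` rename, so no change needed there.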
Expand Down Expand Up @@ -109,7 +106,6 @@ module "db_disabled" {
identifier = "${local.name}-disabled"

create_db_instance = false
create_db_subnet_group = false
create_db_parameter_group = false
create_db_option_group = false
}