Refactor RDS module SG rule creation

burmek · burmek · commit a0e1c1358028 · 2023-07-18T16:17:16.000-04:00
diff --git a/comet-infrastructure/main.tf b/comet-infrastructure/main.tf
@@ -98,14 +98,12 @@ module "comet_rds" {
   count       = var.enable_rds ? 1 : 0
   environment = var.environment
 
-  ec2_enabled = var.enable_ec2
-  eks_enabled = var.enable_eks
-
   availability_zones          = var.enable_vpc ? module.comet_vpc[0].azs : var.availability_zones
   vpc_id                      = var.enable_vpc ? module.comet_vpc[0].vpc_id : var.comet_vpc_id
   rds_private_subnets         = var.enable_vpc ? module.comet_vpc[0].private_subnets : var.comet_private_subnets
-  rds_allow_ec2_sg            = var.enable_ec2 ? module.comet_ec2[0].comet_ec2_sg_id : null
-  rds_allow_eks_sg            = var.enable_eks ? module.comet_eks[0].nodegroup_sg_id : null
+  rds_allow_from_sg           = var.enable_ec2 ? module.comet_ec2[0].comet_ec2_sg_id : (
+                                var.enable_eks ? module.comet_eks[0].nodegroup_sg_id : (
+                                var.rds_allow_from_sg))
   rds_engine                  = var.rds_engine
   rds_engine_version          = var.rds_engine_version
   rds_instance_type           = var.rds_instance_type
diff --git a/comet-infrastructure/modules/comet_rds/main.tf b/comet-infrastructure/modules/comet_rds/main.tf
@@ -107,19 +107,9 @@ resource "aws_security_group" "mysql_sg" {
 }
 
 resource "aws_vpc_security_group_ingress_rule" "mysql_port_inbound_ec2" {
-  count                        = var.ec2_enabled ? 1 : 0
   security_group_id            = aws_security_group.mysql_sg.id
   from_port                    = local.mysql_port
   to_port                      = local.mysql_port
   ip_protocol                  = "tcp"
-  referenced_security_group_id = var.rds_allow_ec2_sg
-}
-
-resource "aws_vpc_security_group_ingress_rule" "mysql_port_inbound_eks" {
-  count                        = var.eks_enabled ? 1 : 0
-  security_group_id            = aws_security_group.mysql_sg.id
-  from_port                    = local.mysql_port
-  to_port                      = local.mysql_port
-  ip_protocol                  = "tcp"
-  referenced_security_group_id = var.rds_allow_eks_sg
+  referenced_security_group_id = var.rds_allow_from_sg
 }
diff --git a/comet-infrastructure/modules/comet_rds/variables.tf b/comet-infrastructure/modules/comet_rds/variables.tf
@@ -1,7 +1,6 @@
 variable "environment" {
   description = "Deployment environment, i.e. dev/stage/prod, etc"
   type        = string
-  default     = "dev"
 }
 
 variable "availability_zones" {
@@ -19,13 +18,8 @@ variable "rds_private_subnets" {
   type        = list(string)
 }
 
-variable "rds_allow_ec2_sg" {
-  description = "Security group associated with EC2 compute, if provisioned"
-  type        = string
-}
-
-variable "rds_allow_eks_sg" {
-  description = "Security group associated with EKS compute, if provisioned"
+variable "rds_allow_from_sg" {
+  description = "Security group from which to allow connections to RDS, for use when provisioning in existing VPC"
   type        = string
 }
 
@@ -77,16 +71,4 @@ variable "rds_database_name" {
 variable "rds_root_password" {
   description = "Root password for RDS database"
   type        = string
-}
-
-variable "ec2_enabled" {
-  description = "Indicates if EC2 compute has been provisioned for Comet"
-  type        = bool
-  default     = null
-}
-
-variable "eks_enabled" {
-  description = "Indicates if EKS compute has been provisioned for Comet"
-  type        = bool
-  default     = null
 }
diff --git a/comet-infrastructure/terraform.tfvars b/comet-infrastructure/terraform.tfvars
@@ -9,15 +9,18 @@ enable_s3           = false
 region              = "us-east-1"
 environment         = "prod"
 
-# if not using enable_vpc to provision a VPC for the Comet resources, set the variables below to specify the existing VPC
+# if not using comet_vpc to provision a VPC for the Comet resources, set the variables below to specify the existing VPC
 comet_vpc_id          = "vpc-012345abcdefghijkl"
 availability_zones    = ["us-east-1a", "us-east-1b", "us-east-1c"]
 comet_public_subnets  = ["subnet-012345abcdefghijkl", "subnet-012345abcdefghijkl", "subnet-012345abcdefghijkl"]
 comet_private_subnets = ["subnet-012345abcdefghijkl", "subnet-012345abcdefghijkl", "subnet-012345abcdefghijkl"]
 
-# if provisioning ElastiCache in existing VPC, set the variable below to specify an SG that connections will be allowed from
+# if provisioning comet_elasticache in existing VPC, set the variable below to specify an SG that connections will be allowed from
 elasticache_allow_from_sg = "sg-012345abcdefghijkl"
 
+# if provisioning comet_rds in existing VPC, set the variable below to specify an SG that connections will be allowed from
+rds_allow_from_sg = "sg-012345abcdefghijkl"
+
 s3_bucket_name      = "comet-use2-bucket"
 rds_root_password   = "CHANGE-ME"
 ssl_certificate_arn = ""
diff --git a/comet-infrastructure/variables.tf b/comet-infrastructure/variables.tf
@@ -230,6 +230,12 @@ variable "elasticache_num_cache_nodes" {
 }
 
 #comet_rds
+variable "rds_allow_from_sg" {
+  description = "Security group from which to allow connections to RDS, for use when provisioning in existing VPC"
+  type        = string
+  default     = null
+}
+
 variable "rds_engine" {
   description = "Engine type for RDS database"
   type        = string
