infra: rds proxy

code4romania · Nov 24, 2024 · 96daae0 · 96daae0
1 parent 27523bc
commit 96daae0
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 4 deletions.
diff --git a/terraform/database-proxy.tf b/terraform/database-proxy.tf
@@ -0,0 +1,62 @@
+resource "aws_db_proxy" "main" {
+  name                   = local.namespace
+  debug_logging          = false
+  engine_family          = "MYSQL"
+  idle_client_timeout    = 1800
+  require_tls            = true
+  role_arn               = aws_iam_role.db_proxy_secrets.arn
+  vpc_security_group_ids = [aws_security_group.database.id]
+  vpc_subnet_ids         = aws_subnet.private.*.id
+
+  auth {
+    auth_scheme = "SECRETS"
+    iam_auth    = "DISABLED"
+    secret_arn  = aws_secretsmanager_secret.rds.arn
+  }
+}
+
+resource "aws_db_proxy_default_target_group" "main" {
+  db_proxy_name = aws_db_proxy.main.name
+
+  connection_pool_config {
+    connection_borrow_timeout    = 120
+    max_connections_percent      = 75
+    max_idle_connections_percent = 50
+  }
+}
+
+resource "aws_db_proxy_target" "main" {
+  db_instance_identifier = aws_db_instance.main.id
+  db_proxy_name          = aws_db_proxy.main.name
+  target_group_name      = aws_db_proxy_default_target_group.main.name
+}
+
+resource "aws_iam_role" "db_proxy_secrets" {
+  name               = "RDSProxy-${local.namespace}-secrets"
+  assume_role_policy = data.aws_iam_policy_document.proxy_secrets_policy.json
+}
+
+resource "aws_iam_role_policy" "db_proxy_secrets" {
+  name   = "${local.namespace}-secrets"
+  role   = aws_iam_role.db_proxy_secrets.id
+  policy = data.aws_iam_policy_document.db_proxy_secrets_permissions.json
+}
+
+data "aws_iam_policy_document" "proxy_secrets_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["rds.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "db_proxy_secrets_permissions" {
+  statement {
+    effect    = "Allow"
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = [aws_secretsmanager_secret.rds.arn]
+  }
+}
diff --git a/terraform/service_app.tf b/terraform/service_app.tf
@@ -126,6 +126,10 @@ module "ecs_app" {
       name  = "PHP_PM_MAX_CHILDREN",
       value = 256
     },
+    {
+      name  = "DB_HOST",
+      value = aws_db_proxy.main.endpoint
+    }
   ]
 
   secrets = [
@@ -137,10 +141,10 @@ module "ecs_app" {
       name      = "DB_CONNECTION"
       valueFrom = "${aws_secretsmanager_secret.rds.arn}:engine::"
     },
-    {
-      name      = "DB_HOST"
-      valueFrom = "${aws_secretsmanager_secret.rds.arn}:host::"
-    },
+    # {
+    #   name      = "DB_HOST"
+    #   valueFrom = "${aws_secretsmanager_secret.rds.arn}:host::"
+    # },
     {
       name      = "DB_PORT"
       valueFrom = "${aws_secretsmanager_secret.rds.arn}:port::"