
Commit 515daae

committed
rds instance only ever in private subnet
1 parent b936463 commit 515daae

7 files changed

Lines changed: 27 additions & 55 deletions


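--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,8 @@
+###############################################################################
+# Install PostgreSQL client on EC2 host for direct database access
+# This allows running psql commands without entering the Docker container
+###############################################################################
+
+packages:
+yum:
+postgresql15: []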
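Review bot: The header comment at new lines 2–3 presents psql on the EC2 host as a convenience for direct database access, but it does not record that, once the allowlisted-IP ingress rule is removed elsewhere in this commit, a shell on this host is the only remaining path to the database, so host access (SSH or SSM session permissions) becomes the database access boundary. I would extend the comment with `# With RDS private-only, shell access to this host is the only route to the DB - restrict who can open one` and note that connectivity depends on the rds_from_eb rule in the network module. The `postgresql15` pin is presumably meant to match the RDS engine major version; psql tolerates a newer server but pg_dump refuses one, so the pin needs to move with engine upgrades. This section is rendered without its file path, so the note cannot name the file.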

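--- a/infrastructure/environments/production/main.tf
+++ b/infrastructure/environments/production/main.tf
@@ -46,7 +46,6 @@ module "network" {
 environment = local.environment
 aws_region = var.aws_region
 vpc_cidr = var.vpc_cidr
-allowed_ips = var.allowed_ips
 }
 
 #############
@@ -122,9 +121,10 @@ module "rds" {
 database_name = var.database_name
 master_username = var.db_master_username
 master_password = module.secrets.db_password
+# Keep RDS in private subnets (best practice for production)
 db_subnet_group_name = module.network.db_subnet_group_name
 security_group_id = module.network.rds_security_group_id
-publicly_accessible = var.rds_publicly_accessible
+publicly_accessible = false # Keep private for security
 multi_az = var.rds_multi_az
 
 # Backup configuration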
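Review bot: `publicly_accessible = false` at new line 127 hard-codes the value, yet `var.rds_publicly_accessible` is still declared in infrastructure/environments/production/variables.tf (second hunk of that section, where only its description changes) and still set in terraform.tfvars.example, so the variable is now dead input that an operator can flip to true with no effect and no warning. Either delete the variable and the tfvars line, or keep it wired and enforce the policy where it is declared with a `validation` block on the variable, e.g. `condition = var.rds_publicly_accessible == false` and `error_message = "RDS must not be publicly accessible in production"`. The comment on new line 124 says the instance is kept in private subnets, but that is decided by the subnet group built in the network module, not by anything in this file; `# Subnet group comes from modules/network and must contain private subnets only` would be more accurate. Both the network and rds module blocks continue outside these hunks.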

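--- a/infrastructure/environments/production/terraform.tfvars.example
+++ b/infrastructure/environments/production/terraform.tfvars.example
@@ -6,19 +6,16 @@
 aws_region = "us-east-1"
 
 # Network Configuration
-# Add your IP addresses here to allow direct RDS access (for psql, TablePlus, etc.)
-# Find your IP: curl ifconfig.me
-allowed_ips = [
-# IP 1,
-# IP 2
-]
+vpc_cidr = "10.0.0.0/16"
+
+# Database Configuration
 database_name = "finishline"
 db_master_username = "postgres"
 
 # RDS Configuration
 rds_instance_class = "db.t4g.medium"
 rds_allocated_storage = 20
-rds_publicly_accessible = false
+rds_publicly_accessible = false # Always false for production
 rds_multi_az = false # Set to true for high availability (costs 2x)
 
 # Elastic Beanstalk Configuration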

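--- a/infrastructure/environments/production/variables.tf
+++ b/infrastructure/environments/production/variables.tf
@@ -28,18 +28,6 @@ variable "vpc_cidr" {
 default = "10.0.0.0/16"
 }
 
-variable "allowed_ips" {
-description = "List of IP addresses (in CIDR notation) allowed to access RDS directly. Leave empty for no direct access."
-type = list(string)
-default = []
-
-# Example:
-# allowed_ips = [
-# "73.123.45.67/32", # Your home IP
-# "52.98.76.54/32" # Your office IP
-# ]
-}
-
 #####################
 # RDS Variables
 #####################
@@ -75,7 +63,7 @@ variable "db_master_username" {
 }
 
 variable "rds_publicly_accessible" {
-description = "Whether RDS should be publicly accessible"
+description = "Whether RDS should be publicly accessible (should always be false for production)"
 type = bool
 default = false
 }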

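--- a/infrastructure/modules/network/main.tf
+++ b/infrastructure/modules/network/main.tf
@@ -191,13 +191,7 @@ resource "aws_security_group" "rds" {
 description = "Security group for RDS database"
 vpc_id = aws_vpc.main.id
 
-ingress {
-description = "PostgreSQL from EB instances"
-from_port = 5432
-to_port = 5432
-protocol = "tcp"
-security_groups = [aws_security_group.eb_instance.id]
-}
+# No inline rules - all rules defined separately below
 
 egress {
 description = "Allow all outbound traffic"
@@ -219,22 +213,20 @@ resource "aws_security_group" "rds" {
 }
 
 #############
-# Security Group Rule - RDS Access from Whitelisted IPs
+# Security Group Rule - RDS Access from EB Instances
 #############
-resource "aws_security_group_rule" "rds_from_whitelisted_ips" {
-count = length(var.allowed_ips) > 0 ? 1 : 0
-
-type = "ingress"
-description = "PostgreSQL from whitelisted IPs"
-from_port = 5432
-to_port = 5432
-protocol = "tcp"
-cidr_blocks = var.allowed_ips
-security_group_id = aws_security_group.rds.id
+resource "aws_security_group_rule" "rds_from_eb" {
+type = "ingress"
+description = "PostgreSQL from EB instances"
+from_port = 5432
+to_port = 5432
+protocol = "tcp"
+source_security_group_id = aws_security_group.eb_instance.id
+security_group_id = aws_security_group.rds.id
 }
 
 #############
-# DB Subnet Group for RDS
+# DB Subnet Group for RDS (Private Subnets)
 #############
 resource "aws_db_subnet_group" "main" {
 name = "${var.project_name}-${var.environment}-db-subnet-group"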
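Review bot: The comment added at new line 194, `# No inline rules - all rules defined separately below`, is not true as written: the `egress { ... }` block at new line 196 is still an inline rule of `aws_security_group.rds`. Keeping that inline egress block while the second hunk adds the standalone `aws_security_group_rule.rds_from_eb` on the same group is the mix the AWS provider documentation warns against, because the inline block and the standalone rule each try to own the group's rule set and can produce perpetual diffs or overwritten rules. I would move egress into its own `aws_security_group_rule` with `type = "egress"` so the comment becomes accurate, carrying over the port, protocol and CIDR values of the inline block (its body runs past the first hunk). The `aws_security_group.rds` resource itself starts before the first hunk.
```hcl
# No inline rules on aws_security_group.rds - ingress and egress are
# standalone aws_security_group_rule resources below
# … unchanged: remainder of aws_security_group.rds, with the inline egress block removed …

resource "aws_security_group_rule" "rds_egress" {
  type              = "egress"
  description       = "Allow all outbound traffic"
  # from_port / to_port / protocol / cidr_blocks: same values as the removed inline egress block (not shown in this hunk)
  security_group_id = aws_security_group.rds.id
}
```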

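--- a/infrastructure/modules/network/outputs.tf
+++ b/infrastructure/modules/network/outputs.tf
@@ -36,7 +36,7 @@ output "rds_security_group_id" {
 }
 
 output "db_subnet_group_name" {
-description = "Name of the DB subnet group"
+description = "Name of the DB subnet group (private subnets)"
 value = aws_db_subnet_group.main.name
 }
 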
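--- a/infrastructure/modules/network/variables.tf
+++ b/infrastructure/modules/network/variables.tf
@@ -20,16 +20,3 @@ variable "vpc_cidr" {
 type = string
 default = "10.0.0.0/16"
 }
-
-variable "allowed_ips" {
-description = "List of IP addresses (in CIDR notation) allowed to access RDS directly"
-type = list(string)
-default = []
-
-validation {
-condition = alltrue([
-for ip in var.allowed_ips : can(regex("^([0-9]{1,3}\\.){3}[0-9]{1,3}/[0-9]{1,2}$", ip))
-])
-error_message = "IPs must be in CIDR notation (e.g., '192.168.1.1/32')"
-}
-}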
