I created postgresql rds in aws with terraform. I'm checking from the aws console, everything seems normal. But I'm trying to connect to database with DBeaver but I can't connect. Likewise, I can't make the ssh connection for the ec2 I created, maybe there is a connection.
The terraform codes I wrote:
# postgres-db/main.tf
resource "aws_db_instance" "default" {
allocated_storage = 20
storage_type = "gp2"
engine = var.engine
engine_version = var.engine-version
instance_class = var.instance-class
db_name = var.db-name
identifier = var.identifier
username = var.username
password = var.password
port = var.port
publicly_accessible = var.publicly-accessible
db_subnet_group_name = var.db-subnet-group-name
parameter_group_name = var.parameter-group-name
vpc_security_group_ids = var.vpc-security-group-ids
apply_immediately = var.apply-immediately
skip_final_snapshot = true
}
module "service-db" {
source = "./postgres-db"
apply-immediately = true
db-name = var.service-db-name
db-subnet-group-name = data.terraform_remote_state.server.outputs.db_subnet_group
identifier = "${var.app-name}-db"
password = var.service-db-password
publicly-accessible = true # TODO: True for now, but should be false
username = var.service-db-username
vpc-security-group-ids = [data.terraform_remote_state.server.outputs.security_group_allow_internal_postgres]
}
resource "aws_security_group" "allow_internal_postgres" {
name = "allow-internal-postgres"
description = "Allow internal Postgres traffic"
vpc_id = aws_vpc.vpc.id
ingress {
from_port = 5432
to_port = 5432
protocol = "tcp"
cidr_blocks = [aws_vpc.vpc.cidr_block, "0.0.0.0/0"] # TODO: Remove public IP
}
}
In the research I did, it was written things like edit the security rules or set it to public, it seems like that anyway.
Security group inbound rules
Public accessible
How can I solve this problem can you please help?
I solved my problem by setting the subnet group to public.
module "service-db" {
source = "./postgres-db"
apply-immediately = true
db-name = var.service-db-name
db-subnet-group-name = data.terraform_remote_state.server.outputs.db_subnet_group_public
identifier = "${var.app-name}-db"
password = var.service-db-password
publicly-accessible = true # TODO: True for now, but should be false
username = var.service-db-username
vpc-security-group-ids = [data.terraform_remote_state.server.outputs.security_group_allow_internal_postgres]
}
resource "aws_db_subnet_group" "private" {
name = "${var.server_name}-db-subnet-group-private"
subnet_ids = aws_subnet.private.*.id
tags = {
Name = "${var.server_name} DB Subnet Group Private"
}
}
resource "aws_db_subnet_group" "public" {
name = "${var.server_name}-db-subnet-group-public"
subnet_ids = aws_subnet.public.*.id
tags = {
Name = "${var.server_name} DB Subnet Group Public"
}
}
Related
Here's my application gateway terraform template:
resource "azurerm_application_gateway" "appgw" {
name = "${var.client_name_prefix}${var.environment_name}${var.location_abr}gw${var.instance}"
resource_group_name = azurerm_resource_group.rg.name
location = var.location
enable_http2 = true
backend_http_settings {
name = "backOfficeAppHttpSetting"
cookie_based_affinity = "Disabled"
port = var.backed_port
protocol = "Http"
probe_name = "nginx-ingress-prob"
request_timeout = var.backend_request_timeout_back_office
pick_host_name_from_backend_address = false
host_name = "local.backoffice.${var.sslcert}"
affinity_cookie_name = "ApplicationGatewayAffinity"
}
http_listener {
name = "backOfficeAppListener"
frontend_ip_configuration_name = local.frontend_ip_configuration_name
frontend_port_name = local.frontend_port_443_name
protocol = "Https"
host_name = "${var.client_name}-${var.environment_name}-admin.${var.sslcert}"
require_sni = true
ssl_certificate_name = var.sslcert
}
http_listener {
name = "frontWebAppListener"
frontend_ip_configuration_name = local.frontend_ip_configuration_name
frontend_port_name = local.frontend_port_443_name
protocol = "Https"
host_name = "${var.client_name}-${var.environment_name}.${var.sslcert}"
require_sni = true
ssl_certificate_name = var.sslcert
}
}
And In key-vault.tf. I want to create to secret in which I want to save the value of first http_listener (HOSTNAME).
BUT, I'm unable to get it. Is there any way to get http_listener.host_name?
I want to know is there any way to get it.
I have tried it but i couldn't get it.
I am able to create a azurerm_postgresql_flexible_server and azurerm_postgresql_flexible_server_database using terraform.
I am not able to create a schema using TF but not able to get much help on documentation.
I also checked https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/postgresql_schema
but that uses a different provider. I am not sure what am I missing here.
This is the TF template which creates the Azure PostgreSQL server and DB -
module "common_modules" {
source = "../modules/Main"
}
provider "azurerm" {
features {}
}
locals {
#Construct Tag Data for Resource
resourceTags = {
environment = var.environment
createdBy = var.createdBy
managedBy = var.managedBy
colorBand = var.colorBand
purpose = var.purpose
lastUpdateOn = formatdate("DD-MM-YYYY hh:mm:ss ZZZ", timestamp())
}
}
resource "azurerm_postgresql_flexible_server" "postgreSQL" {
name = var.postgreSQL
location = var.location
resource_group_name = var.ckeditorResorceGroup
administrator_login = var.postgreSQLAdmin
administrator_password = var.password
sku_name = "B_Standard_B1ms"
version = "13"
storage_mb = 32768
backup_retention_days = 7
geo_redundant_backup_enabled = false
tags = local.resourceTags
}
resource "azurerm_postgresql_flexible_server_database" "postgreSQLDB" {
name = var.postgreSQLDB
server_id = azurerm_postgresql_flexible_server.postgreSQL.id
collation = "en_US.utf8"
charset = "utf8"
}
resource "azurerm_postgresql_flexible_server_firewall_rule" "postgreSQLFirewallRule" {
name = "allow_access_to_azure_services"
server_id = azurerm_postgresql_flexible_server.postgreSQL.id
start_ip_address = "0.0.0.0"
end_ip_address = "0.0.0.0"
}
have a look at https://registry.terraform.io/providers/cyrilgdn/postgresql or https://github.com/cyrilgdn/terraform-provider-postgresql
usable, but you need network connectivity to resolve names (azure private dns zone) and to connect with postgresql flexible server. The terraform code should run in same vnet like flexi server.
I'm trying to spin up an Aurora Postgres Cluster and I can't seem to make it available over the internet. I'm using Terraform to code the infrastructure.
I've created a security group to allow external access and that is attached to the VPC's subnets used by the Cluster. Still, I can't seem to be able to access the endpoints from my local machine.
I can't figured out what I'm missing.
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = ">=3.11.0"
name = "vpc-auroradb-${var.environment}"
cidr = var.vpc_cidr_block
azs = var.availability_zones
private_subnets = var.vpc_private_subnets
public_subnets = var.vpc_public_subnets
database_subnets = var.vpc_database_subnets
enable_nat_gateway = true
enable_dns_hostnames = true
enable_dns_support = true
create_igw = true
create_database_internet_gateway_route = true
create_database_nat_gateway_route = true
create_database_subnet_group = true
create_database_subnet_route_table = true
}
module "aurora_cluster" {
source = "terraform-aws-modules/rds-aurora/aws"
version = ">=6.1.3"
name = "bambi-${var.environment}"
engine = "aurora-postgresql"
engine_version = "12.8"
instance_class = "db.t4g.large"
publicly_accessible = true
instances = {
1 = {
identifier = "bambi-1"
}
2 = {
identifier = "bambi-2"
}
}
autoscaling_enabled = true
autoscaling_min_capacity = 2
autoscaling_max_capacity = 3
vpc_id = module.vpc.vpc_id
db_subnet_group_name = module.vpc.database_subnet_group_name
create_db_subnet_group = false
create_security_group = false
iam_database_authentication_enabled = true
storage_encrypted = true
apply_immediately = true
monitoring_interval = 30
db_parameter_group_name = aws_db_parameter_group.parameter_group.id
db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.parameter_group.id
vpc_security_group_ids = [aws_security_group.sg_public.id]
enabled_cloudwatch_logs_exports = ["postgresql"]
}
resource "aws_security_group" "sg_public" {
vpc_id = module.vpc.vpc_id
ingress {
from_port = 5432
to_port = 5432
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # Allowing traffic in from all sources
}
egress {
from_port = 0 # Allowing any incoming port
to_port = 0 # Allowing any outgoing port
protocol = "-1" # Allowing any outgoing protocol
cidr_blocks = ["0.0.0.0/0"] # Allowing traffic out to all IP addresses
}
}
From the documentation of the used VPC module, in order to have public access for the database, you need the following:
create_database_subnet_group = true
create_database_subnet_route_table = true
create_database_internet_gateway_route = true
enable_dns_hostnames = true
enable_dns_support = true
create_database_nat_gateway_route should not be true. If we take a look at the code for the module on github:
resource "aws_route" "database_internet_gateway" {
count = var.create_vpc && var.create_igw && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && false == var.create_database_nat_gateway_route ? 1 : 0
route_table_id = aws_route_table.database[0].id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.this[0].id
timeouts {
create = "5m"
}
}
We can see that the count for the route for the internet gateway will be 0. This means the route which would allow public internet access is not created for the database subnet.
In the other hand setting create_database_internet_gateway_route to true will block access through the NAT gateway as well, since the route table wont have the correct route.
resource "aws_route" "database_nat_gateway" {
count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && false == var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? var.single_nat_gateway ? 1 : length(var.database_subnets) : 0
route_table_id = element(aws_route_table.database.*.id, count.index)
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = element(aws_nat_gateway.this.*.id, count.index)
timeouts {
create = "5m"
}
}
Essentially you block all the traffic by setting both variables to true.
im trying to create a service for web redirect through the application gateway using terraform.
I would like to authenticate the application gateway sl with the free certified (azurm_app_service_managed_certified) of the azure app service plan, is there an example?
Currently, thinking about the composition as follows. However, azurem_application_gateway is demanding ssl certification, so I don't know how to work.
Please let me know if there's a way to solve the problem in that way or in another way.
The problem with the script below is that if you want to use https in the application gateway, you have to use certificate, and I want to make and use free certificated in the service plan.
resource "azurerm_application_gateway" "app_gateway" {
provider = azurerm.generic
name = "${local.service_name}-app-gateway"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
enable_http2 = true
sku {
name = "Standard_Small"
tier = "Standard" # v1
capacity = 2
}
gateway_ip_configuration {
name = "${local.service_name}-ip-config"
subnet_id = azurerm_subnet.front_subnet.id
}
frontend_port {
name = local.frontend_port_name
port = 80
}
frontend_port {
name = local.backend_port_name
port = 443
}
frontend_ip_configuration {
name = local.frontend_ip_configuration_name
public_ip_address_id = azurerm_public_ip.pub_ip.id
}
backend_address_pool {
name = "${azurerm_virtual_network.vn.name}-beap"
fqdns = [local.host_name]
}
backend_http_settings {
name = local.http_setting_name
cookie_based_affinity = "Disabled"
port = 443
protocol = "Https"
request_timeout = 60
host_name = local.host_name
}
http_listener {
name = "${local.listener_name}-http"
frontend_ip_configuration_name = local.frontend_ip_configuration_name
frontend_port_name = local.frontend_port_name
protocol = "Http"
}
http_listener {
name = "${local.listener_name}-https"
frontend_ip_configuration_name = local.frontend_ip_configuration_name
frontend_port_name = local.backend_port_name
protocol = "Https"
}
request_routing_rule {
name = "${local.request_routing_rule_name}-http"
rule_type = "Basic"
http_listener_name = "${local.listener_name}-http"
backend_address_pool_name = local.backend_address_pool_name
backend_http_settings_name = local.http_setting_name
}
redirect_configuration {
name = local.redirect_configuration_name
redirect_type = "Permanent"
include_path = false
include_query_string = false
target_listener_name = "${local.listener_name}-https"
}
request_routing_rule {
name = "${local.request_routing_rule_name}-https"
rule_type = "Basic"
http_listener_name = "${local.listener_name}-https"
redirect_configuration_name = local.redirect_configuration_name
}
lifecycle {
ignore_changes = [
backend_address_pool,
backend_http_settings,
frontend_port,
http_listener,
request_routing_rule,
ssl_certificate,
redirect_configuration
]
}
}
resource "azurerm_dns_zone" "zone" {
provider = azurerm.generic
for_each = toset(local.dns_zone_names)
name = each.key
resource_group_name = azurerm_resource_group.rg.name
}
resource "azurerm_app_service_plan" "service_plan" {
provider = azurerm.generic
name = "${local.service_name}-service-plan"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
sku {
tier = "Basic"
size = "B1"
}
}
resource "azurerm_app_service" "service" {
provider = azurerm.generic
name = "${local.service_name}-service"
app_service_plan_id = azurerm_app_service_plan.service_plan.id
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
}
resource "azurerm_app_service_custom_hostname_binding" "service_host_bind" {
provider = azurerm.generic
count = length(local.dns_zone_names)
hostname = "${local.dns_zone_names[count.index]}"
app_service_name = azurerm_app_service.service.name
resource_group_name = azurerm_resource_group.rg.name
lifecycle {
ignore_changes = [ssl_state, thumbprint]
}
depends_on = [
azurerm_app_service.service,
azurerm_resource_group.rg
]
}
resource "azurerm_app_service_managed_certificate" "service_manage_cert" {
provider = azurerm.generic
count = length(local.dns_zone_names)
custom_hostname_binding_id = azurerm_app_service_custom_hostname_binding.service_host_bind[count.index].id
}
resource "azurerm_app_service_certificate_binding" "service_certi_bind" {
provider = azurerm.generic
count = length(local.dns_zone_names)
hostname_binding_id = azurerm_app_service_custom_hostname_binding.service_host_bind[count.index].id
certificate_id = azurerm_app_service_managed_certificate.service_manage_cert[count.index].id
ssl_state = "SniEnabled"
}
i want a service that simply directs to another website through dns using terraform, and if there is any other way, please let us know. (include http to https)
To protect and prevent website abuse, we would like to redirect multiple domains to one website.
ex : (adomain.net -> www.target.com, adomain.tv -> www.target.com, bdomain.net -> www.target.com)
Fist of all there is no support for app services managed certificate with application gateway as of now.
Yes, you can do redirection from multiple domains to one domain using system.webserver rewrite rule either inside app services web.config file or application gateway rewrite rule.
I have a Terraform config that I want to use to create VMs from a Vsphere template (Redhat 7) but I need to be able to specify the network interface to apply the customizations (static IP, Subnet, Gateway, DNS).
provider "vsphere" {
user = "${var.vsphere_user}"
password = "${var.vsphere_password}"
vsphere_server = "${var.vsphere_server}"
allow_unverified_ssl = true
}
resource "vsphere_virtual_machine" "vm1" {
name = "vm1"
folder = "${var.vsphere_folder}"
vcpu = 2
memory = 32768
datacenter = "dc1"
cluster = "cluster1"
skip_customization = false
disk {
template = "${var.vsphere_folder}/${var.template_redhat}"
datastore = "${var.template_datastore}"
type = "thin"
}
network_interface {
label = "${var.vlan}"
ipv4_address = "10.1.1.1"
ipv4_prefix_length = 16
ipv4_gateway = "10.1.1.254"
}
dns_servers = ["10.1.1.254"]
time_zone = "004"
}
I want to apply the static IP to bond0 instead of eth0, is this possible to do in Terraform?
Thanks.