From 6dfc1cbe7e75063a9e29e8e5f0ff24d8733090d7 Mon Sep 17 00:00:00 2001
From: Morris Mukiri
Date: Fri, 9 Jul 2021 12:15:40 +0300
Subject: [PATCH] remove kms_key_id for unencrypted storage

- remove kms key id when storage encryption is disabled
- add provision to specify (optional) extra security groups

Signed-off-by: Morris Mukiri
---
 storage.tf | 6 +++---
 variables.tf | 6 ++++++
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/storage.tf b/storage.tf
index d03baba..bf18f8b 100644
--- a/storage.tf
+++ b/storage.tf
@@ -18,8 +18,8 @@ resource "aws_db_instance" "blank-database" {
 port = var.postgresql_port
 copy_tags_to_snapshot = var.postgresql_copy_tags_to_snapshot
 storage_encrypted = var.postgresql_storage_encrypted
- kms_key_id = aws_kms_key.main.arn
- vpc_security_group_ids = [aws_security_group.firewall_rule.id]
+ kms_key_id = var.postgresql_storage_encrypted? aws_kms_key.main.arn: null
+ vpc_security_group_ids = distinct(concat([aws_security_group.firewall_rule.id],var.extra_security_groups))
 final_snapshot_identifier = var.postgresql_name
 backup_retention_period = var.postgresql_backup_retention_period
 backup_window = var.postgresql_backup_window
@@ -50,7 +50,7 @@ resource "aws_db_instance" "from-snapshot" {
 multi_az = var.postgresql_multi_az
 port = var.postgresql_port
 storage_encrypted = var.postgresql_storage_encrypted
- kms_key_id = aws_kms_key.main.arn
+ kms_key_id = var.postgresql_storage_encrypted? aws_kms_key.main.arn: null
 vpc_security_group_ids = [aws_security_group.firewall_rule.id]
 snapshot_identifier = var.postgresql_source_snapshot_identifier
 skip_final_snapshot = true
diff --git a/variables.tf b/variables.tf
index ffeb647..607936c 100644
--- a/variables.tf
+++ b/variables.tf
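Review bot: The new `vpc_security_group_ids` value in `blank-database` attaches whatever IDs the caller puts in `var.extra_security_groups` next to the module-managed `firewall_rule`, so every inbound rule on those groups becomes a network path to the database, and nothing in this hunk checks or documents them. A one-line comment above that attribute would make the trade-off visible to the next maintainer: `# extra_security_groups are attached as-is; their inbound rules widen access beyond firewall_rule`. Style: the conditional is written `var.postgresql_storage_encrypted? aws_kms_key.main.arn: null`, whereas `terraform fmt` spaces it as `var.postgresql_storage_encrypted ? aws_kms_key.main.arn : null`. The `aws_kms_key.main` resource is defined outside this hunk; presumably it is still created when encryption is off, which is worth confirming so an unused key is not provisioned. The resource body continues beyond the hunk.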
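Review bot: `from-snapshot` keeps `vpc_security_group_ids = [aws_security_group.firewall_rule.id]`, so `var.extra_security_groups` (described in variables.tf as applying to "the RDS instance") only takes effect for `blank-database`; a caller restoring from a snapshot silently gets a database their extra groups cannot reach. Mirror the other resource: `vpc_security_group_ids = distinct(concat([aws_security_group.firewall_rule.id], var.extra_security_groups))`. Setting `kms_key_id = null` while `postgresql_storage_encrypted` is false may also conflict with an encrypted source snapshot — presumably AWS rejects that combination rather than producing an unencrypted copy, but a comment stating which snapshot/encryption combinations the module supports would help. The resource body continues outside the hunk.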
@@ -214,3 +214,9 @@ variable "postgresql_parameters" {
 default = {}
 description = "The map of DB parameters and their values"
 }
+
+variable "extra_security_groups"{
+ type = list(string)
+ description = "Extra security groups to add to the RDS instance"
+ default = []
+}
\ No newline at end of file
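Review bot: The new `extra_security_groups` variable has no validation and its description does not say what attaching a group implies; since these IDs end up in `vpc_security_group_ids` on the database in storage.tf, each group's inbound rules grant network access to the DB. Suggest tightening the description to `description = "Additional security group IDs attached to the RDS instance; their inbound rules grant network access to the database."` and adding a `validation` block so a malformed ID fails at plan time rather than at apply (`alltrue` needs Terraform ≥ 0.14; on 0.13 an equivalent `length([for ... if !can(...)]) == 0` works). The diff also drops the file's trailing newline (`\ No newline at end of file`); `terraform fmt` will restore it along with the missing space before `{`.
```hcl
variable "extra_security_groups" {
  type        = list(string)
  description = "Additional security group IDs attached to the RDS instance; their inbound rules grant network access to the database."
  default     = []

  validation {
    condition     = alltrue([for sg in var.extra_security_groups : can(regex("^sg-[0-9a-f]{8,17}$", sg))])
    error_message = "Each entry in extra_security_groups must be a security group ID (sg-...)."
  }
}
```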