Merge pull request #196 from openaddresses/rds-vpc

VPC RDS Instance
openaddresses · Sep 16, 2021 · 0dbe5ad · 0dbe5ad
2 parents 90c6f13 + 35fcdf7
commit 0dbe5ad
Show file tree

Hide file tree

Showing 7 changed files with 57 additions and 21 deletions.
diff --git a/cloudformation/batch.template.js b/cloudformation/batch.template.js
@@ -1,10 +1,11 @@
 'use strict';
 
 const cf = require('@mapbox/cloudfriend');
-const api = require('./api');
-const batch = require('./batch');
-const db = require('./db');
-const schedule = require('./schedule');
+const api = require('./lib/api');
+const batch = require('./lib/batch');
+const db = require('./lib/db');
+const schedule = require('./lib/schedule');
+const kms = require('./lib/kms');
 const alarms = require('batch-alarms');
 
 const stack = {
@@ -39,6 +40,7 @@ module.exports = cf.merge(
     stack,
     db,
     api,
+    kms,
     batch,
     alarms({
         prefix: 'Batch',

diff --git a/cloudformation/api.js → cloudformation/lib/api.js b/cloudformation/api.js → cloudformation/lib/api.js
@@ -223,7 +223,7 @@ const stack = {
                         { Name: 'MAPBOX_TOKEN', Value: cf.ref('MapboxToken') },
                         { Name: 'MAILGUN_API_KEY', Value: cf.ref('MailGun') },
                         { Name: 'OPENCOLLECTIVE_API_KEY', Value: cf.ref('OpenCollective') },
-                        { Name: 'POSTGRES', Value: cf.join(['postgresql://openaddresses:', cf.ref('DatabasePassword'), '@', cf.getAtt('DBInstance', 'Endpoint.Address'), ':5432/openaddresses']) },
+                        { Name: 'POSTGRES', Value: cf.join(['postgresql://openaddresses:', cf.ref('DatabasePassword'), '@', cf.getAtt('DBInstanceVPC', 'Endpoint.Address'), ':5432/openaddresses']) },
                         { Name: 'SharedSecret', Value: cf.ref('SharedSecret') },
                         { Name: 'GithubSecret', Value: cf.ref('GithubSecret') },
                         { Name: 'Bucket', Value: cf.ref('Bucket') },

diff --git a/cloudformation/batch.js → cloudformation/lib/batch.js b/cloudformation/batch.js → cloudformation/lib/batch.js
diff --git a/cloudformation/db.js → cloudformation/lib/db.js b/cloudformation/db.js → cloudformation/lib/db.js
@@ -18,24 +18,41 @@ const stack = {
         }
     },
     Resources: {
-        DBInstance: {
+        DBInstanceVPC: {
             Type: 'AWS::RDS::DBInstance',
             Properties: {
                 Engine: 'postgres',
                 DBName: 'openaddresses',
+                DBInstanceIdentifier: cf.stackName,
+                KmsKeyId: cf.ref('OAKMS'),
                 EngineVersion: '13.3',
                 MasterUsername: 'openaddresses',
                 MasterUserPassword: cf.ref('DatabasePassword'),
                 AllocatedStorage: 10,
                 MaxAllocatedStorage: 100,
                 BackupRetentionPeriod: 10,
                 StorageType: 'gp2',
+                StorageEncrypted: true,
                 DBInstanceClass: cf.ref('DatabaseType'),
-                DBSecurityGroups: [cf.ref('DBSecurityGroup')],
+                VPCSecurityGroups: [cf.ref('DBVPCSecurityGroup')],
                 DBSubnetGroupName: cf.ref('DBSubnet'),
                 PubliclyAccessible: true
             }
         },
+        DBVPCSecurityGroup: {
+            Type: 'AWS::EC2::SecurityGroup',
+            Properties: {
+                GroupDescription: cf.join('-', [cf.stackName, 'rds-sg']),
+                VpcId: 'vpc-3f2aa15a',
+                SecurityGroupIngress: [{
+                    IpProtocol: '-1',
+                    SourceSecurityGroupId: cf.getAtt('APIServiceSecurityGroup', 'GroupId')
+                },{
+                    IpProtocol: '-1',
+                    CidrIp: '0.0.0.0/0'
+                }]
+            }
+        },
         DBSubnet: {
             Type: 'AWS::RDS::DBSubnetGroup',
             Properties: {
@@ -50,19 +67,6 @@ const stack = {
                 ]
             }
         },
-        DBSecurityGroup: {
-            Type: 'AWS::RDS::DBSecurityGroup',
-            Properties: {
-                GroupDescription: cf.join('-', [cf.stackName, 'rds-sg']),
-                EC2VpcId: 'vpc-3f2aa15a',
-                DBSecurityGroupIngress: [{
-                    EC2SecurityGroupId: cf.getAtt('APIServiceSecurityGroup', 'GroupId')
-                },{
-                    CIDRIP: '0.0.0.0/0'
-                }]
-            }
-        }
-
     },
     Outputs: {
         DB: {
@@ -72,7 +76,7 @@ const stack = {
                 ':',
                 cf.ref('DatabasePassword'),
                 '@',
-                cf.getAtt('DBInstance', 'Endpoint.Address'),
+                cf.getAtt('DBInstanceVPC', 'Endpoint.Address'),
                 ':5432/openaddresses'
             ])
         }

diff --git a/cloudformation/lib/kms.js b/cloudformation/lib/kms.js
@@ -0,0 +1,29 @@
+'use strict';
+
+const cf = require('@mapbox/cloudfriend');
+
+const stack = {
+    Resources: {
+        OAKMS: {
+            Type : 'AWS::KMS::Key',
+            Properties: {
+                Description: cf.stackName,
+                Enabled: true,
+                EnableKeyRotation: false,
+                KeyPolicy: {
+                    Id: cf.stackName,
+                    Statement: [{
+                        Effect: 'Allow',
+                        Principal: {
+                            AWS: cf.join(['arn:aws:iam::', cf.accountId, ':root']),
+                        },
+                        Action: ['kms:*'],
+                        Resource: '*'
+                    }]
+                }
+            }
+        }
+    }
+};
+
+module.exports = stack;
diff --git a/cloudformation/schedule.js → cloudformation/lib/schedule.js b/cloudformation/schedule.js → cloudformation/lib/schedule.js
diff --git a/cloudformation/task.template.js b/cloudformation/task.template.js
@@ -1,6 +1,7 @@
 'use strict';
 
 const cf = require('@mapbox/cloudfriend');
+
 const stack = {
     AWSTemplateFormatVersion: '2010-09-09',
     Description: 'OpenAddresses Batch T3 Compute Environment',