Resource Packs

Cloud

Example

Flavor

Feature

Postgres

Example: postgres resource based on AWS RDS

Configuration

This example configures a postgres Resource Definition using AWS RDS. A workload using the postgres resource to create database instance looks like:

resources:
  ...
  db:
    type: postgres

Infrastructure setup

graph TD;
  subgraph VPC
    database["Postgres AWS RDS instance"]
    subgraph EKS Cluster
      pod[workload pod]
    end
    database -- security group --> pod
  end

Orchestrator setup

graph LR;
  workload_1 --> db_1["db_1, resource_type: postgres"]
  workload_2 --> db_2["db_2, resource_type: postgres"]
  workload_2 --> shared.db_1["shared.db_1, resource_type: postgres"]
  workload_3 --> shared.db_1["shared.db_1, resource_type: postgres"]

Terraform docs

Requirements

Name Version
terraform >= 1.3.0
aws ~> 5.0
humanitec ~> 1.0
random ~> 3.5

Providers

Name Version
aws ~> 5.0
humanitec ~> 1.0
random ~> 3.5

Modules

Name Source Version
postgres ../../../humanitec-resource-defs/postgres/basic n/a

Resources

Name Type
aws_iam_role.humanitec_provisioner resource
aws_iam_role_policy_attachment.humanitec_provisioner resource
aws_security_group.postgres resource
aws_vpc_security_group_ingress_rule.k8s_node_postgres resource
humanitec_application.app resource
humanitec_resource_account.humanitec_provisioner resource
humanitec_resource_definition_criteria.postgres resource
random_password.external_id resource
aws_iam_policy_document.instance_assume_role_policy data source

Inputs

Name Description Type Default Required
k8s_node_security_group_id AWS Security Group ID of the kubernetes nodes to allow access to the AWS RDS cluster string n/a yes
region AWS Region to create resources string n/a yes
subnet_ids AWS Subnet IDs to use for the AWS RDS cluster set(string) n/a yes
vpc_id AWS VPC ID string n/a yes
name Name of the example application string "hum-rp-postgres-example" no
prefix Prefix of the created resources string "hum-rp-postgres-ex-" no
resource_packs_aws_rev AWS Resource Pack git branch string "refs/heads/main" no
resource_packs_aws_url AWS Resource Pack git url string "https://github.com/humanitec-architecture/resource-packs-aws.git" no

main.tf (view on GitHub) :

# AWS IAM role used by Humanitec to provision resources

locals {
  admin_policy_arn   = "arn:aws:iam::aws:policy/AdministratorAccess"
  humanitec_user_arn = "arn:aws:iam::767398028804:user/humanitec"
}

resource "random_password" "external_id" {
  length  = 16
  special = false
}

data "aws_iam_policy_document" "instance_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [local.humanitec_user_arn]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [random_password.external_id.result]
    }
  }
}

resource "aws_iam_role" "humanitec_provisioner" {
  name = var.name

  assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json
}

resource "aws_iam_role_policy_attachment" "humanitec_provisioner" {
  role       = aws_iam_role.humanitec_provisioner.name
  policy_arn = local.admin_policy_arn
}

resource "humanitec_resource_account" "humanitec_provisioner" {
  id   = var.name
  name = var.name
  type = "aws-role"
  credentials = jsonencode({
    aws_role    = aws_iam_role.humanitec_provisioner.arn
    external_id = random_password.external_id.result
  })

  depends_on = [
    # Otherwise the account looses permissions before the resources are deleted
    aws_iam_role_policy_attachment.humanitec_provisioner
  ]
}

# Example application and resource definition criteria

resource "humanitec_application" "app" {
  id   = var.name
  name = var.name
}

module "postgres" {
  source = "github.com/humanitec-architecture/resource-packs-aws?ref=v2024-06-14//humanitec-resource-defs/postgres/basic"

  resource_packs_aws_url = var.resource_packs_aws_url
  resource_packs_aws_rev = var.resource_packs_aws_rev
  append_logs_to_error   = true
  driver_account         = humanitec_resource_account.humanitec_provisioner.id

  region = var.region

  prefix        = var.prefix
  name          = var.name
  database_name = "my_database"
  username      = "username"
  password      = "password"

  create_db_subnet_group = true
  subnet_ids             = var.subnet_ids

  vpc_security_group_ids = [aws_security_group.postgres.id]
}

resource "humanitec_resource_definition_criteria" "postgres" {
  resource_definition_id = module.postgres.id
  app_id                 = humanitec_application.app.id

  force_delete = true
}

resource "aws_security_group" "postgres" {
  name        = "postgres"
  description = "postgres"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "k8s_node_postgres" {
  security_group_id = aws_security_group.postgres.id

  referenced_security_group_id = var.k8s_node_security_group_id
  from_port                    = 5432
  ip_protocol                  = "tcp"
  to_port                      = 5432
}


providers.tf (view on GitHub) :

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    humanitec = {
      source  = "humanitec/humanitec"
      version = "~> 1.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.5"
    }
  }

  required_version = ">= 1.3.0"
}

provider "aws" {
  default_tags {
    tags = {
      "managed_by" = "terraform"
      "source"     = "github.com/humanitec-architecture/resource-pack-aws"
    }
  }
}

provider "humanitec" {}

provider "random" {}


terraform.tfvars.example (view on GitHub) :


# AWS Security Group ID of the kubernetes nodes to allow access to the AWS RDS cluster
k8s_node_security_group_id = ""

# Name of the example application
name = "hum-rp-postgres-example"

# Prefix of the created resources
prefix = "hum-rp-postgres-ex-"

# AWS Region to create resources
region = ""

# AWS Resource Pack git branch
resource_packs_aws_rev = "refs/tags/v2024-06-14"

# AWS Resource Pack git url
resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"

# AWS Subnet IDs to use for the AWS RDS cluster
subnet_ids = ""

# AWS VPC ID
vpc_id = ""

variables.tf (view on GitHub) :

variable "region" {
  type        = string
  description = "AWS Region to create resources"
}

variable "resource_packs_aws_url" {
  description = "AWS Resource Pack git url"
  type        = string
  default     = "https://github.com/humanitec-architecture/resource-packs-aws.git"
}

variable "resource_packs_aws_rev" {
  description = "AWS Resource Pack git branch"
  type        = string
  default     = "refs/tags/v2024-06-14"
}

variable "vpc_id" {
  description = "AWS VPC ID"
  type        = string
}

variable "subnet_ids" {
  description = "AWS Subnet IDs to use for the AWS RDS cluster"
  type        = set(string)
}

variable "k8s_node_security_group_id" {
  description = "AWS Security Group ID of the kubernetes nodes to allow access to the AWS RDS cluster"
  type        = string
}

variable "name" {
  description = "Name of the example application"
  type        = string
  default     = "hum-rp-postgres-example"
}

variable "prefix" {
  description = "Prefix of the created resources"
  type        = string
  default     = "hum-rp-postgres-ex-"
}

Top