Postgres
Example: postgres resource based on AWS RDS
Configuration
This example configures a postgres Resource Definition using AWS RDS. A workload using the postgres
resource to create database instance looks like:
resources:
...
db:
type: postgres
Infrastructure setup
graph TD;
subgraph VPC
database["Postgres AWS RDS instance"]
subgraph EKS Cluster
pod[workload pod]
end
database -- security group --> pod
end
Orchestrator setup
graph LR;
workload_1 --> db_1["db_1, resource_type: postgres"]
workload_2 --> db_2["db_2, resource_type: postgres"]
workload_2 --> shared.db_1["shared.db_1, resource_type: postgres"]
workload_3 --> shared.db_1["shared.db_1, resource_type: postgres"]
Terraform docs
Requirements
Name | Version |
---|---|
terraform | >= 1.3.0 |
aws | ~> 5.0 |
humanitec | ~> 1.0 |
random | ~> 3.5 |
Providers
Name | Version |
---|---|
aws | ~> 5.0 |
humanitec | ~> 1.0 |
random | ~> 3.5 |
Modules
Name | Source | Version |
---|---|---|
postgres | ../../../humanitec-resource-defs/postgres/basic | n/a |
Resources
Name | Type |
---|---|
aws_iam_role.humanitec_provisioner | resource |
aws_iam_role_policy_attachment.humanitec_provisioner | resource |
aws_security_group.postgres | resource |
aws_vpc_security_group_ingress_rule.k8s_node_postgres | resource |
humanitec_application.app | resource |
humanitec_resource_account.humanitec_provisioner | resource |
humanitec_resource_definition_criteria.postgres | resource |
random_password.external_id | resource |
aws_iam_policy_document.instance_assume_role_policy | data source |
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
k8s_node_security_group_id | AWS Security Group ID of the kubernetes nodes to allow access to the AWS RDS cluster | string |
n/a | yes |
region | AWS Region to create resources | string |
n/a | yes |
subnet_ids | AWS Subnet IDs to use for the AWS RDS cluster | set(string) |
n/a | yes |
vpc_id | AWS VPC ID | string |
n/a | yes |
name | Name of the example application | string |
"hum-rp-postgres-example" |
no |
prefix | Prefix of the created resources | string |
"hum-rp-postgres-ex-" |
no |
resource_packs_aws_rev | AWS Resource Pack git branch | string |
"refs/heads/main" |
no |
resource_packs_aws_url | AWS Resource Pack git url | string |
"https://github.com/humanitec-architecture/resource-packs-aws.git" |
no |
main.tf
(view on GitHub)
:
# AWS IAM role used by Humanitec to provision resources
locals {
admin_policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
humanitec_user_arn = "arn:aws:iam::767398028804:user/humanitec"
}
resource "random_password" "external_id" {
length = 16
special = false
}
data "aws_iam_policy_document" "instance_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "AWS"
identifiers = [local.humanitec_user_arn]
}
condition {
test = "StringEquals"
variable = "sts:ExternalId"
values = [random_password.external_id.result]
}
}
}
resource "aws_iam_role" "humanitec_provisioner" {
name = var.name
assume_role_policy = data.aws_iam_policy_document.instance_assume_role_policy.json
}
resource "aws_iam_role_policy_attachment" "humanitec_provisioner" {
role = aws_iam_role.humanitec_provisioner.name
policy_arn = local.admin_policy_arn
}
resource "humanitec_resource_account" "humanitec_provisioner" {
id = var.name
name = var.name
type = "aws-role"
credentials = jsonencode({
aws_role = aws_iam_role.humanitec_provisioner.arn
external_id = random_password.external_id.result
})
depends_on = [
# Otherwise the account looses permissions before the resources are deleted
aws_iam_role_policy_attachment.humanitec_provisioner
]
}
# Example application and resource definition criteria
resource "humanitec_application" "app" {
id = var.name
name = var.name
}
module "postgres" {
source = "github.com/humanitec-architecture/resource-packs-aws?ref=v2024-06-14//humanitec-resource-defs/postgres/basic"
resource_packs_aws_url = var.resource_packs_aws_url
resource_packs_aws_rev = var.resource_packs_aws_rev
append_logs_to_error = true
driver_account = humanitec_resource_account.humanitec_provisioner.id
region = var.region
prefix = var.prefix
name = var.name
database_name = "my_database"
username = "username"
password = "password"
create_db_subnet_group = true
subnet_ids = var.subnet_ids
vpc_security_group_ids = [aws_security_group.postgres.id]
}
resource "humanitec_resource_definition_criteria" "postgres" {
resource_definition_id = module.postgres.id
app_id = humanitec_application.app.id
force_delete = true
}
resource "aws_security_group" "postgres" {
name = "postgres"
description = "postgres"
vpc_id = var.vpc_id
}
resource "aws_vpc_security_group_ingress_rule" "k8s_node_postgres" {
security_group_id = aws_security_group.postgres.id
referenced_security_group_id = var.k8s_node_security_group_id
from_port = 5432
ip_protocol = "tcp"
to_port = 5432
}
providers.tf
(view on GitHub)
:
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
humanitec = {
source = "humanitec/humanitec"
version = "~> 1.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.5"
}
}
required_version = ">= 1.3.0"
}
provider "aws" {
default_tags {
tags = {
"managed_by" = "terraform"
"source" = "github.com/humanitec-architecture/resource-pack-aws"
}
}
}
provider "humanitec" {}
provider "random" {}
terraform.tfvars.example
(view on GitHub)
:
# AWS Security Group ID of the kubernetes nodes to allow access to the AWS RDS cluster
k8s_node_security_group_id = ""
# Name of the example application
name = "hum-rp-postgres-example"
# Prefix of the created resources
prefix = "hum-rp-postgres-ex-"
# AWS Region to create resources
region = ""
# AWS Resource Pack git branch
resource_packs_aws_rev = "refs/tags/v2024-06-14"
# AWS Resource Pack git url
resource_packs_aws_url = "https://github.com/humanitec-architecture/resource-packs-aws.git"
# AWS Subnet IDs to use for the AWS RDS cluster
subnet_ids = ""
# AWS VPC ID
vpc_id = ""
variables.tf
(view on GitHub)
:
variable "region" {
type = string
description = "AWS Region to create resources"
}
variable "resource_packs_aws_url" {
description = "AWS Resource Pack git url"
type = string
default = "https://github.com/humanitec-architecture/resource-packs-aws.git"
}
variable "resource_packs_aws_rev" {
description = "AWS Resource Pack git branch"
type = string
default = "refs/tags/v2024-06-14"
}
variable "vpc_id" {
description = "AWS VPC ID"
type = string
}
variable "subnet_ids" {
description = "AWS Subnet IDs to use for the AWS RDS cluster"
type = set(string)
}
variable "k8s_node_security_group_id" {
description = "AWS Security Group ID of the kubernetes nodes to allow access to the AWS RDS cluster"
type = string
}
variable "name" {
description = "Name of the example application"
type = string
default = "hum-rp-postgres-example"
}
variable "prefix" {
description = "Prefix of the created resources"
type = string
default = "hum-rp-postgres-ex-"
}