
Commit 4402cb8

Merge pull request #10 from ankur6405/secret-manager
Added option to upload output to secret manager
2 parents b6048e5 + 2990613 commit 4402cb8


9 files changed

+141
-61
lines changed


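--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ This module allows you to easily deploy a MySQL database on Kubernetes using Hel
 
 | MysqlDB Helm Chart Version | K8s supported version |
 | :-----: | :--- |
-| **9.2.0** | **1.23,1.24,1.25** |
+| **9.2.0** | **1.23,1.24,1.25,1.26,1.27** |
 
 
 ## Usage Example
@@ -21,15 +21,27 @@ module "mysql" {
 source = "squareops/mysql/kubernetes"
 cluster_name = "dev-cluster"
 mysqldb_config = {
-name = "mysql"
-values_yaml = ""
-environment = "prod"
-architecture = "replication"
-storage_class_name = "gp3"
-custom_user_username = "admin"
-primary_db_volume_size = "10Gi"
-secondary_db_volume_size = "10Gi"
-secondary_db_replica_count = 2
+name = "mysql"
+values_yaml = ""
+environment = "prod"
+architecture = "replication"
+storage_class_name = "gp3"
+custom_user_username = "admin"
+primary_db_volume_size = "10Gi"
+secondary_db_volume_size = "10Gi"
+secondary_db_replica_count = 2
+store_password_to_secret_manager = true
+}
+mysqldb_custom_credentials_enabled = true
+mysqldb_custom_credentials_config = {
+root_user = "root"
+root_password = "RJDRIFsYC8ZS1WQuV0ps"
+custom_username = "admin"
+custom_user_password = "NCPFUKEMd7rrWuvMAa73"
+replication_user = "replicator"
+replication_password = "nvAHhm1uGQNYWVw6ZyAH"
+exporter_user = "mysqld_exporter"
+exporter_password = "ZawhvpueAehRdKFlbjaq"
 }
 mysqldb_backup_enabled = true
 mysqldb_backup_config = {
@@ -60,7 +72,7 @@ The required IAM permissions to create resources from this module can be found [
 5. To deploy Prometheus/Grafana, please follow the installation instructions for each tool in their respective documentation.
 6. Once Prometheus and Grafana are deployed, the exporter can be configured to scrape metrics data from your application or system and send it to Prometheus.
 7. Finally, you can use Grafana to create custom dashboards and visualize the metrics data collected by Prometheus.
-8. This module is compatible with EKS version 1.23, which is great news for users deploying the module on an EKS cluster running that version. Review the module's documentation, meet specific configuration requirements, and test thoroughly after deployment to ensure everything works as expected.
+8. This module is compatible with EKS version 1.23,1.24,1.25,1.26 and 1.27, which is great news for users deploying the module on an EKS cluster running that version. Review the module's documentation, meet specific configuration requirements, and test thoroughly after deployment to ensure everything works as expected.
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
@@ -108,7 +120,9 @@ No modules.
 | <a name="input_create_namespace"></a> [create\_namespace](#input\_create\_namespace) | Specify whether or not to create the namespace if it does not already exist. Set it to true to create the namespace. | `string` | `true` | no |
 | <a name="input_mysqldb_backup_config"></a> [mysqldb\_backup\_config](#input\_mysqldb\_backup\_config) | configuration options for MySQL database backups. It includes properties such as the S3 bucket URI, the S3 bucket region, and the cron expression for full backups. | `any` | <pre>{<br> "cron_for_full_backup": "",<br> "s3_bucket_region": "",<br> "s3_bucket_uri": ""<br>}</pre> | no |
 | <a name="input_mysqldb_backup_enabled"></a> [mysqldb\_backup\_enabled](#input\_mysqldb\_backup\_enabled) | Specifies whether to enable backups for MySQL database. | `bool` | `false` | no |
-| <a name="input_mysqldb_config"></a> [mysqldb\_config](#input\_mysqldb\_config) | Specify the configuration settings for MySQL, including the name, environment, storage options, replication settings, and custom YAML values. | `any` | <pre>{<br> "architecture": "",<br> "custom_user_username": "",<br> "environment": "",<br> "name": "",<br> "primary_db_volume_size": "",<br> "secondary_db_replica_count": 1,<br> "secondary_db_volume_size": "",<br> "storage_class_name": "",<br> "values_yaml": ""<br>}</pre> | no |
+| <a name="input_mysqldb_config"></a> [mysqldb\_config](#input\_mysqldb\_config) | Specify the configuration settings for MySQL, including the name, environment, storage options, replication settings, and custom YAML values. | `any` | <pre>{<br> "architecture": "",<br> "custom_user_username": "",<br> "environment": "",<br> "name": "",<br> "primary_db_volume_size": "",<br> "secondary_db_replica_count": 1,<br> "secondary_db_volume_size": "",<br> "storage_class_name": "",<br> "store_password_to_secret_manager": true,<br> "values_yaml": ""<br>}</pre> | no |
+| <a name="input_mysqldb_custom_credentials_config"></a> [mysqldb\_custom\_credentials\_config](#input\_mysqldb\_custom\_credentials\_config) | Specify the configuration settings for MySQL to pass custom credentials during creation | `any` | <pre>{<br> "custom_user_password": "",<br> "custom_username": "",<br> "exporter_password": "",<br> "exporter_user": "",<br> "replication_password": "",<br> "replication_user": "",<br> "root_password": "",<br> "root_user": ""<br>}</pre> | no |
+| <a name="input_mysqldb_custom_credentials_enabled"></a> [mysqldb\_custom\_credentials\_enabled](#input\_mysqldb\_custom\_credentials\_enabled) | Specifies whether to enable custom for MySQL database. | `bool` | `false` | no |
 | <a name="input_mysqldb_exporter_enabled"></a> [mysqldb\_exporter\_enabled](#input\_mysqldb\_exporter\_enabled) | Specify whether or not to deploy Mysql exporter to collect Mysql metrics for monitoring in Grafana. | `bool` | `false` | no |
 | <a name="input_mysqldb_restore_config"></a> [mysqldb\_restore\_config](#input\_mysqldb\_restore\_config) | Configuration options for restoring dump to the MySQL database. | `any` | <pre>{<br> "s3_bucket_region": "",<br> "s3_bucket_uri": ""<br>}</pre> | no |
 | <a name="input_mysqldb_restore_enabled"></a> [mysqldb\_restore\_enabled](#input\_mysqldb\_restore\_enabled) | Specifies whether to enable restoring dump to the MySQL database. | `bool` | `false` | no |
@@ -119,7 +133,8 @@ No modules.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_mysqldb"></a> [mysqldb](#output\_mysqldb) | Mysql\_Info |
+| <a name="output_mysqldb_credential"></a> [mysqldb\_credential](#output\_mysqldb\_credential) | MySQL credentials used for accessing the MySQL database. |
+| <a name="output_mysqldb_endpoints"></a> [mysqldb\_endpoints](#output\_mysqldb\_endpoints) | MySQL endpoints in the Kubernetes cluster. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Contribution & Issue Reporting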

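--- a/backup/templates/cronjob.yaml
+++ b/backup/templates/cronjob.yaml
@@ -40,4 +40,3 @@ spec:
 secretKeyRef:
 name: aws-mysql
 key: AWS_DEFAULT_REGION
-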
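--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -38,5 +38,6 @@ No inputs.
 
 | Name | Description |
 |------|-------------|
-| <a name="output_mysql_configuration"></a> [mysql\_configuration](#output\_mysql\_configuration) | Mysql\_Info |
+| <a name="output_mysql_credential"></a> [mysql\_credential](#output\_mysql\_credential) | MySQL credentials used for accessing the MySQL database. |
+| <a name="output_mysql_endpoints"></a> [mysql\_endpoints](#output\_mysql\_endpoints) | MySQL endpoints in the Kubernetes cluster. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->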

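--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -7,21 +7,34 @@ locals {
 Expires = "Never"
 Department = "Engineering"
 }
+store_password_to_secret_manager = true
 }
 
 module "mysql" {
 source = "squareops/mysql/kubernetes"
 cluster_name = ""
 mysqldb_config = {
-name = local.name
-values_yaml = file("./helm/values.yaml")
-environment = local.environment
-architecture = "replication"
-storage_class_name = "gp3"
-custom_user_username = "admin"
-primary_db_volume_size = "10Gi"
-secondary_db_volume_size = "10Gi"
-secondary_db_replica_count = 2
+name = local.name
+values_yaml = file("./helm/values.yaml")
+environment = local.environment
+architecture = "replication"
+storage_class_name = "gp3"
+custom_user_username = "admin"
+primary_db_volume_size = "10Gi"
+secondary_db_volume_size = "10Gi"
+secondary_db_replica_count = 2
+store_password_to_secret_manager = local.store_password_to_secret_manager
+}
+mysqldb_custom_credentials_enabled = true
+mysqldb_custom_credentials_config = {
+root_user = "root"
+root_password = "RJDRIFsYC8ZS1WQuV0ps"
+custom_username = "admin"
+custom_user_password = "NCPFUKEMd7rrWuvMAa73"
+replication_user = "replicator"
+replication_password = "nvAHhm1uGQNYWVw6ZyAH"
+exporter_user = "mysqld_exporter"
+exporter_password = "ZawhvpueAehRdKFlbjaq"
 }
 mysqldb_backup_enabled = true
 mysqldb_backup_config = {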
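Review bot: The `mysqldb_custom_credentials_config` block at new lines 30–37 commits four literal passwords into a file that users are expected to copy, and because `store_password_to_secret_manager = true` on new line 10, running the example as-is also writes those same strings into AWS Secrets Manager and into Terraform state. Anything that has been in git history should be treated as compromised, so the example should take the values from `sensitive = true` input variables or an existing secret instead of showing literals, e.g. `root_password = var.mysql_root_password`; if these are meant as placeholders, say so next to them (`# placeholder — replace before use, never commit real passwords`) so they are not deployed verbatim. The `locals` block this hunk starts inside opens before the hunk.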

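--- a/examples/complete/output.tf
+++ b/examples/complete/output.tf
@@ -1,4 +1,9 @@
-output "mysql_configuration" {
-value = module.mysql.mysqldb
-description = "Mysql_Info"
+output "mysql_endpoints" {
+value = module.mysql.mysqldb_endpoints
+description = "MySQL endpoints in the Kubernetes cluster."
+}
+
+output "mysql_credential" {
+value = local.store_password_to_secret_manager ? null : module.mysql.mysqldb_credential
+description = "MySQL credentials used for accessing the MySQL database."
 }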
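Review bot: The new `mysql_credential` output on lines 6–9 prints every MySQL password in clear text in `terraform output`, in apply logs and in CI job output whenever `local.store_password_to_secret_manager` is false, because the block carries no `sensitive = true`. Add `sensitive = true` alongside `description` so Terraform redacts it by default; anyone who genuinely needs the value can still read it with `terraform output -json mysql_credential`. The values are written to the state file in either case, so a one-line comment on the output that state storage must be protected accordingly would help the next reader.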

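--- a/examples/complete/provider.tf
+++ b/examples/complete/provider.tf
@@ -5,7 +5,6 @@ provider "aws" {
 }
 }
 
-
 data "aws_eks_cluster" "cluster" {
 name = ""
 }
@@ -14,19 +13,16 @@ data "aws_eks_cluster_auth" "cluster" {
 name = ""
 }
 
-
 provider "kubernetes" {
 host = data.aws_eks_cluster.cluster.endpoint
 cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
 token = data.aws_eks_cluster_auth.cluster.token
-
 }
 
 provider "helm" {
 kubernetes {
 host = data.aws_eks_cluster.cluster.endpoint
 cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
 token = data.aws_eks_cluster_auth.cluster.token
-
 }
 }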

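--- a/main.tf
+++ b/main.tf
@@ -13,44 +13,59 @@ data "aws_eks_cluster" "kubernetes_cluster" {
 }
 
 resource "random_password" "mysqldb_root_password" {
+count = var.mysqldb_custom_credentials_enabled ? 0 : 1
 length = 20
 special = false
 }
 
 resource "random_password" "mysqldb_custom_user_password" {
+count = var.mysqldb_custom_credentials_enabled ? 0 : 1
 length = 20
 special = false
 }
 
 resource "random_password" "mysqldb_replication_user_password" {
+count = var.mysqldb_custom_credentials_enabled ? 0 : 1
 length = 20
 special = false
 }
 
 resource "random_password" "mysqldb_exporter_user_password" {
+count = var.mysqldb_custom_credentials_enabled ? 0 : 1
 length = 20
 special = false
 }
 
 resource "aws_secretsmanager_secret" "mysql_user_password" {
+count = var.mysqldb_config.store_password_to_secret_manager ? 1 : 0
 name = format("%s/%s/%s", var.mysqldb_config.environment, var.mysqldb_config.name, "mysql")
 recovery_window_in_days = var.recovery_window_aws_secret
 }
 
 resource "aws_secretsmanager_secret_version" "mysql_user_password" {
-secret_id = aws_secretsmanager_secret.mysql_user_password.id
-secret_string = <<EOF
-{
-"root_user": "root",
-"root_password": "${random_password.mysqldb_root_password.result}",
-"custom_username": "${var.mysqldb_config.custom_user_username}",
-"custom_user_password": "${random_password.mysqldb_custom_user_password.result}",
-"replication_user": "replicator",
-"replication_password": "${random_password.mysqldb_replication_user_password.result}",
-"exporter_user": "mysqld_exporter",
-"exporter_password": "${random_password.mysqldb_exporter_user_password.result}"
-}
-EOF
+count = var.mysqldb_config.store_password_to_secret_manager ? 1 : 0
+secret_id = aws_secretsmanager_secret.mysql_user_password[0].id
+secret_string = var.mysqldb_custom_credentials_enabled ? jsonencode(
+{
+"root_user" : "${var.mysqldb_custom_credentials_config.root_user}",
+"root_password" : "${var.mysqldb_custom_credentials_config.root_password}",
+"custom_username" : "${var.mysqldb_custom_credentials_config.custom_username}",
+"custom_user_password" : "${var.mysqldb_custom_credentials_config.custom_user_password}",
+"replication_user" : "${var.mysqldb_custom_credentials_config.replication_user}",
+"replication_password" : "${var.mysqldb_custom_credentials_config.replication_password}",
+"exporter_user" : "${var.mysqldb_custom_credentials_config.exporter_user}",
+"exporter_password" : "${var.mysqldb_custom_credentials_config.exporter_password}"
+}) : jsonencode(
+{
+"root_user" : "root",
+"root_password" : "${random_password.mysqldb_root_password[0].result}",
+"custom_username" : "${var.mysqldb_config.custom_user_username}",
+"custom_user_password" : "${random_password.mysqldb_custom_user_password[0].result}",
+"replication_user" : "replicator",
+"replication_password" : "${random_password.mysqldb_replication_user_password[0].result}",
+"exporter_user" : "mysqld_exporter",
+"exporter_password" : "${random_password.mysqldb_exporter_user_password[0].result}"
+})
 }
 
 resource "kubernetes_namespace" "mysqldb" {
@@ -76,13 +91,13 @@ resource "helm_release" "mysqldb" {
 primary_pod_size = var.mysqldb_config.primary_db_volume_size,
 secondary_pod_size = var.mysqldb_config.secondary_db_volume_size,
 storage_class_name = var.mysqldb_config.storage_class_name,
-custom_user_username = var.mysqldb_config.custom_user_username,
-custom_user_password = random_password.mysqldb_custom_user_password.result,
-replication_password = random_password.mysqldb_replication_user_password.result,
-mysqldb_root_password = random_password.mysqldb_root_password.result,
+custom_user_username = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.custom_username : var.mysqldb_config.custom_user_username,
+custom_user_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.custom_user_password : random_password.mysqldb_custom_user_password[0].result,
+replication_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.replication_password : random_password.mysqldb_replication_user_password[0].result,
+mysqldb_root_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.root_password : random_password.mysqldb_root_password[0].result,
 mysqldb_exporter_enabled = var.mysqldb_exporter_enabled,
 service_monitor_namespace = var.namespace
-metrics_exporter_password = random_password.mysqldb_exporter_user_password.result,
+metrics_exporter_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.exporter_password : random_password.mysqldb_exporter_user_password[0].result,
 secondary_pod_replica_count = var.mysqldb_config.secondary_db_replica_count
 }),
 var.mysqldb_config.values_yaml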
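Review bot: The `count` expressions on new lines 40 and 46 read `var.mysqldb_config.store_password_to_secret_manager` directly, but `mysqldb_config` is `type = any` and Terraform does not merge a caller's object with the variable default, so every existing caller that passes the previous nine keys will fail at plan time with an unsupported-attribute error as soon as they upgrade. Reading it with a fallback keeps the old inputs working: `count = lookup(var.mysqldb_config, "store_password_to_secret_manager", true) ? 1 : 0` on both resources. Separately, because the four `random_password` resources now carry `count`, flipping `mysqldb_custom_credentials_enabled` on a deployment that already exists destroys the generated passwords and hands Helm a new set while the data volume presumably still holds the old ones — worth a comment on those resources warning that the flag is effectively create-time only. As a style point, the `"${var.mysqldb_custom_credentials_config.root_user}"` wrappers inside `jsonencode` on new lines 50–57 and 61–67 are interpolation-only strings that `terraform fmt`/`validate` flag as deprecated; the bare expressions are enough. The `helm_release` block in the second hunk starts and ends outside this view.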

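--- a/output.tf
+++ b/output.tf
@@ -1,10 +1,24 @@
-output "mysqldb" {
-description = "Mysql_Info"
+output "mysqldb_endpoints" {
+description = "MySQL endpoints in the Kubernetes cluster."
 value = {
 mysqlport = "3306",
 mysql_primary_endpoint = "mysqldb-primary.${var.namespace}.svc.cluster.local",
 mysql_primary_headless_endpoint = "mysqldb-primary-headless.${var.namespace}.svc.cluster.local",
 mysql_secondary_endpoint = "mysqldb-secondary.${var.namespace}.svc.cluster.local",
-mysql_secondary_headless_endpoint = "mysqldb-secondary-headless.${var.namespace}.svc.cluster.local"
+mysql_secondary_headless_endpoint = "mysqldb-secondary-headless.${var.namespace}.svc.cluster.local",
+}
+}
+
+output "mysqldb_credential" {
+description = "MySQL credentials used for accessing the MySQL database."
+value = var.mysqldb_config.store_password_to_secret_manager ? null : {
+root_user = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.root_user : "root",
+root_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.root_password : nonsensitive(random_password.mysqldb_root_password[0].result),
+custom_username = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.custom_username : var.mysqldb_config.custom_user_username,
+custom_user_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.custom_user_password : nonsensitive(random_password.mysqldb_custom_user_password[0].result),
+replication_user = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.replication_user : "replicator",
+replication_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.replication_password : nonsensitive(random_password.mysqldb_replication_user_password[0].result),
+exporter_user = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.exporter_user : "mysqld_exporter",
+exporter_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.exporter_password : nonsensitive(random_password.mysqldb_exporter_user_password[0].result)
 }
 }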
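Review bot: The `nonsensitive()` calls on new lines 16, 18, 20 and 22 deliberately strip the sensitive mark that `random_password` attaches to its results, so when `store_password_to_secret_manager` is false all four generated passwords print in clear in plan and apply output and in every root module's `terraform output`, and the custom values on lines 15, 17, 19 and 21 are exposed the same way since their variable carries no sensitivity either. Mark the output `sensitive = true` and drop the wrappers; callers that need the values can still read them with `terraform output -json`, and a module output that returns null in the secrets-manager case loses nothing by being redacted. The plaintext still lands in the state file in both branches, which deserves a mention in the description.

```hcl
output "mysqldb_credential" {
  description = "MySQL credentials used for accessing the MySQL database (also stored in plaintext in Terraform state)."
  sensitive   = true
  value = var.mysqldb_config.store_password_to_secret_manager ? null : {
    # … unchanged: root_user, custom_username, replication_user, exporter_user …
    root_password        = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.root_password : random_password.mysqldb_root_password[0].result,
    custom_user_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.custom_user_password : random_password.mysqldb_custom_user_password[0].result,
    replication_password = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.replication_password : random_password.mysqldb_replication_user_password[0].result,
    exporter_password    = var.mysqldb_custom_credentials_enabled ? var.mysqldb_custom_credentials_config.exporter_password : random_password.mysqldb_exporter_user_password[0].result
  }
}
```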

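--- a/variables.tf
+++ b/variables.tf
@@ -1,19 +1,41 @@
 variable "mysqldb_config" {
 type = any
 default = {
-name = ""
-environment = ""
-values_yaml = ""
-architecture = ""
-storage_class_name = ""
-custom_user_username = ""
-primary_db_volume_size = ""
-secondary_db_volume_size = ""
-secondary_db_replica_count = 1
+name = ""
+environment = ""
+values_yaml = ""
+architecture = ""
+storage_class_name = ""
+custom_user_username = ""
+primary_db_volume_size = ""
+secondary_db_volume_size = ""
+secondary_db_replica_count = 1
+store_password_to_secret_manager = true
 }
 description = "Specify the configuration settings for MySQL, including the name, environment, storage options, replication settings, and custom YAML values."
 }
 
+variable "mysqldb_custom_credentials_enabled" {
+type = bool
+default = false
+description = "Specifies whether to enable custom credentials for MySQL database."
+}
+
+variable "mysqldb_custom_credentials_config" {
+type = any
+default = {
+root_user = ""
+root_password = ""
+custom_username = ""
+custom_user_password = ""
+replication_user = ""
+replication_password = ""
+exporter_user = ""
+exporter_password = ""
+}
+description = "Specify the configuration settings for MySQL to pass custom credentials during creation"
+}
+
 variable "app_version" {
 type = string
 default = "8.0.29-debian-11-r9"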
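Review bot: `mysqldb_custom_credentials_config` on new lines 24–37 carries four passwords but is not declared `sensitive = true`, so its values are shown verbatim in plan diffs of every resource that consumes them (the secret version and the Helm values in main.tf) and can be echoed by any root-module output without a warning; add `sensitive = true` after `type = any`. Its default is eight empty strings and nothing validates them, so setting `mysqldb_custom_credentials_enabled = true` without supplying the config passes `""` as the root, replication and exporter password straight through to the secret and the chart — a `lifecycle { precondition }` on the `helm_release` that rejects empty passwords when the flag is on (Terraform ≥ 1.2), or an `object({...})` type with no empty defaults, would catch that at plan time. The description should also say that these values end up in Terraform state and, when `store_password_to_secret_manager` is true, in Secrets Manager.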
