Revert "[PRMP-123] Changing file permissions (#105)"

This reverts commit 94eae93.

terraform-db-roles/application-role.tf

@@ -0,0 +1,44 @@
+// TODO: PRMP-120 - Entire file may need removing
+
+resource "postgresql_role" "application_role" {
+  name = "application_role"
+}
+
+resource "postgresql_grant" "application_role_schema_usage_grant" {
+  database    = var.db_name
+  role        = postgresql_role.application_role.name
+  schema      = "public"
+  object_type = "schema"
+  privileges  = ["USAGE"]
+}
+
+resource "postgresql_role" "application_user" {
+  name  = "application_user"
+  login = true
+  roles = ["rds_iam", postgresql_role.application_role.name]
+}
+
+data "aws_iam_policy_document" "db_application_user_policy_doc" {
+  statement {
+    actions = [
+      "rds-db:connect"
+    ]
+
+    resources = [
+      "arn:aws:rds-db:${var.region}:${data.aws_caller_identity.current.account_id}:dbuser:${data.aws_ssm_parameter.db_cluster_resource_id.value}/${postgresql_role.application_user.name}"
+    ]
+
+    effect = "Allow"
+  }
+}
+
+resource "aws_iam_policy" "db_application_user_policy" {
+  name   = "${var.environment}-${var.component_name}-db_application_user"
+  policy = data.aws_iam_policy_document.db_application_user_policy_doc.json
+}
+
+# Grant ECS Task permissions to connect to the DB as application_user
+resource "aws_iam_role_policy_attachment" "db_application_user_policy_attach" {
+  role       = "${var.environment}-${var.component_name}-EcsTaskRole"
+  policy_arn = aws_iam_policy.db_application_user_policy.arn
+}

terraform-db-roles/data.tf

@@ -1 +1,5 @@
 data "aws_caller_identity" "current" {}
+
+data "aws_ssm_parameter" "db_cluster_resource_id" { // TODO: PRMP-120 - May need removing
+  name = "/repo/${var.environment}/output/${var.repo_name}/db-resource-cluster-id"
+}

terraform-db-roles/main.tf

@@ -3,11 +3,25 @@ provider "aws" {
   region  = var.region
 }
 
+provider "postgresql" { // TODO: PRMP-120 - REMOVE
+  host            = var.db_host
+  port            = var.db_port
+  database        = var.db_name
+  username        = var.db_username
+  password        = var.db_password
+  connect_timeout = 15
+  superuser       = false
+}
+
 terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
       version = "3.44.0"
     }
+    postgresql = { // TODO: PRMP-120 - REMOVE
+      source  = "cyrilgdn/postgresql"
+      version = "1.13.0"
+    }
   }
 }

terraform-db-roles/migration-role.tf

@@ -0,0 +1,79 @@
+// TODO: PRMP-120 - Entire file may need removing
+
+resource "postgresql_role" "migration_role" {
+  name = "migration_role"
+}
+
+resource "postgresql_grant" "migration_role_schema_usage_grant" {
+  database    = var.db_name
+  role        = postgresql_role.migration_role.name
+  schema      = "public"
+  object_type = "schema"
+  privileges  = ["USAGE", "CREATE"]
+}
+
+resource "postgresql_role" "migration_user" {
+  name        = "migration_user"
+  login       = true
+  valid_until = ""
+  roles       = ["rds_iam", postgresql_role.migration_role.name]
+}
+
+resource "aws_ssm_parameter" "migration_user" {
+  name  = "/repo/${var.environment}/output/${var.repo_name}/db-migration-user"
+  type  = "String"
+  value = postgresql_role.migration_user.name
+}
+
+data "aws_iam_policy_document" "migration-assume-role-policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "ec2.amazonaws.com"
+      ]
+    }
+  }
+}
+
+resource "aws_iam_role" "db_migration_role" {
+  name               = "${var.environment}-${var.component_name}-DbMigrationRole"
+  assume_role_policy = data.aws_iam_policy_document.migration-assume-role-policy.json
+  description        = "DbMigration role to migrate db in the pipeline"
+
+  tags = {
+    Environment = var.environment
+    CreatedBy   = var.repo_name
+  }
+}
+
+resource "aws_iam_instance_profile" "db_migration_role_profile" {
+  name = "${var.environment}-${var.component_name}-DbMigrationRole"
+  role = aws_iam_role.db_migration_role.name
+}
+
+data "aws_iam_policy_document" "db_migration_user_policy_doc" {
+  statement {
+    actions = [
+      "rds-db:connect"
+    ]
+
+    resources = [
+      "arn:aws:rds-db:${var.region}:${data.aws_caller_identity.current.account_id}:dbuser:${data.aws_ssm_parameter.db_cluster_resource_id.value}/${postgresql_role.migration_user.name}"
+    ]
+
+    effect = "Allow"
+  }
+}
+
+resource "aws_iam_policy" "db_migration_user_policy" {
+  name   = "${var.environment}-${var.component_name}-db_migration_user"
+  policy = data.aws_iam_policy_document.db_migration_user_policy_doc.json
+}
+
+resource "aws_iam_role_policy_attachment" "db_migration_user_policy_attach" {
+  role       = aws_iam_role.db_migration_role.name
+  policy_arn = aws_iam_policy.db_migration_user_policy.arn
+}

terraform-db-roles/variables.tf

@@ -8,9 +8,18 @@ variable "repo_name" {
   default = "prm-deductions-ehr-repository"
 }
 
+variable "db_port" { // TODO: PRMP-120 - REMOVE
+  type    = string
+  default = "5432"
+}
+
 variable "component_name" {
   type    = string
   default = "ehr-repo"
 }
 
 variable "environment" {}
+variable "db_name" {}     // TODO: PRMP-120 - REMOVE
+variable "db_host" {}     // TODO: PRMP-120 - REMOVE
+variable "db_username" {} // TODO: PRMP-120 - REMOVE
+variable "db_password" {} // TODO: PRMP-120 - REMOVE

terraform/data.tf

@@ -12,6 +12,14 @@ data "aws_ssm_parameter" "private_zone_id" {
   name = "/repo/${var.environment}/output/prm-deductions-infra/private-root-zone-id"
 }
 
+data "aws_ssm_parameter" "db-username" {
+  name = "/repo/${var.environment}/user-input/ehr-repo-db-username"
+}
+
+data "aws_ssm_parameter" "db-password" {
+  name = "/repo/${var.environment}/user-input/ehr-repo-db-password"
+}
+
 data "aws_ssm_parameter" "dynamodb_name" {
   name = "/repo/${var.environment}/output/prm-deductions-infra/ehr-transfer-tracker-db-name"
 }

terraform/dev.tfvars

@@ -3,7 +3,8 @@ component_name = "ehr-repo"
 dns_name       = "ehr-repo"
 repo_name      = "prm-deductions-ehr-repository"
 
-node_env = "prod"
+node_env      = "prod"
+database_name = "deductions_db" // TODO: PRMP-120 - REMOVE
 
 s3_bucket_name      = "dev-ehr-repo-bucket"
 s3_prev_bucket_name = "dev-ehr-repo"
@@ -14,3 +15,6 @@ port        = 3000
 
 service_desired_count    = "1"
 alb_deregistration_delay = 15
+
+grant_access_through_vpn               = true  // TODO: PRMP-120 - REMOVE
+enable_rds_cluster_deletion_protection = false // TODO: PRMP-120 - REMOVE

terraform/ecs-task.tf

@@ -7,7 +7,13 @@ locals {
     { name = "NODE_ENV", value = var.node_env },
     { name = "NHS_ENVIRONMENT", value = var.environment },
     { name = "S3_BUCKET_NAME", value = var.s3_bucket_name },
+    { name = "DATABASE_NAME", value = aws_rds_cluster.db-cluster.database_name }, # TODO: PRMP-120 - Removed code references as part of PRMP-123, terraform needs removing as part of PRMP-120
+    { name = "DATABASE_HOST", value = aws_rds_cluster.db-cluster.endpoint },      # TODO: PRMP-120 - Removed code references as part of PRMP-123, terraform needs removing as part of PRMP-120
+    { name = "DATABASE_USER", value = var.application_database_user },            # TODO: PRMP-120 - Removed code references as part of PRMP-123, terraform needs removing as part of PRMP-120
+    { name = "USE_AWS_RDS_CREDENTIALS", value = "true" },                         # TODO: PRMP-120 - Removed code references as part of PRMP-123, terraform needs removing as part of PRMP-120
     { name = "AWS_REGION", value = var.region },
+    { name = "SKIP_DB_MIGRATION", value = "true" }, # TODO: PRMP-120 - Removed code references as part of PRMP-123, terraform needs removing as part of PRMP-120
+    { name = "USE_SSL_FOR_DB", value = "true" },    # TODO: PRMP-120 - Removed code references as part of PRMP-123, terraform needs removing as part of PRMP-120
     { name = "LOG_LEVEL", value = var.log_level },
     { name = "DYNAMODB_NAME", value = data.aws_ssm_parameter.dynamodb_name.value },
   ]

terraform/main.tf

@@ -1,12 +1,13 @@
 provider "aws" {
-  region = var.region
+  profile = "default"
+  region  = var.region
 }
 
 terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = "3.75.1"
     }
   }
 }

terraform/perf.tfvars

@@ -3,7 +3,8 @@ component_name = "ehr-repo"
 dns_name       = "ehr-repo"
 repo_name      = "prm-deductions-ehr-repository"
 
-node_env = "prod"
+node_env      = "prod"
+database_name = "deductions_db" // TODO: PRMP-120 - REMOVE
 
 s3_bucket_name      = "perf-ehr-repo-bucket"
 s3_prev_bucket_name = "perf-ehr-repo"
@@ -12,3 +13,6 @@ port = 3000
 
 service_desired_count    = "2"
 alb_deregistration_delay = 15
+
+grant_access_through_vpn               = true  // TODO: PRMP-120 - REMOVE
+enable_rds_cluster_deletion_protection = false // TODO: PRMP-120 - REMOVE

terraform/pre-prod.tfvars

@@ -3,7 +3,8 @@ component_name = "ehr-repo"
 dns_name       = "ehr-repo"
 repo_name      = "prm-deductions-ehr-repository"
 
-node_env = "prod"
+node_env      = "prod"
+database_name = "deductions_db" // TODO: PRMP-120 - REMOVE
 
 s3_bucket_name      = "pre-prod-ehr-repo-bucket"
 s3_prev_bucket_name = "pre-prod-ehr-repo"
@@ -15,5 +16,10 @@ service_desired_count    = "3"
 alb_deregistration_delay = 15
 log_level                = "info"
 
+grant_access_through_vpn               = true // TODO: PRMP-120 - REMOVE
+enable_rds_cluster_deletion_protection = true // TODO: PRMP-120 - REMOVE
+
 is_restricted_account = true
 
+db_instance_number = 3 // TODO: PRMP-120 - REMOVE
+

terraform/prod.tfvars

@@ -3,7 +3,8 @@ component_name = "ehr-repo"
 dns_name       = "ehr-repo"
 repo_name      = "prm-deductions-ehr-repository"
 
-node_env = "prod"
+node_env      = "prod"
+database_name = "deductions_db" // TODO: PRMP-120 - REMOVE
 
 s3_bucket_name      = "prod-ehr-repo-bucket"
 s3_prev_bucket_name = "prod-ehr-repo"
@@ -15,4 +16,9 @@ service_desired_count    = "3"
 alb_deregistration_delay = 15
 log_level                = "info"
 
+grant_access_through_vpn               = true // TODO: PRMP-120 - REMOVE
+enable_rds_cluster_deletion_protection = true // TODO: PRMP-120 - REMOVE
+
 is_restricted_account = true
+
+db_instance_number = 3 // TODO: PRMP-120 - REMOVE