Creates an RDS cluster param group for MD5 encryption

Updates the existing param group module so we can create a separate param group for the DWH db cluster that has MD5 encryption as the password param. This change is required when using AWS Glue which uses a JDBC driver which in turn uses MD5 for its password. At present will only be using Glue to connect to the DWH cluster
communitiesuk · Feb 18, 2025 · f5c0bbb · f5c0bbb
1 parent 57b633c
commit f5c0bbb
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 5 deletions.
diff --git a/service-infrastructure/database_parameter_groups/outputs.tf b/service-infrastructure/database_parameter_groups/outputs.tf
@@ -1,7 +1,7 @@
 output "aurora_pg_param_group_name" {
-  value = resource.aws_rds_cluster_parameter_group.rds_aurora.name
+  value = aws_rds_cluster_parameter_group.rds_aurora.name
 }
 
 output "rds_pg_param_group_name" {
-  value = resource.aws_db_parameter_group.rds_db.name
+  value = try(aws_db_parameter_group.rds_db[0].name, "")
 }
diff --git a/service-infrastructure/database_parameter_groups/parameter_groups.tf b/service-infrastructure/database_parameter_groups/parameter_groups.tf
@@ -1,9 +1,22 @@
 resource "aws_db_parameter_group" "rds_db" {
+  count  = var.has_rds == true ? 1 : 0
   name   = "rds-pg"
   family = "postgres14"
 }
 
+
+
 resource "aws_rds_cluster_parameter_group" "rds_aurora" {
-  name   = "aurora-pg"
+  name   = var.aurora_name
   family = "aurora-postgresql14"
+
+  dynamic "parameter" {
+    for_each = var.has_md_5_password == true ? [0] : []
+    content {
+      name  = "password_encryption"
+      value = "MD5"
+    }
+  }
+
 }
+
diff --git a/service-infrastructure/database_parameter_groups/variables.tf b/service-infrastructure/database_parameter_groups/variables.tf
@@ -0,0 +1,15 @@
+variable "has_md_5_password" {
+  type    = bool
+  default = false
+}
+
+variable "aurora_name" {
+  type    = string
+  default = "aurora-pg"
+}
+
+
+variable "has_rds" {
+  type    = bool
+  default = true
+}
diff --git a/service-infrastructure/modules.tf b/service-infrastructure/modules.tf
@@ -746,13 +746,14 @@ module "warehouse_api_application" {
   cloudwatch_ecs_events_arn = module.logging.cloudwatch_ecs_events_arn
 }
 
+
 module "warehouse_database" {
   source = "./aurora_rds"
 
-  cluster_parameter_group_name  = module.parameter_groups.aurora_pg_param_group_name
+  cluster_parameter_group_name  = module.data_warehouse_parameter_groups.aurora_pg_param_group_name
   db_name                       = "epb"
   instance_class                = "db.serverless"
-  instance_parameter_group_name = module.parameter_groups.rds_pg_param_group_name
+  instance_parameter_group_name = module.data_warehouse_parameter_groups.rds_pg_param_group_name
   postgres_version              = var.postgres_aurora_version
   prefix                        = "${local.prefix}-warehouse"
   security_group_ids            = [module.warehouse_application.ecs_security_group_id, module.bastion.security_group_id, module.warehouse_scheduled_tasks_application.ecs_security_group_id, module.warehouse_api_application.ecs_security_group_id]
@@ -898,6 +899,14 @@ module "parameter_groups" {
   source = "./database_parameter_groups"
 }
 
+module "data_warehouse_parameter_groups" {
+  source            = "./database_parameter_groups"
+  has_rds           = false
+  has_md_5_password = true
+  aurora_name       = "aurora-pg-md5"
+}
+
+
 module "error_pages" {
   source           = "./error_pages"
   prefix           = "${local.prefix}-error-pages"
@@ -997,3 +1006,4 @@ module "rds_kms_key" {
   prefix      = local.prefix
   environment = var.environment
 }
+