feat: add Windows authentication (#177)

5697a0a1 · Bryant Biggs · GitHub · d73b3c29 · 5697a0a1 · 5697a0a1
Commit 5697a0a1 authored Jul 20, 2020 by Bryant Biggs Committed by GitHub Jul 20, 2020
11 changed files
--- a/README.md
+++ b/README.md
@@ -168,6 +168,8 @@ No provider.
 | db\_subnet\_group\_name | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC | `string` | `""` | no |
 | delete\_automated\_backups | Specifies whether to remove automated backups immediately after the DB instance is deleted | `bool` | `true` | no |
 | deletion\_protection | The database can't be deleted when this value is set to true. | `bool` | `false` | no |
+| domain | The ID of the Directory Service Active Directory domain to create the instance in | `string` | `""` | no |
+| domain\_iam\_role\_name | (Required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service | `string` | `""` | no |
 | enabled\_cloudwatch\_logs\_exports | List of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine): alert, audit, error, general, listener, slowquery, trace, postgresql (PostgreSQL), upgrade (PostgreSQL). | `list(string)` | `[]` | no |
 | engine | The database engine to use | `string` | n/a | yes |
 | engine\_version | The engine version to use | `string` | n/a | yes |
@@ -222,6 +224,8 @@ No provider.
 | this\_db\_instance\_arn | The ARN of the RDS instance |
 | this\_db\_instance\_availability\_zone | The availability zone of the RDS instance |
 | this\_db\_instance\_ca\_cert\_identifier | Specifies the identifier of the CA certificate for the DB instance |
+| this\_db\_instance\_domain | The ID of the Directory Service Active Directory domain the instance is joined to |
+| this\_db\_instance\_domain\_iam\_role\_name | The name of the IAM role to be used when making API calls to the Directory Service. |
 | this\_db\_instance\_endpoint | The connection endpoint |
 | this\_db\_instance\_hosted\_zone\_id | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | this\_db\_instance\_id | The RDS instance ID |

--- a/examples/complete-mssql/README.md
+++ b/examples/complete-mssql/README.md
@@ -38,6 +38,8 @@ No input.
 | this\_db\_instance\_address | The address of the RDS instance |
 | this\_db\_instance\_arn | The ARN of the RDS instance |
 | this\_db\_instance\_availability\_zone | The availability zone of the RDS instance |
+| this\_db\_instance\_domain | The ID of the Directory Service Active Directory domain the instance is joined to |
+| this\_db\_instance\_domain\_iam\_role\_name | The name of the IAM role to be used when making API calls to the Directory Service. |
 | this\_db\_instance\_endpoint | The connection endpoint |
 | this\_db\_instance\_hosted\_zone\_id | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | this\_db\_instance\_id | The RDS instance ID |

--- a/examples/complete-mssql/main.tf
+++ b/examples/complete-mssql/main.tf
 provider "aws" {
-  region = "us-west-1"
+  region = "us-east-1"
+}
+
+locals {
+  tags = {
+    Owner       = "user"
+    Environment = "dev"
+  }
 }

 ##############################################################
@@ -18,9 +25,62 @@ data "aws_security_group" "default" {
  name   = "default"
 }

+#####################################
+# IAM Role for Windows Authentication
+#####################################
+
+data "aws_iam_policy_document" "rds_assume_role" {
+  statement {
+    sid = "AssumeRole"
+
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["rds.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "rds_ad_auth" {
+  name                  = "demo-rds-ad-auth"
+  description           = "Role used by RDS for Active Directory authentication and authorization"
+  force_detach_policies = true
+  assume_role_policy    = data.aws_iam_policy_document.rds_assume_role.json
+
+  tags = local.tags
+}
+
+resource "aws_iam_role_policy_attachment" "rds_directory_services" {
+  role       = aws_iam_role.rds_ad_auth.id
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess"
+}
+
+##########################################
+# AWS Directory Service (Acitve Directory)
+##########################################
+
+resource "aws_directory_service_directory" "demo" {
+  name     = "corp.demo.com"
+  password = "SuperSecretPassw0rd"
+  edition  = "Standard"
+  type     = "MicrosoftAD"
+
+  vpc_settings {
+    vpc_id = data.aws_vpc.default.id
+    # Only 2 subnets, must be in different AZs
+    subnet_ids = slice(tolist(data.aws_subnet_ids.all.ids), 0, 2)
+  }
+
+  tags = local.tags
+}
+
 #####
 # DB
 #####
+
 module "db" {
  source = "../../"

@@ -37,6 +97,9 @@ module "db" {
  password = "YourPwdShouldBeLongAndSecure!"
  port     = "1433"

+  domain               = aws_directory_service_directory.demo.id
+  domain_iam_role_name = aws_iam_role.rds_ad_auth.name
+
  vpc_security_group_ids = [data.aws_security_group.default.id]

  maintenance_window = "Mon:00:00-Mon:03:00"
@@ -45,10 +108,7 @@ module "db" {
  # disable backups to create DB faster
  backup_retention_period = 0

-  tags = {
-    Owner       = "user"
-    Environment = "dev"
-  }
+  tags = local.tags

  # DB subnet group
  subnet_ids = data.aws_subnet_ids.all.ids

--- a/examples/complete-mssql/outputs.tf
+++ b/examples/complete-mssql/outputs.tf
@@ -77,3 +77,13 @@ output "this_db_parameter_group_arn" {
  description = "The ARN of the db parameter group"
  value       = module.db.this_db_parameter_group_arn
 }
+
+output "this_db_instance_domain" {
+  description = "The ID of the Directory Service Active Directory domain the instance is joined to"
+  value       = module.db.this_db_instance_domain
+}
+
+output "this_db_instance_domain_iam_role_name" {
+  description = "The name of the IAM role to be used when making API calls to the Directory Service. "
+  value       = module.db.this_db_instance_domain_iam_role_name
+}
--- a/main.tf
+++ b/main.tf
@@ -71,6 +71,8 @@ module "db_instance" {
  username                            = var.username
  password                            = var.password
  port                                = var.port
+  domain                              = var.domain
+  domain_iam_role_name                = var.domain_iam_role_name
  iam_database_authentication_enabled = var.iam_database_authentication_enabled

  replicate_source_db = var.replicate_source_db

--- a/modules/db_instance/README.md
+++ b/modules/db_instance/README.md
@@ -30,6 +30,8 @@ No requirements.
 | db\_subnet\_group\_name | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC | `string` | `""` | no |
 | delete\_automated\_backups | Specifies whether to remove automated backups immediately after the DB instance is deleted | `bool` | `true` | no |
 | deletion\_protection | The database can't be deleted when this value is set to true. | `bool` | `false` | no |
+| domain | The ID of the Directory Service Active Directory domain to create the instance in | `string` | `""` | no |
+| domain\_iam\_role\_name | (Required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service | `string` | `""` | no |
 | enabled\_cloudwatch\_logs\_exports | List of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine): alert, audit, error, general, listener, slowquery, trace, postgresql (PostgreSQL), upgrade (PostgreSQL). | `list(string)` | `[]` | no |
 | engine | The database engine to use | `string` | n/a | yes |
 | engine\_version | The engine version to use | `string` | n/a | yes |
@@ -75,6 +77,8 @@ No requirements.
 | this\_db\_instance\_arn | The ARN of the RDS instance |
 | this\_db\_instance\_availability\_zone | The availability zone of the RDS instance |
 | this\_db\_instance\_ca\_cert\_identifier | Specifies the identifier of the CA certificate for the DB instance |
+| this\_db\_instance\_domain | The ID of the Directory Service Active Directory domain the instance is joined to |
+| this\_db\_instance\_domain\_iam\_role\_name | The name of the IAM role to be used when making API calls to the Directory Service. |
 | this\_db\_instance\_endpoint | The connection endpoint |
 | this\_db\_instance\_hosted\_zone\_id | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
 | this\_db\_instance\_id | The RDS instance ID |

--- a/modules/db_instance/main.tf
+++ b/modules/db_instance/main.tf
@@ -54,6 +54,8 @@ resource "aws_db_instance" "this" {
  username                            = var.username
  password                            = var.password
  port                                = var.port
+  domain                              = var.domain
+  domain_iam_role_name                = var.domain_iam_role_name
  iam_database_authentication_enabled = var.iam_database_authentication_enabled

  replicate_source_db = var.replicate_source_db
@@ -128,6 +130,8 @@ resource "aws_db_instance" "this_mssql" {
  username                            = var.username
  password                            = var.password
  port                                = var.port
+  domain                              = var.domain
+  domain_iam_role_name                = var.domain_iam_role_name
  iam_database_authentication_enabled = var.iam_database_authentication_enabled

  replicate_source_db = var.replicate_source_db

--- a/modules/db_instance/outputs.tf
+++ b/modules/db_instance/outputs.tf
 locals {
-  enhanced_monitoring_iam_role_name   = element(concat(aws_iam_role.enhanced_monitoring.*.name, [""]), 0)
-  enhanced_monitoring_iam_role_arn    = element(concat(aws_iam_role.enhanced_monitoring.*.arn, [""]), 0)
-  this_db_instance_address            = element(concat(aws_db_instance.this_mssql.*.address, aws_db_instance.this.*.address, [""]), 0)
-  this_db_instance_arn                = element(concat(aws_db_instance.this_mssql.*.arn, aws_db_instance.this.*.arn, [""]), 0)
-  this_db_instance_availability_zone  = element(concat(aws_db_instance.this_mssql.*.availability_zone, aws_db_instance.this.*.availability_zone, [""]), 0)
-  this_db_instance_endpoint           = element(concat(aws_db_instance.this_mssql.*.endpoint, aws_db_instance.this.*.endpoint, [""]), 0)
-  this_db_instance_hosted_zone_id     = element(concat(aws_db_instance.this_mssql.*.hosted_zone_id, aws_db_instance.this.*.hosted_zone_id, [""]), 0)
-  this_db_instance_id                 = element(concat(aws_db_instance.this_mssql.*.id, aws_db_instance.this.*.id, [""]), 0)
-  this_db_instance_resource_id        = element(concat(aws_db_instance.this_mssql.*.resource_id, aws_db_instance.this.*.resource_id, [""]), 0)
-  this_db_instance_status             = element(concat(aws_db_instance.this_mssql.*.status, aws_db_instance.this.*.status, [""]), 0)
-  this_db_instance_name               = element(concat(aws_db_instance.this_mssql.*.name, aws_db_instance.this.*.name, [""]), 0)
-  this_db_instance_username           = element(concat(aws_db_instance.this_mssql.*.username, aws_db_instance.this.*.username, [""]), 0)
-  this_db_instance_port               = element(concat(aws_db_instance.this_mssql.*.port, aws_db_instance.this.*.port, [""]), 0)
-  this_db_instance_ca_cert_identifier = element(concat(aws_db_instance.this_mssql.*.ca_cert_identifier, aws_db_instance.this.*.ca_cert_identifier, [""]), 0)
+  enhanced_monitoring_iam_role_name     = element(concat(aws_iam_role.enhanced_monitoring.*.name, [""]), 0)
+  enhanced_monitoring_iam_role_arn      = element(concat(aws_iam_role.enhanced_monitoring.*.arn, [""]), 0)
+  this_db_instance_address              = element(concat(aws_db_instance.this_mssql.*.address, aws_db_instance.this.*.address, [""]), 0)
+  this_db_instance_arn                  = element(concat(aws_db_instance.this_mssql.*.arn, aws_db_instance.this.*.arn, [""]), 0)
+  this_db_instance_availability_zone    = element(concat(aws_db_instance.this_mssql.*.availability_zone, aws_db_instance.this.*.availability_zone, [""]), 0)
+  this_db_instance_endpoint             = element(concat(aws_db_instance.this_mssql.*.endpoint, aws_db_instance.this.*.endpoint, [""]), 0)
+  this_db_instance_hosted_zone_id       = element(concat(aws_db_instance.this_mssql.*.hosted_zone_id, aws_db_instance.this.*.hosted_zone_id, [""]), 0)
+  this_db_instance_id                   = element(concat(aws_db_instance.this_mssql.*.id, aws_db_instance.this.*.id, [""]), 0)
+  this_db_instance_resource_id          = element(concat(aws_db_instance.this_mssql.*.resource_id, aws_db_instance.this.*.resource_id, [""]), 0)
+  this_db_instance_status               = element(concat(aws_db_instance.this_mssql.*.status, aws_db_instance.this.*.status, [""]), 0)
+  this_db_instance_name                 = element(concat(aws_db_instance.this_mssql.*.name, aws_db_instance.this.*.name, [""]), 0)
+  this_db_instance_username             = element(concat(aws_db_instance.this_mssql.*.username, aws_db_instance.this.*.username, [""]), 0)
+  this_db_instance_port                 = element(concat(aws_db_instance.this_mssql.*.port, aws_db_instance.this.*.port, [""]), 0)
+  this_db_instance_ca_cert_identifier   = element(concat(aws_db_instance.this_mssql.*.ca_cert_identifier, aws_db_instance.this.*.ca_cert_identifier, [""]), 0)
+  this_db_instance_domain               = element(concat(aws_db_instance.this_mssql.*.domain, [""]), 0)
+  this_db_instance_domain_iam_role_name = element(concat(aws_db_instance.this_mssql.*.domain_iam_role_name, [""]), 0)
 }

 output "enhanced_monitoring_iam_role_name" {
@@ -84,3 +86,13 @@ output "this_db_instance_ca_cert_identifier" {
  description = "Specifies the identifier of the CA certificate for the DB instance"
  value       = local.this_db_instance_ca_cert_identifier
 }
+
+output "this_db_instance_domain" {
+  description = "The ID of the Directory Service Active Directory domain the instance is joined to"
+  value       = local.this_db_instance_domain
+}
+
+output "this_db_instance_domain_iam_role_name" {
+  description = "The name of the IAM role to be used when making API calls to the Directory Service. "
+  value       = local.this_db_instance_domain_iam_role_name
+}
--- a/modules/db_instance/variables.tf
+++ b/modules/db_instance/variables.tf
@@ -56,6 +56,18 @@ variable "iam_database_authentication_enabled" {
  default     = false
 }

+variable "domain" {
+  description = "The ID of the Directory Service Active Directory domain to create the instance in"
+  type        = string
+  default     = ""
+}
+
+variable "domain_iam_role_name" {
+  description = "(Required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service"
+  type        = string
+  default     = ""
+}
+
 variable "engine" {
  description = "The database engine to use"
  type        = string

--- a/outputs.tf
+++ b/outputs.tf
@@ -64,6 +64,16 @@ output "this_db_instance_password" {
  sensitive   = true
 }

+output "this_db_instance_domain" {
+  description = "The ID of the Directory Service Active Directory domain the instance is joined to"
+  value       = module.db_instance.this_db_instance_domain
+}
+
+output "this_db_instance_domain_iam_role_name" {
+  description = "The name of the IAM role to be used when making API calls to the Directory Service. "
+  value       = module.db_instance.this_db_instance_domain_iam_role_name
+}
+
 output "this_db_instance_port" {
  description = "The database port"
  value       = module.db_instance.this_db_instance_port

--- a/variables.tf
+++ b/variables.tf
@@ -50,6 +50,18 @@ variable "iam_database_authentication_enabled" {
  default     = false
 }

+variable "domain" {
+  description = "The ID of the Directory Service Active Directory domain to create the instance in"
+  type        = string
+  default     = ""
+}
+
+variable "domain_iam_role_name" {
+  description = "(Required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service"
+  type        = string
+  default     = ""
+}
+
 variable "engine" {
  description = "The database engine to use"
  type        = string