RDS: Add DBSubnet resource, VPC security groups #13
Conversation
This commit enables EC2 RDS resource to use: - DBSubnets - VPC security groups As a result, it adds a DBSubnet resource which consists of at least 2 VPC subnets containing at least each AZ of your region. It enables support of RDS in a VPC. This makes it possible to use RDS in a VPC setup, i.e. in EC2-VPC.
|
Hi @RaitoBezarius , would you mind adding a working example under |
|
@AmineChikhaoui Sure, will do in some minutes. |
|
It has been 300 minutes but it's done :) @AmineChikhaoui |
RaitoBezarius
force-pushed
the
raito/rds-for-vpc
branch
from
8362273 to
4102176
Compare
|
No worries @RaitoBezarius , thanks ! |
nix/ec2-rds-subnet-group.nix
Outdated
| region = mkOption { | ||
| type = types.str; | ||
| description = "Amazon RDS DB subnet group region."; | ||
| }; | ||
|
|
||
| accessKeyId = mkOption { | ||
| default = ""; | ||
| type = types.str; | ||
| description = "The AWS Access Key ID."; | ||
| }; |
There was a problem hiding this comment.
u can use imports = [ ./common-ec2-auth-options.nix ]; for these options like we do in the other modules for example
nix/ec2-rds-subnet-group.nix
Outdated
| default = []; | ||
| type = types.listOf (types.either types.str (resource "vpc-subnet")); | ||
| apply = map (x: if builtins.isString x then x else "res-" + x._name + "." + x._type + ".subnetId"); | ||
| description = "List of VPC subnets to use for this DB subnet group (must contain at least a subnet for each AZ), it can be a VPC Subnet resource or a string representing the ID of the VPC Subnet."; |
There was a problem hiding this comment.
break into multiple lines.
|
Update this line to |
examples/ec2-rds-with-vpc.nix
Outdated
| engine = "postgres"; | ||
| dbName = "testNixOps"; | ||
| multiAZ = true; | ||
| vpcSecurityGroups = [ resources.ec2SecurityGroups.database ]; |
There was a problem hiding this comment.
should be vpcSecurityGroupIds
I also needed to add securityGroups = []; for it to work.
@AmineChikhaoui what about removing support for ec2 classic altogether ?
Why this change? |
nix/ec2-rds-dbinstance.nix
Outdated
| type = types.nullOr (types.either types.str (resource "ec2-rds-db-subnet-group")); | ||
| apply = group: if (builtins.isString group || group == null) then group else "res-" + group._name; | ||
| description = '' | ||
| A name for a DBSubnetGroup, they must contain at least one subnet in each availability zone in the AWS region. |
|
Thanks @RaitoBezarius Tested deploying the example after some minor changes. and it worked fine. We have an error in destroying the example since nixops do not wait for the rds to finalize termination and fail when destroying the security group cause it is still attached to the We should adress this. also I think we need to add the backup functionality to RDS module as well as remove automatically taking final snapshot (make a prompt or an argument). |
FYI, I noticed this issue and opened #11 for it, +1 for the final snapshot, I think it's a sane default to have though. |
nix/ec2-rds-subnet-group.nix
Outdated
| ''; | ||
| }; | ||
|
|
||
| imports = [ ./common-ec2-options.nix ]; |
There was a problem hiding this comment.
This addition wasn't tested, can you please make sure that it works ?
It doesn't evaluate as ./common-ec2-options.nix is a function so please make it's merged to options
options = {
/* options declarations */
} // (import ./common-ec2-options.nix { inherit lib; });
Also if I fix that locally the diff engine will throw an error as it doesn't find a handler that realizes the tags diff, so it needs to be fixed in the python side to create a handler for the tags option.
| { | ||
| network.description = "NixOps RDS in a VPC Testing"; | ||
| # A VPC. | ||
| resources.vpc.private = { |
There was a problem hiding this comment.
Can you also fix the indentation in this file please and remove any comments such as # A VPC which don't seem to be useful.
| or isinstance(r, nixopsaws.resources.ec2_rds_subnet_group.EC2RDSSubnetGroupState) | ||
| or isinstance(r, nixopsaws.resources.ec2_security_group.EC2SecurityGroupState)} | ||
|
|
||
| def destroy_before(self, resources): |
There was a problem hiding this comment.
Do we really need destroy_before ? afaik it's automatically handled by doing the opposite of create_after
There was a problem hiding this comment.
I didn't know this, as I was exploring the solution for #11
|
@AmineChikhaoui Changes were made. |
|
Thank you for the quick changes but please test before asking for review again :) |
|
@AmineChikhaoui Now it is tested. |
|
@RaitoBezarius I think there might be some minor changes to be done to make sure that when not using VPC security groups/DB subnet the config works as well. |
…t group is available in XML description
|
@AmineChikhaoui I made the change but I'm unable to test it, I would require an ol'EC2 Classic account, those are not available anymore as AWS defaults to EC2-VPC nowadays AFAIK. I tried to run it but AWS throws me an error saying: But according to this: hashicorp/terraform#486 it's expected for people having an EC2 VPC account (like myself). Let me know your thoughts on this. |
|
Any progress on this? |
|
@NickSeagull AFAIK, I'm waiting for @AmineChikhaoui to give it a try again and see what should we do regarding the EC2-Classic stuff that I cannot test. |
|
Last time I tested on ec2-classic there was still some problems, I'll try to post the stacktrace next time but I'm not sure how helpful that would be unless I'm going to do the fixes as you can't test it. |
|
@AmineChikhaoui It might help us to move forward, I wonder whether I can get my hand on an EC2 Classic account, I'll try to ask AWS support staff. |
|
Closing because of #113 |
This commit enables EC2 RDS resource to use:
As a result, it adds a DBSubnet resource which consists of at least 2
VPC subnets containing at least each AZ of your region.
It enables support of RDS in a VPC.
This makes it possible to use RDS in a VPC setup, i.e. in EC2-VPC.
Will fix #6.