Initial Implementation (#1)

* Add basic main.tf

This will hold our global config to be used in other resources

* Add default global variables

* Add Postgres Aurora

This commit has largely been lifted from our backing services module for
Postgres Aurora. It creates a Postgres Aurora cluster and writes the
outputs of that to SSM. If no master username / password is given, these
are generated as a random strings and saved to SSM using SecureString
where necessary. If not postgres_name is given, it defaults to using
using the terraform-null-label outputted id.

* Add VPC backing-services

This is part of terraform-root-modules backing service but I think we 
will likely want to create the VPC outside of this module and pass it 
in. I’ve left in for now but we can take out later.

* Add Postgres read replica

* Add Elasticache Redis backing service

* Add Kops metadata module

This is used to pull information from our kops cluser by doing a load of
data lookups based on some tags. We can then pass things like Kops node
security groups around to be used by other modules.

* Add AmazonMQ backing service for CodeFresh

This commit adds ActiveMQ broker and config for CodeFresh Enterprise. An
admin user is created and credentials stored encrypted in SSM. A DNS
hostname is created for the ActiveMQ endpoints.

Note that unlike the other backing modules in here, AmazonMQ resources
are not currently their own module. There are only a handful of
resources for this AmazonMQ stuff but we can pull it out into a module
if we so wish.

The default ActiveMQ config [1] has been added. This is optional in the
`aws_mq_broker` but due to Terraform not supporting conditional blocks
beyond a basic count, it is a pain to conditionally add this. The schema
can be found [2]

[1] http://svn.apache.org/repos/asf/activemq/trunk/assembly/src/release/conf/activemq.xml
[2] https://s3-us-west-2.amazonaws.com/amazon-mq-docs/XML/amazon-mq-active-mq-5.15.0.xsd

* Add docs

* Remove RDS Aurora Postgres replica

* Remove VPC and subnet modules

We will be injecting these resources into an existing VPC

* Remove need for kops metadata

* Move AmazonMQ into own module

* Add EFS

* Drop Redis Elasticache version to 3.2.6

3.2.10 doesn’t support encryption, see below:

```
Error creating Elasticache Replication Group: InvalidParameterCombination: Encryption features are not supported for engine version 3.2.10. Please use engine version 3.2.6
```

* Move aws_mq_broker users into module

These should have been in the module that calls this module however
there is a Terraform bug [1] meaning passing the list of user maps is
failing when trying to use a local value.

From the calling module, the below does work:

```
  users = [{
    "username"       = "admin"
    "password"       = "defaultpassword"
    "groups"         = ["admin"]
    "console_access" = true
  }]
```

however, using locals as we want to, it does not:

```
  users = [{
    "username"       = “${local.admin_user}”
    "password"       = “${local.admin_password}”
    "groups"         = ["admin"]
    "console_access" = true
  }]
```

[1] hashicorp/terraform#12263

* Update docs

* Remove deprecated mq_broker_name variable

* Pin aws-mq-broker module to 0.1.0 release

* Add global enabled variable for whole module

We can toggle individual components of the backing services by enabling
a specific service, or using the global flag to enable/disable all.

* Add s3 bucket to CodeFresh backing services.

* Rename node_security_groups to security_groups

These maybe the security groups of your kops nodes, they may not, so be
more generic.

* Add usage to README

* Pass only 1 or 2 subnets to mq.tf

Running ActiveMQ in ACTIVE_STANDBY_MULTI_AZ mode requires you only
supply 2 subnets. Any more and the resource will complain. Similarly
you must pass a single subnet if running in SINGLE_INSTANCE mode

* Actually use postgres_db_name if we pass it in

* Add full example

* Remove postgres_name variable

This should just be var.name as the postgres name is computed in the
RDS cluster module using labels.

* Pin mq broker module to latest 0.2.0 release

* Remove redis_name as this is calculated in module

* Update Redis variable descriptions

* overwrite SSM parameter is expected as a boolean

* Bump AmazonMQ default instance type

mq.t2.micro is likely not what you want in production.

* Remove null-label since not being used anymore

It is in use in all the submodule we call and we delegate down to them
for naming.

* Bump aws-efs module

To ensure we can use enabled flags on it

* Bump aws-s3-bucket to 0.1.0

Since we have the initial PR merged and have cut a release

* Remove aws-mq-broker enabled flags

Bump aws-mq-broker to 0.3.0, which does not feature enabled flags, so 
remove them.

In its current incarnation the terraform-aws-mq-broker does not support
the enabled variable allowing for boolean creation of resources in the
module, see [1] for more context.

[1] cloudposse/terraform-aws-mq-broker#4

* Add optional EFS VPC and subnet_id variables

This commit adds variables to enable overriding what VPC and subnet that
EFS runs in. If you don’t provide them, it default back to the 
`var.vpc_id` and `var.subnet_ids` values.

During testing of this module, we found something interesting. We were
deploying EFS to the backing services VPC, which is a different VPC to
the k8s cluster. Our pods were unable to resolve the DNS endpoint of the
EFS cluster, despite there being VPC peering between the two, with DNS
lookups between them enabled. AWS documentation [1] states that in this
scenario, you have a few options:

1) Use the EFS IP address directly (no thanks)
2) Create a DNS entry in Route53 CNAME’ing to the EFS DNS endpoint in 
   a private hosted zone

The underlying EFS module does already create a Route53 DNS entry CNAME
to the EFS DNS endpoint, but it isn’t in a private zone. The pod could
not resolve the Route53 DNS. Deploying EFS into the _same_ VPC as the 
k8s nodes worked a treat and finally the pods were able to resolve and 
mount EFS volumes.


[1] https://docs.aws.amazon.com/efs/latest/ug/manage-fs-access-vpc-peering.html

* Fix typos

* Fix typos

* Remove EFS + AmazonMQ from CodeFresh services

CodeFresh Enterprise is not compatible with AmazonMQ on the protocol
level and EFS will be moved into a general Kops backing service.

* Remove Terraform glue variables

These should be in the caller module, not this generic module.

* Update docs and pin example modules

* Update docs to remove TODO and add note on enabled

Author: joshmyers

README.md

@@ -29,9 +29,6 @@ badges:
     url: "https://slack.cloudposse.com"
 
 related:
-  - name: "terraform-null-label"
-    description: "Terraform Module to define a consistent naming convention by (namespace, stage, name, [attributes])"
-    url: "https://github.com/cloudposse/terraform-null-label"
   - name: "terraform-aws-rds-cluster"
     description: "Terraform module to provision an RDS Aurora cluster for MySQL or Postgres"
     url: "https://github.com/cloudposse/terraform-aws-rds-cluster"
@@ -56,21 +53,33 @@ related:
 
 # Short description of this project
 description: |-
-  Terraform module to provision CodeFresh Enterprise backing services for usage with a kops cluster
+  Terraform module to provision CodeFresh Enterprise backing services
 
 introduction: |-
   The module provisions the following resources:
-  - AWS Aurora primary
-  - AWS Aurora read replica
+  - AWS Aurora Postgresql
   - AWS Elasticache Redis
-  - AWS AmazonMQ (ActiveMQ)
+  - AWS S3 bucket with associated user and permissions
+
+  **NOTE:** This module can be enabled or disabled in entirety using the `enabled` flag or you can override certain services e.g. `s3_enabled = "true"` which will enable only the S3 backing service resources given `enabled = "false"`
 
 # How to use this project
 usage: |-
+  ```terraform
+  module "codefresh_backing_services" {
+    source          = "git::https://github.com/cloudposse/terraform-aws-codefresh-backing-services.git?ref=master"
+    enabled         = "true"
+    name            = "${var.name}"
+    namespace       = "${var.namespace}"
+    region          = "${var.region}"
+    stage           = "${var.stage}"
+    vpc_id          = "${module.vpc.vpc_id}"
+    subnet_ids      = ["${module.subnets.private_subnet_ids}"]
+    security_groups = ["${module.vpc.vpc_default_security_group_id}"]
+  }
+  ```
 
   For a complete example, see [examples/complete](examples/complete)
-  TODO
-
 
 include:
   - "docs/targets.md"

README.yaml

@@ -0,0 +1,182 @@
+# Don't use `admin` 
+# Read more: <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html>
+# ("MasterUsername admin cannot be used as it is a reserved word used by the engine")
+variable "postgres_admin_user" {
+  type        = "string"
+  description = "Postgres admin user name"
+  default     = ""
+}
+
+# Must be longer than 8 chars
+# Read more: <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html>
+# ("The parameter MasterUserPassword is not a valid password because it is shorter than 8 characters")
+variable "postgres_admin_password" {
+  type        = "string"
+  description = "Postgres password for the admin user"
+  default     = ""
+}
+
+variable "postgres_db_name" {
+  type        = "string"
+  description = "Postgres database name"
+  default     = ""
+}
+
+# db.r4.large is the smallest instance type supported by Aurora Postgres
+# https://aws.amazon.com/rds/aurora/#
+variable "postgres_instance_type" {
+  type        = "string"
+  default     = "db.r4.large"
+  description = "EC2 instance type for Postgres cluster"
+}
+
+variable "postgres_cluster_size" {
+  type        = "string"
+  default     = "2"
+  description = "Postgres cluster size"
+}
+
+variable "postgres_cluster_enabled" {
+  type        = "string"
+  default     = ""
+  description = "Set to false to prevent the module from creating any resources"
+}
+
+variable "postgres_cluster_family" {
+  type        = "string"
+  default     = "aurora-postgresql9.6"
+  description = "Postgres cluster DB family. Currently supported values are `aurora-postgresql9.6` and `aurora-postgresql10`"
+}
+
+variable "postgres_maintenance_window" {
+  type        = "string"
+  default     = "sun:03:00-sun:04:00"
+  description = "Weekly time range during which system maintenance can occur, in UTC"
+}
+
+locals {
+  postgres_cluster_enabled = "${var.postgres_cluster_enabled != "" ? var.postgres_cluster_enabled : var.enabled}"
+  postgres_admin_user      = "${length(var.postgres_admin_user) > 0 ? var.postgres_admin_user : join("", random_string.postgres_admin_user.*.result)}"
+  postgres_admin_password  = "${length(var.postgres_admin_password) > 0 ? var.postgres_admin_password : join("", random_string.postgres_admin_password.*.result)}"
+  postgres_db_name         = "${var.postgres_db_name != "" ? var.postgres_db_name : join("", random_pet.postgres_db_name.*.id)}"
+}
+
+module "aurora_postgres" {
+  source             = "git::https://github.com/cloudposse/terraform-aws-rds-cluster.git?ref=tags/0.10.0"
+  namespace          = "${var.namespace}"
+  stage              = "${var.stage}"
+  name               = "${var.name}"
+  attributes         = ["postgresql"]
+  engine             = "aurora-postgresql"
+  cluster_family     = "${var.postgres_cluster_family}"
+  instance_type      = "${var.postgres_instance_type}"
+  cluster_size       = "${var.postgres_cluster_size}"
+  admin_user         = "${local.postgres_admin_user}"
+  admin_password     = "${local.postgres_admin_password}"
+  db_name            = "${local.postgres_db_name}"
+  db_port            = "5432"
+  maintenance_window = "${var.postgres_maintenance_window}"
+  vpc_id             = "${var.vpc_id}"
+  subnets            = ["${var.subnet_ids}"]
+  zone_id            = "${local.zone_id}"
+  security_groups    = ["${var.security_groups}"]
+  enabled            = "${local.postgres_cluster_enabled}"
+}
+
+resource "random_pet" "postgres_db_name" {
+  count     = "${local.postgres_cluster_enabled == "true" ? 1 : 0}"
+  separator = "_"
+}
+
+resource "random_string" "postgres_admin_user" {
+  count   = "${local.postgres_cluster_enabled  == "true" ? 1 : 0}"
+  length  = 8
+  special = false
+  number  = false
+}
+
+resource "random_string" "postgres_admin_password" {
+  count   = "${local.postgres_cluster_enabled == "true" ? 1 : 0}"
+  length  = 16
+  special = true
+}
+
+resource "aws_ssm_parameter" "aurora_postgres_database_name" {
+  count       = "${local.postgres_cluster_enabled == "true" ? 1 : 0}"
+  name        = "${format(var.chamber_format, local.chamber_service, "aurora_postgres_database_name")}"
+  value       = "${module.aurora_postgres.name}"
+  description = "Aurora Postgres Database Name"
+  type        = "String"
+  overwrite   = "${var.overwrite_ssm_parameter}"
+}
+
+resource "aws_ssm_parameter" "aurora_postgres_master_username" {
+  count       = "${local.postgres_cluster_enabled == "true" ? 1 : 0}"
+  name        = "${format(var.chamber_format, local.chamber_service, "aurora_postgres_master_username")}"
+  value       = "${module.aurora_postgres.user}"
+  description = "Aurora Postgres Username for the master DB user"
+  type        = "String"
+  overwrite   = "${var.overwrite_ssm_parameter}"
+}
+
+resource "aws_ssm_parameter" "aurora_postgres_master_password" {
+  count       = "${local.postgres_cluster_enabled == "true" ? 1 : 0}"
+  name        = "${format(var.chamber_format, local.chamber_service, "aurora_postgres_master_password")}"
+  value       = "${module.aurora_postgres.password}"
+  description = "Aurora Postgres Password for the master DB user"
+  type        = "SecureString"
+  key_id      = "${data.aws_kms_key.chamber_kms_key.id}"
+  overwrite   = "${var.overwrite_ssm_parameter}"
+}
+
+resource "aws_ssm_parameter" "aurora_postgres_master_hostname" {
+  count       = "${local.postgres_cluster_enabled == "true" ? 1 : 0}"
+  name        = "${format(var.chamber_format, local.chamber_service, "aurora_postgres_master_hostname")}"
+  value       = "${module.aurora_postgres.master_host}"
+  description = "Aurora Postgres DB Master hostname"
+  type        = "String"
+  overwrite   = "${var.overwrite_ssm_parameter}"
+}
+
+resource "aws_ssm_parameter" "aurora_postgres_replicas_hostname" {
+  count       = "${local.postgres_cluster_enabled == "true" ? 1 : 0}"
+  name        = "${format(var.chamber_format, local.chamber_service, "aurora_postgres_replicas_hostname")}"
+  value       = "${module.aurora_postgres.replicas_host}"
+  description = "Aurora Postgres DB Replicas hostname"
+  type        = "String"
+  overwrite   = "${var.overwrite_ssm_parameter}"
+}
+
+resource "aws_ssm_parameter" "aurora_postgres_cluster_name" {
+  count       = "${local.postgres_cluster_enabled == "true" ? 1 : 0}"
+  name        = "${format(var.chamber_format, local.chamber_service, "aurora_postgres_cluster_name")}"
+  value       = "${module.aurora_postgres.cluster_name}"
+  description = "Aurora Postgres DB Cluster Identifier"
+  type        = "String"
+  overwrite   = "${var.overwrite_ssm_parameter}"
+}
+
+output "aurora_postgres_database_name" {
+  value       = "${local.postgres_cluster_enabled == "true" ? module.aurora_postgres.name : ""}"
+  description = "Aurora Postgres Database name"
+}
+
+output "aurora_postgres_master_username" {
+  value       = "${local.postgres_cluster_enabled == "true" ? module.aurora_postgres.user : ""}"
+  description = "Aurora Postgres Username for the master DB user"
+}
+
+output "aurora_postgres_master_hostname" {
+  value       = "${local.postgres_cluster_enabled == "true" ? module.aurora_postgres.master_host : ""}"
+  description = "Aurora Postgres DB Master hostname"
+}
+
+output "aurora_postgres_replicas_hostname" {
+  value       = "${local.postgres_cluster_enabled == "true" ? module.aurora_postgres.replicas_host : ""}"
+  description = "Aurora Postgres Replicas hostname"
+}
+
+output "aurora_postgres_cluster_name" {
+  value       = "${local.postgres_cluster_enabled == "true" ? module.aurora_postgres.cluster_name : ""}"
+  description = "Aurora Postgres Cluster Identifier"
+}

aurora-postgres.tf

@@ -0,0 +1,10 @@
+## Makefile Targets
+```
+Available targets:
+
+  help                                Help screen
+  help/all                            Display help for all targets
+  help/short                          This help short screen
+  lint                                Lint terraform code
+
+```

docs/targets.md

@@ -0,0 +1,65 @@
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| attributes | Additional attributes (e.g. `1`) | list | `<list>` | no |
+| chamber_format | Format to store parameters in SSM, for consumption with chamber | string | `/%s/%s` | no |
+| chamber_service | `chamber` service name. See [chamber usage](https://github.com/segmentio/chamber#usage) for more details | string | `` | no |
+| delimiter | Delimiter to be used between `namespace`, `stage`, `name` and `attributes` | string | `-` | no |
+| enabled | Set to false to prevent the module from creating any resources | string | `true` | no |
+| kms_key_id | KMS key ID used to encrypt SSM parameters | string | `` | no |
+| name | Name  (e.g. `codefresh`) | string | `cf` | no |
+| namespace | Namespace (e.g. `eg` or `cp`) | string | - | yes |
+| overwrite_ssm_parameter | Whether to overwrite an existing SSM parameter | string | `true` | no |
+| postgres_admin_password | Postgres password for the admin user | string | `` | no |
+| postgres_admin_user | Postgres admin user name | string | `` | no |
+| postgres_cluster_enabled | Set to false to prevent the module from creating any resources | string | `` | no |
+| postgres_cluster_family | Postgres cluster DB family. Currently supported values are `aurora-postgresql9.6` and `aurora-postgresql10` | string | `aurora-postgresql9.6` | no |
+| postgres_cluster_size | Postgres cluster size | string | `2` | no |
+| postgres_db_name | Postgres database name | string | `` | no |
+| postgres_instance_type | EC2 instance type for Postgres cluster | string | `db.r4.large` | no |
+| postgres_maintenance_window | Weekly time range during which system maintenance can occur, in UTC | string | `sun:03:00-sun:04:00` | no |
+| redis_apply_immediately | Whether to apply changes immediately or during the next maintenance window | string | `true` | no |
+| redis_at_rest_encryption_enabled | Enable Redis encryption at rest | string | `true` | no |
+| redis_auth_token | Auth token for password protecting Redis. `transit_encryption_enabled` must be set to `true`! Password must be longer than 16 chars | string | `` | no |
+| redis_automatic_failover | Whether to enable automatic failover | string | `true` | no |
+| redis_cluster_enabled | Set to false to prevent the module from creating any resources | string | `` | no |
+| redis_cluster_size | Redis cluster size | string | `2` | no |
+| redis_engine_version | Version of Redis engine | string | `5.0.0` | no |
+| redis_instance_type | EC2 instance type for Redis cluster | string | `cache.t2.medium` | no |
+| redis_maintenance_window | Weekly time range during which system maintenance can occur, in UTC | string | `sun:03:00-sun:04:00` | no |
+| redis_params | A list of Redis parameters to apply. Note that parameters may differ from a Redis family to another | list | `<list>` | no |
+| redis_transit_encryption_enabled | Enable TLS for Redis cluster | string | `true` | no |
+| s3_access_key_name | S3 user IAM access key name for storing in SSM. Default to aws_acces_key_id so chamber exports as AWS_ACCESS_KEY_ID, a standard AWS IAM ENV variable | string | `aws_access_key_id` | no |
+| s3_allowed_bucket_actions | List of actions to permit for S3 bucket | list | `<list>` | no |
+| s3_enabled | Set to false to prevent the module from creating any resources | string | `` | no |
+| s3_secret_key_name | S3 user IAM secret key name for storing in SSM. Default to aws_secret_acces_key so chamber exports as AWS_SECRET_ACCESS_KEY, a standard AWS IAM ENV variable | string | `aws_secret_access_key` | no |
+| s3_user_enabled | Set to `true` to create an S3 user with permission to access the bucket | string | `` | no |
+| s3_versioning_enabled | Whether to enable versioning on the S3 bucket. | string | `false` | no |
+| security_groups | List of security groups to be allowed to connect to the CodeFresh backing services | list | `<list>` | no |
+| stage | Stage (e.g. `prod`, `dev`, `staging`) | string | - | yes |
+| subnet_ids | A list of subnet IDs to launch the CodeFresh backing services in | list | `<list>` | no |
+| tags | Additional tags (e.g. map(`Cluster`,`us-east-1.cloudposse.co`) | map | `<map>` | no |
+| vpc_id | VPC ID for the CodeFresh backing services | string | - | yes |
+| zone_name | DNS zone name | string | - | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| aurora_postgres_cluster_name | Aurora Postgres Cluster Identifier |
+| aurora_postgres_database_name | Aurora Postgres Database name |
+| aurora_postgres_master_hostname | Aurora Postgres DB Master hostname |
+| aurora_postgres_master_username | Aurora Postgres Username for the master DB user |
+| aurora_postgres_replicas_hostname | Aurora Postgres Replicas hostname |
+| elasticache_redis_host | Elasticache Redis host |
+| elasticache_redis_id | Elasticache Redis cluster ID |
+| elasticache_redis_security_group_id | Elasticache Redis security group ID |
+| s3_access_key_id | The access key ID |
+| s3_bucket_arn | The s3 bucket ARN |
+| s3_secret_access_key | The secret access key. This will be written to the state file in plain-text |
+| s3_user_arn | The ARN assigned by AWS for the user |
+| s3_user_name | Normalized IAM user name |
+| s3_user_unique_id | The user unique ID assigned by AWS |
+