From a096815aa351bf8c7e54d5503a825f3dfe4691b3 Mon Sep 17 00:00:00 2001 From: Mathod Date: Mon, 24 Nov 2025 09:18:15 +0100 Subject: [PATCH] + acm + rds --- services/organization/accounts.yaml | 70 +++++ services/organization/namespace.yaml | 7 + services/organization/oragnization.yaml | 21 ++ .../organization/organizational-unites.yaml | 48 +++ services/organization/policy-attachments.yaml | 43 +++ services/organization/scp-deny-leave-org.yaml | 27 ++ .../organization/scp-restrict-regions.yaml | 42 +++ services/organization/secret.yaml | 13 + services/rds/README.md | 90 ++++++ services/rds/composition.yaml.stop | 289 ++++++++++++++++++ services/rds/definition.yaml.stop | 49 +++ services/rds/managedResources.yaml.stop | 221 ++++++++++++++ 12 files changed, 920 insertions(+) create mode 100644 services/organization/accounts.yaml create mode 100644 services/organization/namespace.yaml create mode 100644 services/organization/oragnization.yaml create mode 100644 services/organization/organizational-unites.yaml create mode 100644 services/organization/policy-attachments.yaml create mode 100644 services/organization/scp-deny-leave-org.yaml create mode 100644 services/organization/scp-restrict-regions.yaml create mode 100644 services/organization/secret.yaml create mode 100644 services/rds/README.md create mode 100644 services/rds/composition.yaml.stop create mode 100644 services/rds/definition.yaml.stop create mode 100644 services/rds/managedResources.yaml.stop diff --git a/services/organization/accounts.yaml b/services/organization/accounts.yaml new file mode 100644 index 0000000..e56060a --- /dev/null +++ b/services/organization/accounts.yaml 
@@ -0,0 +1,70 @@ +apiVersion: organizations.aws.m.upbound.io/v1beta1 +kind: Account +metadata: + name: aws-prod + namespace: aws-organization + labels: + environment: production + managed-by: crossplane +spec: + forProvider: + name: aws-prod + # IMPORTANT: Must be a unique email address + email: aws-prod@yourdomain.com + parentIdRef: + name: production-ou + roleName: OrganizationAccountAccessRole + tags: + Environment: Production + ManagedBy: Crossplane + CostCenter: Production + providerConfigRef: + name: org-config + +--- +apiVersion: organizations.aws.m.upbound.io/v1beta1 +kind: Account +metadata: + name: aws-dev + namespace: aws-organization + labels: + environment: development + managed-by: crossplane +spec: + forProvider: + name: aws-dev + email: aws-dev@yourdomain.com # Must be unique + parentIdRef: + name: non-production-ou + roleName: OrganizationAccountAccessRole + tags: + Environment: Development + ManagedBy: Crossplane + CostCenter: NonProduction + providerConfigRef: + name: org-config + +--- +apiVersion: organizations.aws.m.upbound.io/v1beta1 +kind: Account +metadata: + name: aws-qa + namespace: aws-organization + labels: + environment: qa + managed-by: crossplane +spec: + forProvider: + name: aws-qa + email: aws-qa@yourdomain.com # Must be unique + parentIdRef: + name: non-production-ou + roleName: OrganizationAccountAccessRole + tags: + Environment: QA + ManagedBy: Crossplane + CostCenter: NonProduction + providerConfigRef: + name: org-config + +--- \ No newline at end of file diff --git a/services/organization/namespace.yaml b/services/organization/namespace.yaml new file mode 100644 index 0000000..4014e33 --- /dev/null +++ b/services/organization/namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: aws-organization + labels: + managed-by: crossplane + purpose: aws-organization-management \ No newline at end of file 
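Review bot: None of the three Account objects sets `spec.deletionPolicy`, so with Crossplane's default of `Delete` a `kubectl delete` or a GitOps prune of this file asks the provider to take the member account out of the organization (and, depending on provider options, close it) — a high-blast-radius, hard-to-reverse action; the Organization object in the next file has the same gap. Add `deletionPolicy: Orphan` under `spec` on each Account (and on the Organization) so the Kubernetes object can be removed without touching AWS, and only flip it to `Delete` deliberately. The `aws-*@yourdomain.com` addresses are placeholders that must be globally unique; a comment stating where they are substituted (presumably by the overlay that renders these files) would make that explicit, and the trailing `---` without a newline is harmless but worth dropping.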
diff --git a/services/organization/oragnization.yaml b/services/organization/oragnization.yaml new file mode 100644 index 0000000..7ed68ff --- /dev/null +++ b/services/organization/oragnization.yaml @@ -0,0 +1,21 @@ +apiVersion: organizations.aws.m.upbound.io/v1beta1 +kind: Organization +metadata: + name: my-organization + namespace: aws-organization + labels: + managed-by: crossplane +spec: + forProvider: + awsServiceAccessPrincipals: + - cloudtrail.amazonaws.com + - config.amazonaws.com + - sso.amazonaws.com + - account.amazonaws.com + - ram.amazonaws.com + enabledPolicyTypes: + - SERVICE_CONTROL_POLICY + - TAG_POLICY + featureSet: ALL + providerConfigRef: + name: org-config \ No newline at end of file diff --git a/services/organization/organizational-unites.yaml b/services/organization/organizational-unites.yaml new file mode 100644 index 0000000..78c7c9a --- /dev/null +++ b/services/organization/organizational-unites.yaml 
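Review bot: The file names `oragnization.yaml` and `organizational-unites.yaml` are misspelled (`organization.yaml`, `organizational-units.yaml`); other tooling and documentation will reference these paths, so renaming them in this commit is cheaper than later. The Organization object itself reads fine; the missing `deletionPolicy` is raised on the accounts hunk and applies here as well.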
@@ -0,0 +1,48 @@ +apiVersion: organizations.aws.m.upbound.io/v1beta1 +kind: OrganizationalUnit +metadata: + name: production-ou + namespace: aws-organization + labels: + environment: production + managed-by: crossplane +spec: + forProvider: + name: Production + # IMPORTANT: Replace r-xxxx with your actual root ID + # Get it with: kubectl get organization my-organization -n aws-organization -o jsonpath='{.status.atProvider.roots[0].id}' + parentId: "r-xxxx" + providerConfigRef: + name: org-config + +--- +apiVersion: organizations.aws.m.upbound.io/v1beta1 +kind: OrganizationalUnit +metadata: + name: non-production-ou + namespace: aws-organization + labels: + environment: non-production + managed-by: crossplane +spec: + forProvider: + name: NonProduction + parentId: "r-xxxx" # Replace with your root ID + providerConfigRef: + name: org-config + +--- +apiVersion: organizations.aws.m.upbound.io/v1beta1 +kind: OrganizationalUnit +metadata: + name: management-ou + namespace: aws-organization + labels: + environment: management + managed-by: crossplane +spec: + forProvider: + name: Management + parentId: "r-xxxx" # Replace with your root ID + providerConfigRef: + name: org-config \ No newline at end of file diff --git a/services/organization/policy-attachments.yaml b/services/organization/policy-attachments.yaml new file mode 100644 index 0000000..bf9aec6 --- /dev/null +++ b/services/organization/policy-attachments.yaml 
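Review bot: `parentId: "r-xxxx"` is a literal placeholder repeated on all three OrganizationalUnit objects, so applying the file as committed fails, and if only the first occurrence gets replaced the other two OUs end up with a different (invalid) parent; the lookup instruction is attached only to the first object. Keep a single source of truth for the root id — a value substituted into all three by the rendering tool, or, if the provider's OrganizationalUnit schema supports referencing the organization root the way the Account objects reference OUs via `parentIdRef`, that reference — but check the schema before relying on it. At minimum move the `# IMPORTANT: Replace r-xxxx with your actual root ID` comment and the `kubectl get organization ... jsonpath` hint to the top of the file so they cover all three occurrences.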
@@ -0,0 +1,43 @@ +apiVersion: organizations.aws.m.upbound.io/v1beta1 +kind: PolicyAttachment +metadata: + name: leave-org-policy-prod + namespace: aws-organization +spec: + forProvider: + policyIdRef: + name: deny-leave-organization + targetIdRef: + name: production-ou + providerConfigRef: + name: org-config + +--- +apiVersion: organizations.aws.m.upbound.io/v1beta1 +kind: PolicyAttachment +metadata: + name: leave-org-policy-nonprod + namespace: aws-organization +spec: + forProvider: + policyIdRef: + name: deny-leave-organization + targetIdRef: + name: non-production-ou + providerConfigRef: + name: org-config + +--- +apiVersion: organizations.aws.m.upbound.io/v1beta1 +kind: PolicyAttachment +metadata: + name: region-policy-nonprod + namespace: aws-organization +spec: + forProvider: + policyIdRef: + name: deny-non-approved-regions + targetIdRef: + name: non-production-ou + providerConfigRef: + name: org-config \ No newline at end of file diff --git a/services/organization/scp-deny-leave-org.yaml b/services/organization/scp-deny-leave-org.yaml new file mode 100644 index 0000000..fa46fbd --- /dev/null +++ b/services/organization/scp-deny-leave-org.yaml @@ -0,0 +1,27 @@ +apiVersion: organizations.aws.m.upbound.io/v1beta1 +kind: Policy +metadata: + name: deny-leave-organization + namespace: aws-organization + labels: + policy-type: scp + purpose: security +spec: + forProvider: + name: DenyLeaveOrganization + description: Prevent accounts from leaving the organization + type: SERVICE_CONTROL_POLICY + content: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DenyLeaveOrg", + "Effect": "Deny", + "Action": "organizations:LeaveOrganization", + "Resource": "*" + } + ] + } + providerConfigRef: + name: org-config \ No newline at end of file diff --git a/services/organization/scp-restrict-regions.yaml b/services/organization/scp-restrict-regions.yaml new file mode 100644 index 0000000..943955b --- /dev/null +++ b/services/organization/scp-restrict-regions.yaml 
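Review bot: `deny-non-approved-regions` is attached only to `non-production-ou`, so accounts under `production-ou` keep unrestricted region access while the less sensitive environment is the one locked down, and nothing at all is attached to `management-ou`. If this is a staged rollout, record it with a comment above the third attachment, e.g. `# Region restriction is piloted on non-prod first; extend to production-ou once validated`; otherwise add a fourth PolicyAttachment with `policyIdRef.name: deny-non-approved-regions` and `targetIdRef.name: production-ou`. Keep in mind that SCPs never constrain the management account itself, so an attachment to `management-ou` only matters for member accounts placed there.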
@@ -0,0 +1,42 @@ +apiVersion: organizations.aws.m.upbound.io/v1beta1 +kind: Policy +metadata: + name: deny-non-approved-regions + namespace: aws-organization + labels: + policy-type: scp + purpose: compliance +spec: + forProvider: + name: DenyNonApprovedRegions + description: Only allow specific AWS regions for compliance + type: SERVICE_CONTROL_POLICY + content: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DenyNonApprovedRegions", + "Effect": "Deny", + "Action": "*", + "Resource": "*", + "Condition": { + "StringNotEquals": { + "aws:RequestedRegion": [ + "eu-west-1", + "us-east-1", + "us-west-2" + ] + }, + "ArnNotLike": { + "aws:PrincipalArn": [ + "arn:aws:iam::*:role/OrganizationAccountAccessRole", + "arn:aws:iam::*:role/Admin*" + ] + } + } + } + ] + } + providerConfigRef: + name: org-config \ No newline at end of file diff --git a/services/organization/secret.yaml b/services/organization/secret.yaml new file mode 100644 index 0000000..a5f652a --- /dev/null +++ b/services/organization/secret.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + name: aws-credentials + namespace: aws-organization +type: Opaque +stringData: + credentials: | + [default] + aws_access_key_id = YOUR_ACCESS_KEY_HERE + aws_secret_access_key = YOUR_SECRET_KEY_HERE + # Optional: Add region if needed + # region = us-east-1 \ No newline at end of file diff --git a/services/rds/README.md b/services/rds/README.md new file mode 100644 index 0000000..9305044 --- /dev/null +++ b/services/rds/README.md 
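Review bot: The `ArnNotLike` exemption `arn:aws:iam::*:role/Admin*` exempts every role whose name starts with `Admin` in every member account, so the region guard is only as strong as each member account's control over `iam:CreateRole`; name-pattern exemptions in an SCP are a known weak point. Exempt explicit, centrally managed role names instead, e.g. replace the second entry with `"arn:aws:iam::*:role/<explicit-break-glass-role>"` (placeholder), and keep that list short and reviewed. The policy also depends on `us-east-1` staying in the allowed list: global services (IAM, STS, Organizations, Route 53, CloudFront, Support) are evaluated with that region, so dropping it later would deny them unless a `NotAction` exemption for those services is added first — a comment above `"aws:RequestedRegion"` recording that dependency would prevent a surprising outage.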
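Review bot: `secret.yaml` commits a long-lived static access key pair — placeholders here — for what is presumably the organization's management account, the most privileged credential in the estate, and a template like this tends to get filled in and pushed. Prefer a credential source that needs no key material in git — the upbound ProviderConfig accepts `IRSA`, `WebIdentity` or `PodIdentity` as `spec.credentials.source` — or at least keep this manifest out of the repository (ignore it, or deliver it via an external/sealed secret) and scope the IAM principal to the Organizations API rather than administrator access. If the file must stay as a template, add `# Template only: never commit real keys; inject them via ExternalSecrets or a sealed secret` above `stringData` so the intent survives copy-paste.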
@@ -0,0 +1,90 @@ +# Best Practices + +1) Name scheming + +Nom des resources = -- + +2) Tagging + +# Providers + +| Name | Version | +|---|---| +| [provider-aws-rds](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | 1.2.1 | +| [provider-aws-iam](https://marketplace.upbound.io/providers/upbound/provider-aws-iam/v1.2.1) | 1.2.1 | +| [provider-aws-ec2](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1) | 1.2.1 | + +# CompositeResources + +| Provider | Kind | +|---|---| +| [IAM](https://marketplace.upbound.io/providers/upbound/provider-aws-iam/v1.2.1) | [Role](https://marketplace.upbound.io/providers/upbound/provider-aws-iam/v1.2.1/resources/iam.aws.upbound.io/Role/v1beta1) | +| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | [Cluster](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/Cluster/v1beta1) | +| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | [ClusterRoleAssociation](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/ClusterRoleAssociation/v1beta1) | +| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | [SubnetGroup](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/SubnetGroup/v1beta1) | +| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | [ClusterInstance](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/ClusterInstance/v1beta1) | +| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | [Instance](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/Instance/v1beta2) | +| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | 
[ClusterParameterGroup](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/ClusterParameterGroup/v1beta1) | +| [RDS](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1) | [ParameterGroup](https://marketplace.upbound.io/providers/upbound/provider-aws-rds/v1.2.1/resources/rds.aws.upbound.io/ParameterGroup/v1beta1) | +| [EC2](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1) | [SecurityGroup](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1/resources/ec2.aws.upbound.io/SecurityGroup/v1beta1) | +| [EC2](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1) | [SecurityGroupRule](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1/resources/ec2.aws.upbound.io/SecurityGroupRule/v1beta1) | +| [EC2](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1) | [SecurityGroupIngressRule](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1/resources/ec2.aws.upbound.io/SecurityGroupIngressRule/v1beta1) | +| [EC2](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1) | [SecurityGroupEgressRule](https://marketplace.upbound.io/providers/upbound/provider-aws-ec2/v1.2.1/resources/ec2.aws.upbound.io/SecurityGroupEgressRule/v1beta1) | + +# Claim example + +```yaml +apiVersion: crossplane.evina/v1alpha1 +kind: RDS +metadata: + namespace: crossplane-system + name: claimed- +spec: + compositionRef: + name: rds-composition + parameters: + region: + app: + environment: + engine: +``` + +## Inputs + +| Name | Description | Value |Required | +|---|---|---|---| +| region | AWS Region where the provider will operate | eu-west-1 | Required | +| app | Name of the app (Used for Tagging/Naming) | dcbprotect / karpenter / brandprotect / grafana | Required | +| environment | Environment where the claim will operate (Used for Tag/Naming) | dev / staging / production | Required | +| 
account | Environment where the claim will operate (Used for Tagging) | 169590266381 | Recommended | +| engineVersion | The engine version to use | 5.7.mysql_aurora.2.11.2 | Required | +| providerConfigRef | Target a specific account | provider-aws-config.yaml | Required | +| instanceClass | Instance used to host the database | db.t3.medium | Required | + +# Outputs + +# TODO + +- [x] Import and observe all resources from terraform +- [ ] Create a managed resources with crossplane + - [x] IAM + - [x] Role + - [x] RDS + - [ ] Cluster + - [x] SubnetGroup + - [ ] ClusterInstance + - [x] Instance + - [x] ClusterParameterGroup + - [x] ParameterGroup + - [x] EC2 + - [x] SecurityGroup + - [ ] SecurityGroupRule (Générer une managedResources pour faire le lien entre une compo RDS et APP) + - [ ] SecurityGroupIngressRule (Générer une managedResources pour faire le lien entre une compo RDS et APP) + - [x] SecurityGroupEgressRule +- [ ] Check Tags +- [ ] Check when to use Refs +- [ ] How to create more instances from claim +- [ ] Create a certIdentifier ? +- [ ] Ajouter une resource roleAssociation for RDS and IAM role created +- [ ] Ajoute automatiquement la description "Managed by terraform" SubnetGroup ?? +- [ ] Create composition and definition \ No newline at end of file diff --git a/services/rds/composition.yaml.stop b/services/rds/composition.yaml.stop new file mode 100644 index 0000000..9e9b6ab --- /dev/null +++ b/services/rds/composition.yaml.stop 
@@ -0,0 +1,289 @@ +apiVersion: apiextensions.crossplane.io/v1 +kind: Composition +metadata: + name: rds-composition + labels: + crossplane/provider: default + crossplane/xrd: xrdss.crossplane.evina +spec: + compositeTypeRef: + apiVersion: crossplane.evina/v1alpha1 + kind: XRDS + patchSets: + - name: region + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.region + toFieldPath: spec.forProvider.region + - name: providerConfigRef + patches: + - type: FromCompositeFieldPath + fromFieldPath: spec.parameters.providerConfigRef + toFieldPath: spec.providerConfigRef.name + writeConnectionSecretsToNamespace: crossplane + resources: +################################################################################################### + - name: Role + base: + apiVersion: iam.aws.upbound.io/v1beta1 + kind: Role + metadata: + labels: + claim: rds + provider: iam + kind: role + app: mathodprotect + environment: dev + spec: + forProvider: + assumeRolePolicy: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "rds.amazonaws.com" + } + } + ] + } + tags: + region: eu-west-1 + app: mathodprotect + environment: dev + account: "169590266381" + composition: rds + managedResources: role + patches: + - type: PatchSet + patchSetName: providerConfigRef + - type: CombineFromComposite + combine: + variables: + - fromFieldPath: spec.parameters.app + - fromFieldPath: spec.parameters.environment + strategy: string + string: + fmt: "rds-iam-role-%s-%s" + toFieldPath: "metadata.annotations[crossplane.io/external-name]" +################################################################################################### +# - name: Cluster +# base: +# apiVersion: rds.aws.upbound.io/v1beta1 +# kind: Cluster +# metadata: +# name: cluster-mathodprotect-dev +# labels: +# resources: Cluster +# spec: +# forProvider: +# availabilityZones: +# - eu-west-1a +# - eu-west-1b +# - eu-west-1c +# engine: 
aurora-mysql +# engineMode: provisioned +# engineVersion: 5.7.mysql_aurora.2.11.2 +# databaseName: mathodProtect +# autoGeneratePassword: true +# masterPasswordSecretRef: +# key: tropsecure +# name: cluster-mathodprotect-dev-password +# namespace: crossplane-system +# port: 3306 +# dbClusterParameterGroupName: clusterparametergroup-mathodprotect-dev +# # iamRoles: +# # - arn:aws:iam::453702081005:role/IAM-Role-Aurora +# # vpcSecurityGroupIds: +# # - sg-0292740ac642cbce9 +# vpcSecurityGroupIdRefs: +# - name: securitygroup-mathodprotect-dev +# masterUsername: mathod +# copyTagsToSnapshot: true +# finalSnapshotIdentifier: test-final +# dbSubnetGroupName: subnetgroup-mathodprotect-dev +# # dbSubnetGroupNameRef: +# backupRetentionPeriod: 1 +# preferredBackupWindow: 23:48-00:18 +# preferredMaintenanceWindow: tue:22:51-tue:23:21 +# tags: +# region: eu-west-1 +# project: mathodprotect +# environment: dev +# account: "169590266381" +# composition: rds +# managedResources: cluster +# writeConnectionSecretToRef: +# name: rds-mathod-protect-password +# namespace: crossplane-system +# patches: +# - type: PatchSet +# patchSetName: region +# - type: PatchSet +# patchSetName: providerConfigRef +################################################################################################### +# - name: SubnetGroup +# base: +# apiVersion: rds.aws.upbound.io/v1beta1 +# kind: SubnetGroup +# metadata: +# name: subnetgroup-mathodprotect-dev +# labels: +# resource: SubnetGroup +# spec: +# forProvider: +# subnetIds: # Replace to use subnetIdRefs +# - subnet-0c0a38354f2a028c8 +# - subnet-06dc47da5b4eae974 +# - subnet-0f3ee2a757ce85ad1 +# # subnetIdRefs: +# tags: +# region: eu-west-1 +# project: mathodprotect +# environment: dev +# account: "169590266381" +# composition: rds +# managedResources: subnetgroup +# patches: +# - type: PatchSet +# patchSetName: region +# - type: PatchSet +# patchSetName: providerConfigRef 
+################################################################################################### +# - name: ClusterInstance +# base: +# apiVersion: rds.aws.upbound.io/v1beta1 +# kind: ClusterInstance +# metadata: +# name: clusterinstance-mathodprotect-dev +# labels: +# resources: ClusterInstance +# spec: +# forProvider: +# # clusterIdentifier: cluster-mathodprotect-dev +# # id: backoffice-staging-eu-west-1-aurora-cluster-instance-0 +# clusterIdentifierRef: +# name: cluster-mathodprotect-dev +# engine: aurora-mysql +# instanceClass: db.t3.medium +# publiclyAccessible: false +# caCertIdentifier: rds-ca-2019 +# # dbParameterGroupName: +# dbParameterGroupNameRef: +# name: parametergroup-mathodprotect-dev +# # dbSubnetGroupName: +# dbSubnetGroupNameRef: +# name: subnetgroup-mathodprotect-dev +# patches: +# - type: PatchSet +# patchSetName: region +# - type: PatchSet +# patchSetName: providerConfigRef +################################################################################################### +# - name: ClusterParameterGroup +# base: +# apiVersion: rds.aws.upbound.io/v1beta1 +# kind: ClusterParameterGroup +# metadata: +# name: clusterparametergroup-mathodprotect-dev +# labels: +# resources: ClusterParameterGroup +# spec: +# forProvider: +# family: aurora-mysql5.7 +# parameter: +# - applyMethod: immediate +# name: aurora_load_from_s3_role +# value: arn:aws:iam::169590266381:role/role-mathodprotect-dev +# - applyMethod: immediate +# name: aurora_select_into_s3_role +# value: arn:aws:iam::169590266381:role/role-mathodprotect-dev +# - applyMethod: immediate +# name: aws_default_s3_role +# value: arn:aws:iam::169590266381:role/role-mathodprotect-dev +# - applyMethod: immediate +# name: innodb_online_alter_log_max_size +# value: "21474836480" +# - applyMethod: immediate +# name: slow_query_log +# value: "1" +# tags: +# region: eu-west-1 +# app: mathodprotect +# environment: dev +# account: "169590266381" +# composition: rds +# managedResources: 
clusterparametergroup +# patches: +# - type: PatchSet +# patchSetName: region +# - type: PatchSet +# patchSetName: providerConfigRef +################################################################################################### +# - name: ParameterGroup +# base: +# apiVersion: rds.aws.upbound.io/v1beta1 +# kind: ParameterGroup +# metadata: +# name: parametergroup-mathodprotect-dev +# labels: +# resources: ParameterGroup +# spec: +# forProvider: +# family: aurora-mysql5.7 +# tags: +# region: eu-west-1 +# app: mathodprotect +# environment: dev +# account: "169590266381" +# composition: rds +# managedResources: parametergroup +# patches: +# - type: PatchSet +# patchSetName: region +# - type: PatchSet +# patchSetName: providerConfigRef +################################################################################################### +# - name: SecurityGroup +# base: +# apiVersion: ec2.aws.upbound.io/v1beta1 +# kind: SecurityGroup +# metadata: +# name: securitygroup-mathodprotect-dev +# spec: +# forProvider: +# name: securitygroup-mathodprotect-dev +# vpcId: vpc-029aa16a171ccb018 +# # vpcIdRef: +# tags: +# region: eu-west-1 +# app: mathodprotect +# environment: dev +# account: "169590266381" +# composition: rds +# managedResources: securitygroup +# patches: +# - type: PatchSet +# patchSetName: region +# - type: PatchSet +# patchSetName: providerConfigRef +################################################################################################### +# - name: SecurityGroupEgressRule +# base: +# apiVersion: ec2.aws.upbound.io/v1beta1 +# kind: SecurityGroupEgressRule +# metadata: +# name: securitygroupegressrule-mathodprotect-dev +# spec: +# forProvider: +# cidrIpv4: 0.0.0.0/0 +# ipProtocol: "-1" +# securityGroupIdRef: +# name: securitygroup-mathodprotect-dev +# patches: +# - type: PatchSet +# patchSetName: region +# - type: PatchSet +# patchSetName: providerConfigRef \ No newline at end of file 
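Review bot: The `Role` base's trust policy allows `sts:AssumeRole` from `rds.amazonaws.com` with no `aws:SourceAccount` / `aws:SourceArn` condition, so an RDS resource in any AWS account can assume the role (the classic service-principal confused-deputy); the identical policy appears in `managedResources.yaml.stop`. Separately, the base hard-codes `app: mathodprotect`, `environment: dev` and `account: "169590266381"` in labels and tags while the claim exposes `spec.parameters.app` and `spec.parameters.environment`; only the external name is patched, so every claim is tagged as the dev app. `writeConnectionSecretsToNamespace: crossplane` also differs from the `crossplane-system` namespace used everywhere else in this patch, which looks like a typo. The fence adds the source-account condition and patches the tags from the composite; the commented-out resources are left untouched.
```yaml
      base:
        apiVersion: iam.aws.upbound.io/v1beta1
        kind: Role
        # … unchanged: metadata/labels …
        spec:
          forProvider:
            assumeRolePolicy: |
              {
                "Version": "2012-10-17",
                "Statement": [
                  {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": { "Service": "rds.amazonaws.com" },
                    "Condition": {
                      "StringEquals": { "aws:SourceAccount": "<account-id-placeholder>" }
                    }
                  }
                ]
              }
            # … unchanged: tags …
      patches:
        - type: PatchSet
          patchSetName: providerConfigRef
        # Tag the role from the claim instead of the hard-coded dev values
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.app
          toFieldPath: spec.forProvider.tags.app
        - type: FromCompositeFieldPath
          fromFieldPath: spec.parameters.environment
          toFieldPath: spec.forProvider.tags.environment
        # … unchanged: CombineFromComposite external-name patch …
```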
diff --git a/services/rds/definition.yaml.stop b/services/rds/definition.yaml.stop new file mode 100644 index 0000000..9a58a45 --- /dev/null +++ b/services/rds/definition.yaml.stop @@ -0,0 +1,49 @@ +apiVersion: apiextensions.crossplane.io/v1 +kind: CompositeResourceDefinition +metadata: + name: xrdss.crossplane.evina +spec: + group: crossplane.evina + names: + kind: XRDS + plural: xrdss + claimNames: + kind: RDS + plural: rdss + defaultCompositionRef: + name: rds-composition + versions: + - name: v1alpha1 + served: true + referenceable: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + parameters: + type: object + properties: + region: + description: AWS Region where the provider will operate + type: string + app: + description: + type: string + environment: + description: + type: string + engineVersion: + description: + type: string + providerConfigRef: + description: Name of the Kubernetes provider config + type: string + required: + - region + - app + - environment +# - engineVersion + - providerConfigRef diff --git a/services/rds/managedResources.yaml.stop b/services/rds/managedResources.yaml.stop new file mode 100644 index 0000000..08ffcf9 --- /dev/null +++ b/services/rds/managedResources.yaml.stop 
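Review bot: `description:` is left empty for `app`, `environment` and `engineVersion`, which YAML reads as `null`; the OpenAPI schema expects a string there, so the XRD may be rejected or the field silently dropped — fill them in, e.g. `description: Name of the application, used for naming and tagging` and `description: Target environment (dev / staging / production), used for naming and tagging`. The README in this patch documents `account` and `instanceClass` as inputs that this schema does not declare, and lists `engineVersion` as required while it is commented out of `required` here; keep the two in sync, or state in the README that the XRD is still a draft (the `.stop` suffix suggests it is).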
@@ -0,0 +1,221 @@ +apiVersion: iam.aws.upbound.io/v1beta1 +kind: Role +metadata: + name: role-mathodprotect-dev + labels: + resource: Role +spec: + forProvider: + assumeRolePolicy: | + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "rds.amazonaws.com" + } + } + ] + } + tags: + region: eu-west-1 + app: mathodprotect + environment: dev + account: "169590266381" + composition: rds + managedResources: role + providerConfigRef: + name: dev +--- +apiVersion: rds.aws.upbound.io/v1beta1 +kind: SubnetGroup +metadata: + name: subnetgroup-mathodprotect-dev + labels: + resource: SubnetGroup +spec: + forProvider: + region: eu-west-1 + subnetIds: # Replace to use subnetIdRefs + - subnet-0c0a38354f2a028c8 + - subnet-06dc47da5b4eae974 + - subnet-0f3ee2a757ce85ad1 +# subnetIdRefs: + tags: + region: eu-west-1 + project: mathodprotect + environment: dev + account: "169590266381" + composition: rds + managedResources: subnetgroup + providerConfigRef: + name: dev +--- +apiVersion: rds.aws.upbound.io/v1beta1 +kind: Cluster +metadata: + name: cluster-mathodprotect-dev + labels: + resources: Cluster +spec: + forProvider: + region: eu-west-1 + availabilityZones: + - eu-west-1a + - eu-west-1b + - eu-west-1c + engine: aurora-mysql + engineMode: provisioned + engineVersion: 5.7.mysql_aurora.2.11.2 + databaseName: mathodProtect + autoGeneratePassword: true + masterPasswordSecretRef: + key: tropsecure + name: cluster-mathodprotect-dev-password + namespace: crossplane-system + port: 3306 + dbClusterParameterGroupName: clusterparametergroup-mathodprotect-dev +# iamRoles: +# - arn:aws:iam::453702081005:role/IAM-Role-Aurora +# vpcSecurityGroupIds: +# - sg-0292740ac642cbce9 + vpcSecurityGroupIdRefs: + - name: securitygroup-mathodprotect-dev + masterUsername: mathod + copyTagsToSnapshot: true + finalSnapshotIdentifier: test-final + dbSubnetGroupName: subnetgroup-mathodprotect-dev +# dbSubnetGroupNameRef: + 
backupRetentionPeriod: 1 + preferredBackupWindow: 23:48-00:18 + preferredMaintenanceWindow: tue:22:51-tue:23:21 + tags: + region: eu-west-1 + project: mathodprotect + environment: dev + account: "169590266381" + composition: rds + managedResources: cluster + writeConnectionSecretToRef: + name: rds-mathod-protect-password + namespace: crossplane-system + providerConfigRef: + name: dev +--- +apiVersion: rds.aws.upbound.io/v1beta1 +kind: ClusterInstance +metadata: + name: clusterinstance-mathodprotect-dev + labels: + resources: ClusterInstance +spec: + forProvider: + region: eu-west-1 +# clusterIdentifier: cluster-mathodprotect-dev +# id: backoffice-staging-eu-west-1-aurora-cluster-instance-0 + clusterIdentifierRef: + name: cluster-mathodprotect-dev + engine: aurora-mysql + instanceClass: db.t3.medium + publiclyAccessible: false + caCertIdentifier: rds-ca-2019 +# dbParameterGroupName: + dbParameterGroupNameRef: + name: parametergroup-mathodprotect-dev +# dbSubnetGroupName: + dbSubnetGroupNameRef: + name: subnetgroup-mathodprotect-dev + providerConfigRef: + name: dev +--- +apiVersion: rds.aws.upbound.io/v1beta1 +kind: ClusterParameterGroup +metadata: + name: clusterparametergroup-mathodprotect-dev + labels: + resources: ClusterParameterGroup +spec: + forProvider: + region: eu-west-1 + family: aurora-mysql5.7 + parameter: + - applyMethod: immediate + name: aurora_load_from_s3_role + value: arn:aws:iam::169590266381:role/role-mathodprotect-dev + - applyMethod: immediate + name: aurora_select_into_s3_role + value: arn:aws:iam::169590266381:role/role-mathodprotect-dev + - applyMethod: immediate + name: aws_default_s3_role + value: arn:aws:iam::169590266381:role/role-mathodprotect-dev + - applyMethod: immediate + name: innodb_online_alter_log_max_size + value: "21474836480" + - applyMethod: immediate + name: slow_query_log + value: "1" + tags: + region: eu-west-1 + app: mathodprotect + environment: dev + account: "169590266381" + composition: rds + managedResources: 
clusterparametergroup + providerConfigRef: + name: dev +--- +apiVersion: rds.aws.upbound.io/v1beta1 +kind: ParameterGroup +metadata: + name: parametergroup-mathodprotect-dev + labels: + resources: ParameterGroup +spec: + forProvider: + region: eu-west-1 + family: aurora-mysql5.7 + tags: + region: eu-west-1 + app: mathodprotect + environment: dev + account: "169590266381" + composition: rds + managedResources: parametergroup + providerConfigRef: + name: dev +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: SecurityGroup +metadata: + name: securitygroup-mathodprotect-dev +spec: + forProvider: + region: eu-west-1 + name: securitygroup-mathodprotect-dev + vpcId: vpc-029aa16a171ccb018 +# vpcIdRef: + tags: + region: eu-west-1 + app: mathodprotect + environment: dev + account: "169590266381" + composition: rds + managedResources: securitygroup + providerConfigRef: + name: dev +--- +apiVersion: ec2.aws.upbound.io/v1beta1 +kind: SecurityGroupEgressRule +metadata: + name: securitygroupegressrule-mathodprotect-dev +spec: + forProvider: + region: eu-west-1 + cidrIpv4: 0.0.0.0/0 + ipProtocol: "-1" + securityGroupIdRef: + name: securitygroup-mathodprotect-dev + providerConfigRef: + name: dev \ No newline at end of file
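Review bot: The `Cluster` object sets no `storageEncrypted`, so the Aurora cluster is created without storage encryption (the default for a provisioned cluster is off), and no `deletionProtection`, which together with `backupRetentionPeriod: 1` and `finalSnapshotIdentifier: test-final` leaves little protection against accidental loss; add `storageEncrypted: true` and `deletionProtection: true` under `spec.forProvider` and reconsider the one-day retention. The `ClusterInstance` pins `caCertIdentifier: rds-ca-2019`, a CA that has reached end of life; switch to a current one such as `caCertIdentifier: rds-ca-rsa2048-g1`. The `Role` shares the unconditioned `rds.amazonaws.com` trust policy raised on the composition hunk, and the `ClusterParameterGroup` points the S3 integration parameters at that role although nothing associates it with the cluster (`iamRoles` is commented out), which the README's TODO already acknowledges.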