ministryofjustice · madhu-k-sr2 · Apr 11, 2024 · Apr 3, 2024 · Apr 4, 2024 · Apr 4, 2024
@@ -0,0 +1,42 @@
+data "aws_iam_policy_document" "dms_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["dms.eu-west-2.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "dms_glue_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      identifiers = ["glue.amazonaws.com"]
+      type        = "Service"
+    }
+  }
+}
+
+data "aws_iam_policy_document" "dms_target_ep_s3_bucket" {
+  statement {
+    sid = "EnforceTLSv12orHigher"
+    principals {
+      type        = "AWS"
+      identifiers = ["*"]
+    }
+    effect  = "Deny"
+    actions = ["s3:*"]
+    resources = [
+      aws_s3_bucket.dms_target_ep_s3_bucket.arn,
+      "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}/*"
+    ]
+    condition {
+      test     = "NumericLessThan"
+      variable = "s3:TlsVersion"
+      values   = [1.2]
+    }
+  }
+}
@@ -0,0 +1,49 @@
+resource "aws_glue_connection" "rds_sqlserver_db_glue_connection" {
+  connection_properties = {
+    JDBC_CONNECTION_URL = "jdbc:sqlserver://${aws_db_instance.database_2022.endpoint}"
+    PASSWORD            = aws_secretsmanager_secret_version.db_password.secret_string
+    USERNAME            = "admin"
+  }
+
+  name = "rds-sqlserver-db-glue-conn-tf"
+
+  physical_connection_requirements {
+    security_group_id_list = [aws_security_group.db.id]
+    subnet_id              = data.aws_subnet.private_subnets_a.id
+    availability_zone      = data.aws_subnet.private_subnets_a.availability_zone
+  }
+}
+
+resource "aws_glue_catalog_database" "rds_sqlserver_glue_catalog_db" {
+  name = "rds_sqlserver_dms"
+  create_table_default_permission {
+    permissions = ["SELECT"]
+
+    principal {
+      data_lake_principal_identifier = "IAM_ALLOWED_PRINCIPALS"
+    }
+  }
+}
+
+resource "aws_glue_crawler" "rds-sqlserver-db-glue-crawler" {
+  name          = "rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf"
+  role          = aws_iam_role.dms-glue-crawler-role.arn
+  database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name
+  description   = "Crawler to fetch database names"
+  #   table_prefix  = "your_table_prefix"
+
+  jdbc_target {
+    connection_name = aws_glue_connection.rds_sqlserver_db_glue_connection.name
+    path            = "%"
+  }
+  tags = merge(
+    local.tags,
+    {
+      Resource_Type = "RDS SQLServer Glue Crawler for DMS",
+    }
+  )
+
+  # provisioner "local-exec" {
+  #   command = "aws glue start-crawler --name ${self.name}"
+  # }
+}
@@ -0,0 +1,83 @@
+# Database Migration Service requires the below IAM Roles to be created before replication instances can be created. 
+
+# Define IAM role for DMS S3 Endpoint
+resource "aws_iam_role" "dms-endpoint-role" {
+  name               = "dms-endpoint-access-role-tf"
+  assume_role_policy = data.aws_iam_policy_document.dms_assume_role.json
+}
+
+# Define S3 IAM policy for DMS S3 Endpoint
+resource "aws_iam_policy" "dms-s3-ep-role-policy" {
+  name = "dms-s3-target-ep-policy"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "DMSAccess",
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetBucketLocation",
+                "s3:ListBucket"
+            ],
+            "Resource": "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}"
+        },
+        {
+            "Sid": "DMSObjectActions",
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:DeleteObject"
+            ],
+            "Resource": "${aws_s3_bucket.dms_target_ep_s3_bucket.arn}/*"
+        }
+    ]
+}
+EOF
+}
+
+# Attach predefined IAM Policy to the Role for DMS S3 Endpoint
+resource "aws_iam_role_policy_attachment" "dms-endpoint-role" {
+  role       = aws_iam_role.dms-endpoint-role.name
+  policy_arn = aws_iam_policy.dms-s3-ep-role-policy.arn
+}
+
+# ==========================================================================
+
+# Create DMS VPC EC2 Role
+resource "aws_iam_role" "dms-vpc-role" {
+  name               = "dms-vpc-mng-role-tf"
+  assume_role_policy = data.aws_iam_policy_document.dms_assume_role.json
+}
+
+# Attach IAM Policy to the predefined DMS VPC EC2 Role
+resource "aws_iam_role_policy_attachment" "dms-vpc-role-AmazonDMSVPCManagementRole" {
+  role       = aws_iam_role.dms-vpc-role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole"
+}
+
+# ==========================================================================
+
+resource "aws_iam_role" "dms-cloudwatch-logs-role" {
+  name               = "dms-cloudwatch-logs-role-tf"
+  assume_role_policy = data.aws_iam_policy_document.dms_assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole" {
+  role       = aws_iam_role.dms-cloudwatch-logs-role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole"
+}
+
+resource "aws_iam_role" "dms-glue-crawler-role" {
+  name               = "dms-glue-crawler-role-tf"
+  assume_role_policy = data.aws_iam_policy_document.dms_glue_assume_role.json
+  managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"]
+}
+
+resource "aws_iam_role_policy_attachment" "dms-glue-crawler-role" {
+  role       = aws_iam_role.dms-glue-crawler-role.name
+  policy_arn = aws_iam_policy.dms-s3-ep-role-policy.arn
+}
+# ==========================================================================
@@ -0,0 +1,25 @@
+module "dms_task" {
+  source = "./modules/dms"
+
+  for_each = toset(var.database_list)
+
+  database_name = each.key
+
+  # DMS Source Endpoint Inputs
+  rds_db_security_group_id = aws_security_group.db.id
+  rds_db_server_name       = split(":", aws_db_instance.database_2022.endpoint)[0]
+  rds_db_instance_port     = aws_db_instance.database_2022.port
+  rds_db_username          = aws_db_instance.database_2022.username
+  rds_db_instance_pasword  = aws_db_instance.database_2022.password
+
+  # DMS Target Endpoint Inputs
+  target_s3_bucket_name      = aws_s3_bucket.dms_target_ep_s3_bucket.id
+  ep_service_access_role_arn = aws_iam_role.dms-endpoint-role.arn
+
+  # DMS Migration Task Inputs
+  dms_replication_instance_arn    = aws_dms_replication_instance.dms_replication_instance.replication_instance_arn
+  rep_task_settings_filepath      = trimspace(file("${path.module}/dms_replication_task_settings.json"))
+  rep_task_table_mapping_filepath = trimspace(file("${path.module}/dms_rep_task_table_mappings.json"))
+
+  local_tags = local.tags
+}
@@ -0,0 +1,17 @@
+{
+    "rules": [
+        {
+            "rule-type": "selection",
+            "rule-id": "054476697",
+            "rule-name": "054476697",
+            "object-locator": {
+                "schema-name": "%",
+                "table-name": "%"
+            },
+            "rule-action": "include",
+            "filters": [],
+            "parallel-load": null,
+            "isAutoSegmentationChecked": false
+        }
+    ]
+}
@@ -0,0 +1,53 @@
+# Create a new replication subnet group
+resource "aws_dms_replication_subnet_group" "dms_replication_subnet_group" {
+  replication_subnet_group_description = "RDS subnet group"
+  replication_subnet_group_id          = "rds-replication-subnet-group-tf"
+
+  subnet_ids = tolist(aws_db_subnet_group.db.subnet_ids)
+
+  tags = merge(
+    local.tags,
+    {
+      Resource_Type = "DMS Replication Subnet Group",
+    }
+  )
+
+  # explicit depends_on is needed since this resource doesn't reference the role or policy attachment
+  depends_on = [aws_iam_role_policy_attachment.dms-vpc-role-AmazonDMSVPCManagementRole]
+}
+
+# ==========================================================================
+
+# Create a new replication instance
+
+resource "aws_dms_replication_instance" "dms_replication_instance" {
+  allocated_storage          = var.dms_allocated_storage_gib
+  apply_immediately          = true
+  auto_minor_version_upgrade = true
+  availability_zone          = var.dms_availability_zone
+  engine_version             = var.dms_engine_version
+  #   kms_key_arn                  = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8"
+  multi_az = false
+  #   preferred_maintenance_window = "sun:10:30-sun:14:30"
+  publicly_accessible         = false
+  replication_instance_class  = var.dms_replication_instance_class
+  replication_instance_id     = "dms-replication-instance-tf"
+  replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id
+
+  tags = merge(
+    local.tags,
+    {
+      Resource_Type = "DMS Replication Instance",
+    }
+  )
+
+  vpc_security_group_ids = [
+    aws_security_group.dms_ri_security_group.id,
+  ]
+
+  depends_on = [
+    aws_iam_role_policy_attachment.dms-endpoint-role,
+    aws_iam_role_policy_attachment.dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole,
+    aws_iam_role_policy_attachment.dms-vpc-role-AmazonDMSVPCManagementRole
+  ]
+}