Updating vpc definition for database

2026-06-08 11:17:27 +00:00 · 2023-07-10 13:20:59 +01:00 · 2023-07-10 13:20:59 +01:00 · 4877db46f8
commit 4877db46f8
parent a0ee39a2f9
1 changed files with 27 additions and 0 deletions
--- a/infrastructure/terraform/main.tf
+++ b/infrastructure/terraform/main.tf
@ -29,6 +29,32 @@ data "aws_secretsmanager_secret_version" "db_credentials" {
  secret_id = data.aws_secretsmanager_secret.db_credentials.id
 }

+# Default VPC
+data "aws_default_vpc" "default" {}
+
+# For MVP, we allow all inbound traffic to the DB - this will need to be changed later; we'll likely
+# need to re-deploy the frontend to AWS so that it's within the same VPC as the DB
+resource "aws_security_group" "allow_db" {
+  name        = "allow_tls"
+  description = "Allow TLS inbound traffic"
+  vpc_id      = data.aws_default_vpc.default.id
+
+  ingress {
+    # TLS (change to whatever ports you need)
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port = 0
+    to_port = 0
+    protocol = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
 resource "aws_db_instance" "default" {
  allocated_storage    = var.allocated_storage
  engine               = "postgres"
@ -39,6 +65,7 @@ resource "aws_db_instance" "default" {
  password             = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)["db_assessment_model_password"]
  parameter_group_name = "default.postgres14"
  skip_final_snapshot  = true
+  vpc_security_group_ids = [aws_security_group.allow_db.id]
  lifecycle {
    prevent_destroy = true
  }