From 4877db46f8f0f7a72b0097270bfdbde0e31faa14 Mon Sep 17 00:00:00 2001
From: Khalim Conn-Kowlessar
Date: Mon, 10 Jul 2023 13:20:59 +0100
Subject: [PATCH] Updating vpc definition for database
---
 infrastructure/terraform/main.tf | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf
index ac90f381..ea84e1d7 100644
--- a/infrastructure/terraform/main.tf
+++ b/infrastructure/terraform/main.tf
@@ -29,6 +29,32 @@ data "aws_secretsmanager_secret_version" "db_credentials" {
 secret_id = data.aws_secretsmanager_secret.db_credentials.id
 }
 
+# Default VPC
+data "aws_default_vpc" "default" {}
+
+# For MVP, we allow all inbound traffic to the DB - this will need to be changed later; we'll likely
+# need to re-deploy the frontend to AWS so that it's within the same VPC as the DB
+resource "aws_security_group" "allow_db" {
+ name = "allow_tls"
+ description = "Allow TLS inbound traffic"
+ vpc_id = data.aws_default_vpc.default.id
+
+ ingress {
+ # TLS (change to whatever ports you need)
+ from_port = 5432
+ to_port = 5432
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
 resource "aws_db_instance" "default" {
 allocated_storage = var.allocated_storage
 engine = "postgres"
@@ -39,6 +65,7 @@ resource "aws_db_instance" "default" {
 password = jsondecode(data.aws_secretsmanager_secret_version.db_credentials.secret_string)["db_assessment_model_password"]
 parameter_group_name = "default.postgres14"
 skip_final_snapshot = true
+ vpc_security_group_ids = [aws_security_group.allow_db.id]
 lifecycle {
 prevent_destroy = true
 }
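Review bot: The security group in the first hunk is named `allow_tls` with description "Allow TLS inbound traffic" and carries a `# TLS` comment, but the rule it actually defines is plain TCP/5432 from `0.0.0.0/0`, and nothing on the instance side enforces TLS (it keeps `parameter_group_name = "default.postgres14"`), so the name promises a protection the rule does not provide; rename it to what it does, e.g. `name = "allow_db"` and `description = "PostgreSQL inbound from anywhere - temporary for MVP"`, and drop the copied `# TLS (change to whatever ports you need)` line. The world-open ingress is acknowledged in the comment, but an inline comment is easily lost; consider narrowing `cidr_blocks` to the frontend's known egress address range now (reachability also depends on `publicly_accessible`, which is not visible in this hunk) and, if that is not possible yet, recording the tightening as a tracked follow-up rather than only in the comment. Separately, the AWS provider exposes `aws_default_vpc` as a resource rather than a data source, so `data "aws_default_vpc" "default" {}` is unlikely to plan; the equivalent lookup is `data "aws_vpc" "default" { default = true }` with `vpc_id = data.aws_vpc.default.id`. The second hunk's `vpc_security_group_ids` wiring is fine once the group itself is corrected.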