
Add support for AWS SSM #24

Description

@bobbyiliev

Currently, we create the necessary RDS objects like databases using a Kubernetes job from the Helm Terraform module.

Ideally, we would like to have better control over that and possibly use the Postgres Terraform module instead.

We can use an EC2 bastion host running AWS SSM Session Manager to tunnel access to RDS, e.g.:

# Latest Amazon Linux 2023 image; it ships with the SSM agent preinstalled.
data "aws_ami" "amazon_linux" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["al2023-ami-2023.*-x86_64"]
  }
}

# No ingress at all: Session Manager is initiated outbound by the agent, so not even port 22 is exposed.
resource "aws_security_group" "bastion" {
  name   = "${local.name_prefix}-bastion"
  vpc_id = var.vpc_id # assumed: the RDS VPC, not defined in this snippet

  egress { # HTTPS to the ssm / ssmmessages / ec2messages endpoints
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress { # Postgres to RDS inside the VPC
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr] # assumed variable
  }
}

resource "aws_instance" "bastion" {
  ami                    = data.aws_ami.amazon_linux.id
  instance_type          = "t3.micro"
  subnet_id              = var.database_subnet_ids[0] # Inside the RDS VPC
  vpc_security_group_ids = [aws_security_group.bastion.id]

  iam_instance_profile = aws_iam_instance_profile.ssm_instance_profile.name

  metadata_options {
    http_tokens = "required" # IMDSv2 only: role credentials need a session token
  }

  tags = { Name = "${local.name_prefix}-bastion" }
}

resource "aws_iam_role" "ssm_role" {
  name = "${local.name_prefix}-ssm-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_instance_profile" "ssm_instance_profile" {
  name = "${local.name_prefix}-ssm-profile"
  role = aws_iam_role.ssm_role.name
}

# Only what the SSM agent needs to register with Session Manager.
resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.ssm_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

Then, the Terraform PostgreSQL provider can connect via the bastion’s private IP.

provider "postgresql" {
  host     = aws_instance.bastion.private_ip
  port     = 5432
  database = var.database_name
  username = var.database_username
  password = var.database_password
  # "require" encrypts the connection but does not verify the server certificate;
  # "verify-ca" with sslrootcert pointing at the RDS CA bundle also checks the chain.
  sslmode  = "require"
}
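The pieces the proposal above leaves out, as an added example that is not code from the issue or the project: the interface endpoints the SSM agent needs when the bastion sits in a private database subnet with no NAT, the RDS ingress rule scoped to the bastion's security group, an operator policy that permits only port-forwarding sessions to that one instance, and the provider configuration for the forwarded port. Session Manager port forwarding (the AWS-StartPortForwardingSessionToRemoteHost document) listens on the operator's own machine, so the provider connects to that local port rather than to the bastion's private IP. `var.vpc_id`, `var.rds_security_group_id`, the local port 15432 and the CA bundle path are assumptions; `aws_instance.bastion` and `aws_security_group.bastion` refer to the resources proposed above.

```hcl
# Added example, not the issue's or the project's code. Assumed inputs the issue
# never defines: var.vpc_id, var.rds_security_group_id. aws_instance.bastion and
# aws_security_group.bastion are the resources proposed above.

data "aws_region" "current" {}

# The SSM agent dials out over HTTPS to ssm, ssmmessages and ec2messages. A
# bastion in a private database subnet with no NAT gateway reaches them only
# through interface endpoints, one per service.
resource "aws_security_group" "ssm_endpoints" {
  name   = "${local.name_prefix}-ssm-endpoints"
  vpc_id = var.vpc_id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }
}

resource "aws_vpc_endpoint" "ssm" {
  for_each            = toset(["ssm", "ssmmessages", "ec2messages"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [var.database_subnet_ids[0]]
  security_group_ids  = [aws_security_group.ssm_endpoints.id]
  private_dns_enabled = true
}

# RDS admits Postgres from the bastion's security group only, not from a CIDR.
resource "aws_vpc_security_group_ingress_rule" "rds_from_bastion" {
  security_group_id            = var.rds_security_group_id
  referenced_security_group_id = aws_security_group.bastion.id
  from_port                    = 5432
  to_port                      = 5432
  ip_protocol                  = "tcp"
}

# Operators get port forwarding to this one instance and nothing else:
# SessionDocumentAccessCheck makes IAM evaluate the document ARN as well, so
# an interactive shell (the default SSM-SessionManagerRunShell) is denied.
data "aws_iam_policy_document" "operator_tunnel" {
  statement {
    sid       = "StartSessionOnBastion"
    actions   = ["ssm:StartSession"]
    resources = [aws_instance.bastion.arn]
    condition {
      test     = "Bool"
      variable = "ssm:SessionDocumentAccessCheck"
      values   = ["true"]
    }
  }
  statement {
    sid       = "PortForwardingDocumentOnly"
    actions   = ["ssm:StartSession"]
    resources = ["arn:aws:ssm:${data.aws_region.current.name}::document/AWS-StartPortForwardingSessionToRemoteHost"]
  }
  statement {
    # Session IDs are prefixed with the caller's user name; $$ escapes the
    # IAM policy variable so Terraform does not try to interpolate it.
    sid       = "ManageOwnSessions"
    actions   = ["ssm:TerminateSession", "ssm:ResumeSession"]
    resources = ["arn:aws:ssm:*:*:session/$${aws:username}-*"]
  }
}

resource "aws_iam_policy" "operator_tunnel" {
  name   = "${local.name_prefix}-rds-tunnel"
  policy = data.aws_iam_policy_document.operator_tunnel.json
}

# The operator opens the tunnel before `terraform apply`. It listens on the
# workstation, so the provider connects to the forwarded local port, not to
# the bastion's private IP:
#
#   aws ssm start-session --target <bastion instance id> \
#     --document-name AWS-StartPortForwardingSessionToRemoteHost \
#     --parameters '{"host":["<rds endpoint>"],"portNumber":["5432"],"localPortNumber":["15432"]}'
#
# verify-full would fail here because the server certificate names the RDS
# endpoint, not 127.0.0.1; verify-ca still validates the chain against the bundle.
provider "postgresql" {
  host        = "127.0.0.1"
  port        = 15432
  database    = var.database_name
  username    = var.database_username
  password    = var.database_password
  sslmode     = "verify-ca"
  sslrootcert = "${path.module}/global-bundle.pem" # assumed: downloaded RDS CA bundle
}
```

Two things to check before relying on this: the VPC needs DNS support and DNS hostnames enabled for `private_dns_enabled` to take effect, and the `ManageOwnSessions` pattern matches sessions started by IAM users; callers arriving through federated roles get session IDs prefixed with their role session name instead, so adjust that resource pattern to how your operators authenticate.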

Metadata

Assignees: No one assigned
Labels: No labels
Projects: No projects
Milestone: No milestone
Development: No branches or pull requests