Implement dms module to create pre-migration configuration

TheOneFromNorway · bogsi17 · commit d1db17b102b6 · 2025-06-18T17:24:55.000+01:00
- Increase max ACU
  - The migration is quite memory intensive on the target &amp; source DBs
- Implement template file
- Allow new ECS module access to DB secrets
- Include target DB secrets into permission scope for ECS task execution
  role
- Include target DM in existing security group configuration
  - This simplifies setup as existing security group can simply persist
    post-migration
- Create custom kms key
  - This is the crucial element needed to allow remote backups of target
    db
- Implement naming convention/strategy for db instance configuration
 - One locals with for_each loop
 - Read and write node are in failover configuration so refer to them
   simply as primary 1 and 2
- Create read instance for the source DB
  - This is needed for DB failover to reboot instances without downtime
  - Allows syncing to updated parameter groups as needed for the migration
- Update policy with base permissions needed for running deployments via
  github
- Create additional policy document with DMS specific permissions (to be
  attached to github deployment role)
diff --git a/terraform/account/deployment_permissions.tf b/terraform/account/deployment_permissions.tf
@@ -45,3 +45,15 @@ resource "aws_iam_role_policy_attachment" "data_replication" {
   role       = aws_iam_role.data_replication_deploy.name
   policy_arn = each.value
 }
+
+################ DMS Policies ################
+
+resource "aws_iam_policy" "dms" {
+  name   = "DMSGithubPolicy"
+  policy = file("resources/iam_policy_DMSGithubPolicy.json")
+}
+
+resource "aws_iam_role_policy_attachment" "mavis_dms" {
+  role       = aws_iam_role.mavis_deploy.name
+  policy_arn = aws_iam_policy.dms.arn
+}
diff --git a/terraform/account/resources/iam_policy_DMSGithubPolicy.json b/terraform/account/resources/iam_policy_DMSGithubPolicy.json
@@ -0,0 +1,28 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "Statement1",
+      "Effect": "Allow",
+      "Action": [
+        "dms:CreateDataMigration",
+        "dms:CreateEndpoint",
+        "dms:CreateReplicationConfig",
+        "dms:CreateReplicationInstance",
+        "dms:CreateReplicationSubnetGroup",
+        "dms:CreateReplicationTask",
+        "dms:DeleteEndpoint",
+        "dms:DeleteReplicationConfig",
+        "dms:DeleteReplicationInstance",
+        "dms:DeleteReplicationTask",
+        "dms:DeleteReplicationSubnetGroup",
+        "dms:ModifyEndpoint",
+        "dms:ModifyReplicationConfig",
+        "dms:ModifyReplicationTask",
+        "dms:ModifyReplicationInstance",
+        "dms:ModifyReplicationSubnetGroup"
+      ],
+      "Resource": ["*"]
+    }
+  ]
+}
diff --git a/terraform/account/resources/iam_policy_DeployMavisResources.json b/terraform/account/resources/iam_policy_DeployMavisResources.json
@@ -34,6 +34,7 @@
         "ec2:CreateSecurityGroup",
         "ec2:CreateSubnet",
         "ec2:CreateVpc",
+        "ec2:CreateVpcEndpoint",
         "ec2:DeleteFlowLogs",
         "ec2:DeleteInternetGateway",
         "ec2:DeleteNatGateway",
@@ -42,6 +43,7 @@
         "ec2:DeleteSecurityGroup",
         "ec2:DeleteSubnet",
         "ec2:DeleteVpc",
+        "ec2:DeleteVpcEndpoints",
         "ec2:DetachInternetGateway",
         "ec2:DetachNetworkInterface",
         "ec2:DisassociateAddress",
@@ -95,12 +97,16 @@
         "rds:CreateDBCluster",
         "rds:CreateDBInstance",
         "rds:CreateDBSubnetGroup",
+        "rds:CreateDBClusterParameterGroup",
         "rds:DeleteDBCluster",
         "rds:DeleteDBInstance",
         "rds:DeleteDBSubnetGroup",
+        "rds:DeleteDBClusterParameterGroup",
         "rds:ModifyDBCluster",
         "rds:ModifyCurrentDBClusterCapacity",
         "rds:ModifyDBInstance",
+        "rds:ModifyDBClusterParameterGroup",
+        "rds:ResetDBClusterParameterGroup",
         "resource-groups:CreateGroup",
         "resource-groups:DeleteGroup",
         "route53:ChangeResourceRecordSets",
@@ -119,6 +125,9 @@
         "secretsmanager:CreateSecret",
         "secretsmanager:PutSecretValue",
         "secretsmanager:UpdateSecret",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:RotateSecret",
+        "secretsmanager:DeleteSecret",
         "ssm:DeleteParameter",
         "ssm:DeleteParameters",
         "ssm:PutParameter"
diff --git a/terraform/app/db_migration_configuration.tf b/terraform/app/db_migration_configuration.tf
@@ -0,0 +1,95 @@
+module "dms_custom_kms_migration" {
+  source      = "./modules/dms"
+  environment = var.environment
+
+  ecs_sg_ids           = concat(local.ecs_sg_ids, [module.prepare_new_db_service.security_group_id])
+  source_endpoint      = aws_rds_cluster.aurora_cluster.endpoint
+  source_port          = aws_rds_cluster.aurora_cluster.port
+  source_database_name = aws_rds_cluster.aurora_cluster.database_name
+  source_db_secret_arn = var.db_secret_arn == null ? aws_rds_cluster.aurora_cluster.master_user_secret[0].secret_arn : var.db_secret_arn
+
+  target_endpoint        = aws_rds_cluster.core.endpoint
+  target_port            = aws_rds_cluster.core.port
+  target_database_name   = aws_rds_cluster.core.database_name
+  target_db_secret_arn   = aws_rds_cluster.core.master_user_secret[0].secret_arn
+  target_db_rotation_arn = aws_secretsmanager_secret_rotation.target.id
+
+  engine_name = aws_rds_cluster.aurora_cluster.engine
+  subnet_ids  = [aws_subnet.private_subnet_a.id, aws_subnet.private_subnet_b.id]
+
+  rds_cluster_security_group_id = aws_security_group.rds_security_group.id
+  vpc_id                        = aws_vpc.application_vpc.id
+}
+
+module "prepare_new_db_service" {
+  source = "./modules/ecs_service"
+
+  cluster_id            = aws_ecs_cluster.cluster.id
+  cluster_name          = aws_ecs_cluster.cluster.name
+  environment           = var.environment
+  maximum_replica_count = 1
+  minimum_replica_count = 1
+  network_params = {
+    subnets = [aws_subnet.private_subnet_a.id, aws_subnet.private_subnet_b.id]
+    vpc_id  = aws_vpc.application_vpc.id
+  }
+  server_type      = "none"
+  server_type_name = "prepare_new_db"
+  task_config = {
+    environment = [{
+      name  = "DB_HOST"
+      value = aws_rds_cluster.core.endpoint
+      },
+      {
+        name  = "DB_NAME"
+        value = aws_rds_cluster.core.database_name
+      },
+      {
+        name  = "RAILS_ENV"
+        value = var.rails_env
+      },
+      {
+        name  = "SENTRY_ENVIRONMENT"
+        value = var.environment
+      },
+      {
+        name  = "MAVIS__CIS2__ENABLED"
+        value = "false"
+      },
+      {
+        name  = "MAVIS__SPLUNK__ENABLED"
+        value = "false"
+      }
+    ]
+    secrets = [
+      {
+        name      = "DB_CREDENTIALS"
+        valueFrom = aws_rds_cluster.core.master_user_secret[0].secret_arn
+      },
+      {
+        name      = "RAILS_MASTER_KEY"
+        valueFrom = var.rails_master_key_path
+      }
+    ]
+    cpu                  = 1024
+    memory               = 2048
+    docker_image         = "${var.account_id}.dkr.ecr.eu-west-2.amazonaws.com/${var.docker_image}@${var.image_digest}"
+    execution_role_arn   = aws_iam_role.ecs_task_execution_role.arn
+    task_role_arn        = aws_iam_role.ecs_task_role.arn
+    log_group_name       = aws_cloudwatch_log_group.ecs_log_group.name
+    region               = var.region
+    health_check_command = ["CMD-SHELL", "echo 'alive' || exit 1"]
+  }
+  depends_on = [aws_rds_cluster_instance.core]
+}
+
+resource "aws_security_group_rule" "db_prepare_access_to_db" {
+  type                     = "ingress"
+  from_port                = aws_rds_cluster.core.port
+  to_port                  = aws_rds_cluster.core.port
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.rds_security_group.id
+  source_security_group_id = module.prepare_new_db_service.security_group_id
+
+  description = "Allow access from the prepare_new_db ECS service to the core RDS cluster"
+}
diff --git a/terraform/app/env/production.tfvars b/terraform/app/env/production.tfvars
@@ -26,9 +26,10 @@ ecs_log_retention_days    = 30
 backup_retention_period   = 7
 ssl_policy                = "ELBSecurityPolicy-TLS13-1-2-2021-06"
 access_logs_bucket        = "nhse-mavis-access-logs-production"
-max_aurora_capacity_units = 16
+max_aurora_capacity_units = 32
 minimum_web_replicas      = 2
 maximum_web_replicas      = 4
 container_insights        = "enhanced"
 
 enable_backup_to_vault = true
+
diff --git a/terraform/app/env/qa.tfvars b/terraform/app/env/qa.tfvars
@@ -24,7 +24,7 @@ http_hosts = {
 appspec_bucket            = "nhse-mavis-appspec-bucket-qa"
 minimum_web_replicas      = 2
 maximum_web_replicas      = 4
-max_aurora_capacity_units = 16
+max_aurora_capacity_units = 32
 container_insights        = "enhanced"
 
 enable_backup_to_vault = true
diff --git a/terraform/app/env/sandbox-alpha.tfvars b/terraform/app/env/sandbox-alpha.tfvars
@@ -24,3 +24,4 @@ appspec_bucket       = "nhse-mavis-appspec-bucket-sandbox-alpha"
 minimum_web_replicas = 1
 maximum_web_replicas = 2
 good_job_replicas    = 1
+
diff --git a/terraform/app/env/test.tfvars b/terraform/app/env/test.tfvars
@@ -21,3 +21,5 @@ http_hosts = {
 appspec_bucket       = "nhse-mavis-appspec-bucket-test"
 minimum_web_replicas = 2
 maximum_web_replicas = 4
+
+max_aurora_capacity_units = 32
diff --git a/terraform/app/env/training.tfvars b/terraform/app/env/training.tfvars
@@ -28,3 +28,5 @@ http_hosts = {
 appspec_bucket       = "nhse-mavis-appspec-bucket-training"
 minimum_web_replicas = 2
 maximum_web_replicas = 4
+
+max_aurora_capacity_units = 32
diff --git a/terraform/app/iam_policy_documents.tf b/terraform/app/iam_policy_documents.tf
@@ -60,7 +60,8 @@ data "aws_iam_policy_document" "ecs_secrets_access" {
     sid     = "dbSecretSid"
     actions = ["secretsmanager:GetSecretValue"]
     resources = [
-      var.db_secret_arn == null ? aws_rds_cluster.aurora_cluster.master_user_secret[0].secret_arn : var.db_secret_arn
+      var.db_secret_arn == null ? aws_rds_cluster.aurora_cluster.master_user_secret[0].secret_arn : var.db_secret_arn,
+      aws_rds_cluster.core.master_user_secret[0].secret_arn
     ]
     effect = "Allow"
   }
diff --git a/terraform/app/kms.tf b/terraform/app/kms.tf
@@ -0,0 +1,36 @@
+data "aws_iam_role" "dms_service_linked_role" {
+  name = "AWSServiceRoleForDMSServerless"
+}
+
+resource "aws_kms_key" "rds_cluster" {
+  description = "Custom KMS key for new Aurora cluster"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = "AllowAccount"
+        Effect = "Allow"
+        Principal = {
+          AWS = ["arn:aws:iam::${var.account_id}:root", "arn:aws:iam::${var.backup_account_id}:root"]
+        }
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "AllowDMS"
+        Effect = "Allow"
+        Principal = {
+          AWS = data.aws_iam_role.dms_service_linked_role.arn
+        }
+        Action = [
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:DescribeKey"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
diff --git a/terraform/app/rds.tf b/terraform/app/rds.tf
@@ -33,6 +33,23 @@ resource "aws_db_subnet_group" "aurora_subnet_group" {
   }
 }
 
+resource "aws_rds_cluster_parameter_group" "migration_source" {
+  name        = "${var.environment}-enable-logical-replication"
+  family      = "aurora-postgresql16"
+  description = "Custom parameter group for Aurora PostgreSQL cluster"
+
+  parameter {
+    name         = "rds.logical_replication"
+    value        = 1
+    apply_method = "pending-reboot"
+  }
+  parameter {
+    name         = "max_wal_senders"
+    value        = 20
+    apply_method = "pending-reboot"
+  }
+}
+
 resource "aws_rds_cluster" "aurora_cluster" {
   cluster_identifier              = var.resource_name.db_cluster
   engine                          = "aurora-postgresql"
@@ -50,7 +67,7 @@ resource "aws_rds_cluster" "aurora_cluster" {
   allow_major_version_upgrade     = true
   preferred_backup_window         = "01:00-01:30"
   preferred_maintenance_window    = "sun:02:30-sun:03:00"
-  db_cluster_parameter_group_name = "default.aurora-postgresql16" # Remove this line after it's released. The default parameter group will then be handled internally by AWS.
+  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.migration_source.name
 
   serverlessv2_scaling_configuration {
     max_capacity = var.max_aurora_capacity_units
@@ -72,3 +89,85 @@ resource "aws_rds_cluster_instance" "aurora_instance" {
   db_subnet_group_name = aws_db_subnet_group.aurora_subnet_group.name
   promotion_tier       = 1
 }
+
+resource "aws_rds_cluster_instance" "old_read_replica" {
+  cluster_identifier   = aws_rds_cluster.aurora_cluster.id
+  identifier           = "mavis-${var.environment}-rds-read-instance"
+  instance_class       = "db.serverless"
+  engine               = aws_rds_cluster.aurora_cluster.engine
+  engine_version       = aws_rds_cluster.aurora_cluster.engine_version
+  db_subnet_group_name = aws_db_subnet_group.aurora_subnet_group.name
+  promotion_tier       = 1
+}
+
+resource "aws_db_subnet_group" "core" {
+  name        = "mavis-${var.environment}-core"
+  subnet_ids  = [aws_subnet.private_subnet_a.id, aws_subnet.private_subnet_b.id]
+  description = "Private subnets for the core aurora RDS cluster"
+  tags = {
+    name = "mavis-${var.environment}-core"
+  }
+}
+
+resource "aws_rds_cluster_parameter_group" "migration_target" {
+  name        = "${var.environment}-disable-constraints"
+  family      = "aurora-postgresql16"
+  description = "Custom parameter group for Aurora PostgreSQL cluster"
+
+  parameter {
+    name         = "session_replication_role"
+    value        = "replica"
+    apply_method = "immediate"
+  }
+  parameter {
+    name         = "max_wal_senders"
+    value        = 20
+    apply_method = "pending-reboot"
+  }
+}
+
+resource "aws_rds_cluster" "core" {
+  cluster_identifier              = "mavis-${var.environment}"
+  engine                          = "aurora-postgresql"
+  engine_mode                     = "provisioned"
+  engine_version                  = "16.8"
+  database_name                   = "manage_vaccinations"
+  master_username                 = "postgres"
+  backup_retention_period         = var.backup_retention_period
+  skip_final_snapshot             = !local.is_production
+  db_subnet_group_name            = aws_db_subnet_group.core.name
+  vpc_security_group_ids          = [aws_security_group.rds_security_group.id]
+  kms_key_id                      = aws_kms_key.rds_cluster.arn
+  storage_encrypted               = true
+  manage_master_user_password     = true
+  enable_http_endpoint            = true
+  deletion_protection             = true
+  allow_major_version_upgrade     = true
+  preferred_backup_window         = "01:00-01:30"
+  preferred_maintenance_window    = "sun:02:30-sun:03:00"
+  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.migration_target.name
+
+  serverlessv2_scaling_configuration {
+    max_capacity = var.max_aurora_capacity_units
+    min_capacity = 0.5
+  }
+}
+
+resource "aws_secretsmanager_secret_rotation" "target" {
+  secret_id          = aws_rds_cluster.core.master_user_secret[0].secret_arn
+  rotate_immediately = false
+  rotation_rules {
+    schedule_expression = "rate(400 days)"
+  }
+}
+
+resource "aws_rds_cluster_instance" "core" {
+  for_each             = local.db_instances
+  cluster_identifier   = aws_rds_cluster.core.id
+  identifier           = "mavis-${var.environment}-${each.key}"
+  instance_class       = "db.serverless"
+  engine               = aws_rds_cluster.core.engine
+  engine_version       = aws_rds_cluster.core.engine_version
+  db_subnet_group_name = aws_db_subnet_group.core.name
+  promotion_tier       = each.value["promotion_tier"]
+}
diff --git a/terraform/app/variables.tf b/terraform/app/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,8 @@ data "aws_iam_policy_document" "ecs_secrets_access" {`
`60`	`60`	`sid = "dbSecretSid"`
`61`	`61`	`actions = ["secretsmanager:GetSecretValue"]`
`62`	`62`	`resources = [`
`63`		`- var.db_secret_arn == null ? aws_rds_cluster.aurora_cluster.master_user_secret[0].secret_arn : var.db_secret_arn`
	`63`	`+ var.db_secret_arn == null ? aws_rds_cluster.aurora_cluster.master_user_secret[0].secret_arn : var.db_secret_arn,`
	`64`	`+ aws_rds_cluster.core.master_user_secret[0].secret_arn`
`64`	`65`	`]`
`65`	`66`	`effect = "Allow"`
`66`	`67`	`}`