feat(rds): psql Connection Command as Output (#1036)

cloudposse · May 17, 2024 · e12c805 · e12c805
1 parent 276cedc
commit e12c805
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 2 deletions.
diff --git a/modules/rds/README.md b/modules/rds/README.md
@@ -231,6 +231,7 @@ Example - I want a new instance `rds-example-new` to be provisioned from a snaps
 | Name | Description |
 |------|-------------|
 | <a name="output_exports"></a> [exports](#output\_exports) | Map of exports for use in deployment configuration templates |
+| <a name="output_psql_helper"></a> [psql\_helper](#output\_psql\_helper) | A helper output to use with psql for connecting to this RDS instance. |
 | <a name="output_rds_address"></a> [rds\_address](#output\_rds\_address) | Address of the instance |
 | <a name="output_rds_arn"></a> [rds\_arn](#output\_rds\_arn) | ARN of the instance |
 | <a name="output_rds_database_ssm_key_prefix"></a> [rds\_database\_ssm\_key\_prefix](#output\_rds\_database\_ssm\_key\_prefix) | SSM prefix |

diff --git a/modules/rds/main.tf b/modules/rds/main.tf
@@ -18,6 +18,8 @@ locals {
     local.eks_security_groups,
     var.security_group_ids
   )
+
+  psql_access_enabled = local.enabled && (var.engine == "postgres")
 }
 
 module "rds_client_sg" {

diff --git a/modules/rds/outputs.tf b/modules/rds/outputs.tf
@@ -1,3 +1,15 @@
+locals {
+  ssm_path_as_list        = split("/", local.rds_database_password_path)
+  ssm_path_app            = trim(join("/", slice(local.ssm_path_as_list, 0, length(local.ssm_path_as_list) - 1)), "/")
+  ssm_path_password_value = element(local.ssm_path_as_list, length(local.ssm_path_as_list) - 1)
+  psql_message            = <<EOT
+  Use the following to connect to this RDS instance:
+  (You must have access to read the SSM parameter, have access to the private network if necessary, and have security group access)
+
+  PGPASSWORD=$(chamber read ${local.ssm_path_app} ${local.ssm_path_password_value} -q) psql --host=${module.rds_instance.instance_address} --port=${var.database_port} --username=${local.database_user} --dbname=${var.database_name}
+  EOT
+}
+
 output "rds_name" {
   value       = local.enabled ? var.database_name : null
   description = "RDS DB name"
@@ -66,3 +78,8 @@ output "exports" {
   }
   description = "Map of exports for use in deployment configuration templates"
 }
+
+output "psql_helper" {
+  value       = local.psql_access_enabled ? local.psql_message : ""
+  description = "A helper output to use with psql for connecting to this RDS instance."
+}
diff --git a/modules/rds/systems-manager.tf b/modules/rds/systems-manager.tf
@@ -48,7 +48,8 @@ variable "ssm_key_port" {
 }
 
 locals {
-  ssm_enabled = local.enabled && var.ssm_enabled
+  ssm_enabled                = local.enabled && var.ssm_enabled
+  rds_database_password_path = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_password)
 }
 
 resource "aws_ssm_parameter" "rds_database_user" {
@@ -64,7 +65,7 @@ resource "aws_ssm_parameter" "rds_database_user" {
 resource "aws_ssm_parameter" "rds_database_password" {
   count = local.ssm_enabled ? 1 : 0
 
-  name        = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_password)
+  name        = local.rds_database_password_path
   value       = local.database_password
   description = "RDS DB password"
   type        = "SecureString"