diff --git a/terraform/aws/corporate/inputs.tf b/terraform/aws/corporate/inputs.tf
index f0a2b302adcf9..c534a2c9f4edf 100644
--- a/terraform/aws/corporate/inputs.tf
+++ b/terraform/aws/corporate/inputs.tf
@@ -40,6 +40,12 @@ variable "vault_load_balancer_security_group_id" {
 default = "sg-cb97a3b9"
 }
 
+variable "vault_security_group_id" {
+ type = "string"
+ description = "The VPC security group ID for the Vault nodes / ec2 instances themselves."
+ default = "sg-49af9b3b"
+}
+
 variable "vault_dns_record_name" {
 type = "string"
 description = "The record to create on the wpesvc.net to point at Vault's internally facing Application Load Balancer."
@@ -58,6 +64,12 @@ variable "corporate_core_metrics_subnet_id" {
 default = "subnet-d3b549f9"
 }
 
+variable "metricsdb_security_group_id" {
+ type = "string"
+ description = "The VPC security group ID for the metricsdb nodes / ec2 instance."
+ default = "sg-f4065b8d"
+}
+
 variable "cm_subnet_id" {
 type = "string"
 description = "Subnet ID for the cm-aws instance"
diff --git a/terraform/aws/corporate/main.tf b/terraform/aws/corporate/main.tf
index a254775e6b4f9..a7a1edb788aa1 100644
--- a/terraform/aws/corporate/main.tf
+++ b/terraform/aws/corporate/main.tf
@@ -45,6 +45,17 @@ module "corporate_core_metrics_to_vault" {
 }
 }
 
+resource "aws_security_group_rule" "allow_vault_server_to_metricsdb_mysql" {
+ provider = "aws.corporate"
+ type = "ingress"
+ from_port = 3306
+ to_port = 3306
+ protocol = "tcp"
+ source_security_group_id = "${var.vault_security_group_id}"
+
+ security_group_id = "${var.metricsdb_security_group_id}"
+}
+
 module "cm_to_vault" {
 source = "git@github.com:wpengine/infraform.git//modules/aws-vpc-peering-to-vault-vpc?ref=v1.42"
diff --git a/terraform/aws/development/inputs.tf b/terraform/aws/development/inputs.tf
index 513c1a05a3b7c..14a21fa275eb8 100644
--- a/terraform/aws/development/inputs.tf
+++ b/terraform/aws/development/inputs.tf
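Review bot: The new `aws_security_group_rule` "allow_vault_server_to_metricsdb_mysql" in terraform/aws/corporate/main.tf carries no `description`, so the resulting ingress entry on the metricsdb security group appears in the console and in any audit export with no indication of why TCP 3306 is open to the Vault nodes; add `description = "MySQL from Vault nodes (var.vault_security_group_id)"` next to `type = "ingress"`. The identical rule added in terraform/aws/development/main.tf has the same gap. If `var.vault_security_group_id` belongs to the peered Vault VPC rather than the corporate VPC, which the surrounding `*_to_vault` peering modules suggest but the hunk does not show, a cross-VPC `source_security_group_id` reference only resolves for same-region peering, so that should be confirmed before relying on it rather than a CIDR-based rule. Since the rule body is byte-identical across the two environments apart from `provider`, it is a candidate for a small shared module alongside the existing ones.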
@@ -46,6 +46,12 @@ variable "vault_load_balancer_security_group_id" {
 default = "sg-1b8c8569"
 }
 
+variable "vault_security_group_id" {
+ type = "string"
+ description = "The VPC security group ID for the Vault nodes / ec2 instances themselves."
+ default = "sg-bb8e87c9"
+}
+
 variable "vault_dns_record_name" {
 type = "string"
 description = "The record to create on the wpesvc.net to point at Vault's internally facing Application Load Balancer."
@@ -64,6 +70,12 @@ variable "corporate_core_metrics_subnet_id" {
 default = "subnet-88f28fd0"
 }
 
+variable "metricsdb_security_group_id" {
+ type = "string"
+ description = "The VPC security group ID for the metricsdb nodes / ec2 instance."
+ default = "sg-3d895142"
+}
+
 variable "gcp_project" {
 type = "string"
 description = "The GCP project to connect to for dev-cm."
diff --git a/terraform/aws/development/main.tf b/terraform/aws/development/main.tf
index b2a62b9ac10b0..a716f11f101c1 100644
--- a/terraform/aws/development/main.tf
+++ b/terraform/aws/development/main.tf
@@ -51,6 +51,17 @@ module "corporate_core_metrics_to_vault" {
 }
 }
 
+resource "aws_security_group_rule" "allow_vault_server_to_metricsdb_mysql" {
+ provider = "aws.development"
+ type = "ingress"
+ from_port = 3306
+ to_port = 3306
+ protocol = "tcp"
+ source_security_group_id = "${var.vault_security_group_id}"
+
+ security_group_id = "${var.metricsdb_security_group_id}"
+}
+
 module "dev_cm_to_vault" {
 source = "git@github.com:wpengine/infraform.git//modules/gcp-vpn-to-vault-vpc?ref=v1.42"