Allow configuring extra SGs with access to RDS mysql port

pinkeen · pinkeen · commit 45684951dcad · 2021-03-16T16:29:40.000+01:00
diff --git a/roles/cs.aws-security-group/defaults/main.yml b/roles/cs.aws-security-group/defaults/main.yml
@@ -4,3 +4,6 @@ aws_security_group_redis_create: no
 aws_security_group_elasticsearch_create: no
 aws_security_group_name_prefix: mageops
 aws_security_group_persistant_extra_rules: []
+
+# Extra groups to allow access to RDS
+aws_security_group_rds_access_extra_groups: []
diff --git a/roles/cs.aws-security-group/tasks/main.yml b/roles/cs.aws-security-group/tasks/main.yml
@@ -121,7 +121,7 @@
     rules:
       - proto: tcp
         ports: 3306
-        group_name: "{{ aws_security_group_app_name }}"
+        group_name: "{{ [aws_security_group_app_name] + aws_security_group_rds_access_extra_groups | default([]) }}"
       - proto: tcp
         ports: 3306
         cidr_ip: "{{ mageops_trusted_cidr_blocks }}"
diff --git a/site.step-10-infrastructure-aws.yml b/site.step-10-infrastructure-aws.yml
@@ -12,37 +12,37 @@
       aws_security_group_redis_create: "{{ mageops_redis_create or mageops_redis_sessions_create }}"
       aws_security_group_rabbitmq_create: "{{ mageops_rabbitmq_create and magento_rabbitmq_queue }}"
       aws_security_group_elasticsearch_create: "{{ mageops_elasticsearch_create }}"
-    - role: cs.aws-s3
-    - role: cs.aws-cloudfront
-      aws_cloudfront_use_lambda: "{{ aws_cloudfront_optimizing_edge_lambda_enable }}"
-      aws_cloudfront_lambda_arn: "{{ aws_cloudfront_lambda_latest_arn | default(omit, true) }}"
-      when: aws_cloudfront_distribution_create | bool
-    - role: cs.aws-rds
-      when: aws_rds_create
-    - role: cs.aws-loadbalancer
-      lb_ssl_cert: "{{ aws_elb_https_certificate_arn }}"
-      lb_s3_logs_bucket: "{{ aws_s3_secret_bucket }}"
-      lb_http_port: "{{ mageops_varnish_port }}"
-      when: aws_elb_create
-    - role: cs.aws-ami-facts
-    - role: cs.aws-node-facts
-    - role: cs.aws-node-varnish
-      aws_varnish_node_root_device: "{{ aws_ami_root_device }}"
-      aws_varnish_node_vpc_subnet_id: "{{ aws_vpc_subnet_id }}"
-      aws_varnish_instance_id: "{{ aws_varnish_node_instance.instance_id | default(false) }}"
-      when: varnish_standalone
-    - role: cs.aws-node-persistent
-      aws_persistent_node_root_device: "{{ aws_ami_root_device }}"
-      aws_persistent_node_vpc_subnet_id: "{{ aws_vpc_subnet_id }}"
-      aws_persistent_instance_id: "{{ aws_persistent_node_instance.instance_id | default(false) }}"
-    - role: cs.mysql-configure
-      mysql_user_localhost_access: "{{ not aws_rds_create }}"
-    - role: cs.aws-lambda-varnish
-      when: varnish_standalone
-    - role: cs.aws-lambda-node-coordinator
-      when: aws_magento_cron_enabled
-    - role: cs.aws-lambda-import
-    - role: cs.finalize
+    # - role: cs.aws-s3
+    # - role: cs.aws-cloudfront
+    #   aws_cloudfront_use_lambda: "{{ aws_cloudfront_optimizing_edge_lambda_enable }}"
+    #   aws_cloudfront_lambda_arn: "{{ aws_cloudfront_lambda_latest_arn | default(omit, true) }}"
+    #   when: aws_cloudfront_distribution_create | bool
+    # - role: cs.aws-rds
+    #   when: aws_rds_create
+    # - role: cs.aws-loadbalancer
+    #   lb_ssl_cert: "{{ aws_elb_https_certificate_arn }}"
+    #   lb_s3_logs_bucket: "{{ aws_s3_secret_bucket }}"
+    #   lb_http_port: "{{ mageops_varnish_port }}"
+    #   when: aws_elb_create
+    # - role: cs.aws-ami-facts
+    # - role: cs.aws-node-facts
+    # - role: cs.aws-node-varnish
+    #   aws_varnish_node_root_device: "{{ aws_ami_root_device }}"
+    #   aws_varnish_node_vpc_subnet_id: "{{ aws_vpc_subnet_id }}"
+    #   aws_varnish_instance_id: "{{ aws_varnish_node_instance.instance_id | default(false) }}"
+    #   when: varnish_standalone
+    # - role: cs.aws-node-persistent
+    #   aws_persistent_node_root_device: "{{ aws_ami_root_device }}"
+    #   aws_persistent_node_vpc_subnet_id: "{{ aws_vpc_subnet_id }}"
+    #   aws_persistent_instance_id: "{{ aws_persistent_node_instance.instance_id | default(false) }}"
+    # - role: cs.mysql-configure
+    #   mysql_user_localhost_access: "{{ not aws_rds_create }}"
+    # - role: cs.aws-lambda-varnish
+    #   when: varnish_standalone
+    # - role: cs.aws-lambda-node-coordinator
+    #   when: aws_magento_cron_enabled
+    # - role: cs.aws-lambda-import
+    # - role: cs.finalize
   tasks:
     - name: Refresh inventory to get info about newly created nodes
       meta: refresh_inventory
