From d579a97d09d3c2df7e75f62dd1f1d8161784a4cc Mon Sep 17 00:00:00 2001
From: Rob Brackett
Date: Mon, 19 Jun 2023 11:50:04 -0700
Subject: [PATCH] Shutdown: Delete database and bastion (#1582)

We've archived final dumps of the database in S3 at archives.getmyvax.org, and all the services and resources that touch the database been been removed. It's time to drop the database, too. That leaves us without any reason for having the bastion server, so this also removes it. Part of #1550.
---
terraform/bastion.tf | 28 -------
terraform/db.tf | 22 ------
terraform/modules/rds/main.tf | 100 ------------------------
terraform/modules/rds/outputs.tf | 15 ----
terraform/modules/rds/variables.tf | 118 -----------------------------
5 files changed, 283 deletions(-)
delete mode 100644 terraform/bastion.tf
delete mode 100644 terraform/db.tf
delete mode 100644 terraform/modules/rds/main.tf
delete mode 100644 terraform/modules/rds/outputs.tf
delete mode 100644 terraform/modules/rds/variables.tf

diff --git a/terraform/bastion.tf b/terraform/bastion.tf
deleted file mode 100644
index 17edfe386..000000000
--- a/terraform/bastion.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-# Bastion Server
-#
-# To access to services running on a private subnet, you can SSH into the
-# "bastion" server (which is in one of the public subnets and can see into the
-# private ones) and do your work from that SSH session.
-#
-# The bastion server itself is manually created, and uses this security group.
-resource "aws_security_group" "bastion_security_group" {
-
- name = "bastion-security"
- description = "Allows SSH access to bastion server"
- vpc_id = aws_vpc.main.id
-
- ingress {
- description = ""
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- egress {
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
- }
-}
diff --git a/terraform/db.tf b/terraform/db.tf
deleted file mode 100644
index ca3b6f53f..000000000
--- a/terraform/db.tf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Database on RDS
-#
-# The application's database is managed through RDS. The definition here
-# provides a nice roll-up of settings that are important to manage. See the
-# `rds` module for all the guts of how this is implemented in detail.
-module "db" {
- source = "./modules/rds"
-
- name = "univaf-db"
- database = "univaf" # RDS does not allow hyphens
- password = var.db_password
- username = var.db_user
-
- allocated_storage = var.db_size
- instance_class = var.db_instance
- engine = "postgres"
- engine_version = "14"
- performance_insights_enabled = true
-
- vpc_id = aws_vpc.main.id
- subnet_ids = aws_subnet.private[*].id
-}
diff --git a/terraform/modules/rds/main.tf b/terraform/modules/rds/main.tf
deleted file mode 100644
index cdb59946e..000000000
--- a/terraform/modules/rds/main.tf
+++ /dev/null
@@ -1,100 +0,0 @@
-# Other resources that need access to the database *should* use this security
-# group (get its ID from the outputs). That way they depend on the DB, rather
-# than the other way around when using `var.ingress_allow_security_groups`.
-resource "aws_security_group" "db_access" {
- name = "${var.name}-rds-access-group"
- description = "Grants access to DB ${var.name}"
- vpc_id = var.vpc_id
-}
-
-resource "aws_security_group" "main" {
- name = "${var.name}-rds"
- description = "Allows traffic to RDS from other security groups"
- vpc_id = var.vpc_id
-
- ingress {
- from_port = var.port
- to_port = var.port
- protocol = "TCP"
- security_groups = concat(
- [aws_security_group.db_access.id],
- var.ingress_allow_security_groups
- )
- }
-
- ingress {
- from_port = var.port
- to_port = var.port
- protocol = "TCP"
- cidr_blocks = var.ingress_allow_cidr_blocks
- }
-
- egress {
- from_port = 0
- to_port = 0
- protocol = -1
- cidr_blocks = ["0.0.0.0/0"]
- }
-
- tags = {
- Name = "RDS (${var.name})"
- }
-}
-
-resource "aws_db_subnet_group" "main" {
- name = var.name
- description = "RDS subnet group"
- subnet_ids = var.subnet_ids
-}
-
-resource "aws_db_instance" "main" {
- identifier = var.name
-
- # Database
- engine = var.engine
- engine_version = var.engine_version
- allow_major_version_upgrade = var.allow_major_version_upgrade
- username = coalesce(var.username, var.name)
- password = var.password
- multi_az = var.multi_az
- db_name = coalesce(var.database, var.name)
- performance_insights_enabled = var.performance_insights_enabled
-
- # Backups / maintenance
- backup_retention_period = var.backup_retention_period
- backup_window = var.backup_window
- maintenance_window = var.maintenance_window
- monitoring_interval = var.monitoring_interval
- monitoring_role_arn = var.monitoring_role_arn
- apply_immediately = var.apply_immediately
- final_snapshot_identifier = "${var.name}-finalsnapshot"
-
- # Hardware
- instance_class = var.instance_class
- storage_type = var.storage_type
- allocated_storage = var.allocated_storage
-
- # Network / security
- db_subnet_group_name = aws_db_subnet_group.main.id
- vpc_security_group_ids = [aws_security_group.main.id]
- publicly_accessible = var.publicly_accessible
-}
-
-# Monitor critical metrics and send anomalies to SNS topic
-module "aws_db_instance_alarms" {
- source = "lorenzoaiello/rds-alarms/aws"
- version = "2.2.0"
- db_instance_id = aws_db_instance.main.id
- db_instance_class = aws_db_instance.main.instance_class
- actions_alarm = [aws_sns_topic.alarms_sns.arn]
- actions_ok = [aws_sns_topic.alarms_sns.arn]
-
- # Our basic behavior is bursty -- we send hundreds or thousands of updates
- # in rapid succession every few minutes, so we expect to regularly go below
- # 100% burst balance, but not *way* below.
- disk_burst_balance_too_low_threshold = "80"
-}
-
-resource "aws_sns_topic" "alarms_sns" {
- name = "aws-db-instance-alarms-topic"
-}
diff --git a/terraform/modules/rds/outputs.tf b/terraform/modules/rds/outputs.tf
deleted file mode 100644
index 67a09f68c..000000000
--- a/terraform/modules/rds/outputs.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-output "host" {
- value = aws_db_instance.main.address
-}
-
-output "db_name" {
- value = aws_db_instance.main.db_name
-}
-
-output "access_group_id" {
- value = aws_security_group.db_access.id
-}
-
-output "access_group_arn" {
- value = aws_security_group.db_access.arn
-}
diff --git a/terraform/modules/rds/variables.tf b/terraform/modules/rds/variables.tf
deleted file mode 100644
index a5beaa65e..000000000
--- a/terraform/modules/rds/variables.tf
+++ /dev/null
@@ -1,118 +0,0 @@
-variable "name" {
- description = "RDS instance name"
-}
-
-variable "engine" {
- description = "Database engine: mysql, postgres, etc."
- default = "postgres"
-}
-
-variable "engine_version" {
- description = "Database version"
- default = "13.1"
-}
-
-variable "port" {
- description = "Port for database to listen on"
- default = 5432
-}
-
-variable "database" {
- description = "The database name for the RDS instance (if not specified, `var.name` will be used)"
- default = ""
-}
-
-variable "username" {
- description = "The username for the RDS instance (if not specified, `var.name` will be used)"
- default = ""
-}
-
-variable "password" {
- description = "Postgres user password"
-}
-
-variable "multi_az" {
- description = "If true, database will be placed in multiple AZs for HA"
- default = false
-}
-
-variable "backup_retention_period" {
- description = "Backup retention, in days"
- default = 5
-}
-
-variable "backup_window" {
- description = "Time window for backups."
- default = "00:00-01:00"
-}
-
-variable "maintenance_window" {
- description = "Time window for maintenance."
- default = "Mon:01:00-Mon:02:00"
-}
-
-variable "monitoring_interval" {
- description = "Seconds between enhanced monitoring metric collection. 0 disables enhanced monitoring."
- default = "0"
-}
-
-variable "monitoring_role_arn" {
- description = "The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Required if monitoring_interval > 0."
- default = ""
-}
-
-variable "apply_immediately" {
- description = "If false, apply changes during maintenance window"
- default = true
-}
-
-variable "allow_major_version_upgrade" {
- description = "If true, major version upgrades are allowed"
- default = false
-}
-
-variable "instance_class" {
- description = "Underlying instance type"
- default = "db.t2.micro"
-}
-
-variable "storage_type" {
- description = "Storage type: standard, gp2, or io1"
- default = "gp2"
-}
-
-variable "allocated_storage" {
- description = "Disk size, in GB"
- default = 10
-}
-
-variable "publicly_accessible" {
- description = "If true, the RDS instance will be open to the internet"
- default = false
-}
-
-variable "vpc_id" {
- description = "The VPC ID to use"
-}
-
-variable "ingress_allow_security_groups" {
- description = "A list of security group IDs to allow traffic from"
- type = list(string)
- default = []
-}
-
-variable "ingress_allow_cidr_blocks" {
- description = "A list of CIDR blocks to allow traffic from"
- type = list(string)
- default = []
-}
-
-variable "subnet_ids" {
- description = "A list of subnet IDs"
- type = list(string)
-}
-
-variable "performance_insights_enabled" {
- description = "Enable RDS performance insights"
- default = false
-}