terraformdsl 0.0.1

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/examples/Rakefile

@@ -0,0 +1,42 @@
+
+task :setenv do
+  ENV['AWS_DEFAULT_REGION'] = "us-east-1"
+  ENV['APP_ENV'] ||= "prod"
+  #ENV['APP_ENV'] ||= "stg"
+  #ENV['APP_ENV'] ||= "dev"
+end
+
+desc "*.rb -> *.tf"
+task :generate => :setenv do
+  sh "ruby aws-infra.rb > aws-infra.tf"
+end
+
+desc "terraform init"
+task :init do
+  sh "terraform init"
+end
+
+desc "terraform plan"
+task :plan => [:generate, :init] do
+  sh "terraform plan"
+end
+
+desc "terraform apply"
+task :apply => [:generate, :init] do
+  sh "terraform apply"
+end
+
+desc "terraform destroy"
+task :destroy do
+  sh "terraform destroy"
+end
+
+desc "terraform output"
+task :output do
+  sh "terraform output"
+end
+
+desc "terraform refresh"
+task :refresh do
+  sh "terraform refresh"
+end

data/examples/aws-infra.rb

@@ -0,0 +1,204 @@
+# -*- coding: utf-8 -*-
+
+begin
+  require 'terraformdsl/aws'
+rescue LoadError
+  require_relative '../lib/terraformdsl/aws'
+end
+
+region    = ENV['AWS_DEFAULT_REGION']  or abort("$AWS_DEFAULT_REGION required.")
+app_env   = ENV['APP_ENV']             or abort("ERROR: $APP_ENV required.")
+app_env =~ /^(prod|stg|dev)$/          or abort("ERROR: invalid $APP_ENV.")
+
+var = TerraformDSL::Variables.new
+var.define :base_domain  , "ex: example.com"
+var.define :office_ip    , "ex: 123.123.123.123"
+var.define :db_user      , "ex: dbuser"
+var.define :db_pass      , "db password"
+
+output = TerraformDSL::Outputs.new
+
+
+vpc = nil
+public_dns_records  = []
+private_dns_records = []
+
+aws_infra = TerraformDSL::AWS.infra()
+
+
+aws_infra.region(region) {
+
+  az_a = AZ("#{region}a")   # ex: 'ap-east-1a'
+  az_b = AZ("#{region}b")   # ex: 'ap-east-1b'
+  az_c = AZ("#{region}c")   # ex: 'ap-east-1c'
+  az_d = AZ("#{region}d")   # ex: 'ap-east-1d'
+
+  t3_nano  = "t3.nano"
+  t3_micro = "t3.micro"
+
+  prefix = app_env.downcase()
+
+  ubuntu_ami = AMI('ubuntu18lts', "099720109477",
+    "ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20190212.1"
+  )
+
+  vpc = VPC("#{prefix}-vpc", "10.0.0.0/16") {|vpc|
+    vpc_cidr = vpc.cidr
+    ec2_sshkey_name     = "#{prefix}-ubuntu"
+    bastion_sshkey_name = "#{prefix}-bastion"
+
+    ### Internet Gateway
+    gateway   = InternetGateway("#{prefix}-gateway")
+
+    ## Route Table
+    public_rt = RouteTable("#{prefix}-public-routing") {
+      Route(nil, gateway: gateway)
+    }
+    private_rt = RouteTable("#{prefix}-private-routing") {
+      #Route(nil, gateway: gateway)
+    }
+
+    ### Subnet
+    public_a  = Subnet("#{prefix}-public-a" , "10.0.1.0/24" , az_a, public_rt)
+    public_b  = Subnet("#{prefix}-public-b" , "10.0.2.0/24" , az_b, public_rt)
+    public_c  = Subnet("#{prefix}-public-c" , "10.0.3.0/24" , az_c, public_rt)
+    private_a = Subnet("#{prefix}-private-a", "10.0.11.0/24", az_a, private_rt)
+    private_b = Subnet("#{prefix}-private-b", "10.0.12.0/24", az_b, private_rt)
+    private_c = Subnet("#{prefix}-private-c", "10.0.13.0/24", az_c, private_rt)
+
+    ## Security Group
+    bastion_server = "#{prefix}-bastion"
+    bastion_secgrp = SecurityGroup("#{prefix}-bastion-secgrp", "allows ssh") {
+      #Ingress(:any ,    0, :self)
+      Ingress(:tcp ,   22, "#{var.office_ip}/32")  # allows ssh only from office ip
+      Ingress(:icmp,  nil, [vpc_cidr, "#{var.office_ip}/32"])
+      Egress( :any ,    0, nil)
+    }
+    public_secgrp  = SecurityGroup("#{prefix}-public-secgrp", "allows http,https") {
+      Ingress(:any ,    0, :self)
+      Ingress(:tcp ,   22, bastion_server)
+      Ingress(:tcp ,   80, nil)
+      Ingress(:tcp ,  443, nil)
+      Ingress(:icmp,  nil, vpc_cidr)
+      Egress( :any ,    0, nil)
+    }
+    private_secgrp = SecurityGroup("#{prefix}-private-secgrp", "deny inbound, allow outbound") {
+      Ingress(:any ,    0, :self)
+      Ingress(:tcp ,   22, bastion_server)
+      Ingress(:tcp , 5432, public_secgrp)   # PostgreSQL port
+      Ingress(:icmp,  nil, vpc_cidr)
+      Egress( :any ,    0, nil)
+    }
+
+    ### EC2 and EIP
+    let public_a, bastion_secgrp, ubuntu_ami, bastion_sshkey_name do
+      |sn, sg, ami, kn|
+      bastion    = EC2(bastion_server   , t3_nano,  ami, sn, sg, kn)
+      bastion_ip = EIP("#{prefix}-bastion-ip", bastion)
+      public_dns_records  << [:A, "bastion", bastion_ip]
+      private_dns_records << [:A, "bastion", bastion]
+      output[:bastion_ip] = bastion_ip.attr(:public_ip)
+    end
+    let public_a, public_secgrp, ubuntu_ami, ec2_sshkey_name do
+      |sn, sg, ami, kn|
+      www_ec2  = EC2("#{prefix}-www-ec2" , t3_micro, ami, sn, sg, kn)
+      www_ip   = EIP("#{prefix}-www-ip"  , www_ec2)
+      public_dns_records  << [:A, "www"  , www_ip]
+      private_dns_records << [:A, "www"  , www_ec2]
+      output[:www_ip] = www_ip.attr(:public_ip)
+    end
+
+    ### RDS
+    rds_master = nil
+    rds_slave  = nil
+    let do
+      subnetgrp = RDS_SubnetGroup("rds-subnetgrp", [private_a, private_c])
+      paramgrp  = RDS_ParameterGroup("pg10-paramgrp", "postgres10", {
+        #"rds.log_retention_period"   => 10080,   # = 60min * 24h * 7day
+        #"random_page_cost"           => 1.1,
+        "work_mem"                   => 16384,   # = 1024KB * 16MB
+        "maintenance_work_mem"       => 32768,   # = 1024KB * 32MB
+        #"log_filename"               => "postgresql.log.%Y-%m-%d",
+        #"log_rotation_age"           => 1440,    # = 60min * 24h
+        #"log_lock_waits"             => 1,
+        #"log_min_messages"           => "notice",
+        #"log_min_duration_statement" => 200,     # msec
+        #"log_temp_files"             => 0,
+        #"log_connections"            => 1,
+        #"log_disconnections"         => 1,
+        "shared_preload_libraries!"  => "auto_explain,pg_stat_statements",
+        #"auto_explain.log_min_duration" => 200,  # msec
+        #"auto_explain.log_format"    => "text",  # text,xml,json,yaml
+        #"auto_explain.log_analyze"   => 1,
+        #"auto_explain.log_buffers"   => 1,
+        #"auto_explain.log_nested_statements" => 1,
+        #"pg_stat_statements.save"    => 1,       # default: 1
+        #"pg_stat_statements.track"   => "all",   # default: top
+        #"pg_stat_statements.max!"    => 1000,    # default: 1000
+        #"track_activity_query_size!" => 1024,    # default: 1024
+      })
+      #optiongrp = RDS_OptionGroup("")
+      optiongrp = nil
+      #
+      rds_master = RDS_Instance("db-master", "db.t2.small")
+      let rds_master do |rds|
+        rds.database    = {engine: "postgres", version: "10.6",
+                           name: nil, port: 5432,
+                           user: var.db_user, password: var.db_pass,
+                           parameter_group: paramgrp, option_group: optiongrp}
+        rds.network     = {subnet_group: subnetgrp,
+                           security_group: [private_secgrp],
+                           az: az_a, public_access: false, multi_az: false}
+        rds.storage     = {type: :general, size: '20GB'}
+        rds.encryption  = {enable: false}
+        rds.backup      = {days: 14, window: {start: '00:00', hours: 0.5}}
+        rds.monitoring  = {interval: 60}  # 60sec
+        rds.maintenance = {auto_upgrade: true, maintenace_window: nil}
+      end
+      output[:rds_master_endpoint] = rds_master.attr(:endpoint)
+      #
+      rds_slave = RDS_ReadReplica("db-slave", "db.t2.micro", rds_master)
+      let rds_slave do |rds|
+        rds.database    = {port: 5432}
+        rds.network     = {region: region, subnet_group: subnetgrp,
+                           az: az_c, public_access: false, multi_az: false}
+        rds.storage     = {type: :general, size: '20GB'}
+        rds.encryption  = {enable: false}
+        rds.monitoring  = {interval: 60}  # 60sec
+        rds.maintenance = {auto_upgrade: true}
+      end
+      output[:rds_slave_endpoint] = rds_slave.attr(:endpoint)
+    end#let
+
+  }#vpc
+
+}#region
+
+
+aws_infra.global {
+
+  Route53() {
+
+    Zone("public-#{app_env}", var.base_domain) {
+      s = app_env == "prod" ? "" : "#{app_env}-"
+      public_dns_records.each do |type, name, value|
+        Record(type, s+name, value)
+      end
+    }
+
+    PrivateZone("private-#{app_env}", "#{app_env}", vpc) {
+      private_dns_records.each do |type, name, value|
+        Record(type, name, value)
+      end
+    }
+
+  }
+
+}
+
+
+if __FILE__ == $0
+  puts var.generate_tf()
+  puts aws_infra.generate_tf()
+  puts output.generate_tf()
+end

data/examples/aws-infra.tf

@@ -0,0 +1,472 @@
+variable "base_domain"      {
+  description = "ex: example.com"
+}
+variable "office_ip"        {
+  description = "ex: 123.123.123.123"
+}
+variable "db_user"          {
+  description = "ex: dbuser"
+}
+variable "db_pass"          {
+  description = "db password"
+}
+
+provider "aws" {
+  #access_key		= "${var.access_key}"
+  #secret_key		= "${var.secret_key}"
+  region		= "us-east-1"
+}
+
+data "aws_ami" "ubuntu18lts" {
+  most_recent		= true
+  owners                = ["099720109477"]
+  filter {
+    name		= "name"
+    values		= ["ubuntu/images/hvm-ssd/ubuntu-bionic-18.04-amd64-server-20190212.1"]
+  }
+}
+
+resource "aws_vpc" "dev-vpc" {
+  cidr_block		= "10.0.0.0/16"
+  enable_dns_support	= true
+  enable_dns_hostnames	= true
+  tags {
+    Name		= "dev-vpc"
+  }
+}
+
+resource "aws_internet_gateway" "dev-gateway" {
+  vpc_id		= "${aws_vpc.dev-vpc.id}"
+  tags {
+    Name		= "dev-gateway"
+  }
+}
+
+resource "aws_route_table" "dev-public-routing" {
+  vpc_id		= "${aws_vpc.dev-vpc.id}"
+  tags {
+    Name		= "dev-public-routing"
+  }
+  route {
+    cidr_block		= "0.0.0.0/0"
+    gateway_id		= "${aws_internet_gateway.dev-gateway.id}"
+  }
+}
+
+resource "aws_route_table" "dev-private-routing" {
+  vpc_id		= "${aws_vpc.dev-vpc.id}"
+  tags {
+    Name		= "dev-private-routing"
+  }
+}
+
+resource "aws_subnet" "dev-public-a" {
+  vpc_id		= "${aws_vpc.dev-vpc.id}"
+  availability_zone	= "us-east-1a"
+  cidr_block		= "10.0.1.0/24"
+  tags {
+    Name		= "dev-public-a"
+  }
+}
+
+resource "aws_route_table_association" "dev-public-routing-dev-public-a" {
+  route_table_id	= "${aws_route_table.dev-public-routing.id}"
+  subnet_id		= "${aws_subnet.dev-public-a.id}"
+}
+
+resource "aws_subnet" "dev-public-b" {
+  vpc_id		= "${aws_vpc.dev-vpc.id}"
+  availability_zone	= "us-east-1b"
+  cidr_block		= "10.0.2.0/24"
+  tags {
+    Name		= "dev-public-b"
+  }
+}
+
+resource "aws_route_table_association" "dev-public-routing-dev-public-b" {
+  route_table_id	= "${aws_route_table.dev-public-routing.id}"
+  subnet_id		= "${aws_subnet.dev-public-b.id}"
+}
+
+resource "aws_subnet" "dev-public-c" {
+  vpc_id		= "${aws_vpc.dev-vpc.id}"
+  availability_zone	= "us-east-1c"
+  cidr_block		= "10.0.3.0/24"
+  tags {
+    Name		= "dev-public-c"
+  }
+}
+
+resource "aws_route_table_association" "dev-public-routing-dev-public-c" {
+  route_table_id	= "${aws_route_table.dev-public-routing.id}"
+  subnet_id		= "${aws_subnet.dev-public-c.id}"
+}
+
+resource "aws_subnet" "dev-private-a" {
+  vpc_id		= "${aws_vpc.dev-vpc.id}"
+  availability_zone	= "us-east-1a"
+  cidr_block		= "10.0.11.0/24"
+  tags {
+    Name		= "dev-private-a"
+  }
+}
+
+resource "aws_route_table_association" "dev-private-routing-dev-private-a" {
+  route_table_id	= "${aws_route_table.dev-private-routing.id}"
+  subnet_id		= "${aws_subnet.dev-private-a.id}"
+}
+
+resource "aws_subnet" "dev-private-b" {
+  vpc_id		= "${aws_vpc.dev-vpc.id}"
+  availability_zone	= "us-east-1b"
+  cidr_block		= "10.0.12.0/24"
+  tags {
+    Name		= "dev-private-b"
+  }
+}
+
+resource "aws_route_table_association" "dev-private-routing-dev-private-b" {
+  route_table_id	= "${aws_route_table.dev-private-routing.id}"
+  subnet_id		= "${aws_subnet.dev-private-b.id}"
+}
+
+resource "aws_subnet" "dev-private-c" {
+  vpc_id		= "${aws_vpc.dev-vpc.id}"
+  availability_zone	= "us-east-1c"
+  cidr_block		= "10.0.13.0/24"
+  tags {
+    Name		= "dev-private-c"
+  }
+}
+
+resource "aws_route_table_association" "dev-private-routing-dev-private-c" {
+  route_table_id	= "${aws_route_table.dev-private-routing.id}"
+  subnet_id		= "${aws_subnet.dev-private-c.id}"
+}
+
+resource "aws_security_group" "dev-bastion-secgrp" {
+  name			= "dev-bastion-secgrp"
+  description		= "allows ssh"
+  vpc_id		= "${aws_vpc.dev-vpc.id}"
+  tags {
+    Name		= "dev-bastion-secgrp"
+  }
+  ingress {
+    from_port		= "22"
+    to_port		= "22"
+    protocol		= "tcp"
+    cidr_blocks		= ["${var.office_ip}/32"]
+  }
+  ingress {
+    from_port		= "-1"
+    to_port		= "-1"
+    protocol		= "icmp"
+    cidr_blocks		= ["10.0.0.0/16", "${var.office_ip}/32"]
+  }
+  egress {
+    from_port		= "0"
+    to_port		= "0"
+    protocol		= "-1"
+    cidr_blocks		= ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_security_group" "dev-public-secgrp" {
+  name			= "dev-public-secgrp"
+  description		= "allows http,https"
+  vpc_id		= "${aws_vpc.dev-vpc.id}"
+  tags {
+    Name		= "dev-public-secgrp"
+  }
+  ingress {
+    from_port		= "0"
+    to_port		= "0"
+    protocol		= "-1"
+    self		= true
+  }
+  ingress {
+    from_port		= "22"
+    to_port		= "22"
+    protocol		= "tcp"
+    cidr_blocks		= ["${aws_instance.dev-bastion.private_ip}/32"]
+  }
+  ingress {
+    from_port		= "80"
+    to_port		= "80"
+    protocol		= "tcp"
+    cidr_blocks		= ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port		= "443"
+    to_port		= "443"
+    protocol		= "tcp"
+    cidr_blocks		= ["0.0.0.0/0"]
+  }
+  ingress {
+    from_port		= "-1"
+    to_port		= "-1"
+    protocol		= "icmp"
+    cidr_blocks		= ["10.0.0.0/16"]
+  }
+  egress {
+    from_port		= "0"
+    to_port		= "0"
+    protocol		= "-1"
+    cidr_blocks		= ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_security_group" "dev-private-secgrp" {
+  name			= "dev-private-secgrp"
+  description		= "deny inbound, allow outbound"
+  vpc_id		= "${aws_vpc.dev-vpc.id}"
+  tags {
+    Name		= "dev-private-secgrp"
+  }
+  ingress {
+    from_port		= "0"
+    to_port		= "0"
+    protocol		= "-1"
+    self		= true
+  }
+  ingress {
+    from_port		= "22"
+    to_port		= "22"
+    protocol		= "tcp"
+    cidr_blocks		= ["${aws_instance.dev-bastion.private_ip}/32"]
+  }
+  ingress {
+    from_port		= "5432"
+    to_port		= "5432"
+    protocol		= "tcp"
+    security_groups	= ["${aws_security_group.dev-public-secgrp.id}"]
+  }
+  ingress {
+    from_port		= "-1"
+    to_port		= "-1"
+    protocol		= "icmp"
+    cidr_blocks		= ["10.0.0.0/16"]
+  }
+  egress {
+    from_port		= "0"
+    to_port		= "0"
+    protocol		= "-1"
+    cidr_blocks		= ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_instance" "dev-bastion" {
+  instance_type		= "t3.nano"
+  ami			= "${data.aws_ami.ubuntu18lts.image_id}"
+  subnet_id		= "${aws_subnet.dev-public-a.id}"
+  vpc_security_group_ids	= ["${aws_security_group.dev-bastion-secgrp.id}"]
+  key_name		= "dev-bastion"
+  credit_specification {
+    cpu_credits		= "unlimited"
+  }
+  tags {
+    Name		= "dev-bastion"
+  }
+}
+
+resource "aws_eip" "dev-bastion-ip" {
+  vpc			= true
+  instance		= "${aws_instance.dev-bastion.id}"
+  tags {
+    Name		= "dev-bastion-ip"
+  }
+}
+
+resource "aws_instance" "dev-www-ec2" {
+  instance_type		= "t3.micro"
+  ami			= "${data.aws_ami.ubuntu18lts.image_id}"
+  subnet_id		= "${aws_subnet.dev-public-a.id}"
+  vpc_security_group_ids	= ["${aws_security_group.dev-public-secgrp.id}"]
+  key_name		= "dev-ubuntu"
+  credit_specification {
+    cpu_credits		= "unlimited"
+  }
+  tags {
+    Name		= "dev-www-ec2"
+  }
+}
+
+resource "aws_eip" "dev-www-ip" {
+  vpc			= true
+  instance		= "${aws_instance.dev-www-ec2.id}"
+  tags {
+    Name		= "dev-www-ip"
+  }
+}
+
+resource "aws_db_subnet_group" "rds-subnetgrp" {
+  name			= "rds-subnetgrp"
+  subnet_ids		= ["${aws_subnet.dev-private-a.id}", "${aws_subnet.dev-private-c.id}"]
+  tags {
+    Name		= "rds-subnetgrp"
+  }
+}
+
+resource "aws_db_parameter_group" "pg10-paramgrp" {
+  name			= "pg10-paramgrp"
+  family		= "postgres10"
+  parameter {
+    name	= "work_mem"
+    value	= "16384"
+  }
+  parameter {
+    name	= "maintenance_work_mem"
+    value	= "32768"
+  }
+  parameter {
+    name	= "shared_preload_libraries"
+    value	= "auto_explain,pg_stat_statements"
+    apply_method = "pending-reboot"
+  }
+}
+
+resource "aws_db_instance" "db-master" {
+  allocated_storage	= "20"
+  auto_minor_version_upgrade	= "true"
+  availability_zone	= "us-east-1a"
+  backup_retention_period	= "14"
+  backup_window		= "00:00-00:30"
+  copy_tags_to_snapshot	= "true"
+  db_subnet_group_name	= "rds-subnetgrp"
+  engine		= "postgres"
+  engine_version	= "10.6"
+  identifier		= "db-master"
+  instance_class	= "db.t2.small"
+  monitoring_interval	= "60"
+  monitoring_role_arn	= "${aws_iam_role.rds-monitoring-role.arn}"
+  multi_az		= "false"
+  parameter_group_name	= "pg10-paramgrp"
+  password		= "${var.db_pass}"
+  port			= "5432"
+  publicly_accessible	= "false"
+  storage_encrypted	= "false"
+  storage_type		= "gp2"
+  #timezone		= "UTC"
+  username		= "${var.db_user}"
+  vpc_security_group_ids	= ["${aws_security_group.dev-private-secgrp.id}"]
+  #tags			= {
+  #  Name		= "db-master"
+  #}
+}
+
+resource "aws_db_instance" "db-slave" {
+  allocated_storage	= "20"
+  availability_zone	= "us-east-1c"
+  copy_tags_to_snapshot	= "true"
+  identifier		= "db-slave"
+  instance_class	= "db.t2.micro"
+  monitoring_interval	= "60"
+  monitoring_role_arn	= "${aws_iam_role.rds-monitoring-role.arn}"
+  multi_az		= "false"
+  parameter_group_name	= "pg10-paramgrp"
+  port			= "5432"
+  publicly_accessible	= "false"
+  replicate_source_db	= "${aws_db_instance.db-master.id}"
+  storage_encrypted	= "false"
+  storage_type		= "gp2"
+  #timezone		= "UTC"
+  vpc_security_group_ids	= ["${aws_security_group.dev-private-secgrp.id}"]
+  #tags			= {
+  #  Name		= "db-slave"
+  #}
+}
+
+resource "aws_route53_zone" "public-dev" {
+  name			= "${var.base_domain}"
+  tags {
+    Name		= "public-dev"
+  }
+}
+
+resource "aws_route53_record" "public-dev-dev-bastion-A" {
+  zone_id		= "${aws_route53_zone.public-dev.zone_id}"
+  type			= "A"
+  name			= "dev-bastion"
+  ttl			= "5"
+  records		= ["${aws_eip.dev-bastion-ip.public_ip}"]
+}
+
+resource "aws_route53_record" "public-dev-dev-www-A" {
+  zone_id		= "${aws_route53_zone.public-dev.zone_id}"
+  type			= "A"
+  name			= "dev-www"
+  ttl			= "5"
+  records		= ["${aws_eip.dev-www-ip.public_ip}"]
+}
+
+resource "aws_route53_zone" "private-dev" {
+  name			= "dev"
+  vpc {
+    vpc_id		= "${aws_vpc.dev-vpc.id}"
+  }
+  tags {
+    Name		= "private-dev"
+  }
+}
+
+resource "aws_route53_record" "private-dev-bastion-A" {
+  zone_id		= "${aws_route53_zone.private-dev.zone_id}"
+  type			= "A"
+  name			= "bastion"
+  ttl			= "5"
+  records		= ["${aws_instance.dev-bastion.private_ip}"]
+}
+
+resource "aws_route53_record" "private-dev-www-A" {
+  zone_id		= "${aws_route53_zone.private-dev.zone_id}"
+  type			= "A"
+  name			= "www"
+  ttl			= "5"
+  records		= ["${aws_instance.dev-www-ec2.private_ip}"]
+}
+
+resource "aws_iam_role" "rds-monitoring-role" {
+  name                  = "rds-monitoring-role"
+  path                  = "/"
+  assume_role_policy    = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "monitoring.rds.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_policy_attachment" "AmazonRDSEnhancedMonitoringRole-policy-attachment" {
+
+  name                  = "AmazonRDSEnhancedMonitoringRole-policy-attachment"
+  policy_arn            = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+  groups                = []
+  users                 = []
+  roles                 = ["rds-monitoring-role"]
+}
+
+output "bastion_ip" {
+  value = "${aws_eip.dev-bastion-ip.public_ip}"
+}
+
+output "www_ip" {
+  value = "${aws_eip.dev-www-ip.public_ip}"
+}
+
+output "rds_master_endpoint" {
+  value = "${aws_db_instance.db-master.endpoint}"
+}
+
+output "rds_slave_endpoint" {
+  value = "${aws_db_instance.db-slave.endpoint}"
+}
+