継続は力なり (Persistence Is Power)

As the title says, this is a blog that aims to be updated regularly.

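Managing MySQL configuration with Terraform

This is Tada.

I wanted to manage users and databases on RDS MySQL with Terraform, so I tried out the MySQL Provider and am writing up the results in this article.

About the MySQL Provider

First, regarding the MySQL Provider: the official repository has been archived. The one under active development is the community provider below, so that is what I used for the verification in this article.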

registry.terraform.io

Provider configuration

Following the configuration example for the MySQL Provider, I will try creating a database on Aurora.

terraform {
  required_version = "1.3.4"
  required_providers {
    # Community-maintained MySQL provider, pinned to an exact version
    mysql = {
      source  = "petoju/mysql"
      version = "3.0.23"
    }
  }
}

provider "mysql" {
  # Aurora cluster endpoint; credentials are passed in as variables
  endpoint = "test.cluster-c5fumzy2ihj5.ap-northeast-1.rds.amazonaws.com"
  username = var.terraform_exec_user
  password = var.password
}

Running terraform plan/apply

RDS is generally placed in a private subnet, so terraform plan and terraform apply run from a local machine cannot reach it over the network and have to be run inside the AWS network. This time I run Terraform by going GitHub Actions -> CodeBuild. The GitHub Actions -> CodeBuild kick-off is done with aws-actions/aws-codebuild-run-build.

Terraform definition

The database is defined as follows. It is really simple code.

resource "mysql_database" "app" {
  name = "codebuild_terraform_db"
}

registry.terraform.io
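The introduction mentions managing users as well as databases; the following added example (not part of the original post) goes beyond the database-only definition above and adds an application account whose grant is scoped to that one database, with the credential variables marked sensitive. It is meant to sit alongside the provider block and mysql_database.app from this page; the user name app_rw, the host value, the privilege list and the variable app_user_password are assumptions made for illustration.

```hcl
# Added example. terraform_exec_user and password are the variables referenced
# by the provider block on this page; everything named app_rw / app_user_password
# is hypothetical.

variable "terraform_exec_user" {
  type        = string
  description = "MySQL account that Terraform connects as"
}

variable "password" {
  type        = string
  sensitive   = true # value is redacted in plan/apply output
  description = "Password for terraform_exec_user"
}

variable "app_user_password" {
  type        = string
  sensitive   = true
  description = "Password for the application account (hypothetical)"
}

# Application account, separate from the account Terraform itself uses.
resource "mysql_user" "app_rw" {
  user = "app_rw"
  host = "%" # assumed; narrow to the application's network range where possible

  # Sensitive input: supply it from a secret store, not a committed tfvars file.
  plaintext_password = var.app_user_password
}

# Grant only data-manipulation privileges, and only on the database
# created by mysql_database.app (codebuild_terraform_db).
resource "mysql_grant" "app_rw" {
  user       = mysql_user.app_rw.user
  host       = mysql_user.app_rw.host
  database   = mysql_database.app.name
  privileges = ["SELECT", "INSERT", "UPDATE", "DELETE"]
}
```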

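GitHub Actions definition

The GitHub Actions workflow is defined as follows. The permissions for running CodeBuild from GitHub Actions are set as described in the README, and the workflow runs via OIDC. With the networking side also in place, I run terraform plan and terraform apply.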

name: Run Codebuild

on:
  push:
    branches:
      - main

permissions:
  id-token: write
  contents: read

env:
  REGION: ap-northeast-1
  PROJECT_NAME: gha-codebuild-test

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-to-assume: arn:aws:iam::11111111111111:role/gha-codebuild-run-role
        aws-region: ${{ env.REGION }}
    - name: Run CodeBuild
      uses: aws-actions/aws-codebuild-run-build@v1
      with:
        project-name: ${{ env.PROJECT_NAME }}

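CodeBuild execution result

I was able to confirm the CodeBuild execution result as shown below, and I also confirmed that the database had been created on the target Aurora.

CodeBuild execution result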

[Container] 2022/11/07 02:48:15 Running command cd terraform
terraform init
terraform plan -var 'password=$TF_ENV_password'


Initializing the backend...

Initializing provider plugins...
- Finding petoju/mysql versions matching "3.0.23"...
- Installing petoju/mysql v3.0.23...
- Installed petoju/mysql v3.0.23 (self-signed, key ID 298A405CE1C450D2)

Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # mysql_database.app will be created
  + resource "mysql_database" "app" {
      + default_character_set = "utf8mb4"
      + default_collation     = "utf8mb4_general_ci"
      + id                    = (known after apply)
      + name                  = "codebuild_terraform_db"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't
guarantee to take exactly these actions if you run "terraform apply" now.

[Container] 2022/11/07 02:48:19 Phase complete: BUILD State: SUCCEEDED

Verification result in MySQL

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 23
Server version: 8.0.23 Source distribution

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+------------------------+
| Database               |
+------------------------+
| codebuild_terraform_db |
| information_schema     |
| mysql                  |
| performance_schema     |
| sys                    |
+------------------------+
5 rows in set (0.00 sec)

Summary

I tried using a community-maintained MySQL Provider for configuration management and summarized it in this article.