Deployed version of Documenso.

documenso/terraform/main.tf

@@ -25,6 +25,7 @@ locals {
   ses_domain          = coalesce(var.ses_identity_domain, var.hosted_zone_name)
   smtp_host           = "email-smtp.${var.aws_region}.amazonaws.com"
   s3_bucket_name      = coalesce(var.upload_bucket_name, "${local.name_prefix}-${data.aws_caller_identity.current.account_id}-${var.aws_region}")
+  app_secret_name     = coalesce(var.app_secret_name, "${local.name_prefix}/${replace(var.domain_name, ".", "-")}/app")
   common_tags = merge(var.tags, {
     Application = var.project_name
     ManagedBy   = "Terraform"
@@ -192,6 +193,13 @@ resource "aws_route_table_association" "public" {
   route_table_id = aws_route_table.public.id
 }
 
+resource "aws_route_table_association" "database_public" {
+  count = var.db_publicly_accessible ? length(aws_subnet.database) : 0
+
+  subnet_id      = aws_subnet.database[count.index].id
+  route_table_id = aws_route_table.public.id
+}
+
 resource "aws_security_group" "alb" {
   name        = "${local.name_prefix}-alb-sg"
   description = "Public ingress to the Documenso load balancer"
@@ -259,6 +267,17 @@ resource "aws_security_group" "db" {
     security_groups = [aws_security_group.ecs.id]
   }
 
+  dynamic "ingress" {
+    for_each = var.db_allowed_cidrs
+
+    content {
+      from_port   = 5432
+      to_port     = 5432
+      protocol    = "tcp"
+      cidr_blocks = [ingress.value]
+    }
+  }
+
   egress {
     from_port   = 0
     to_port     = 0
@@ -306,7 +325,7 @@ resource "aws_db_instance" "postgres" {
   skip_final_snapshot             = !var.db_final_snapshot_on_destroy
   final_snapshot_identifier       = var.db_final_snapshot_on_destroy ? "${local.name_prefix}-final-${random_id.final_snapshot.hex}" : null
   auto_minor_version_upgrade      = true
-  publicly_accessible             = false
+  publicly_accessible             = var.db_publicly_accessible
   apply_immediately               = false
   db_subnet_group_name            = aws_db_subnet_group.this.name
   vpc_security_group_ids          = [aws_security_group.db.id]
@@ -314,6 +333,8 @@ resource "aws_db_instance" "postgres" {
   performance_insights_enabled    = false
   enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
 
+  depends_on = [aws_route_table_association.database_public]
+
   tags = merge(local.common_tags, {
     Name = "${local.name_prefix}-postgres"
   })
@@ -327,7 +348,7 @@ resource "aws_cloudwatch_log_group" "documenso" {
 }
 
 resource "aws_secretsmanager_secret" "app" {
-  name                    = "${local.name_prefix}/app"
+  name                    = local.app_secret_name
   recovery_window_in_days = 7
 
   tags = local.common_tags
@@ -383,7 +404,7 @@ resource "aws_s3_bucket" "uploads" {
   bucket = local.s3_bucket_name
 
   lifecycle {
-    prevent_destroy = true #Remove this to tear down the bucket.
+    prevent_destroy = false #Remove this to tear down the bucket.
   }
 
   tags = merge(local.common_tags, {
@@ -693,29 +714,37 @@ resource "aws_route53_record" "app" {
 }
 
 resource "aws_ses_domain_identity" "this" {
+  count = var.manage_ses_resources ? 1 : 0
+
   domain = local.ses_domain
 }
 
 resource "aws_route53_record" "ses_verification" {
-  zone_id = data.aws_route53_zone.primary.zone_id
-  name    = "_amazonses.${aws_ses_domain_identity.this.domain}"
-  type    = "TXT"
-  ttl     = 600
-  records = [aws_ses_domain_identity.this.verification_token]
+  count = var.manage_ses_resources ? 1 : 0
+
+  zone_id         = data.aws_route53_zone.primary.zone_id
+  name            = "_amazonses.${aws_ses_domain_identity.this[0].domain}"
+  type            = "TXT"
+  ttl             = 600
+  records         = [aws_ses_domain_identity.this[0].verification_token]
+  allow_overwrite = true
 }
 
 resource "aws_ses_domain_dkim" "this" {
-  domain = aws_ses_domain_identity.this.domain
+  count = var.manage_ses_resources ? 1 : 0
+
+  domain = aws_ses_domain_identity.this[0].domain
 }
 
 resource "aws_route53_record" "ses_dkim" {
-  count = 3
+  count = var.manage_ses_resources ? 3 : 0
 
-  zone_id = data.aws_route53_zone.primary.zone_id
-  name    = "${aws_ses_domain_dkim.this.dkim_tokens[count.index]}._domainkey.${aws_ses_domain_identity.this.domain}"
-  type    = "CNAME"
-  ttl     = 600
-  records = ["${aws_ses_domain_dkim.this.dkim_tokens[count.index]}.dkim.amazonses.com"]
+  zone_id         = data.aws_route53_zone.primary.zone_id
+  name            = "${aws_ses_domain_dkim.this[0].dkim_tokens[count.index]}._domainkey.${aws_ses_domain_identity.this[0].domain}"
+  type            = "CNAME"
+  ttl             = 600
+  records         = ["${aws_ses_domain_dkim.this[0].dkim_tokens[count.index]}.dkim.amazonses.com"]
+  allow_overwrite = true
 }
 
 resource "aws_ecs_task_definition" "documenso" {
@@ -727,6 +756,8 @@ resource "aws_ecs_task_definition" "documenso" {
   execution_role_arn       = aws_iam_role.ecs_task_execution.arn
   task_role_arn            = aws_iam_role.ecs_task.arn
 
+  depends_on = [aws_secretsmanager_secret_version.app]
+
   container_definitions = jsonencode([
     {
       name      = "documenso"