cloudposse · osterman · Jan 5, 2019 · Jan 5, 2019 · Jan 6, 2019 · Jan 6, 2019
diff --git a/README.md b/README.md
@@ -108,7 +108,6 @@ Available targets:
   lint                                Lint terraform code
 
 ```
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -136,12 +135,14 @@ Available targets:
 | host_name | The DB host name created in Route53 | string | `db` | no |
 | instance_class | Class of RDS instance | string | - | yes |
 | iops | The amount of provisioned IOPS. Setting this implies a storage_type of 'io1'. Default is 0 if rds storage type is not 'io1' | string | `0` | no |
+| kms_key_id | The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN | string | - | yes |
 | maintenance_window | The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi' UTC | string | `Mon:03:00-Mon:04:00` | no |
 | multi_az | Set to true if multi AZ deployment must be supported | string | `false` | no |
 | name | The Name of the application or solution  (e.g. `bastion` or `portal`) | string | - | yes |
 | namespace | Namespace (e.g. `eg` or `cp`) | string | - | yes |
 | parameter_group_name | Name of the DB parameter group to associate | string | `` | no |
 | publicly_accessible | Determines if database can be publicly available (NOT recommended) | string | `false` | no |
+| replicate_source_db | Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate. Note that if you are creating a cross-region replica of an encrypted database you will also need to specify a kms_key_id. See [DB Instance Replication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Replication.html) and [Working with PostgreSQL and MySQL Read Replicas](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html) for more information on using Replication. | string | `` | no |
 | security_group_ids | he IDs of the security groups from which to allow `ingress` traffic to the DB instance | list | `<list>` | no |
 | skip_final_snapshot | If true (default), no snapshot will be made before deleting DB | string | `true` | no |
 | snapshot_identifier | Snapshot identifier e.g: rds:production-2015-06-26-06-05. If specified, the module create cluster from the snapshot | string | `` | no |
@@ -245,7 +246,7 @@ In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
 
 ## Copyright
 
-Copyright © 2017-2018 [Cloud Posse, LLC](https://cpco.io/copyright)
+Copyright © 2017-2019 [Cloud Posse, LLC](https://cpco.io/copyright)
 
 
 

diff --git a/docs/terraform.md b/docs/terraform.md
@@ -1,4 +1,3 @@
-
 ## Inputs
 
 | Name | Description | Type | Default | Required |
@@ -26,12 +25,14 @@
 | host_name | The DB host name created in Route53 | string | `db` | no |
 | instance_class | Class of RDS instance | string | - | yes |
 | iops | The amount of provisioned IOPS. Setting this implies a storage_type of 'io1'. Default is 0 if rds storage type is not 'io1' | string | `0` | no |
+| kms_key_id | The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN | string | - | yes |
 | maintenance_window | The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi' UTC | string | `Mon:03:00-Mon:04:00` | no |
 | multi_az | Set to true if multi AZ deployment must be supported | string | `false` | no |
 | name | The Name of the application or solution  (e.g. `bastion` or `portal`) | string | - | yes |
 | namespace | Namespace (e.g. `eg` or `cp`) | string | - | yes |
 | parameter_group_name | Name of the DB parameter group to associate | string | `` | no |
 | publicly_accessible | Determines if database can be publicly available (NOT recommended) | string | `false` | no |
+| replicate_source_db | Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate. Note that if you are creating a cross-region replica of an encrypted database you will also need to specify a kms_key_id. See [DB Instance Replication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Replication.html) and [Working with PostgreSQL and MySQL Read Replicas](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html) for more information on using Replication. | string | `` | no |
 | security_group_ids | he IDs of the security groups from which to allow `ingress` traffic to the DB instance | list | `<list>` | no |
 | skip_final_snapshot | If true (default), no snapshot will be made before deleting DB | string | `true` | no |
 | snapshot_identifier | Snapshot identifier e.g: rds:production-2015-06-26-06-05. If specified, the module create cluster from the snapshot | string | `` | no |

diff --git a/main.tf b/main.tf
@@ -1,5 +1,6 @@
 module "label" {
   source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3"
+  enabled    = "${var.enabled}"
   namespace  = "${var.namespace}"
   name       = "${var.name}"
   stage      = "${var.stage}"
@@ -10,6 +11,7 @@ module "label" {
 
 module "final_snapshot_label" {
   source     = "git::https://github.com/cloudposse/terraform-null-label.git?ref=tags/0.3.3"
+  enabled    = "${var.enabled}"
   namespace  = "${var.namespace}"
   name       = "${var.name}"
   stage      = "${var.stage}"
@@ -18,8 +20,23 @@ module "final_snapshot_label" {
   tags       = "${var.tags}"
 }
 
+locals {
+  enabled                   = "${var.enabled == "true"}"
+  parameter_group_name      = "${length(var.parameter_group_name) > 0 ? var.parameter_group_name : join("", aws_db_parameter_group.default.*.name)}"
+  final_snapshot_identifier = "${length(var.final_snapshot_identifier) > 0 ? var.final_snapshot_identifier : module.final_snapshot_label.id}"
+  kms_key_id                = "${length(var.kms_key_id) > 0 ? var.kms_key_id : join("", aws_kms_key.default.*.id)}"
+}
+
+resource "aws_kms_key" "default" {
+  count                   = "${local.enabled && length(var.kms_key_id) == 0 ? 1 : 0}"
+  description             = "${module.label.id}"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+  tags                    = "${module.label.tags}"
+}
+
 resource "aws_db_instance" "default" {
-  count                       = "${var.enabled == "true" ? 1 : 0}"
+  count                       = "${local.enabled ? 1 : 0}"
   identifier                  = "${module.label.id}"
   name                        = "${var.database_name}"
   username                    = "${var.database_user}"
@@ -32,7 +49,7 @@ resource "aws_db_instance" "default" {
   storage_encrypted           = "${var.storage_encrypted}"
   vpc_security_group_ids      = "${aws_security_group.default.*.id}"
   db_subnet_group_name        = "${join("", aws_db_subnet_group.default.*.name)}"
-  parameter_group_name        = "${length(var.parameter_group_name) > 0 ? var.parameter_group_name : join("", aws_db_parameter_group.default.*.name)}"
+  parameter_group_name        = "${local.parameter_group_name}"
   multi_az                    = "${var.multi_az}"
   storage_type                = "${var.storage_type}"
   iops                        = "${var.iops}"
@@ -47,45 +64,58 @@ resource "aws_db_instance" "default" {
   backup_retention_period     = "${var.backup_retention_period}"
   backup_window               = "${var.backup_window}"
   tags                        = "${module.label.tags}"
-  final_snapshot_identifier   = "${length(var.final_snapshot_identifier) > 0 ? var.final_snapshot_identifier : module.final_snapshot_label.id}"
+  final_snapshot_identifier   = "${local.final_snapshot_identifier}"
+  kms_key_id                  = "${local.kms_key_id}"
+  monitoring_interval         = "${var.monitoring_interval}"
+  replicate_source_db         = "${var.replicate_source_db}"
 }
 
 resource "aws_db_parameter_group" "default" {
-  count     = "${(length(var.parameter_group_name) == 0 && var.enabled == "true") ? 1 : 0}"
+  count     = "${local.enabled && (length(var.parameter_group_name) == 0) ? 1 : 0}"
   name      = "${module.label.id}"
   family    = "${var.db_parameter_group}"
   tags      = "${module.label.tags}"
   parameter = "${var.db_parameter}"
 }
 
 resource "aws_db_subnet_group" "default" {
-  count      = "${var.enabled == "true" ? 1 : 0}"
+  count      = "${local.enabled ? 1 : 0}"
   name       = "${module.label.id}"
   subnet_ids = ["${var.subnet_ids}"]
   tags       = "${module.label.tags}"
 }
 
 resource "aws_security_group" "default" {
-  count       = "${var.enabled == "true" ? 1 : 0}"
+  count       = "${local.enabled ? 1 : 0}"
   name        = "${module.label.id}"
   description = "Allow inbound traffic from the security groups"
   vpc_id      = "${var.vpc_id}"
 
-  ingress {
-    from_port       = "${var.database_port}"
-    to_port         = "${var.database_port}"
-    protocol        = "tcp"
-    security_groups = ["${var.security_group_ids}"]
-  }
+  tags = "${module.label.tags}"
+}
+
+locals {
+  security_group_id = "${join("", aws_security_group.default.*.id)}"
+}
 
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
+resource "aws_security_group_rule" "allow_ingress" {
+  count                    = "${local.enabled ? length(var.security_group_ids) : 0}"
+  security_group_id        = "${local.security_group_id}"
+  type                     = "ingress"
+  from_port                = "${var.database_port}"
+  to_port                  = "${var.database_port}"
+  protocol                 = "tcp"
+  source_security_group_id = "${var.security_group_ids[count.index]}"
+}
 
-  tags = "${module.label.tags}"
+resource "aws_security_group_rule" "allow_egress" {
+  count             = "${local.enabled ? 1 : 0}"
+  security_group_id = "${local.security_group_id}"
+  type              = "egress"
+  from_port         = 0
+  to_port           = 0
+  protocol          = "-1"
+  cidr_blocks       = ["0.0.0.0/0"]
 }
 
 module "dns_host_name" {
@@ -95,5 +125,5 @@ module "dns_host_name" {
   stage     = "${var.stage}"
   zone_id   = "${var.dns_zone_id}"
   records   = "${aws_db_instance.default.*.address}"
-  enabled   = "${(length(var.dns_zone_id) > 0 && var.enabled == "true") ? "true" : "false"}"
+  enabled   = "${local.enabled && length(var.dns_zone_id) > 0 ? "true" : "false"}"
 }
diff --git a/variables.tf b/variables.tf
@@ -39,6 +39,7 @@ variable "security_group_ids" {
 variable "database_name" {
   type        = "string"
   description = "The name of the database to create when the DB instance is created"
+  default     = ""
 }
 
 variable "database_user" {
@@ -82,13 +83,15 @@ variable "iops" {
 
 variable "allocated_storage" {
   description = "The allocated storage in GBs"
+  default     = ""
 
   # Number, e.g. 10
 }
 
 variable "engine" {
   type        = "string"
   description = "Database engine type"
+  default     = ""
 
   # http://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html
   # - mysql
@@ -100,6 +103,7 @@ variable "engine" {
 variable "engine_version" {
   type        = "string"
   description = "Database engine version, depends on engine type"
+  default     = ""
 
   # http://docs.aws.amazon.com/cli/latest/reference/rds/create-db-instance.html
 }
@@ -116,6 +120,7 @@ variable "instance_class" {
 variable "db_parameter_group" {
   type        = "string"
   description = "Parameter group, depends on DB engine used"
+  default     = ""
 
   # "mysql5.6"
   # "postgres9.5"
@@ -225,3 +230,19 @@ variable "parameter_group_name" {
   description = "Name of the DB parameter group to associate"
   default     = ""
 }
+
+variable "kms_key_id" {
+  type        = "string"
+  description = "The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN"
+  default     = ""
+}
+
+variable "replicate_source_db" {
+  description = "Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate. Note that if you are creating a cross-region replica of an encrypted database you will also need to specify a kms_key_id. See [DB Instance Replication](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Replication.html) and [Working with PostgreSQL and MySQL Read Replicas](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html) for more information on using Replication."
+  default     = ""
+}
+
+variable "monitoring_interval" {
+  description = "The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. Valid Values are 0, 1, 5, 10, 15, 30, 60."
+  default     = "0"
+}