Terraform module for AWS RDS instances
Requirements

| Name | Version |
|---|---|
| terraform | >= 1.6.0 |
| aws | >= 6.26.0 |
| random | >= 3.7.2 |

Providers

| Name | Version |
|---|---|
| aws | >= 6.26.0 |
| null | n/a |
| random | >= 3.7.2 |

Modules

| Name | Source | Version |
|---|---|---|
| cluster_parameters | ./modules/cluster_parameter_group | n/a |
| cw_log_group | ./modules/cloudwatch_log_groups | n/a |
| db_cluster_serverless | ./modules/rds_aurora | n/a |
| db_instance | ./modules/rds_instance | n/a |
| db_multi_az_cluster | ./modules/rds_aurora | n/a |
| db_parameter_group | ./modules/instance_parameter_group | n/a |
| db_proxy | ./modules/rds_proxy | n/a |
| db_subnet_group | ./modules/rds_subnet_group | n/a |
| enhanced_monitoring_iam_role | ./modules/enhanced_monitoring_role | n/a |
| security_group | ./modules/security_group | n/a |
| security_group_proxy | ./modules/security_group | n/a |

Resources

| Name | Type |
|---|---|
| null_resource.validate_instance_type_proxy | resource |
| random_id.snapshot_identifier | resource |
| aws_iam_account_alias.current | data source |
| aws_rds_engine_version.engine_info | data source |
| aws_ssm_parameter.oidc_provider | data source |
| aws_vpc.selected | data source |
| aws_vpc_peering_connection.kubernetes_access | data source |
| aws_vpc_peering_connections.peering | data source |
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_backup_retention | Specify additional backup retention. Valid Values: 30days, 60days, 180days, 1year, 10year. Notes: This sets the dfds.backup_retention tag. See recommendations here. | string | null | no |
| additional_rds_proxy_security_groups | Specify additional security groups to attach by ID to the RDS proxy. | list(string) | [] | no |
| additional_rds_security_group_rules | Specify additional security group rules for the RDS instance. Notes: Use only for special cases. | object({ … }) | { … } | no |
| additional_rds_security_groups | Specify additional security groups to attach by ID to the RDS instance. | list(string) | [] | no |
| allocated_storage | Specify the allocated storage in gigabytes. | number | null | no |
| allow_major_version_upgrade | Specify whether major version upgrades are allowed. Notes: Changing this parameter does not cause an outage; the change is applied asynchronously as soon as possible. The flag only permits an upgrade; one is triggered by changing engine_version. | bool | true | no |
| apply_immediately | Specify whether database modifications are applied immediately or during the next maintenance window. Notes: apply_immediately can result in brief downtime as the server reboots. See documentation for more information. | bool | false | no |
| auto_minor_version_upgrade | Specify whether minor engine upgrades can be applied automatically to the DB instance. Notes: Minor engine upgrades are applied automatically during the maintenance window. | bool | true | no |
| automation_initiator_location | Specify the URL of the repository holding the automation script. Valid Values: URL to repo. Example: "https://github.com/dfds/terraform-aws-rds". Notes: This sets the dfds.automation.initiator.location tag. See recommendations here. | string | null | no |
| availability_zone | Specify the Availability Zone for the RDS instance. Notes: Only available for DB instances that do not have multi-AZ enabled. | string | null | no |
| ca_cert_identifier | Specify the identifier of the CA certificate for the DB instance. Notes: If omitted, the latest CA certificate is used. Clients that verify the server certificate (for example sslmode=verify-full) must trust the matching CA bundle. | string | null | no |
| cloudwatch_log_group_kms_key_id | Specify the ARN of the KMS key to use when encrypting log data. | string | null | no |
| cloudwatch_log_group_retention_in_days | Specify the retention period in days for the CloudWatch logs. Valid Values: Number of days. Notes: - If omitted, the default is 7 days for production and 1 day for non-production environments. - If set to 0, logs are retained indefinitely. - -1 is not a valid retention period; it is the sentinel meaning "omitted", which enables the logic that calculates the environment default. | number | -1 | no |
| cloudwatch_log_group_skip_destroy_on_deletion | Specify whether to skip deleting the CloudWatch log group when the instance is destroyed. | bool | false | no |
| cluster_parameters | A list of DB parameters (map) to apply. | list(map(string)) | [] | no |
| cluster_use_name_prefix | Whether to use the name as a prefix for the cluster. | bool | false | no |
| copy_tags_to_snapshot | Specify whether to copy all instance tags to the final snapshot on deletion. Notes: Snapshots are created by the AWS Backup job assuming this resource is properly tagged; see here for more info. | bool | false | no |
| cost_centre | Provide a cost centre for the resource. Notes: This sets the dfds.cost_centre tag. See recommendations here. | string | n/a | yes |
| data_classification | Specify the data classification. Valid Values: public, private, confidential, restricted. Notes: This sets the dfds.data.classification tag. See recommendations here. | string | n/a | yes |
| db_name | Specify the name of the database to create. Notes: If omitted, no database is created initially. | string | null | no |
| delete_automated_backups | Specify whether to remove automated backups immediately after the DB instance is deleted. | bool | false | no |
| deletion_protection | Specify whether to prevent the DB instance from being deleted. Notes: The database cannot be deleted while this is true; it must be set to false and applied before a destroy can succeed. | bool | true | no |
| enable_default_backup | Specify whether to enable default backup. Notes: - This sets the dfds.backup tag. See recommendations here. - If omitted, the default is true for production and false for non-production environments. | bool | null | no |
| enabled_log_exports | Specify the list of log types to export to CloudWatch Logs. Valid Values: postgresql (PostgreSQL), upgrade (PostgreSQL). Notes: If omitted, no logs are exported. | list(string) | [] | no |
| engine_version | Specify the engine version to use. Valid Values: A specific version number, for example "15.3", or a major version number, for example "15". Notes: - If omitted, the preferred version is used. - If only a major version is specified, the preferred version of that major is used. - A specific version must be valid; valid versions are listed in the AWS documentation. | string | null | no |
| enhanced_monitoring_interval | Specify the interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. Valid Values: 0, 1, 5, 10, 15, 30, 60. Notes: Specify 0 to disable Enhanced Monitoring. | number | 0 | no |
| environment | Specify the staging environment. Valid Values: "dev", "test", "staging", "uat", "training", "prod". Notes: The value sets configuration defaults according to DFDS policies. | string | n/a | yes |
| final_snapshot_identifier_prefix | Specify the prefix for the name of the final snapshot taken when the instance is destroyed. | string | "final" | no |
| iam_database_authentication_enabled | Set to true to enable authentication using IAM. Notes: Mappings between IAM users/roles and database accounts must be created in the RDS instance for this to work (for PostgreSQL, grant the rds_iam role to each database user that should log in with an IAM token). | bool | false | no |
| identifier | Specify the name of the RDS instance to create. | string | n/a | yes |
| instance_class | Specify the instance type of the RDS instance. Valid Values: "db.t3.micro", "db.t3.small", "db.t3.medium", "db.t3.large", "db.t3.xlarge", "db.t3.2xlarge", "db.r6g.xlarge", "db.m6g.large", "db.m6g.xlarge", "db.t2.micro", "db.t2.small", "db.t2.medium", "db.m4.large", "db.m5d.large", "db.m6i.large", "db.m5.xlarge", "db.t4g.micro", "db.t4g.small", "db.t4g.large", "db.t4g.xlarge". Notes: If omitted, the instance type is set to db.t3.micro. | string | null | no |
| instance_is_multi_az | Specify whether the RDS instance is multi-AZ. Notes: - This creates a primary DB instance and a standby DB instance in a different AZ for high availability and data redundancy. - The standby DB instance does not accept connections for read workloads. - If omitted, the value is true by default for production environments and false for non-production environments. | bool | null | no |
| instance_parameters | Specify a list of DB parameters (map) to modify. Valid Values: Example: instance_parameters = [{ name = "rds.force_ssl", value = 1, apply_method = "pending-reboot" }, ...]. Notes: See documentation for more information. | list(map(string)) | [] | no |
| instance_terraform_timeouts | Specify Terraform resource management timeouts. Notes: Applies to aws_db_instance in particular, to permit longer resource management times. See documentation for more information. | map(string) | {} | no |
| iops | Specify the amount of provisioned IOPS. Notes: Setting this implies a storage_type of 'io1' or 'gp3'. See the storage_type notes for the gp3 limitations on this variable. | number | null | no |
| is_cluster | [Experimental Feature] Specify whether to deploy the instance as a multi-AZ database cluster. Notes: - This feature is currently in beta and subject to change. - It creates a DB cluster with a primary DB instance and two readable standby DB instances, each in a different Availability Zone (AZ). - Provides high availability and data redundancy and increases capacity to serve read workloads. - Proxy is not supported for cluster instances. - For smaller workloads we recommend a single instance instead of a cluster. | bool | false | no |
| is_kubernetes_app_enabled | Specify whether to enable access from Kubernetes pods. Notes: Enabling this creates the following resources: - IAM role for service account (IRSA) - IAM policy for service account (IRSA) - Peering connection from the EKS cluster; this requires a VPC peering already deployed in the AWS account. | bool | false | no |
| is_proxy_included | Specify whether to include an RDS Proxy. Notes: The proxy helps manage database connections. See documentation for more information. | bool | false | no |
| is_publicly_accessible | Specify whether this instance is publicly accessible. Notes: Setting this to true does the following: - Assigns a public IP address; the host name of the DB instance resolves to the public IP address. - Access from within the VPC is still possible via the private IP address of the assigned network interface. - Creates a security group rule allowing inbound traffic from the specified CIDR blocks. - public_access_ip_whitelist must be set to allow access from specific IP addresses. | bool | false | no |
| maintenance_window | Specify the window in which to perform maintenance. Valid Values: Syntax: ddd:hh24:mi-ddd:hh24:mi, e.g. "Mon:00:00-Mon:03:00". Notes: The default is "Sat:18:00-Sat:20:00", adjusted to the AWS Backup schedule; see info here. | string | "Sat:18:00-Sat:20:00" | no |
| manage_cloudwatch_log_group_with_terraform | Specify whether to manage the CloudWatch log group with Terraform; this is what allows the retention policy to be set. Notes: - If true, the log group is created and managed by Terraform. - If false, the log group is created automatically by RDS but is not managed by Terraform. | bool | false | no |
| manage_master_user_password | Set to true to let RDS manage the master user password in Secrets Manager. Notes: - The default is true and using this feature is recommended. - If true, the password variable is ignored. | bool | true | no |
| max_allocated_storage | Set a value to enable storage autoscaling and cap the maximum allocated storage. Notes: If omitted, the value is 50 by default for production environments and 0 (autoscaling disabled) for non-production environments. | number | null | no |
| network_type | Specify the network type of the DB instance. Valid Values: IPV4, DUAL. | string | null | no |
| optional_data_specific_tags | Provide a map of optional dfds.data.* tags to apply on data-specific resources. Notes: - Use this only for optional data tags; required tags are supplied through dedicated variables. - These tags are applied only to the relevant data resources. - See recommendations here. | map(string) | {} | no |
| optional_tags | Provide a map of optional dfds.* tags to apply on all resources. Notes: - Use this only for optional tags; required tags are supplied through dedicated variables. - See recommendations here. | map(string) | {} | no |
| password | Specify the password for the master DB user. Notes: - This password may show up in logs and is stored in the state file. - If manage_master_user_password is true, this value is ignored. | string | null | no |
| performance_insights_enabled | Specify whether to enable Performance Insights. Notes: If omitted, the value is true by default for production environments (with the default retention period of 7 days) and false for non-production environments. | bool | null | no |
| performance_insights_kms_key_id | Specify the ARN of the KMS key used to encrypt Performance Insights data. Notes: - performance_insights_enabled must be true when this is set. - Once a KMS key is set it can never be changed. | string | null | no |
| performance_insights_retention_period | Specify the retention period, in days, for Performance Insights. Valid Values: 7, 731 (2 years) or a multiple of 31. Notes: Only applies when performance_insights_enabled is true; if omitted, the default retention period is used. | number | null | no |
| pipeline_location | Specify a valid URL to the pipeline file used by the automation script. Valid Values: URL to repo. Example: "https://github.com/dfds/terraform-aws-rds/actions/workflows/qa.yml". Notes: This sets the dfds.automation.initiator.pipeline tag. See recommendations here. | string | null | no |
| port | Specify the port number on which the DB accepts connections. Notes: The default is 5432. | number | 5432 | no |
| proxy_additional_security_group_rules | Specify additional security group rules for the RDS proxy. Notes: - Public access is not supported on RDS Proxy. See documentation for more information. - Only ingress (inbound) rules are supported. - The default rules are an egress rule "Allow outbound traffic to PostgreSQL instance" and an ingress rule "Allow inbound traffic from same security group on specified database port". | object({ … }) | { … } | no |
| proxy_debug_logging_is_enabled | Turn on debug logging for the proxy. Notes: Debug logging writes details of the SQL statements sent through the proxy to CloudWatch Logs; enable it only while troubleshooting. | bool | false | no |
| proxy_engine_family | Specify the engine family of the RDS proxy. Valid Values: POSTGRESQL. | string | "POSTGRESQL" | no |
| proxy_iam_auth | Specify whether to use IAM authentication for the proxy. Valid Values: DISABLED, REQUIRED. Notes: With REQUIRED, clients authenticate to the proxy with IAM tokens, which also requires TLS on the client connection (see proxy_require_tls). | string | "DISABLED" | no |
| proxy_idle_client_timeout | Specify the idle client timeout of the RDS proxy, in seconds (how long an idle client connection is kept alive). | number | 1800 | no |
| proxy_require_tls | Specify whether to require TLS for the proxy. Notes: The default is true. | bool | true | no |
| public_access_ip_whitelist | Provide a list of IP addresses to whitelist for public access. Valid Values: List of CIDR blocks, for example ["x.x.x.x/32", "y.y.y.y/32"]. Notes: - For a publicly accessible RDS instance, this list is used to whitelist the source IP addresses. - Best practice is to list only the IP addresses that require access to the RDS instance. - Setting this to ["0.0.0.0/0"] opens the RDS instance to the whole internet! Examples where that can be necessary: - Access from workloads with randomly assigned public IP addresses. - No VPC peering is configured. | list(string) | [] | no |
| replicate_source_db | Indicate that this resource is a replica database and use this value as the source database. Valid Values: The identifier of another Amazon RDS database to replicate in the same region. Notes: For cross-region replication, specify the ARN of the source DB instance. | string | null | no |
| resource_owner_contact_email | Provide an email address for the resource owner (e.g. team or individual). Notes: This sets the dfds.owner tag. See recommendations here. | string | null | no |
| service_availability | Specify service availability. Valid Values: low, medium, high. Notes: This sets the dfds.service.availability tag. See recommendations here. | string | n/a | yes |
| skip_final_snapshot | Determine whether a final DB snapshot is created before the DB instance is deleted. Notes: - If true, no final snapshot is created; if false, a snapshot is created before the DB instance is deleted. - The default is true; snapshots are created by the AWS Backup job assuming this resource is properly tagged, see here for more info. | bool | true | no |
| source_snapshot_identifier | Provide the ID of the snapshot to create this instance from. Valid Values: The snapshot ID as shown in the RDS console, e.g. rds:production-2015-06-26-06-05. Notes: Setting this causes the instance to be restored from the specified snapshot. | string | null | no |
| storage_throughput | Specify the storage throughput value for the DB instance. Notes: See the storage_type notes for the gp3 limitations on this variable. | number | null | no |
| storage_type | Specify the storage type. Valid Values: One of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (new generation of general purpose SSD) or 'io1' (provisioned IOPS SSD). Notes: This module defaults to 'gp3' (the AWS provider itself defaults to 'io1' when iops is specified and 'gp2' otherwise). 'io1' requires a value for iops. For 'gp3', iops and storage_throughput are optional and can only be customised once allocated_storage reaches the engine's threshold (400 GiB for PostgreSQL); below that the gp3 baseline applies. | string | "gp3" | no |
| subnet_ids | Provide a list of VPC subnet IDs. Notes: - The subnets must be in the same VPC as the RDS instance. Example: ["subnet-aaaaaaaaaaa", "subnet-bbbbbbbbbbb", "subnet-cccccccccc"]. - Use private subnets for private databases. - Use public subnets for public databases; this option should be used when setting is_kubernetes_app_enabled to true. See the guide here for how to fetch them. | list(string) | n/a | yes |
| username | Specify the username for the master DB user. | string | n/a | yes |
| vpc_id | Specify the VPC ID. | string | n/a | yes |
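The inputs above are easiest to read as a complete call. The following is an added example, not code from the module's README or repository: a private production PostgreSQL instance behind an RDS Proxy, with the security-relevant settings pinned rather than left to defaults. The module source URL (taken from the automation_initiator_location example) and its ref, the VPC and subnet IDs, the cost centre and the e-mail address are placeholders to replace; the input names and values are the ones documented in the table.

```hcl
# Added example; not the module's own code. IDs, tag values and the module ref are placeholders.
module "orders_db" {
  # Pin the module to a tag or commit so an upstream change cannot silently alter what is applied
  # (assumption: the module is consumed from its git repository).
  source = "git::https://github.com/dfds/terraform-aws-rds.git?ref=REPLACE_WITH_TAG_OR_COMMIT"

  identifier  = "orders-prod"
  environment = "prod" # prod defaults: multi-AZ on, default backup on, Performance Insights on

  # Private subnets only: the instance is reachable inside the VPC (or via the proxy), never from the internet.
  vpc_id                     = "vpc-0123456789abcdef0"                                 # placeholder
  subnet_ids                 = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"] # placeholders
  is_publicly_accessible     = false
  public_access_ip_whitelist = []

  engine_version        = "15" # major version only: the module selects the preferred minor
  instance_class        = "db.t4g.small"
  allocated_storage     = 100
  max_allocated_storage = 500 # storage autoscaling ceiling; must not be below allocated_storage
  storage_type          = "gp3"

  # Credentials: RDS keeps the master password in Secrets Manager, so it never enters the
  # state file, and applications log in with short-lived IAM tokens instead of a shared secret.
  username                            = "orders_admin"
  manage_master_user_password         = true
  iam_database_authentication_enabled = true

  # Reject plaintext connections at the engine; the parameter takes effect on the next reboot.
  instance_parameters = [
    { name = "rds.force_ssl", value = "1", apply_method = "pending-reboot" },
  ]

  # Connection pooling in front of the instance, with TLS and IAM auth enforced on the proxy side.
  is_proxy_included = true
  proxy_require_tls = true
  proxy_iam_auth    = "REQUIRED"

  # Audit trail: engine and upgrade logs to CloudWatch, retained for 90 days under Terraform control.
  enabled_log_exports                        = ["postgresql", "upgrade"]
  manage_cloudwatch_log_group_with_terraform = true
  cloudwatch_log_group_retention_in_days     = 90
  enhanced_monitoring_interval               = 60

  # Lifecycle: keep deletion protection on and take a tagged final snapshot even though
  # AWS Backup is expected to run, so an accidental destroy is recoverable either way.
  deletion_protection   = true
  skip_final_snapshot   = false
  copy_tags_to_snapshot = true

  # Required DFDS tags.
  cost_centre                  = "cc-orders"               # placeholder
  data_classification          = "confidential"
  service_availability         = "high"
  resource_owner_contact_email = "orders-team@example.com" # placeholder
}
```

Two things follow from the table rather than from the snippet: `proxy_iam_auth = "REQUIRED"` only works because `proxy_require_tls` is left true, and `deletion_protection` has to be flipped to false and applied before a later `terraform destroy` can succeed.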
Outputs

| Name | Description |
|---|---|
| iam_instance_profile_for_ec2 | The name of the EC2 instance profile using the IAM role that gives AWS services access to the RDS instance and Secrets Manager |
| iam_role_arn_for_aws_services | The ARN of the IAM role that gives AWS services access to the RDS instance and Secrets Manager |
| kubernetes_serviceaccount | If you create this Kubernetes ServiceAccount, you get access to the RDS instance through IRSA |
| peering | n/a |
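The is_publicly_accessible and public_access_ip_whitelist inputs are the ones most likely to be set wrongly, and the table warns that ["0.0.0.0/0"] opens the instance to the whole internet. The following is an added example, not part of the module: caller-side guardrails in the root module that consumes it, evaluated at plan time so a bad allow-list never reaches apply. The two variables mirror the module inputs of the same name; the module call that forwards them is assumed and not shown. It uses the same null_resource-style precondition approach the module itself takes with null_resource.validate_instance_type_proxy, here on the built-in terraform_data resource.

```hcl
# Added example; not the module's own code. Guardrails for the public-access inputs of the
# calling root module (assumption: these variables are forwarded to the module call).
variable "is_publicly_accessible" {
  type    = bool
  default = false
}

variable "public_access_ip_whitelist" {
  type    = list(string)
  default = []

  # Every entry must parse as a CIDR block; cidrhost accepts both IPv4 and IPv6 prefixes.
  validation {
    condition     = alltrue([for cidr in var.public_access_ip_whitelist : can(cidrhost(cidr, 0))])
    error_message = "public_access_ip_whitelist entries must be CIDR blocks such as 203.0.113.10/32."
  }

  # An open allow-list makes the database reachable from the whole internet.
  validation {
    condition = (
      !contains(var.public_access_ip_whitelist, "0.0.0.0/0")
      && !contains(var.public_access_ip_whitelist, "::/0")
    )
    error_message = "0.0.0.0/0 and ::/0 are not allowed; list the specific source addresses instead."
  }
}

# A validation block can only inspect its own variable on Terraform 1.6, so the rule that
# ties the two inputs together lives in a resource precondition instead.
resource "terraform_data" "validate_public_access" {
  lifecycle {
    # A public instance with an empty allow-list gets no inbound rule at all, which is a
    # misconfiguration rather than a secure state; a private instance ignores the list, so a
    # populated one is treated as a leftover from an earlier public configuration.
    precondition {
      condition     = var.is_publicly_accessible == (length(var.public_access_ip_whitelist) > 0)
      error_message = "Set public_access_ip_whitelist if and only if is_publicly_accessible is true."
    }
  }
}
```

The table notes two cases where a broad allow-list can be unavoidable (callers on randomly assigned public IPs, no VPC peering); a team that needs one of them would relax the second validation deliberately rather than inherit the open default.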