This module will build and configure an RDS instance or Aurora cluster with additional readers
This repository is a READ-ONLY sub-tree split. See https://github.com/FriendsOfTerraform/modules to create issues or submit pull requests.
module "rds_demo" {
source = "github.com/FriendsOfTerraform/aws-rds.git?ref=v1.0.0"
engine = {
type = "mysql"
version = "8.0.34"
}
name = "singleinstance"
authentication_config = {
db_master_account = {
username = "admin"
manage_password_in_secrets_manager = true
}
}
instance_class = "db.m5d.large"
storage_config = {
type = "gp3"
allocated_storage = 200
}
networking_config = {
db_subnet_group_name = "db-subnet-group"
security_group_ids = ["sg-00ce17012345abcde"]
}
db_name = "demo"
}module "multiazinstance_demo" {
source = "github.com/FriendsOfTerraform/aws-rds.git?ref=v1.0.0"
engine = {
type = "mysql"
version = "8.0.34"
}
deployment_option = "MultiAZInstance"
name = "multiazinstance"
authentication_config = {
db_master_account = {
username = "admin"
manage_password_in_secrets_manager = true
}
}
instance_class = "db.m5d.large"
storage_config = {
type = "gp3"
allocated_storage = 2000
max_allocated_storage = 10000
provisioned_iops = 12000
storage_throughput = 1000
}
networking_config = {
db_subnet_group_name = "db-subnet-group"
security_group_ids = ["sg-00ce17012345abcde"]
}
monitoring_config = {
enable_enhanced_monitoring = {
interval = 60
}
enable_performance_insight = {
retention_period = 7
}
}
db_name = "demo"
enable_automated_backup = {
retention_period = 7
window = "00:00-06:00" #PST 1700-2300
copy_tags_to_snapshot = true
}
cloudwatch_log_exports = ["audit", "error", "general", "slowquery"]
maintenance_config = {
enable_auto_minor_version_upgrade = true
window = "sat:07:00-sat:15:00" #PST saturday 0000 - 0800
}
}module "multiazcluster_demo" {
source = "github.com/FriendsOfTerraform/aws-rds.git?ref=v1.0.0"
engine = {
type = "mysql"
version = "8.0.34"
}
deployment_option = "MultiAZCluster"
name = "multiazcluster-demo"
authentication_config = {
db_master_account = {
username = "admin"
manage_password_in_secrets_manager = true
}
}
instance_class = "db.m5d.large"
# Multi-AZ cluster only supports provisioned IOPS storage
storage_config = {
type = "io1"
allocated_storage = 400
provisioned_iops = 3000
}
networking_config = {
db_subnet_group_name = "test-subnet-group"
security_group_ids = ["sg-00ce17012345abcde"]
}
}module "aurora_regional_demo" {
source = "github.com/FriendsOfTerraform/aws-rds.git?ref=v1.0.0"
engine = {
type = "aurora-mysql"
version = "8.0.mysql_aurora.3.04.0"
}
name = "aurora-regional-demo"
authentication_config = {
db_master_account = {
username = "admin"
manage_password_in_secrets_manager = true
}
iam_database_authentication = {
enabled = true
# Creates IAM policies to allow connection to this RDS cluster
# The name of the db users must already existed in the DB
# IAM policies must be attached to an IAM principal
create_iam_policies_for_db_users = ["peter", "jane"]
}
}
instance_class = "db.t3.medium"
networking_config = {
db_subnet_group_name = "db-subnet-group"
security_group_ids = ["sg-00ce17012345abcde"]
}
db_name = "demo"
enable_automated_backup = {
retention_period = 7
window = "00:00-06:00" #PST 1700-2300
copy_tags_to_snapshot = true
}
cloudwatch_log_exports = ["audit", "error", "general", "slowquery"]
maintenance_config = {
window = "sat:07:00-sat:15:00" #PST saturday 0000 - 0800
}
cluster_instances = {
# The key of the map will be the instance's name
primary = {}
secondary = {
networking_config = { availability_zone = "us-east-1b" }
}
}
}module "aurora_global_demo" {
source = "github.com/FriendsOfTerraform/aws-rds.git?ref=v1.0.0"
# Creates a new global cluster
aurora_global_cluster = {
name = "global-cluster-demo"
}
engine = {
type = "aurora-mysql"
version = "8.0.mysql_aurora.3.04.0"
}
name = "us-east-1-cluster"
authentication_config = {
db_master_account = {
username = "admin"
manage_password_in_secrets_manager = true
}
}
instance_class = "db.serverless"
serverless_capacity = {
max_acus = 50
min_acus = 20
}
networking_config = {
db_subnet_group_name = "db-subnet-group"
security_group_ids = ["sg-00ce17012345abcde"]
}
db_name = "demo"
enable_automated_backup = {
retention_period = 7
window = "00:00-06:00" #PST 1700-2300
copy_tags_to_snapshot = true
}
cloudwatch_log_exports = ["audit", "error", "general", "slowquery"]
maintenance_config = {
window = "sat:07:00-sat:15:00" #PST saturday 0000 - 0800
}
cluster_instances = {
# The key of the map will be the instance's name
primary = {}
secondary = {}
}
}-
(object)
authentication_config[since v1.0.0]Configures RDS authentication methods
-
(object)
db_master_account[since v1.0.0]Manages the DB master account
-
(string)
username[since v1.0.0]Username for the master DB user
-
(string)
customer_kms_key_id = null[since v1.0.0]Specify the KMS key to encrypt the master password in secrets manager. If not specified, the default KMS key for your AWS account is used. Used when
manage_password_in_secrets_manager = true -
(bool)
manage_password_in_secrets_manager = false[since v1.0.0]Set to true to allow RDS to manage the master user password in Secrets Manager. Mutually exclusive with
password. This feature does not support Aurora global cluster. -
(string)
password = null[since v1.0.0]Password for the master DB user. Mutually exclusive with
manage_password_in_secrets_manager
-
-
(bool)
iam_database_authentication = null[since v1.0.0]Configures AWS Identity and Access Management (IAM) accounts to database accounts. Cannot be used when
deployment_option = "MultiAZCluster". Plesae refer to the following documentations for instruction to each DB engine.-
(bool)
enabled = true[since v1.0.0]Specify whether IAM DB authentication is enabled. See example
-
(list(string))
create_iam_policies_for_db_users = [][since v1.0.0]Specify a list of DB user names to create IAM policies for RDS IAM Authentication. This will allow an IAM principal such as an IAM role to request authentication token for the specific DB user. Please refer to this documentation for more information.
-
-
(object)
engine[since v1.0.0]Configures RDS engine options
-
(string)
type[since v1.0.0]Specify the engine type, This module currently supports:
"aurora-mysql","aurora-postgresql","mysql","postgres","mariadb -
(string)
version[since v1.0.0]Specify the engine version. You can get a list of engine version with
aws rds describe-db-engine-versions --engine aurora-mysql --query DBEngineVersions[].[EngineVersion]
-
-
(string)
instance_class[since v1.0.0]The compute and memory capacity of the DB instance, for example
"db.m5.large". For the full list of DB instance classes, please refer to DB instance class and Aurora DB instance class -
(string)
name[since v1.0.0]Specify the name of the RDS instance or the RDS cluster
-
(object)
networking_config[since v1.0.0]Configures RDS connectivity options
-
(string)
db_subnet_group_name[since v1.0.0]Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. A DB subnet group with at least three AZs must be specified if
deployment_option = "MultiAZCluster" -
(list(string))
security_group_ids[since v1.0.0]List of VPC security groups to associate to the RDS instance or cluster
-
(string)
availability_zone = null[since v1.0.0]The availability zone to deploy the RDS instance in
-
(string)
ca_cert_identifier = null[since v1.0.0]The certificate authority (CA) is the certificate that identifies the root CA at the top of the certificate chain. The CA signs the DB server certificate, which is installed on each DB instance. The DB server certificate identifies the DB instance as a trusted server. Please refer to this documentation for valid values. Defaults to
"rds-ca-2019". Refers to the following documentations for requirements to connect to each DB engine with SSL. -
(bool)
enable_ipv6 = false[since v1.0.0]Specify whether the RDS instance or cluster supports IPv6
-
(bool)
enable_public_access = false[since v1.0.0]Specify whether the RDS instance or cluster is publicly accessible
-
(string)
port = null[since v1.0.0]Specify the port on which the DB accepts connections.
-
-
(map(string))
additional_tags = {}[since v1.0.0]Additional tags for the RDS instance or cluster
-
(map(string))
additional_tags_all = {}[since v1.0.0]Additional tags for all resources deployed with this module
-
(bool)
apply_immediately = null[since v1.0.0]Specifies whether any database modifications are applied immediately, or during the next maintenance window. Using
apply_immediatelycan result in a brief downtime as the server reboots. -
(object)
aurora_global_cluster = null[since v1.0.0]Creates new or join existing Aurora Global cluster. Must be used with an
"aurora-*"engine type-
(string)
join_existing_global_cluster = null[since v1.0.0]The name of an existing global Aurora cluster to join. Cannot be used with
name -
(string)
name = null[since v1.0.0]Specify the name of the global cluster to be created. Cannot be used with
join_existing_global_cluster
-
-
(list(string))
cloudwatch_log_exports = null[since v1.0.0]Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine). MySQL and MariaDB:
"audit","error","general","slowquery". PostgreSQL:"postgresql". -
(map(object))
cluster_instances = {}[since v1.0.0]Manages multiple instances for an Aurora cluster. Must be used with an
"aurora-*"engine type. See example-
(map(string))
additional_tags = {}[since v1.0.0]Additional tags for the individual cluster instance
-
(string)
db_parameter_group = null[since v1.0.0]Specify the name of the DB parameter group to be associated to the instance.
-
(number)
failover_priority = null[since v1.0.0]Default 0. Failover Priority setting on instance level. The reader who has lower tier has higher priority to get promoted to writer.
-
(string)
instance_class = null[since v1.0.0]Specify the DB instance class for the individual instance. Do not use for serverless cluster. See example
-
(object)
networking_config = null[since v1.0.0]Configures connectivity options for the individual instance
-
(string)
availability_zone = null[since v1.0.0]The availability zone to deploy the RDS instance in
-
(bool)
enable_public_access = null[since v1.0.0]Specify whether the RDS instance is publicly accessible
-
-
-
(string)
db_name = null[since v1.0.0]The name of the database to create when the DB instance or cluster is created. If this parameter is not specified, no database is created.
-
(string)
db_cluster_parameter_group = null[since v1.0.0]Specify the name of the DB parameter group to be attached to all instances in the cluster
-
(string)
db_parameter_group = null[since v1.0.0]Specify the name of the DB parameter group to be attached to the instance
-
(bool)
delete_protection_enabled = false[since v1.0.0]Prevent the instance or cluster from deletion when this value is set to
true -
(string)
deployment_option = SingleInstance[since v1.0.0]Specify the option for non-aurora deployment. Valid values are:
"SingleInstance", "MultiAZInstance", "MultiAZCluster".MultiAZInstanceandMultiAZClusteronly support the"mysql"and"postgres"engine type. -
(object)
enable_automated_backup = null[since v1.0.0]Configures RDS automated backup
-
(number)
retention_period[since v1.0.0]The number of days (1-35) for which automatic backups are kept.
-
(bool)
copy_tags_to_snapshot = true[since v1.0.0]Indicates whether to copy all of the user-defined tags from the DB instance to snapshots of the DB instance
-
(string)
window = null[since v1.0.0]Daily time range (in UTC) during which automated backups are created. In the
"hh24:mi-hh24:mi"format. For example"04:00-09:00"
-
-
(object)
enable_encryption = null[since v1.0.0]Enables RDS DB encryption to encrypt the DB instance
-
(string)
kms_key_arn[since v1.0.0]The KMS CMK used to encrypt the DB and storage
-
-
(object)
maintenance_config = null[since v1.0.0]Configures RDS maintenance options
-
(string)
window[since v1.0.0]Window to perform maintenance in (in UTC). Syntax:
"ddd:hh24:mi-ddd:hh24:mi". For example"Mon:00:00-Mon:03:00". -
(bool)
enable_auto_minor_version_upgrade = true[since v1.0.0]Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window
-
-
(object)
monitoring_config = null[since v1.0.0]Configures RDS monitoring options
-
(object)
enable_enhanced_monitoring = null[since v1.0.0]Enables RDS enhanced monitoring
-
(number)
interval[since v1.0.0]Interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. Valid Values:
0,1,5,10,15,30,60. -
(string)
iam_role_arn = null[since v1.0.0]ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Please refer to this documentation for information of the required IAM permissions. One will be created if not specified.
-
-
(object)
enable_performance_insight = null[since v1.0.0]Enables RDS performance insight
-
(number)
retention_period[since v1.0.0]Amount of time in days to retain Performance Insights data. Valid values are
7,731(2 years) or amultiple of 31. -
(string)
kms_key_id = null[since v1.0.0]ARN for the KMS key to encrypt Performance Insights data.
-
-
-
(string)
option_group = null[since v1.0.0]Specify the name of the option group to be attached to the instance
-
(object)
serverless_capacity = null[since v1.0.0]Specify the capacity range of the serverless instance. Must be used with
instance_class = "db.serverless"and an"aurora-*"engine type, see example. Refer to this documentation for more details.-
(number)
min_acus[since v1.0.0]Specify the minimum Aurora capacity unit. Each ACU corresponds to approximately 2 GiB of memory
-
(number)
max_acus = null[since v1.0.0]Specify the maximum Aurora capacity unit. Each ACU corresponds to approximately 2 GiB of memory. Must be greater than
min_acus, if unspecified, the value ofmin_acuswill be used.
-
-
(bool)
skip_final_snapshot = null[since v1.0.0]Determines whether a final DB snapshot is created before the DB cluster is deleted
-
(object)
storage_config = null[since v1.0.0]Configures RDS storage options
-
(number)
allocated_storage[since v1.0.0]The allocated storage in gibibytes
-
(string)
type[since v1.0.0]Specify the storage type. Valid values are:
"gp3"and"io1" -
(number)
max_allocated_storage = null[since v1.0.0]When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to
allocated_storage. Must be greater than or equal to allocated_storage or0to disable Storage Autoscaling -
(number)
provisioned_iops = null[since v1.0.0]The amount of provisioned IOPS. Can only be set when
typeis"io1"or"gp3". Please refer to this documentation for more details. -
(number)
storage_throughput = null[since v1.0.0]The storage throughput value for the DB instance. Can only be set when
type = "gp3". Please refer to this documentation for more details.
-
-
(string)
aurora_cluster_endpoint[since v1.0.0]DNS address of the Writer instance
-
(list(string))
aurora_cluster_members[since v1.0.0]List of RDS Instances that are a part of this Aurora cluster
-
(string)
aurora_cluster_reader_endpoint[since v1.0.0]Read-only endpoint for the Aurora cluster, automatically load-balanced across replicas
-
(string)
aurora_global_cluster_arn[since v1.0.0]The ARN of the Aurora global cluster created by this module
-
(string)
aurora_global_cluster_identifier[since v1.0.0]The name of the Aurora global cluster created by this module
-
(string)
cluster_arn[since v1.0.0]The ARN of the RDS cluster. Only applicable if deploying an
Aurora clusteror aMulti-AZ Cluster -
(string)
cluster_identifier[since v1.0.0]The name of the RDS cluster. Only applicable if deploying an
Aurora clusteror aMulti-AZ Cluster -
(object)
master_user_secret[since v1.0.0]Retrive master user secret. Only available when
authentication_config.db_master_account.manage_password_in_secrets_manager = true-
(string)
kms_key_id[since v1.0.0]Amazon Web Services KMS key identifier that is used to encrypt the secret.
-
(string)
secret_arn[since v1.0.0]Amazon Resource Name (ARN) of the secret.
-
(string)
secret_status[since v1.0.0]Status of the secret. Value can be:
"creating","active","rotating", or"impaired".
-
-
(map(string))
rds_connect_iam_policy_arns[since v1.0.0]The map of IAM policy ARNs for RDS connect. Only available when
authentication_config.iam_database_authentication.enabled = true