OWASP · arkid15r · Dec 6, 2025 · Dec 5, 2025 · Dec 5, 2025 · Dec 5, 2025
@@ -41,6 +41,7 @@ resource "aws_db_instance" "main" {
   copy_tags_to_snapshot           = var.db_copy_tags_to_snapshot
   db_name                         = var.db_name
   db_subnet_group_name            = aws_db_subnet_group.main.name
+  deletion_protection             = var.db_deletion_protection
   enabled_cloudwatch_logs_exports = var.db_enabled_cloudwatch_logs_exports
   engine                          = "postgres"
   engine_version                  = var.db_engine_version

@@ -33,6 +33,12 @@ variable "db_copy_tags_to_snapshot" {
   default     = true
 }
 
+variable "db_deletion_protection" {
+  description = "Specifies whether to prevent database deletion."
+  type        = bool
+  default     = true
+}
+
 variable "db_enabled_cloudwatch_logs_exports" {
   description = "List of log types to export to CloudWatch Logs."
   type        = list(string)
@@ -70,7 +76,7 @@ variable "db_password" {
 variable "db_skip_final_snapshot" {
   description = "Determines whether a final DB snapshot is created before the DB instance is deleted."
   type        = bool
-  default     = true
+  default     = false
 }
 
 variable "db_storage_type" {
@@ -107,7 +113,7 @@ variable "proxy_security_group_ids" {
 variable "secret_recovery_window_in_days" {
   description = "The number of days that Secrets Manager waits before it can delete the secret. Set to 0 to delete immediately."
   type        = number
-  default     = 0
+  default     = 7
 }
 
 variable "security_group_ids" {

@@ -34,21 +34,23 @@ module "cache" {
 module "database" {
   source = "../modules/database"
 
-  common_tags                = local.common_tags
-  create_rds_proxy           = var.create_rds_proxy
-  db_allocated_storage       = var.db_allocated_storage
-  db_backup_retention_period = var.db_backup_retention_period
-  db_engine_version          = var.db_engine_version
-  db_instance_class          = var.db_instance_class
-  db_name                    = var.db_name
-  db_password                = var.db_password
-  db_storage_type            = var.db_storage_type
-  db_subnet_ids              = module.networking.private_subnet_ids
-  db_user                    = var.db_user
-  environment                = var.environment
-  project_name               = var.project_name
-  proxy_security_group_ids   = [module.security.rds_proxy_sg_id]
-  security_group_ids         = [module.security.rds_sg_id]
+  common_tags                    = local.common_tags
+  create_rds_proxy               = var.create_rds_proxy
+  db_allocated_storage           = var.db_allocated_storage
+  db_backup_retention_period     = var.db_backup_retention_period
+  db_deletion_protection         = var.db_deletion_protection
+  db_engine_version              = var.db_engine_version
+  db_instance_class              = var.db_instance_class
+  db_name                        = var.db_name
+  db_password                    = var.db_password
+  db_storage_type                = var.db_storage_type
+  db_subnet_ids                  = module.networking.private_subnet_ids
+  db_user                        = var.db_user
+  environment                    = var.environment
+  project_name                   = var.project_name
+  proxy_security_group_ids       = [module.security.rds_proxy_sg_id]
+  secret_recovery_window_in_days = var.secret_recovery_window_in_days
+  security_group_ids             = [module.security.rds_sg_id]
 }
 
 module "ecs" {

@@ -1,9 +1,8 @@
-availability_zones   = ["us-east-2a", "us-east-2b", "us-east-2c"]
-aws_region   = "us-east-2"
-create_rds_proxy           = false
-db_backup_retention_period = 0
-db_name                    = "owasp_nest"
-db_user                    = "owasp_nest_db_user"
-db_port                    = 5432
-environment  = "staging"
-project_name = "owasp-nest"
+availability_zones             = ["us-east-2a", "us-east-2b", "us-east-2c"]
+aws_region                     = "us-east-2"
+create_rds_proxy               = true
+db_name                        = "owasp_nest"
+db_user                        = "owasp_nest_db_user"
+db_port                        = 5432
+environment                    = "staging"
+project_name                   = "owasp-nest"
@@ -13,7 +13,7 @@ variable "availability_zones" {
 variable "create_rds_proxy" {
   description = "Whether to create an RDS proxy"
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "db_allocated_storage" {
@@ -28,6 +28,12 @@ variable "db_backup_retention_period" {
   default     = 7
 }
 
+variable "db_deletion_protection" {
+  description = "Specifies whether to prevent database deletion."
+  type        = bool
+  default     = true
+}
+
 variable "db_engine_version" {
   description = "The version of the PostgreSQL engine"
   type        = string
@@ -129,6 +135,12 @@ variable "redis_port" {
   default     = 6379
 }
 
+variable "secret_recovery_window_in_days" {
+  description = "The number of days that Secrets Manager waits before it can delete the secret. Set to 0 to delete immediately."
+  type        = number
+  default     = 7
+}
+
 variable "vpc_cidr" {
   description = "The CIDR block for the VPC"
   type        = string