This repo contains a terraform module for creating and managing AWS RDS instances

dfds/terraform-aws-rds

terraform-aws-rds

Terraform module for AWS RDS instances

Documentation

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3.0, < 1.6.0 |
| aws | ~> 5.0 |
| random | >= 3.1 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |
| null | n/a |
| random | >= 3.1 |

Modules

| Name | Source | Version |
|------|--------|---------|
| cluster_parameters | ./modules/cluster_parameter_group | n/a |
| cw_log_group | ./modules/cloudwatch_log_groups | n/a |
| db_cluster_serverless | ./modules/rds_aurora | n/a |
| db_instance | ./modules/rds_instance | n/a |
| db_multi_az_cluster | ./modules/rds_aurora | n/a |
| db_parameter_group | ./modules/instance_parameter_group | n/a |
| db_proxy | ./modules/rds_proxy | n/a |
| db_subnet_group | ./modules/rds_subnet_group | n/a |
| enhanced_monitoring_iam_role | ./modules/enhanced_monitoring_role | n/a |
| security_group | ./modules/security_group | n/a |
| security_group_proxy | ./modules/security_group | n/a |

Resources

| Name | Type |
|------|------|
| null_resource.validate_instance_type_proxy | resource |
| random_id.snapshot_identifier | resource |
| aws_iam_account_alias.current | data source |
| aws_rds_engine_version.engine_info | data source |
| aws_ssm_parameter.oidc_provider | data source |
| aws_vpc.selected | data source |
| aws_vpc_peering_connection.kubernetes_access | data source |
| aws_vpc_peering_connections.peering | data source |

Inputs

additional_backup_retention
  Specify additional backup retention.
  Valid Values: 30days, 60days, 180days, 1year, 10year
  Notes: This sets the dfds.backup_retention tag. See recommendations here.
  Type: string | Default: null | Required: no

additional_rds_proxy_security_groups
  Specify additional security groups to attach by ID to the RDS proxy.
  Type: list(string) | Default: [] | Required: no

additional_rds_security_group_rules
  Specify additional security group rules for the RDS instance.
  Notes: Use only for special cases.
  Type:
    object({
      ingress_rules     = list(any)
      ingress_with_self = optional(list(any), [])
      egress_rules      = optional(list(any), [])
    })
  Default:
    {
      "egress_rules": [],
      "ingress_rules": [],
      "ingress_with_self": []
    }
  Required: no

additional_rds_security_groups
  Specify additional security groups to attach by ID to the RDS instance.
  Type: list(string) | Default: [] | Required: no

allocated_storage
  Specify the allocated storage in gigabytes.
  Type: number | Default: null | Required: no

allow_major_version_upgrade
  Specify whether or not major version upgrades are allowed.
  Notes: Changing this parameter does not result in an outage; the change is applied asynchronously as soon as possible.
  Type: bool | Default: true | Required: no

apply_immediately
  Specify whether any database modifications are applied immediately, or during the next maintenance window.
  Notes: apply_immediately can result in a brief downtime as the server reboots. See documentation for more information.
  Type: bool | Default: false | Required: no

auto_minor_version_upgrade
  Specify whether or not minor engine upgrades can be applied automatically to the DB instance.
  Notes: Minor engine upgrades will be applied automatically to the DB instance during the maintenance window.
  Type: bool | Default: true | Required: no

automation_initiator_location
  Specify the URL to the repo of the automation script.
  Valid Values: URL to repo. Example: "https://github.com/dfds/terraform-aws-rds"
  Notes: This sets the dfds.automation.initiator.location tag. See recommendations here.
  Type: string | Default: null | Required: no

availability_zone
  Specify the Availability Zone for the RDS instance.
  Notes: Only available for DB instances that do not have multi-AZ enabled.
  Type: string | Default: null | Required: no

ca_cert_identifier
  Specify the identifier of the CA certificate for the DB instance.
  Notes: If this variable is omitted, the latest CA certificate will be used.
  Type: string | Default: null | Required: no

cloudwatch_log_group_kms_key_id
  Specify the ARN of the KMS key to use when encrypting log data.
  Type: string | Default: null | Required: no

cloudwatch_log_group_retention_in_days
  Specify the retention period in days for the CloudWatch logs.
  Valid Values: Number of days
  Notes:
    - If omitted, the default value is set to 7 days for production and 1 day for non-production environments.
    - If set to 0, logs will be retained indefinitely.
    - -1 is an invalid value. It is used to express that the value is omitted, which enables the logic that calculates the default value.
  Type: number | Default: -1 | Required: no

cloudwatch_log_group_skip_destroy_on_deletion
  Specify whether or not to skip the deletion of the CloudWatch log group on deletion.
  Type: bool | Default: false | Required: no

cluster_parameters
  A list of DB parameters (map) to apply.
  Type: list(map(string)) | Default: [] | Required: no

cluster_use_name_prefix
  Whether to use name as a prefix for the cluster.
  Type: bool | Default: false | Required: no

copy_tags_to_snapshot
  Specifies whether or not to copy all instance tags to the final snapshot on deletion.
  Notes: Default value is set to true. Snapshots will be created by the AWS Backup job assuming that this resource is properly tagged, see here for more info.
  Type: bool | Default: false | Required: no

cost_centre
  Provide a cost centre for the resource.
  Notes: This sets the dfds.cost_centre tag. See recommendations here.
  Type: string | Default: n/a | Required: yes

data_classification
  Specify data classification.
  Valid Values: public, private, confidential, restricted
  Notes: This sets the dfds.data.classification tag. See recommendations here.
  Type: string | Default: n/a | Required: yes

db_name
  Specifies the DB name to create.
  Notes: If omitted, no database is created initially.
  Type: string | Default: null | Required: no

delete_automated_backups
  Specify whether or not to remove automated backups immediately after the DB instance is deleted.
  Type: bool | Default: true | Required: no

deletion_protection
  Specify whether or not to prevent the DB instance from being deleted.
  Notes: The database can't be deleted when this value is set to true.
  Type: bool | Default: true | Required: no

enable_default_backup
  Specify whether or not to enable default backup.
  Notes:
    - This sets the dfds.backup tag. See recommendations here.
    - If omitted, the default value is set to true for production and false for non-production environments.
  Type: bool | Default: null | Required: no

enabled_cloudwatch_logs_exports
  Specify the list of log types to enable for exporting to CloudWatch logs.
  Valid Values: postgresql (PostgreSQL), upgrade (PostgreSQL)
  Notes: If omitted, no logs will be exported.
  Type: list(string) | Default: [] | Required: no

engine_version
  Specify the engine version to use.
  Valid Values: A specific version number, for example "15.3", or a major version number, for example "15".
  Notes:
    - If this is omitted, the preferred version will be used.
    - If only a major version is specified, the preferred version will be used.
    - When using a specific version, the version must be valid. A valid version can be obtained from this documentation.
  Type: string | Default: null | Required: no

enhanced_monitoring_interval
  Specify the interval between points when Enhanced Monitoring metrics are collected for the DB instance.
  Valid Values: 0, 1, 5, 10, 15, 30, 60 (in seconds)
  Notes: Specify 0 to disable collecting Enhanced Monitoring metrics.
  Type: number | Default: 0 | Required: no

environment
  Specify the staging environment.
  Valid Values: "dev", "test", "staging", "uat", "training", "prod"
  Notes: The value will set configuration defaults according to DFDS policies.
  Type: string | Default: n/a | Required: yes

final_snapshot_identifier_prefix
  Specifies the name which is prefixed to the final snapshot on cluster destroy.
  Type: string | Default: "final" | Required: no

iam_database_authentication_enabled
  Set this to true to enable authentication using IAM.
  Notes: This requires creating mappings between IAM users/roles and database accounts in the RDS instance for this to work properly.
  Type: bool | Default: false | Required: no

identifier
  Specify the name of the RDS instance to create.
  Type: string | Default: n/a | Required: yes

instance_class
  Specify the instance type of the RDS instance.
  Valid Values:
    "db.t3.micro", "db.t3.small", "db.t3.medium", "db.t3.large", "db.t3.xlarge", "db.t3.2xlarge",
    "db.r6g.xlarge", "db.m6g.large", "db.m6g.xlarge",
    "db.t2.micro", "db.t2.small", "db.t2.medium",
    "db.m4.large", "db.m5d.large", "db.m6i.large", "db.m5.xlarge",
    "db.t4g.micro", "db.t4g.small", "db.t4g.large", "db.t4g.xlarge"
  Notes: If omitted, the instance type will be set to db.t3.micro.
  Type: string | Default: null | Required: no

instance_is_multi_az
  Specify if the RDS instance is multi-AZ.
  Notes:
    - This creates a primary DB instance and a standby DB instance in a different AZ for high availability and data redundancy.
    - The standby DB instance doesn't support connections for read workloads.
    - If this variable is omitted:
      - This value is set to true by default for production environments.
      - This value is set to false by default for non-production environments.
  Type: bool | Default: null | Required: no

instance_parameters
  Specify a list of DB parameters (map) to modify.
  Valid Values: Example:
    instance_parameters = [{
      name         = "rds.force_ssl"
      value        = 1
      apply_method = "pending-reboot"
      # ... other parameters
    }]
  Notes: See documentation for more information.
  Type: list(map(string)) | Default: [] | Required: no

instance_terraform_timeouts
  Specify Terraform resource management timeouts.
  Notes: Applies to aws_db_instance in particular, to permit longer resource management times. See documentation for more information.
  Type: map(string) | Default: {} | Required: no

iops
  Specify the amount of provisioned IOPS.
  Notes: Setting this implies a storage_type of 'io1' or 'gp3'. See notes for limitations regarding this variable for gp3.
  Type: number | Default: null | Required: no

is_cluster
  [Experimental Feature] Specify whether or not to deploy the instance as a multi-AZ database cluster.
  Notes:
    - This feature is currently in beta and is subject to change.
    - It creates a DB cluster with a primary DB instance and two readable standby DB instances, each DB instance in a different Availability Zone (AZ).
    - Provides high availability and data redundancy, and increases capacity to serve read workloads.
    - Proxy is not supported for cluster instances.
    - For smaller workloads we recommend considering a single instance instead of a cluster.
  Type: bool | Default: false | Required: no

is_kubernetes_app_enabled
  Specify whether or not to enable access from Kubernetes pods.
  Notes: Enabling this will create the following resources:
    - IAM role for service account (IRSA)
    - IAM policy for service account (IRSA)
    - Peering connection from the EKS cluster (requires a VPC peering deployed in the AWS account)
  Type: bool | Default: false | Required: no

is_proxy_included
  Specify whether or not to include a proxy.
  Notes: The proxy helps manage database connections. See documentation for more information.
  Type: bool | Default: false | Required: no

is_publicly_accessible
  Specify whether or not this instance is publicly accessible.
  Notes:
    - Setting this to true will do the following:
      - Assign a public IP address; the host name of the DB instance will resolve to the public IP address.
      - Access from within the VPC can be achieved by using the private IP address of the assigned network interface.
      - Create a security group rule to allow inbound traffic from the specified CIDR blocks.
    - It is required to set public_access_ip_whitelist to allow access from specific IP addresses.
  Type: bool | Default: false | Required: no

maintenance_window
  Specify the window to perform maintenance in.
  Valid Values: Syntax: ddd:hh24:mi-ddd:hh24:mi. E.g. "Mon:00:00-Mon:03:00".
  Notes: Default value is set to "Sat:18:00-Sat:20:00". This is adjusted in accordance with the AWS Backup schedule, see info here.
  Type: string | Default: "Sat:18:00-Sat:20:00" | Required: no

manage_master_user_password
  Set to true to allow RDS to manage the master user password in Secrets Manager.
  Notes:
    - Default value is set to true. It is recommended to use this feature.
    - If set to true, the password variable will be ignored.
  Type: bool | Default: true | Required: no

max_allocated_storage
  Set the value to enable storage autoscaling and to set the maximum allocated storage.
  Notes:
    - If this variable is omitted:
      - This value is set to 50 by default for production environments.
      - This value is set to 0 by default for non-production environments.
  Type: number | Default: null | Required: no

network_type
  Specify the network type of the DB instance.
  Valid Values: IPV4, DUAL
  Type: string | Default: null | Required: no

optional_data_specific_tags
  Provide a list of optional dfds.data.* tags to be applied on data-specific resources.
  Notes:
    - Use this only for optional data tags. Required tags are supplied through dedicated variables.
    - This variable will apply tags only on the relevant data resources.
    - See recommendations here.
  Type: map(string) | Default: {} | Required: no

optional_tags
  Provide a list of optional dfds.* tags to be applied on all resources.
  Notes:
    - Use this only for optional tags. Required tags are supplied through dedicated variables.
    - See recommendations here.
  Type: map(string) | Default: {} | Required: no

password
  Specify the password for the master DB user.
  Notes:
    - This password may show up in logs, and it will be stored in the state file.
    - If manage_master_user_password is set to true, this value will be ignored.
  Type: string | Default: null | Required: no

performance_insights_enabled
  Specify whether or not to enable Performance Insights.
  Notes:
    - If this variable is omitted:
      - This value is set to true by default for production environments. The default retention period is set to 7 days.
      - This value is set to false by default for non-production environments.
  Type: bool | Default: null | Required: no

performance_insights_kms_key_id
  Specify the ARN of the KMS key to encrypt Performance Insights data.
  Notes:
    - When specifying performance_insights_kms_key_id, performance_insights_enabled needs to be set to true.
    - Once the KMS key is set, it can never be changed.
  Type: string | Default: null | Required: no

performance_insights_retention_period
  Specify the retention period for Performance Insights.
  Valid Values: 7, 731 (2 years) or a multiple of 31
  Notes: Only applies when performance_insights_enabled is set to true; if omitted, the default retention period is used.
  Type: number | Default: null | Required: no

pipeline_location
  Specify a valid URL path to the pipeline file used for the automation script.
  Valid Values: URL to repo. Example: "https://github.com/dfds/terraform-aws-rds/actions/workflows/qa.yml"
  Notes: This sets the dfds.automation.initiator.pipeline tag. See recommendations here.
  Type: string | Default: null | Required: no

port
  Specify the port number on which the DB accepts connections.
  Notes: Default value is set to 5432.
  Type: number | Default: 5432 | Required: no

proxy_additional_security_group_rules
  Specify additional security group rules for the RDS proxy.
  Notes:
    - Public access is not supported on RDS Proxy. See documentation for more information.
    - Only ingress (inbound) rules are supported.
    - Ingress rules are set to "Allow outbound traffic to PostgreSQL instance".
    - Ingress rules are set to "Allow inbound traffic from same security group on specified database port".
  Type:
    object({
      ingress_rules     = list(any)
      ingress_with_self = optional(list(any), [])
    })
  Default:
    {
      "ingress_rules": []
    }
  Required: no

proxy_debug_logging_is_enabled
  Turn on debug logging for the proxy.
  Type: bool | Default: false | Required: no

proxy_engine_family
  Specify the engine family of the RDS proxy.
  Valid Values: POSTGRESQL
  Type: string | Default: "POSTGRESQL" | Required: no

proxy_iam_auth
  Specify whether or not to use IAM authentication for the proxy.
  Valid Values: DISABLED, REQUIRED
  Type: string | Default: "DISABLED" | Required: no

proxy_idle_client_timeout
  Specify the idle client timeout of the RDS proxy (keep connection alive).
  Type: number | Default: 1800 | Required: no

proxy_require_tls
  Specify whether or not to require TLS for the proxy.
  Notes: Default value is set to true.
  Type: bool | Default: true | Required: no

public_access_ip_whitelist
  Provide a list of IP addresses to whitelist for public access.
  Valid Values: List of CIDR blocks. For example ["x.x.x.x/32", "y.y.y.y/32"]
  Notes:
    - In case of a publicly accessible RDS instance, this list will be used to whitelist the IP addresses.
    - It is best practice to specify only the IP addresses that require access to the RDS instance.
    - Setting this value to ["0.0.0.0/0"] will mean that the RDS instance is open to the world! The following are examples where it can be necessary:
      - Access is done from workloads with randomly assigned public IP addresses.
      - A VPC peering is not configured.
  Type: list(string) | Default: [] | Required: no

replicate_source_db
  Indicate that this resource is a replica database, and use this value as the source database.
  Valid Values: The identifier of another Amazon RDS database to replicate in the same region.
  Notes: In case of cross-region replication, specify the ARN of the source DB instance.
  Type: string | Default: null | Required: no

resource_owner_contact_email
  Provide an email address for the resource owner (e.g. team or individual).
  Notes: This sets the dfds.owner tag. See recommendations here.
  Type: string | Default: null | Required: no

service_availability
  Specify service availability.
  Valid Values: low, medium, high
  Notes: This sets the dfds.service.availability tag. See recommendations here.
  Type: string | Default: n/a | Required: yes

skip_final_snapshot
  Setting this will determine whether a final DB snapshot is created before the DB instance is deleted.
  Valid Values: true, false
  Notes:
    - If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted.
    - Default value is set to true. Snapshots will be created by the AWS Backup job assuming that this resource is properly tagged, see here for more info.
  Type: bool | Default: true | Required: no

source_snapshot_identifier
  Provide the ID of the snapshot to create this instance from.
  Valid Values: This correlates to the snapshot ID you'd find in the RDS console, e.g. rds:production-2015-06-26-06-05
  Notes: Setting this will cause the instance to restore from the specified snapshot.
  Type: string | Default: null | Required: no

storage_throughput
  Specify the storage throughput value for the DB instance.
  Notes: See notes for limitations regarding this variable for gp3.
  Type: number | Default: null | Required: no

storage_type
  Specify the storage type.
  Valid Values: One of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (new generation of general purpose SSD), or 'io1' (provisioned IOPS SSD).
  Notes: Default is 'io1' if iops is specified, 'gp2' if not. If you specify 'io1' or 'gp3', you must also include a value for the 'iops' parameter.
  Type: string | Default: "gp3" | Required: no

subnet_ids
  Provide a list of VPC subnet IDs.
  Notes: The subnets must be in the same VPC as the RDS instance. Example: ["subnet-aaaaaaaaaaa", "subnet-bbbbbbbbbbb", "subnet-cccccccccc"]
  Type: list(string) | Default: n/a | Required: yes

username
  Specify the username for the master DB user.
  Type: string | Default: n/a | Required: yes

vpc_id
  Specify the VPC ID.
  Type: string | Default: n/a | Required: yes

Outputs

| Name | Description |
|------|-------------|
| iam_instance_profile_for_ec2 | The name of the EC2 instance profile that uses the IAM role which gives AWS services access to the RDS instance and Secrets Manager |
| iam_role_arn_for_aws_services | The ARN of the IAM role that gives AWS services access to the RDS instance and Secrets Manager |
| kubernetes_serviceaccount | If you create this Kubernetes ServiceAccount, you will get access to the RDS instance through IRSA |
| peering | n/a |