AWS RDS Terraform module
Terraform module which creates RDS resources on AWS.
Root module calls these modules which can also be used separately to create independent resources:
- db_instance - creates RDS DB instance
- db_subnet_group - creates RDS DB subnet group
- db_parameter_group - creates RDS DB parameter group
- db_option_group - creates RDS DB option group
Usage
module "db" {
source = "terraform-aws-modules/rds/aws"
identifier = "demodb"
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t3a.large"
allocated_storage = 5
db_name = "demodb"
username = "user"
port = "3306"
iam_database_authentication_enabled = true
vpc_security_group_ids = ["sg-12345678"]
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
# Enhanced Monitoring - see example for details on how to create the role
# by yourself, in case you don't want to create it automatically
monitoring_interval = "30"
monitoring_role_name = "MyRDSMonitoringRole"
create_monitoring_role = true
tags = {
Owner = "user"
Environment = "dev"
}
# DB subnet group
create_db_subnet_group = true
subnet_ids = ["subnet-12345678", "subnet-87654321"]
# DB parameter group
family = "mysql5.7"
# DB option group
major_engine_version = "5.7"
# Database Deletion Protection
deletion_protection = true
parameters = [
{
name = "character_set_client"
value = "utf8mb4"
},
{
name = "character_set_server"
value = "utf8mb4"
}
]
options = [
{
option_name = "MARIADB_AUDIT_PLUGIN"
option_settings = [
{
name = "SERVER_AUDIT_EVENTS"
value = "CONNECT"
},
{
name = "SERVER_AUDIT_FILE_ROTATIONS"
value = "37"
},
]
},
]
}
Conditional creation
The following values are provided to toggle on/off creation of the associated resources as desired:
module "db" {
source = "terraform-aws-modules/rds/aws"
# Disable creation of RDS instance(s)
create_db_instance = false
# Disable creation of option group - provide an option group or default AWS default
create_db_option_group = false
# Disable creation of parameter group - provide a parameter group or default to AWS default
create_db_parameter_group = false
# Enable creation of subnet group (disabled by default)
create_db_subnet_group = true
# Enable creation of monitoring IAM role
create_monitoring_role = true
# ... omitted
}
Option Groups
Users have the ability to:
- Create an option group with the name provided:
option_group_name = "prod-instance-mysql-8.0"
option_group_use_name_prefix = false
- Create an option group using a unique prefix beginning with the name provided:
option_group_name = "prod-instance-mysql-8.0"
- Pass the name of an option group to use that has been created outside of the module:
create_db_option_group = false
option_group_name = "prod-instance-mysql-8.0" # must already exist in AWS
- Skip creating an option group for PostgreSQL entirely as that is not supported
engine = "postgres"
option_group_name = "prod-instance-postgresql-11.0" # this will be ignored, no option group created
- Use a default option group provided by AWS
create_db_option_group = false
Parameter Groups
Users have the ability to:
- Create a parameter group with the name provided:
parameter_group_name = "prod-instance-mysql-8.0"
parameter_group_use_name_prefix = false
- Create a parameter group using a unique prefix beginning with the name provided:
parameter_group_name = "prod-instance-mysql-8.0"
- Pass the name of a parameter group to use that has been created outside of the module:
create_db_parameter_group = false
parameter_group_name = "prod-instance-mysql-8.0" # must already exist in AWS
- Use a default parameter group provided by AWS
create_db_parameter_group = false
Examples
- Complete RDS example for MSSQL
- Complete RDS example for MySQL
- Complete RDS example for Oracle
- Complete RDS example for PostgreSQL
- Enhanced monitoring example
- Replica RDS example for MySQL
- Replica RDS example for PostgreSQL
- S3 import example for MySQL
Notes
- This module does not create RDS security group. Use terraform-aws-security-group module for this.
- For an RDS instance with
storage_type
usinggp3
, be aware thatiops
andstorage_throughput
cannot be specified if theallocated_storage
value is below a per-engine
threshold. See the RDS User Guide for details.
Requirements
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 5.0 |
Providers
No providers.
Modules
Name | Source | Version |
---|---|---|
db_instance | ./modules/db_instance | n/a |
db_option_group | ./modules/db_option_group | n/a |
db_parameter_group | ./modules/db_parameter_group | n/a |
db_subnet_group | ./modules/db_subnet_group | n/a |
Resources
No resources.
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
allocated_storage | The allocated storage in gigabytes | string |
null |
no |
allow_major_version_upgrade | Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible | bool |
false |
no |
apply_immediately | Specifies whether any database modifications are applied immediately, or during the next maintenance window | bool |
false |
no |
auto_minor_version_upgrade | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window | bool |
true |
no |
availability_zone | The Availability Zone of the RDS instance | string |
null |
no |
backup_retention_period | The days to retain backups for | number |
null |
no |
backup_window | The daily time range (in UTC) during which automated backups are created if they are enabled. Example: '09:46-10:16'. Must not overlap with maintenance_window | string |
null |
no |
blue_green_update | Enables low-downtime updates using RDS Blue/Green deployments. | map(string) |
{} |
no |
ca_cert_identifier | Specifies the identifier of the CA certificate for the DB instance | string |
null |
no |
character_set_name | The character set name to use for DB encoding in Oracle instances. This can't be changed. See Oracle Character Sets Supported in Amazon RDS and Collations and Character Sets for Microsoft SQL Server for more information. This can only be set on creation | string |
null |
no |
cloudwatch_log_group_kms_key_id | The ARN of the KMS Key to use when encrypting log data | string |
null |
no |
cloudwatch_log_group_retention_in_days | The number of days to retain CloudWatch logs for the DB instance | number |
7 |
no |
copy_tags_to_snapshot | On delete, copy all Instance tags to the final snapshot | bool |
false |
no |
create_cloudwatch_log_group | Determines whether a CloudWatch log group is created for each enabled_cloudwatch_logs_exports |
bool |
false |
no |
create_db_instance | Whether to create a database instance | bool |
true |
no |
create_db_option_group | Create a database option group | bool |
true |
no |
create_db_parameter_group | Whether to create a database parameter group | bool |
true |
no |
create_db_subnet_group | Whether to create a database subnet group | bool |
false |
no |
create_monitoring_role | Create IAM role with a defined name that permits RDS to send enhanced monitoring metrics to CloudWatch Logs | bool |
false |
no |
custom_iam_instance_profile | RDS custom iam instance profile | string |
null |
no |
db_instance_tags | Additional tags for the DB instance | map(string) |
{} |
no |
db_name | The DB name to create. If omitted, no database is created initially | string |
null |
no |
db_option_group_tags | Additional tags for the DB option group | map(string) |
{} |
no |
db_parameter_group_tags | Additional tags for the DB parameter group | map(string) |
{} |
no |
db_subnet_group_description | Description of the DB subnet group to create | string |
null |
no |
db_subnet_group_name | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC | string |
null |
no |
db_subnet_group_tags | Additional tags for the DB subnet group | map(string) |
{} |
no |
db_subnet_group_use_name_prefix | Determines whether to use subnet_group_name as is or create a unique name beginning with the subnet_group_name as the prefix |
bool |
true |
no |
delete_automated_backups | Specifies whether to remove automated backups immediately after the DB instance is deleted | bool |
true |
no |
deletion_protection | The database can't be deleted when this value is set to true | bool |
false |
no |
domain | The ID of the Directory Service Active Directory domain to create the instance in | string |
null |
no |
domain_iam_role_name | (Required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service | string |
null |
no |
enabled_cloudwatch_logs_exports | List of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine): alert, audit, error, general, listener, slowquery, trace, postgresql (PostgreSQL), upgrade (PostgreSQL) | list(string) |
[] |
no |
engine | The database engine to use | string |
null |
no |
engine_version | The engine version to use | string |
null |
no |
family | The family of the DB parameter group | string |
null |
no |
final_snapshot_identifier_prefix | The name which is prefixed to the final snapshot on cluster destroy | string |
"final" |
no |
iam_database_authentication_enabled | Specifies whether or not the mappings of AWS Identity and Access Management (IAM) accounts to database accounts are enabled | bool |
false |
no |
identifier | The name of the RDS instance | string |
n/a | yes |
instance_class | The instance type of the RDS instance | string |
null |
no |
instance_use_identifier_prefix | Determines whether to use identifier as is or create a unique identifier beginning with identifier as the specified prefix |
bool |
false |
no |
iops | The amount of provisioned IOPS. Setting this implies a storage_type of 'io1' or gp3 . See notes for limitations regarding this variable for gp3 |
number |
null |
no |
kms_key_id | The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage_encrypted is set to true and kms_key_id is not specified the default KMS key created in your account will be used. Be sure to use the full ARN, not a key alias. | string |
null |
no |
license_model | License model information for this DB instance. Optional, but required for some DB engines, i.e. Oracle SE1 | string |
null |
no |
maintenance_window | The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00' | string |
null |
no |
major_engine_version | Specifies the major version of the engine that this option group should be associated with | string |
null |
no |
manage_master_user_password | Set to true to allow RDS to manage the master user password in Secrets Manager | bool |
true |
no |
master_user_secret_kms_key_id | The key ARN, key ID, alias ARN or alias name for the KMS key to encrypt the master user password secret in Secrets Manager. If not specified, the default KMS key for your Amazon Web Services account is used. |
string |
null |
no |
max_allocated_storage | Specifies the value for Storage Autoscaling | number |
0 |
no |
monitoring_interval | The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60 | number |
0 |
no |
monitoring_role_arn | The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Must be specified if monitoring_interval is non-zero | string |
null |
no |
monitoring_role_description | Description of the monitoring IAM role | string |
null |
no |
monitoring_role_name | Name of the IAM role which will be created when create_monitoring_role is enabled | string |
"rds-monitoring-role" |
no |
monitoring_role_permissions_boundary | ARN of the policy that is used to set the permissions boundary for the monitoring IAM role | string |
null |
no |
monitoring_role_use_name_prefix | Determines whether to use monitoring_role_name as is or create a unique identifier beginning with monitoring_role_name as the specified prefix |
bool |
false |
no |
multi_az | Specifies if the RDS instance is multi-AZ | bool |
false |
no |
nchar_character_set_name | The national character set is used in the NCHAR, NVARCHAR2, and NCLOB data types for Oracle instances. This can't be changed. | string |
null |
no |
network_type | The type of network stack to use | string |
null |
no |
option_group_description | The description of the option group | string |
null |
no |
option_group_name | Name of the option group | string |
null |
no |
option_group_timeouts | Define maximum timeout for deletion of aws_db_option_group resource |
map(string) |
{} |
no |
option_group_use_name_prefix | Determines whether to use option_group_name as is or create a unique name beginning with the option_group_name as the prefix |
bool |
true |
no |
options | A list of Options to apply | any |
[] |
no |
parameter_group_description | Description of the DB parameter group to create | string |
null |
no |
parameter_group_name | Name of the DB parameter group to associate or create | string |
null |
no |
parameter_group_use_name_prefix | Determines whether to use parameter_group_name as is or create a unique name beginning with the parameter_group_name as the prefix |
bool |
true |
no |
parameters | A list of DB parameters (map) to apply | list(map(string)) |
[] |
no |
password | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. The password provided will not be used if manage_master_user_password is set to true. |
string |
null |
no |
performance_insights_enabled | Specifies whether Performance Insights are enabled | bool |
false |
no |
performance_insights_kms_key_id | The ARN for the KMS key to encrypt Performance Insights data | string |
null |
no |
performance_insights_retention_period | The amount of time in days to retain Performance Insights data. Valid values are 7 , 731 (2 years) or a multiple of 31 |
number |
7 |
no |
port | The port on which the DB accepts connections | string |
null |
no |
publicly_accessible | Bool to control if instance is publicly accessible | bool |
false |
no |
putin_khuylo | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | bool |
true |
no |
replica_mode | Specifies whether the replica is in either mounted or open-read-only mode. This attribute is only supported by Oracle instances. Oracle replicas operate in open-read-only mode unless otherwise specified | string |
null |
no |
replicate_source_db | Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate | string |
null |
no |
restore_to_point_in_time | Restore to a point in time (MySQL is NOT supported) | map(string) |
null |
no |
s3_import | Restore from a Percona Xtrabackup in S3 (only MySQL is supported) | map(string) |
null |
no |
skip_final_snapshot | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted | bool |
false |
no |
snapshot_identifier | Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05 | string |
null |
no |
storage_encrypted | Specifies whether the DB instance is encrypted | bool |
true |
no |
storage_throughput | Storage throughput value for the DB instance. See notes for limitations regarding this variable for gp3 |
number |
null |
no |
storage_type | One of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (new generation of general purpose SSD), or 'io1' (provisioned IOPS SSD). The default is 'io1' if iops is specified, 'gp2' if not. If you specify 'io1' or 'gp3' , you must also include a value for the 'iops' parameter | string |
null |
no |
subnet_ids | A list of VPC subnet IDs | list(string) |
[] |
no |
tags | A mapping of tags to assign to all resources | map(string) |
{} |
no |
timeouts | Updated Terraform resource management timeouts. Applies to aws_db_instance in particular to permit resource management times |
map(string) |
{} |
no |
timezone | Time zone of the DB instance. timezone is currently only supported by Microsoft SQL Server. The timezone can only be set on creation. See MSSQL User Guide for more information | string |
null |
no |
username | Username for the master DB user | string |
null |
no |
vpc_security_group_ids | List of VPC security groups to associate | list(string) |
[] |
no |
Outputs
Name | Description |
---|---|
db_instance_address | The address of the RDS instance |
db_instance_arn | The ARN of the RDS instance |
db_instance_availability_zone | The availability zone of the RDS instance |
db_instance_ca_cert_identifier | Specifies the identifier of the CA certificate for the DB instance |
db_instance_cloudwatch_log_groups | Map of CloudWatch log groups created and their attributes |
db_instance_domain | The ID of the Directory Service Active Directory domain the instance is joined to |
db_instance_domain_iam_role_name | The name of the IAM role to be used when making API calls to the Directory Service |
db_instance_endpoint | The connection endpoint |
db_instance_engine | The database engine |
db_instance_engine_version_actual | The running version of the database |
db_instance_hosted_zone_id | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
db_instance_identifier | The RDS instance identifier |
db_instance_master_user_secret_arn | The ARN of the master user secret (Only available when manage_master_user_password is set to true) |
db_instance_name | The database name |
db_instance_port | The database port |
db_instance_resource_id | The RDS Resource ID of this instance |
db_instance_status | The RDS instance status |
db_instance_username | The master username for the database |
db_listener_endpoint | Specifies the listener connection endpoint for SQL Server Always On |
db_option_group_arn | The ARN of the db option group |
db_option_group_id | The db option group id |
db_parameter_group_arn | The ARN of the db parameter group |
db_parameter_group_id | The db parameter group id |
db_subnet_group_arn | The ARN of the db subnet group |
db_subnet_group_id | The db subnet group name |
enhanced_monitoring_iam_role_arn | The Amazon Resource Name (ARN) specifying the monitoring role |
enhanced_monitoring_iam_role_name | The name of the monitoring role |
Authors
Module is maintained by Anton Babenko with help from these awesome contributors.
License
Apache 2 Licensed. See LICENSE for full details.
Additional information for users from Russia and Belarus
- Russia has illegally annexed Crimea in 2014 and brought the war in Donbas followed by full-scale invasion of Ukraine in 2022.
- Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
- Putin khuylo!