RDS Module
This module creates an Amazon Relational Database Service (RDS) cluster that can run MySQL, Postgres, MariaDB, Oracle, or SQL Server. The cluster is managed by AWS and automatically handles standby failover, read replicas, backups, patching, and encryption.
img
About RDS
Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the AWS Cloud. It provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks. Refer to the What is Amazon RDS page for more information.
Common Gotcha's
- All RDS upgrades (version upgrades, instance type upgrades, etc.) require a few minutes of scheduled downtime.
- If an RDS instance that uses Multi-AZ fails, Amazon will automatically kick off a fail-over, but you will still experience about 3 - 5 minutes of downtime.
- Based on the above, make sure you've written your app to gracefully handle database downtime.
- An RDS instance that runs out of disk space will stop working, so be sure to monitor and set an alert on the FreeStorageSpace CloudWatch Metric. Consider monitoring other RDS CloudWatch Metrics as well.
How do you scale this database?
- Storage: Use the
allocated_storage
variable. - Vertical scaling: To scale vertically (i.e. bigger DB instances with more CPU and RAM), use the
instance_type
,storage_type
, andiops
input variables. For a list of AWS RDS server types, see DB Instance Class - Horizontal scaling: To scale horizontally, you can add more replicas using the
num_read_replicas
input variable, and RDS will automatically deploy the new instances, begin asynchronous replication, and make them available as read replicas. For more info, see Working with PostgreSQL, MySQL, and MariaDB Read Replicas. - Storage performance: N.B: only available when
var.storage_type
is set togp3
. When you are using gp3, you can optionally fine-tune storage performance characteristics via thestorage_throughput
variable. See the RDS User Guide for more information.
How do you connect to the database?
This module provides the connection details as Terraform output variables:
- Primary endpoint: The endpoint for the primary DB. You should always use this URL for writes, as it points to the primary.
- Read replica endpoints: A comma-separated list of read replica URLs.
- Port: The port to use to connect to the endpoints above.
You can programmatically extract these variables in your Terraform templates and pass them to other resources (e.g.
pass them to User Data in your EC2 instances). You'll also see the variables at the end of each terraform apply
call
or if you run terraform output
.
Note that the database is likely behind a Bastion Host, so you may need to first connect to the Bastion Host (or use SSH Tunneling) before you can connect to the database.
Deployment
Before making any deployment for the RDS database, start by backing up the database and taking a snapshot of the infrastructure state. Review the release notes for any breaking changes and new features. Update the infrastructure code by modifying the Terraform configurations and testing them in a non-production environment. Conduct post-upgrade testing to ensure application functionality and performance, while monitoring the database health. Communicate the potential downtime to relevant stakeholders and involve them in the process.
Minor version upgrades
RDS supports automatically installing minor version upgrades. For example, it can automatically update a MySQL database from version 5.7.10 to 5.7.11. To enable this functionality, follow these steps:
- Set the
auto_minor_version_upgrade
parameter totrue
. - Set the
engine_version
parameter toMAJOR.MINOR
and omit thePATCH
number.
Major Version Upgrade
RDS supports automatically installing major version upgrades. To enable this functionality, follow these steps:
- Set the
allow_major_version_upgrade
parameter totrue
. - Set the
engine_version
parameter toMAJOR.MINOR
and omit thePATCH
number.
Note: consider temporarily setting parameter and option group variables to engine defaults during the major version upgrade process. This step is important to prevent upgrade failures that might occur due to custom configurations not being compatible with the new version. By reverting these configurations to default settings temporarily, you minimize the risk of incompatibility issues during the upgrade process. After the upgrade is successfully completed, these configurations can be reverted back to their custom values, ensuring that your database operates with the desired settings while being compatible with the upgraded version.
Note: A minimal downtime is expected during a major version upgrade. Make sure to communicate the potential downtime to relevant stakeholders in advance.
Blue/Green Deployment for Low-Downtime Updates
By default, RDS updates DB Instances in-place, which can cause service interruptions. Low-downtime updates minimize interruptions by using an RDS Blue/Green deployment. To enable this, set the enable_blue_green_update
variable to true
.
Note that low-downtime updates are only supported for MySQL, MariaDB, and Postgresql, and backups must be enabled. When using terraform, the Blue/Green Deployment won't finish until the Green instances become the new instance and the Blue instance is deleted. Therefore, Blue/Green Deployment cannot be used for scenarios outside of terraform's resource update, such as manual testing of the Green deployment or reverting back to the Blue deployment.
Standby Deployment
Set multi_az=true
. When setting up a multi-AZ (Availability Zone) RDS deployment in AWS, both the primary and standby RDS instances are created in different Availability Zones for high availability. However, this doesn't mean they will have different endpoints. Both instances will have the same DNS endpoint, and AWS's internal infrastructure will handle the failover process transparently for you. AWS RDS provides automatic failover support for DB instances using Multi-AZ deployments for the supported database engines. Failover is automatically handled by RDS without any manual intervention.
Sample Usage
- Terraform
- Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S RDS MODULE
# ------------------------------------------------------------------------------------------------------
module "rds" {
source = "git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/rds?ref=v0.40.1"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The DB engine to use (e.g. mysql).
engine = <string>
# The version of var.engine to use (e.g. 5.7.11 for mysql). If
# var.auto_minor_version_upgrade is set to true, set the version number to
# MAJOR.MINOR and omit the PATCH (e.g., set it to 5.7 and not 5.7.11) to avoid
# state drift. See
# https://www.terraform.io/docs/providers/aws/r/db_instance.html#engine_version
# for more details.
engine_version = <string>
# The instance type to use for the db (e.g. db.t2.micro)
instance_type = <string>
# The name used to namespace all resources created by these templates,
# including the DB instance (e.g. drupaldb). Must be unique for this region.
# May contain only lowercase alphanumeric characters, hyphens, underscores,
# periods, and spaces.
name = <string>
# The port the DB will listen on (e.g. 3306)
port = <number>
# A list of subnet ids where the database should be deployed. In the standard
# Gruntwork VPC setup, these should be the private persistence subnet ids.
# This is ignored if create_subnet_group=false.
subnet_ids = <list(string)>
# The id of the VPC in which this DB should be deployed.
vpc_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# List of IDs of AWS Security Groups to attach to the primary RDS instance.
additional_primary_instance_security_group_ids = []
# List of IDs of AWS Security Groups to attach to the read replica RDS
# instance.
additional_read_replica_instance_security_group_ids = []
# The amount of storage space the DB should use, in GB. If
# max_allocated_storage is configured, this argument represents the initial
# storage allocation and differences from the configuration will be ignored
# automatically when Storage Autoscaling occurs.
allocated_storage = null
# A list of CIDR-formatted IP address ranges that can connect to this DB.
# Should typically be the CIDR blocks of the private app subnet in this VPC
# plus the private subnet in the mgmt VPC.
allow_connections_from_cidr_blocks = []
# A list of CIDR-formatted IP address ranges that can connect to read replica
# instances. If not set read replica instances will use the same security
# group as master instance.
allow_connections_from_cidr_blocks_to_read_replicas = []
# A list of Security Groups that can connect to this DB.
allow_connections_from_security_groups = []
# A list of Security Groups that can connect to read replica instances. If not
# set read replica instances will use the same security group as master
# instance.
allow_connections_from_security_groups_to_read_replicas = []
# Indicates whether major version upgrades (e.g. 9.4.x to 9.5.x) will ever be
# permitted. Note that these updates must always be manually performed and
# will never automatically applied.
allow_major_version_upgrade = true
# A list of CIDR-formatted IP address ranges that the database is allowed to
# send traffit to. Should typically be the CIDR blocks of the private app
# subnet in this VPC plus the private subnet in the mgmt VPC.
allow_outbound_connections_to_cidr_blocks = []
# The availability zones within which it should be possible to spin up
# replicas
allowed_replica_zones = []
# Specifies whether any cluster modifications are applied immediately, or
# during the next maintenance window. Note that cluster modifications may
# cause degraded performance or downtime.
apply_immediately = false
# Indicates that minor engine upgrades will be applied automatically to the DB
# instance during the maintenance window. If set to true, you should set
# var.engine_version to MAJOR.MINOR and omit the .PATCH at the end (e.g., use
# 5.7 and not 5.7.11); otherwise, you'll get Terraform state drift. See
# https://www.terraform.io/docs/providers/aws/r/db_instance.html#engine_version
# for more details.
auto_minor_version_upgrade = true
# The description of the aws_db_security_group that is created. Defaults to
# 'Security group for the var.name DB' if not specified.
aws_db_security_group_description = null
# The name of the aws_db_security_group that is created. Defaults to var.name
# if not specified.
aws_db_security_group_name = null
# The description of the aws_db_subnet_group that is created. Defaults to
# 'Subnet group for the var.name DB' if not specified.
aws_db_subnet_group_description = null
# The name of the aws_db_subnet_group that is created, or an existing one to
# use if create_subnet_group is false. Defaults to var.name if not specified.
aws_db_subnet_group_name = null
# How many days to keep backup snapshots around before cleaning them up. Must
# be 1 or greater to support read replicas. 0 means disable automated backups.
backup_retention_period = 21
# The daily time range during which automated backups are created (e.g.
# 04:00-09:00). Time zone is UTC. Performance may be degraded while a backup
# runs.
backup_window = "06:00-07:00"
# The Certificate Authority (CA) certificates bundle to use on the RDS
# instance.
ca_cert_identifier = null
# The character set name to use for DB encoding in Oracle and Microsoft SQL
# instances (collation). This must be null for all other engine types. Note
# that this is only relevant at create time - it can not be changed after
# creation.
character_set_name = null
# Copy all the RDS instance tags to snapshots. Default is false.
copy_tags_to_snapshot = false
# If false, the DB will bind to aws_db_subnet_group_name and the CIDR will be
# ignored (allow_connections_from_cidr_blocks)
create_subnet_group = true
# Timeout for DB creating
creating_timeout = "40m"
# The instance profile associated with the underlying Amazon EC2 instance of
# an RDS Custom DB instance.
custom_iam_instance_profile = null
# Configure a custom parameter group for the RDS DB. This will create a new
# parameter group with the given parameters. When null, the database will be
# launched with the default parameter group.
custom_parameter_group = null
# A map of custom tags to apply to the RDS Instance and the Security Group
# created for it. The key is the tag name and the value is the tag value.
custom_tags = {}
# The name for your database of up to 8 alpha-numeric characters. If you do
# not provide a name, Amazon RDS will not create a database in the DB cluster
# you are creating.
db_name = null
# A map of the default license to use for each supported RDS engine.
default_license_models = {"mariadb":"general-public-license","mysql":"general-public-license","oracle-ee":"bring-your-own-license","oracle-ee-cdb":"bring-your-own-license","oracle-se":"bring-your-own-license","oracle-se1":"bring-your-own-license","oracle-se2":"bring-your-own-license","oracle-se2-cdb":"bring-your-own-license","postgres":"postgresql-license","sqlserver-ee":"license-included","sqlserver-ex":"license-included","sqlserver-se":"license-included","sqlserver-web":"license-included"}
# Specifies whether to remove automated backups immediately after the DB
# instance is deleted
delete_automated_backups = true
# Timeout for DB deleting
deleting_timeout = "60m"
# The database can't be deleted when this value is set to true. The default is
# false.
deletion_protection = false
# Enable blue/green deployment to minimize down time due to changes made to
# the RDS Instance. See
# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/blue-green-deployments-overview.html
# for more detailed information.
enable_blue_green_update = false
# List of log types to enable for exporting to CloudWatch logs. If omitted, no
# logs will be exported. Valid values (depending on engine): alert, audit,
# error, general, listener, slowquery, trace, postgresql (PostgreSQL) and
# upgrade (PostgreSQL).
enabled_cloudwatch_logs_exports = []
# The name of the final_snapshot_identifier. Defaults to
# var.name-final-snapshot if not specified.
final_snapshot_name = null
# Specifies whether IAM database authentication is enabled. This option is
# only available for MySQL and PostgreSQL engines.
iam_database_authentication_enabled = null
# The amount of provisioned IOPS for the primary instance. Setting this
# implies a storage_type of 'io1','io2, or 'gp3'. Set to 0 to disable.
iops = 0
# The ARN of a KMS key that should be used to encrypt data on disk. Only used
# if var.storage_encrypted is true. If you leave this blank, the default RDS
# KMS key for the account will be used. This variable needs to be set to an
# AWS KMS CMK if provisioning a custom RDS instance.
kms_key_arn = null
# The license model to use for this DB. Check the docs for your RDS DB for
# available license models. Valid values: general-public-license,
# postgresql-license, license-included, bring-your-own-license.
license_model = null
# The weekly day and time range during which system maintenance can occur
# (e.g. wed:04:00-wed:04:30). Time zone is UTC. Performance may be degraded or
# there may even be a downtime during maintenance windows.
maintenance_window = "sun:07:00-sun:08:00"
# Set to true to allow RDS to manage the master user password in Secrets
# Manager. Cannot be set if password is provided.
manage_master_user_password = null
# The password for the master user. If var.snapshot_identifier is non-empty,
# this value is ignored.
master_password = null
# The Amazon Web Services KMS key identifier is the key ARN, key ID, alias
# ARN, or alias name for the KMS key. To use a KMS key in a different Amazon
# Web Services account, specify the key ARN or alias ARN. If not specified,
# the default KMS key for your Amazon Web Services account is used.
master_user_secret_kms_key_id = null
# The username for the master user.
master_username = null
# When configured, the upper limit to which Amazon RDS can automatically scale
# the storage of the DB instance. Configuring this will automatically ignore
# differences to allocated_storage. Must be greater than or equal to
# allocated_storage or 0 to disable Storage Autoscaling.
max_allocated_storage = 0
# The interval, in seconds, between points when Enhanced Monitoring metrics
# are collected for the DB instance. To disable collecting Enhanced Monitoring
# metrics, specify 0. Valid Values: 0, 1, 5, 10, 15, 30, 60. Enhanced
# Monitoring metrics are useful when you want to see how different processes
# or threads on a DB instance use the CPU.
monitoring_interval = 0
# The ARN for the IAM role that permits RDS to send enhanced monitoring
# metrics to CloudWatch Logs. If monitoring_interval is greater than 0, but
# monitoring_role_arn is let as an empty string, a default IAM role that
# allows enhanced monitoring will be created.
monitoring_role_arn = null
# Optionally add a path to the IAM monitoring role. If left blank, it will
# default to just /.
monitoring_role_arn_path = "/"
# The name of the enhanced_monitoring_role that is created. Defaults to
# var.name-monitoring-role if not specified.
monitoring_role_name = null
# Specifies if a standby instance should be deployed in another availability
# zone. If the primary fails, this instance will automatically take over.
multi_az = true
# The national character set is used in the NCHAR, NVARCHAR2, and NCLOB data
# types for Oracle instances. This must be null for all other engine types.
# Note that this is only relevant at create time - it can not be changed after
# creation.
nchar_character_set_name = null
# (Optional) The network type of the DB instance. Valid values: IPV4, DUAL. By
# default, it's set to IPV4
network_type = null
# The number of read replicas to create. RDS will asynchronously replicate all
# data from the master to these replicas, which you can use to horizontally
# scale reads traffic.
num_read_replicas = 0
# Name of a DB option group to associate.
option_group_name = null
# Name of a DB parameter group to associate.
parameter_group_name = null
# Name of a DB parameter group to associate with read replica instances.
# Defaults to var.parameter_group_name if not set.
parameter_group_name_for_read_replicas = null
# Specifies whether Performance Insights are enabled. Performance Insights can
# be enabled for specific versions of database engines. See
# https://aws.amazon.com/rds/performance-insights/ for more details.
performance_insights_enabled = false
# The ARN for the KMS key to encrypt Performance Insights data. When
# specifying performance_insights_kms_key_id, performance_insights_enabled
# needs to be set to true. Once KMS key is set, it can never be changed. When
# set to `null` default aws/rds KMS for given region is used.
performance_insights_kms_key_id = null
# The amount of time in days to retain Performance Insights data. Either 7 (7
# days) or 731 (2 years). When specifying
# performance_insights_retention_period, performance_insights_enabled needs to
# be set to true. Defaults to `7`.
performance_insights_retention_period = null
# The ARN of the policy that is used to set the permissions boundary for the
# role of enhanced monitoring role. This policy should be created outside of
# this module.
permissions_boundary_arn = null
# WARNING: - In nearly all cases a database should NOT be publicly accessible.
# Only set this to true if you want the database open to the internet.
publicly_accessible = false
# Redefine replica instance type, if you want to define a different RDS
# instance type for replica.
read_replica_instance_type = null
# The amount of provisioned IOPS for read replicas. If null, the replica will
# use the same value as the primary, which is set in var.iops.
read_replica_iops = null
# The type of storage to use for read replicas. If null, the replica will use
# the same value as the primary, which is set in var.storage_type.
read_replica_storage_type = null
# How many days to keep backup snapshots around before cleaning them up on the
# read replicas. Must be 1 or greater to support read replicas. 0 means
# disable automated backups.
replica_backup_retention_period = 0
# A configuration block for restoring a DB instance to an arbitrary point in
# time. Refer to
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#restore-to-point-in-time
# for more details
restore_to_point_in_time = null
# Determines whether a final DB snapshot is created before the DB instance is
# deleted. Be very careful setting this to true; if you do, and you delete
# this DB instance, you will not have any backups of the data!
skip_final_snapshot = false
# If non-null, the RDS Instance will be restored from the given Snapshot ID.
# This is the Snapshot ID you'd find in the RDS console, e.g:
# rds:production-2015-06-26-06-05.
snapshot_identifier = null
# Specifies whether the DB instance is encrypted.
storage_encrypted = true
# The storage throughput value for the DB instance. Can only be set when
# var.storage_type is 'gp3'. Cannot be specified if the allocated_storage
# value is below a per-engine threshold. See the RDS User Guide:
# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#gp3-storage
storage_throughput = null
# The type of storage to use for the primary instance. Must be one of
# 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (general purpose
# SSD), io1' (provisioned IOPS SSD), or 'io2' (2nd gen provisioned IOPS SSD).
storage_type = "gp2"
# Timeout for DB updating
updating_timeout = "80m"
}
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S RDS MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/rds?ref=v0.40.1"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The DB engine to use (e.g. mysql).
engine = <string>
# The version of var.engine to use (e.g. 5.7.11 for mysql). If
# var.auto_minor_version_upgrade is set to true, set the version number to
# MAJOR.MINOR and omit the PATCH (e.g., set it to 5.7 and not 5.7.11) to avoid
# state drift. See
# https://www.terraform.io/docs/providers/aws/r/db_instance.html#engine_version
# for more details.
engine_version = <string>
# The instance type to use for the db (e.g. db.t2.micro)
instance_type = <string>
# The name used to namespace all resources created by these templates,
# including the DB instance (e.g. drupaldb). Must be unique for this region.
# May contain only lowercase alphanumeric characters, hyphens, underscores,
# periods, and spaces.
name = <string>
# The port the DB will listen on (e.g. 3306)
port = <number>
# A list of subnet ids where the database should be deployed. In the standard
# Gruntwork VPC setup, these should be the private persistence subnet ids.
# This is ignored if create_subnet_group=false.
subnet_ids = <list(string)>
# The id of the VPC in which this DB should be deployed.
vpc_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# List of IDs of AWS Security Groups to attach to the primary RDS instance.
additional_primary_instance_security_group_ids = []
# List of IDs of AWS Security Groups to attach to the read replica RDS
# instance.
additional_read_replica_instance_security_group_ids = []
# The amount of storage space the DB should use, in GB. If
# max_allocated_storage is configured, this argument represents the initial
# storage allocation and differences from the configuration will be ignored
# automatically when Storage Autoscaling occurs.
allocated_storage = null
# A list of CIDR-formatted IP address ranges that can connect to this DB.
# Should typically be the CIDR blocks of the private app subnet in this VPC
# plus the private subnet in the mgmt VPC.
allow_connections_from_cidr_blocks = []
# A list of CIDR-formatted IP address ranges that can connect to read replica
# instances. If not set read replica instances will use the same security
# group as master instance.
allow_connections_from_cidr_blocks_to_read_replicas = []
# A list of Security Groups that can connect to this DB.
allow_connections_from_security_groups = []
# A list of Security Groups that can connect to read replica instances. If not
# set read replica instances will use the same security group as master
# instance.
allow_connections_from_security_groups_to_read_replicas = []
# Indicates whether major version upgrades (e.g. 9.4.x to 9.5.x) will ever be
# permitted. Note that these updates must always be manually performed and
# will never automatically applied.
allow_major_version_upgrade = true
# A list of CIDR-formatted IP address ranges that the database is allowed to
# send traffit to. Should typically be the CIDR blocks of the private app
# subnet in this VPC plus the private subnet in the mgmt VPC.
allow_outbound_connections_to_cidr_blocks = []
# The availability zones within which it should be possible to spin up
# replicas
allowed_replica_zones = []
# Specifies whether any cluster modifications are applied immediately, or
# during the next maintenance window. Note that cluster modifications may
# cause degraded performance or downtime.
apply_immediately = false
# Indicates that minor engine upgrades will be applied automatically to the DB
# instance during the maintenance window. If set to true, you should set
# var.engine_version to MAJOR.MINOR and omit the .PATCH at the end (e.g., use
# 5.7 and not 5.7.11); otherwise, you'll get Terraform state drift. See
# https://www.terraform.io/docs/providers/aws/r/db_instance.html#engine_version
# for more details.
auto_minor_version_upgrade = true
# The description of the aws_db_security_group that is created. Defaults to
# 'Security group for the var.name DB' if not specified.
aws_db_security_group_description = null
# The name of the aws_db_security_group that is created. Defaults to var.name
# if not specified.
aws_db_security_group_name = null
# The description of the aws_db_subnet_group that is created. Defaults to
# 'Subnet group for the var.name DB' if not specified.
aws_db_subnet_group_description = null
# The name of the aws_db_subnet_group that is created, or an existing one to
# use if create_subnet_group is false. Defaults to var.name if not specified.
aws_db_subnet_group_name = null
# How many days to keep backup snapshots around before cleaning them up. Must
# be 1 or greater to support read replicas. 0 means disable automated backups.
backup_retention_period = 21
# The daily time range during which automated backups are created (e.g.
# 04:00-09:00). Time zone is UTC. Performance may be degraded while a backup
# runs.
backup_window = "06:00-07:00"
# The Certificate Authority (CA) certificates bundle to use on the RDS
# instance.
ca_cert_identifier = null
# The character set name to use for DB encoding in Oracle and Microsoft SQL
# instances (collation). This must be null for all other engine types. Note
# that this is only relevant at create time - it can not be changed after
# creation.
character_set_name = null
# Copy all the RDS instance tags to snapshots. Default is false.
copy_tags_to_snapshot = false
# If false, the DB will bind to aws_db_subnet_group_name and the CIDR will be
# ignored (allow_connections_from_cidr_blocks)
create_subnet_group = true
# Timeout for DB creating
creating_timeout = "40m"
# The instance profile associated with the underlying Amazon EC2 instance of
# an RDS Custom DB instance.
custom_iam_instance_profile = null
# Configure a custom parameter group for the RDS DB. This will create a new
# parameter group with the given parameters. When null, the database will be
# launched with the default parameter group.
custom_parameter_group = null
# A map of custom tags to apply to the RDS Instance and the Security Group
# created for it. The key is the tag name and the value is the tag value.
custom_tags = {}
# The name for your database of up to 8 alpha-numeric characters. If you do
# not provide a name, Amazon RDS will not create a database in the DB cluster
# you are creating.
db_name = null
# A map of the default license to use for each supported RDS engine.
default_license_models = {"mariadb":"general-public-license","mysql":"general-public-license","oracle-ee":"bring-your-own-license","oracle-ee-cdb":"bring-your-own-license","oracle-se":"bring-your-own-license","oracle-se1":"bring-your-own-license","oracle-se2":"bring-your-own-license","oracle-se2-cdb":"bring-your-own-license","postgres":"postgresql-license","sqlserver-ee":"license-included","sqlserver-ex":"license-included","sqlserver-se":"license-included","sqlserver-web":"license-included"}
# Specifies whether to remove automated backups immediately after the DB
# instance is deleted
delete_automated_backups = true
# Timeout for DB deleting
deleting_timeout = "60m"
# The database can't be deleted when this value is set to true. The default is
# false.
deletion_protection = false
# Enable blue/green deployment to minimize down time due to changes made to
# the RDS Instance. See
# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/blue-green-deployments-overview.html
# for more detailed information.
enable_blue_green_update = false
# List of log types to enable for exporting to CloudWatch logs. If omitted, no
# logs will be exported. Valid values (depending on engine): alert, audit,
# error, general, listener, slowquery, trace, postgresql (PostgreSQL) and
# upgrade (PostgreSQL).
enabled_cloudwatch_logs_exports = []
# The name of the final_snapshot_identifier. Defaults to
# var.name-final-snapshot if not specified.
final_snapshot_name = null
# Specifies whether IAM database authentication is enabled. This option is
# only available for MySQL and PostgreSQL engines.
iam_database_authentication_enabled = null
# The amount of provisioned IOPS for the primary instance. Setting this
# implies a storage_type of 'io1','io2, or 'gp3'. Set to 0 to disable.
iops = 0
# The ARN of a KMS key that should be used to encrypt data on disk. Only used
# if var.storage_encrypted is true. If you leave this blank, the default RDS
# KMS key for the account will be used. This variable needs to be set to an
# AWS KMS CMK if provisioning a custom RDS instance.
kms_key_arn = null
# The license model to use for this DB. Check the docs for your RDS DB for
# available license models. Valid values: general-public-license,
# postgresql-license, license-included, bring-your-own-license.
license_model = null
# The weekly day and time range during which system maintenance can occur
# (e.g. wed:04:00-wed:04:30). Time zone is UTC. Performance may be degraded or
# there may even be a downtime during maintenance windows.
maintenance_window = "sun:07:00-sun:08:00"
# Set to true to allow RDS to manage the master user password in Secrets
# Manager. Cannot be set if password is provided.
manage_master_user_password = null
# The password for the master user. If var.snapshot_identifier is non-empty,
# this value is ignored.
master_password = null
# The Amazon Web Services KMS key identifier is the key ARN, key ID, alias
# ARN, or alias name for the KMS key. To use a KMS key in a different Amazon
# Web Services account, specify the key ARN or alias ARN. If not specified,
# the default KMS key for your Amazon Web Services account is used.
master_user_secret_kms_key_id = null
# The username for the master user.
master_username = null
# When configured, the upper limit to which Amazon RDS can automatically scale
# the storage of the DB instance. Configuring this will automatically ignore
# differences to allocated_storage. Must be greater than or equal to
# allocated_storage or 0 to disable Storage Autoscaling.
max_allocated_storage = 0
# The interval, in seconds, between points when Enhanced Monitoring metrics
# are collected for the DB instance. To disable collecting Enhanced Monitoring
# metrics, specify 0. Valid Values: 0, 1, 5, 10, 15, 30, 60. Enhanced
# Monitoring metrics are useful when you want to see how different processes
# or threads on a DB instance use the CPU.
monitoring_interval = 0
# The ARN for the IAM role that permits RDS to send enhanced monitoring
# metrics to CloudWatch Logs. If monitoring_interval is greater than 0, but
# monitoring_role_arn is let as an empty string, a default IAM role that
# allows enhanced monitoring will be created.
monitoring_role_arn = null
# Optionally add a path to the IAM monitoring role. If left blank, it will
# default to just /.
monitoring_role_arn_path = "/"
# The name of the enhanced_monitoring_role that is created. Defaults to
# var.name-monitoring-role if not specified.
monitoring_role_name = null
# Specifies if a standby instance should be deployed in another availability
# zone. If the primary fails, this instance will automatically take over.
multi_az = true
# The national character set is used in the NCHAR, NVARCHAR2, and NCLOB data
# types for Oracle instances. This must be null for all other engine types.
# Note that this is only relevant at create time - it can not be changed after
# creation.
nchar_character_set_name = null
# (Optional) The network type of the DB instance. Valid values: IPV4, DUAL. By
# default, it's set to IPV4
network_type = null
# The number of read replicas to create. RDS will asynchronously replicate all
# data from the master to these replicas, which you can use to horizontally
# scale reads traffic.
num_read_replicas = 0
# Name of a DB option group to associate.
option_group_name = null
# Name of a DB parameter group to associate.
parameter_group_name = null
# Name of a DB parameter group to associate with read replica instances.
# Defaults to var.parameter_group_name if not set.
parameter_group_name_for_read_replicas = null
# Specifies whether Performance Insights are enabled. Performance Insights can
# be enabled for specific versions of database engines. See
# https://aws.amazon.com/rds/performance-insights/ for more details.
performance_insights_enabled = false
# The ARN for the KMS key to encrypt Performance Insights data. When
# specifying performance_insights_kms_key_id, performance_insights_enabled
# needs to be set to true. Once KMS key is set, it can never be changed. When
# set to `null` default aws/rds KMS for given region is used.
performance_insights_kms_key_id = null
# The amount of time in days to retain Performance Insights data. Either 7 (7
# days) or 731 (2 years). When specifying
# performance_insights_retention_period, performance_insights_enabled needs to
# be set to true. Defaults to `7`.
performance_insights_retention_period = null
# The ARN of the policy that is used to set the permissions boundary for the
# role of enhanced monitoring role. This policy should be created outside of
# this module.
permissions_boundary_arn = null
# WARNING: - In nearly all cases a database should NOT be publicly accessible.
# Only set this to true if you want the database open to the internet.
publicly_accessible = false
# Redefine replica instance type, if you want to define a different RDS
# instance type for replica.
read_replica_instance_type = null
# The amount of provisioned IOPS for read replicas. If null, the replica will
# use the same value as the primary, which is set in var.iops.
read_replica_iops = null
# The type of storage to use for read replicas. If null, the replica will use
# the same value as the primary, which is set in var.storage_type.
read_replica_storage_type = null
# How many days to keep backup snapshots around before cleaning them up on the
# read replicas. Must be 1 or greater to support read replicas. 0 means
# disable automated backups.
replica_backup_retention_period = 0
# A configuration block for restoring a DB instance to an arbitrary point in
# time. Refer to
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#restore-to-point-in-time
# for more details
restore_to_point_in_time = null
# Determines whether a final DB snapshot is created before the DB instance is
# deleted. Be very careful setting this to true; if you do, and you delete
# this DB instance, you will not have any backups of the data!
skip_final_snapshot = false
# If non-null, the RDS Instance will be restored from the given Snapshot ID.
# This is the Snapshot ID you'd find in the RDS console, e.g:
# rds:production-2015-06-26-06-05.
snapshot_identifier = null
# Specifies whether the DB instance is encrypted.
storage_encrypted = true
# The storage throughput value for the DB instance. Can only be set when
# var.storage_type is 'gp3'. Cannot be specified if the allocated_storage
# value is below a per-engine threshold. See the RDS User Guide:
# https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#gp3-storage
storage_throughput = null
# The type of storage to use for the primary instance. Must be one of
# 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (general purpose
# SSD), io1' (provisioned IOPS SSD), or 'io2' (2nd gen provisioned IOPS SSD).
storage_type = "gp2"
# Timeout for DB updating
updating_timeout = "80m"
}
Reference
- Inputs
- Outputs
Required
engine
stringThe DB engine to use (e.g. mysql).
engine_version
stringThe version of engine
to use (e.g. 5.7.11 for mysql). If auto_minor_version_upgrade
is set to true, set the version number to MAJOR.MINOR and omit the PATCH (e.g., set it to 5.7 and not 5.7.11) to avoid state drift. See https://www.terraform.io/docs/providers/aws/r/db_instance.html#engine_version for more details.
instance_type
stringThe instance type to use for the db (e.g. db.t2.micro)
name
stringThe name used to namespace all resources created by these templates, including the DB instance (e.g. drupaldb). Must be unique for this region. May contain only lowercase alphanumeric characters, hyphens, underscores, periods, and spaces.
port
numberThe port the DB will listen on (e.g. 3306)
subnet_ids
list(string)A list of subnet ids where the database should be deployed. In the standard Gruntwork VPC setup, these should be the private persistence subnet ids. This is ignored if create_subnet_group=false.
vpc_id
stringThe id of the VPC in which this DB should be deployed.
Optional
additional_primary_instance_security_group_ids
list(string)List of IDs of AWS Security Groups to attach to the primary RDS instance.
[]
List of IDs of AWS Security Groups to attach to the read replica RDS instance.
[]
allocated_storage
numberThe amount of storage space the DB should use, in GB. If max_allocated_storage is configured, this argument represents the initial storage allocation and differences from the configuration will be ignored automatically when Storage Autoscaling occurs.
null
allow_connections_from_cidr_blocks
list(string)A list of CIDR-formatted IP address ranges that can connect to this DB. Should typically be the CIDR blocks of the private app subnet in this VPC plus the private subnet in the mgmt VPC.
[]
A list of CIDR-formatted IP address ranges that can connect to read replica instances. If not set read replica instances will use the same security group as master instance.
[]
allow_connections_from_security_groups
list(string)A list of Security Groups that can connect to this DB.
[]
A list of Security Groups that can connect to read replica instances. If not set read replica instances will use the same security group as master instance.
[]
Indicates whether major version upgrades (e.g. 9.4.x to 9.5.x) will ever be permitted. Note that these updates must always be manually performed and will never automatically applied.
true
allow_outbound_connections_to_cidr_blocks
list(string)A list of CIDR-formatted IP address ranges that the database is allowed to send traffit to. Should typically be the CIDR blocks of the private app subnet in this VPC plus the private subnet in the mgmt VPC.
[]
allowed_replica_zones
list(string)The availability zones within which it should be possible to spin up replicas
[]
Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Note that cluster modifications may cause degraded performance or downtime.
false
Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. If set to true, you should set engine_version
to MAJOR.MINOR and omit the .PATCH at the end (e.g., use 5.7 and not 5.7.11); otherwise, you'll get Terraform state drift. See https://www.terraform.io/docs/providers/aws/r/db_instance.html#engine_version for more details.
true
The description of the aws_db_security_group that is created. Defaults to 'Security group for the name
DB' if not specified.
null
The name of the aws_db_security_group that is created. Defaults to name
if not specified.
null
The description of the aws_db_subnet_group that is created. Defaults to 'Subnet group for the name
DB' if not specified.
null
aws_db_subnet_group_name
stringThe name of the aws_db_subnet_group that is created, or an existing one to use if create_subnet_group is false. Defaults to name
if not specified.
null
backup_retention_period
numberHow many days to keep backup snapshots around before cleaning them up. Must be 1 or greater to support read replicas. 0 means disable automated backups.
21
backup_window
stringThe daily time range during which automated backups are created (e.g. 04:00-09:00). Time zone is UTC. Performance may be degraded while a backup runs.
"06:00-07:00"
ca_cert_identifier
stringThe Certificate Authority (CA) certificates bundle to use on the RDS instance.
null
character_set_name
stringThe character set name to use for DB encoding in Oracle and Microsoft SQL instances (collation). This must be null for all other engine types. Note that this is only relevant at create time - it can not be changed after creation.
null
Copy all the RDS instance tags to snapshots. Default is false.
false
If false, the DB will bind to aws_db_subnet_group_name and the CIDR will be ignored (allow_connections_from_cidr_blocks)
true
creating_timeout
stringTimeout for DB creating
"40m"
The instance profile associated with the underlying Amazon EC2 instance of an RDS Custom DB instance.
null
custom_parameter_group
object(…)Configure a custom parameter group for the RDS DB. This will create a new parameter group with the given parameters. When null, the database will be launched with the default parameter group.
object({
# Name of the parameter group to create
name = string
# The family of the DB parameter group.
family = string
# The parameters to configure on the created parameter group.
parameters = list(object({
# Parameter name to configure.
name = string
# Vaue to set the parameter.
value = string
# When to apply the parameter. "immediate" or "pending-reboot".
apply_method = string
}))
})
null
Details
The family of the DB parameter group.
Details
The parameters to configure on the created parameter group.
Details
Vaue to set the parameter.
Details
When to apply the parameter. "immediate" or "pending-reboot".
custom_tags
map(string)A map of custom tags to apply to the RDS Instance and the Security Group created for it. The key is the tag name and the value is the tag value.
{}
db_name
stringThe name for your database of up to 8 alpha-numeric characters. If you do not provide a name, Amazon RDS will not create a database in the DB cluster you are creating.
null
default_license_models
map(string)A map of the default license to use for each supported RDS engine.
{
mariadb = "general-public-license",
mysql = "general-public-license",
oracle-ee = "bring-your-own-license",
oracle-ee-cdb = "bring-your-own-license",
oracle-se = "bring-your-own-license",
oracle-se1 = "bring-your-own-license",
oracle-se2 = "bring-your-own-license",
oracle-se2-cdb = "bring-your-own-license",
postgres = "postgresql-license",
sqlserver-ee = "license-included",
sqlserver-ex = "license-included",
sqlserver-se = "license-included",
sqlserver-web = "license-included"
}
Specifies whether to remove automated backups immediately after the DB instance is deleted
true
deleting_timeout
stringTimeout for DB deleting
"60m"
The database can't be deleted when this value is set to true. The default is false.
false
Enable blue/green deployment to minimize down time due to changes made to the RDS Instance. See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/blue-green-deployments-overview.html for more detailed information.
false
enabled_cloudwatch_logs_exports
list(string)List of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine): alert, audit, error, general, listener, slowquery, trace, postgresql (PostgreSQL) and upgrade (PostgreSQL).
[]
final_snapshot_name
stringThe name of the final_snapshot_identifier. Defaults to name
-final-snapshot if not specified.
null
Specifies whether IAM database authentication is enabled. This option is only available for MySQL and PostgreSQL engines.
null
iops
numberThe amount of provisioned IOPS for the primary instance. Setting this implies a storage_type of 'io1','io2, or 'gp3'. Set to 0 to disable.
0
kms_key_arn
stringThe ARN of a KMS key that should be used to encrypt data on disk. Only used if storage_encrypted
is true. If you leave this blank, the default RDS KMS key for the account will be used. This variable needs to be set to an AWS KMS CMK if provisioning a custom RDS instance.
null
license_model
stringThe license model to use for this DB. Check the docs for your RDS DB for available license models. Valid values: general-public-license, postgresql-license, license-included, bring-your-own-license.
null
maintenance_window
stringThe weekly day and time range during which system maintenance can occur (e.g. wed:04:00-wed:04:30). Time zone is UTC. Performance may be degraded or there may even be a downtime during maintenance windows.
"sun:07:00-sun:08:00"
Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if password is provided.
null
master_password
stringThe password for the master user. If snapshot_identifier
is non-empty, this value is ignored.
null
The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN. If not specified, the default KMS key for your Amazon Web Services account is used.
null
master_username
stringThe username for the master user.
null
max_allocated_storage
numberWhen configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated_storage. Must be greater than or equal to allocated_storage or 0 to disable Storage Autoscaling.
0
monitoring_interval
numberThe interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. Valid Values: 0, 1, 5, 10, 15, 30, 60. Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.
0
monitoring_role_arn
stringThe ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. If monitoring_interval is greater than 0, but monitoring_role_arn is let as an empty string, a default IAM role that allows enhanced monitoring will be created.
null
monitoring_role_arn_path
stringOptionally add a path to the IAM monitoring role. If left blank, it will default to just /.
"/"
monitoring_role_name
stringThe name of the enhanced_monitoring_role that is created. Defaults to name
-monitoring-role if not specified.
null
multi_az
boolSpecifies if a standby instance should be deployed in another availability zone. If the primary fails, this instance will automatically take over.
true
nchar_character_set_name
stringThe national character set is used in the NCHAR, NVARCHAR2, and NCLOB data types for Oracle instances. This must be null for all other engine types. Note that this is only relevant at create time - it can not be changed after creation.
null
network_type
string(Optional) The network type of the DB instance. Valid values: IPV4, DUAL. By default, it's set to IPV4
null
num_read_replicas
numberThe number of read replicas to create. RDS will asynchronously replicate all data from the master to these replicas, which you can use to horizontally scale reads traffic.
0
option_group_name
stringName of a DB option group to associate.
null
parameter_group_name
stringName of a DB parameter group to associate.
null
Name of a DB parameter group to associate with read replica instances. Defaults to parameter_group_name
if not set.
null
Specifies whether Performance Insights are enabled. Performance Insights can be enabled for specific versions of database engines. See https://aws.amazon.com/rds/performance-insights/ for more details.
false
The ARN for the KMS key to encrypt Performance Insights data. When specifying performance_insights_kms_key_id, performance_insights_enabled needs to be set to true. Once KMS key is set, it can never be changed. When set to null
default aws/rds KMS for given region is used.
null
The amount of time in days to retain Performance Insights data. Either 7 (7 days) or 731 (2 years). When specifying performance_insights_retention_period, performance_insights_enabled needs to be set to true. Defaults to 7
.
null
permissions_boundary_arn
stringThe ARN of the policy that is used to set the permissions boundary for the role of enhanced monitoring role. This policy should be created outside of this module.
null
WARNING: - In nearly all cases a database should NOT be publicly accessible. Only set this to true if you want the database open to the internet.
false
Redefine replica instance type, if you want to define a different RDS instance type for replica.
null
read_replica_iops
numberThe amount of provisioned IOPS for read replicas. If null, the replica will use the same value as the primary, which is set in iops
.
null
The type of storage to use for read replicas. If null, the replica will use the same value as the primary, which is set in storage_type
.
null
How many days to keep backup snapshots around before cleaning them up on the read replicas. Must be 1 or greater to support read replicas. 0 means disable automated backups.
0
restore_to_point_in_time
map(object(…))A configuration block for restoring a DB instance to an arbitrary point in time. Refer to https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#restore-to-point-in-time for more details
map(object({
restore_time = string
source_db_instance_identifier = string
source_db_instance_automated_backups_arn = string
source_dbi_resource_id = string
use_latest_restorable_time = string
}))
null
Determines whether a final DB snapshot is created before the DB instance is deleted. Be very careful setting this to true; if you do, and you delete this DB instance, you will not have any backups of the data!
false
snapshot_identifier
stringIf non-null, the RDS Instance will be restored from the given Snapshot ID. This is the Snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05.
null
Specifies whether the DB instance is encrypted.
true
storage_throughput
stringThe storage throughput value for the DB instance. Can only be set when storage_type
is 'gp3'. Cannot be specified if the allocated_storage value is below a per-engine threshold. See the RDS User Guide: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#gp3-storage
null
storage_type
stringThe type of storage to use for the primary instance. Must be one of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (general purpose SSD), io1' (provisioned IOPS SSD), or 'io2' (2nd gen provisioned IOPS SSD).
"gp2"
updating_timeout
stringTimeout for DB updating
"80m"