RDS Read Replicas Module
This module creates a read replica (read-only copy) of a DB instance.
About RDS Read Replicas
A read replica is a read-only copy of a DB instance. You can reduce the load on your primary DB instance by routing queries from your applications to the read replica. Refer to Working with DB instance read replicas for more information.
Promoting Read Replica as Primary
For disaster recovery, you may need to promote a read replica as a primary instance. Promoting an RDS replica to be a primary instance is not a supported operation in Terraform and requires direct interaction with AWS APIs. Subsequent steps are then required to ensure your Terraform state is up-to-date. Please see the following walk-through for steps to promote a replica to primary.
- Promote the replica: Run AWS CLI command to promote read replica as primary with the following command:
aws rds promote-read-replica \
--db-instance-identifier <replica-identifier> \
--region <region>
Note: This command triggers the promotion process and takes an additional 30-60 mins to complete the modification.
- Update the Terraform configuration: Modify your Terraform configuration file (e.g., main.tf) to reflect the new state. There's no way to automatically reflect the new state in terraform.
- Import the new primary instance into Terraform state: Run the
terraform import
command. This command associates the resource in your Terraform configuration with the existing resource in AWS.
terraform import aws_db_instance.<identifier> <primary_instance_arn>
- Refresh the Terraform state: Run
terraform refresh
to fetch the current state of the primary instance from AWS and update the Terraform state file accordingly. This ensures that Terraform is aware of the new primary instance's attributes. - Verify the Terraform plan: Run
terraform plan
to review the changes that Terraform will apply based on the updated configuration and current state. Make sure the plan reflects the desired changes, including the new primary instance attributes. - Apply the Terraform changes: If the plan looks correct, apply the changes by running
terraform apply
. Terraform will update the resources to match the desired configuration, reflecting the newly promoted primary instance.
Sample Usage
- Terraform
- Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S RDS-REPLICAS MODULE
# ------------------------------------------------------------------------------------------------------
module "rds_replicas" {
source = "git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/rds-replicas?ref=v0.40.1"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The instance type to use for the db (e.g. db.t2.micro)
instance_type = <string>
# The name used to namespace all resources created by these templates,
# including the DB instance (e.g. drupaldb). Must be unique for this region.
# May contain only lowercase alphanumeric characters, hyphens, underscores,
# periods, and spaces.
name = <string>
# The port the DB will listen on (e.g. 3306)
port = <number>
# An ID of the primary DB instance to create read replicas from
primary_instance_id = <string>
# The id of the VPC in which this DB should be deployed.
vpc_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# List of IDs of AWS Security Groups to attach to the read replica RDS
# instance.
additional_security_group_ids = []
# A list of CIDR-formatted IP address ranges that can connect to read replica
# instances. If not set read replica instances will use the same security
# group as master instance.
allow_connections_from_cidr_blocks = []
# A list of Security Groups that can connect to read replica instances. If not
# set read replica instances will use the same security group as master
# instance.
allow_connections_from_security_groups = []
# Indicates whether major version upgrades (e.g. 9.4.x to 9.5.x) will ever be
# permitted. Note that these updates must always be manually performed and
# will never automatically applied.
allow_major_version_upgrade = true
# The availability zones within which it should be possible to spin up
# replicas
allowed_replica_zones = []
# Specifies whether any cluster modifications are applied immediately, or
# during the next maintenance window. Note that cluster modifications may
# cause degraded performance or downtime.
apply_immediately = false
# Indicates that minor engine upgrades will be applied automatically to the DB
# instance during the maintenance window. If set to true, you should set
# var.engine_version to MAJOR.MINOR and omit the .PATCH at the end (e.g., use
# 5.7 and not 5.7.11); otherwise, you'll get Terraform state drift. See
# https://www.terraform.io/docs/providers/aws/r/db_instance.html#engine_version
# for more details.
auto_minor_version_upgrade = true
# The description of the aws_db_subnet_group that is created. Defaults to
# 'Subnet group for the var.name DB' if not specified.
aws_db_subnet_group_description = null
# The name of the aws_db_subnet_group that is created, or an existing one to
# use if create_subnet_group is false. Defaults to var.name if not specified.
aws_db_subnet_group_name = null
# How many days to keep backup snapshots around before cleaning them up. Must
# be 1 or greater to support read replicas. 0 means disable automated backups.
backup_retention_period = 21
# The daily time range during which automated backups are created (e.g.
# 04:00-09:00). Time zone is UTC. Performance may be degraded while a backup
# runs.
backup_window = null
# The Certificate Authority (CA) certificates bundle to use on the RDS
# instance.
ca_cert_identifier = null
# Copy all the RDS instance tags to snapshots. Default is false.
copy_tags_to_snapshot = false
# When working with read replicas, only configure db subnet group if the
# source database specifies an instance in another AWS Region. If true, it
# will create a new subnet group.
create_subnet_group = false
# Timeout for DB creating
creating_timeout = "40m"
# A map of custom tags to apply to the RDS Instance and the Security Group
# created for it. The key is the tag name and the value is the tag value.
custom_tags = {}
# Specifies whether to remove automated backups immediately after the DB
# instance is deleted
delete_automated_backups = null
# Timeout for DB deleting
deleting_timeout = "60m"
# The database can't be deleted when this value is set to true. The default is
# false.
deletion_protection = false
# List of log types to enable for exporting to CloudWatch logs. If omitted, no
# logs will be exported. Valid values (depending on engine): alert, audit,
# error, general, listener, slowquery, trace, postgresql (PostgreSQL) and
# upgrade (PostgreSQL).
enabled_cloudwatch_logs_exports = []
# Specifies whether IAM database authentication is enabled. This option is
# only available for MySQL and PostgreSQL engines.
iam_database_authentication_enabled = null
# The amount of provisioned IOPS for the primary instance. Setting this
# implies a storage_type of 'io1','io2, or 'gp3'. Set to 0 to disable.
iops = 0
# The ARN of a KMS key that should be used to encrypt data on disk. Only used
# if var.storage_encrypted is true. If you leave this blank, the default RDS
# KMS key for the account will be used.
kms_key_arn = null
# The weekly day and time range during which system maintenance can occur
# (e.g. wed:04:00-wed:04:30). Time zone is UTC. Performance may be degraded or
# there may even be a downtime during maintenance windows.
maintenance_window = null
# When configured, the upper limit to which Amazon RDS can automatically scale
# the storage of the DB instance. Configuring this will automatically ignore
# differences to allocated_storage. Must be greater than or equal to
# allocated_storage or 0 to disable Storage Autoscaling.
max_allocated_storage = 0
# The interval, in seconds, between points when Enhanced Monitoring metrics
# are collected for the DB instance. To disable collecting Enhanced Monitoring
# metrics, specify 0. Valid Values: 0, 1, 5, 10, 15, 30, 60. Enhanced
# Monitoring metrics are useful when you want to see how different processes
# or threads on a DB instance use the CPU.
monitoring_interval = 0
# The ARN for the IAM role that permits RDS to send enhanced monitoring
# metrics to CloudWatch Logs. If monitoring_interval is greater than 0, but
# monitoring_role_arn is let as an empty string, a default IAM role that
# allows enhanced monitoring will be created.
monitoring_role_arn = null
# Specifies if a standby instance should be deployed in another availability
# zone. If the primary fails, this instance will automatically take over.
multi_az = false
# (Optional) The network type of the DB instance. Valid values: IPV4, DUAL. By
# default, it's set to IPV4.
network_type = null
# The number of read replicas to create. RDS will asynchronously replicate all
# data from the master to these replicas, which you can use to horizontally
# scale reads traffic.
num_read_replicas = 0
# Name of a DB parameter group to associate.
parameter_group_name = null
# Specifies whether Performance Insights are enabled. Performance Insights can
# be enabled for specific versions of database engines. See
# https://aws.amazon.com/rds/performance-insights/ for more details.
performance_insights_enabled = false
# The ARN for the KMS key to encrypt Performance Insights data. When
# specifying performance_insights_kms_key_id, performance_insights_enabled
# needs to be set to true. Once KMS key is set, it can never be changed. When
# set to `null` default aws/rds KMS for given region is used.
performance_insights_kms_key_id = null
# The amount of time in days to retain Performance Insights data. Either 7 (7
# days) or 731 (2 years). When specifying
# performance_insights_retention_period, performance_insights_enabled needs to
# be set to true. Defaults to `7`.
performance_insights_retention_period = null
# WARNING: - In nearly all cases a database should NOT be publicly accessible.
# Only set this to true if you want the database open to the internet.
publicly_accessible = false
# Identifiers of the replica you want to create. Use this variable if you want
# to set custom identifier for your read replicas.
replica_identifiers = null
# Determines whether a final DB snapshot is created before the DB instance is
# deleted. Be very careful setting this to true; if you do, and you delete
# this DB instance, you will not have any backups of the data!
skip_final_snapshot = false
# Specifies whether the DB instance is encrypted.
storage_encrypted = true
# The type of storage to use for the primary instance. Must be one of
# 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (general purpose
# SSD), io1' (provisioned IOPS SSD), or 'io2' (2nd gen provisioned IOPS SSD).
storage_type = "gp2"
# A list of subnet ids where the database should be deployed. In the standard
# Gruntwork VPC setup, these should be the private persistence subnet ids.
# This is ignored if create_subnet_group=false.
subnet_ids = null
# Timeout for DB updating
updating_timeout = "80m"
}
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S RDS-REPLICAS MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-data-storage.git//modules/rds-replicas?ref=v0.40.1"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The instance type to use for the db (e.g. db.t2.micro)
instance_type = <string>
# The name used to namespace all resources created by these templates,
# including the DB instance (e.g. drupaldb). Must be unique for this region.
# May contain only lowercase alphanumeric characters, hyphens, underscores,
# periods, and spaces.
name = <string>
# The port the DB will listen on (e.g. 3306)
port = <number>
# An ID of the primary DB instance to create read replicas from
primary_instance_id = <string>
# The id of the VPC in which this DB should be deployed.
vpc_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# List of IDs of AWS Security Groups to attach to the read replica RDS
# instance.
additional_security_group_ids = []
# A list of CIDR-formatted IP address ranges that can connect to read replica
# instances. If not set read replica instances will use the same security
# group as master instance.
allow_connections_from_cidr_blocks = []
# A list of Security Groups that can connect to read replica instances. If not
# set read replica instances will use the same security group as master
# instance.
allow_connections_from_security_groups = []
# Indicates whether major version upgrades (e.g. 9.4.x to 9.5.x) will ever be
# permitted. Note that these updates must always be manually performed and
# will never automatically applied.
allow_major_version_upgrade = true
# The availability zones within which it should be possible to spin up
# replicas
allowed_replica_zones = []
# Specifies whether any cluster modifications are applied immediately, or
# during the next maintenance window. Note that cluster modifications may
# cause degraded performance or downtime.
apply_immediately = false
# Indicates that minor engine upgrades will be applied automatically to the DB
# instance during the maintenance window. If set to true, you should set
# var.engine_version to MAJOR.MINOR and omit the .PATCH at the end (e.g., use
# 5.7 and not 5.7.11); otherwise, you'll get Terraform state drift. See
# https://www.terraform.io/docs/providers/aws/r/db_instance.html#engine_version
# for more details.
auto_minor_version_upgrade = true
# The description of the aws_db_subnet_group that is created. Defaults to
# 'Subnet group for the var.name DB' if not specified.
aws_db_subnet_group_description = null
# The name of the aws_db_subnet_group that is created, or an existing one to
# use if create_subnet_group is false. Defaults to var.name if not specified.
aws_db_subnet_group_name = null
# How many days to keep backup snapshots around before cleaning them up. Must
# be 1 or greater to support read replicas. 0 means disable automated backups.
backup_retention_period = 21
# The daily time range during which automated backups are created (e.g.
# 04:00-09:00). Time zone is UTC. Performance may be degraded while a backup
# runs.
backup_window = null
# The Certificate Authority (CA) certificates bundle to use on the RDS
# instance.
ca_cert_identifier = null
# Copy all the RDS instance tags to snapshots. Default is false.
copy_tags_to_snapshot = false
# When working with read replicas, only configure db subnet group if the
# source database specifies an instance in another AWS Region. If true, it
# will create a new subnet group.
create_subnet_group = false
# Timeout for DB creating
creating_timeout = "40m"
# A map of custom tags to apply to the RDS Instance and the Security Group
# created for it. The key is the tag name and the value is the tag value.
custom_tags = {}
# Specifies whether to remove automated backups immediately after the DB
# instance is deleted
delete_automated_backups = null
# Timeout for DB deleting
deleting_timeout = "60m"
# The database can't be deleted when this value is set to true. The default is
# false.
deletion_protection = false
# List of log types to enable for exporting to CloudWatch logs. If omitted, no
# logs will be exported. Valid values (depending on engine): alert, audit,
# error, general, listener, slowquery, trace, postgresql (PostgreSQL) and
# upgrade (PostgreSQL).
enabled_cloudwatch_logs_exports = []
# Specifies whether IAM database authentication is enabled. This option is
# only available for MySQL and PostgreSQL engines.
iam_database_authentication_enabled = null
# The amount of provisioned IOPS for the primary instance. Setting this
# implies a storage_type of 'io1','io2, or 'gp3'. Set to 0 to disable.
iops = 0
# The ARN of a KMS key that should be used to encrypt data on disk. Only used
# if var.storage_encrypted is true. If you leave this blank, the default RDS
# KMS key for the account will be used.
kms_key_arn = null
# The weekly day and time range during which system maintenance can occur
# (e.g. wed:04:00-wed:04:30). Time zone is UTC. Performance may be degraded or
# there may even be a downtime during maintenance windows.
maintenance_window = null
# When configured, the upper limit to which Amazon RDS can automatically scale
# the storage of the DB instance. Configuring this will automatically ignore
# differences to allocated_storage. Must be greater than or equal to
# allocated_storage or 0 to disable Storage Autoscaling.
max_allocated_storage = 0
# The interval, in seconds, between points when Enhanced Monitoring metrics
# are collected for the DB instance. To disable collecting Enhanced Monitoring
# metrics, specify 0. Valid Values: 0, 1, 5, 10, 15, 30, 60. Enhanced
# Monitoring metrics are useful when you want to see how different processes
# or threads on a DB instance use the CPU.
monitoring_interval = 0
# The ARN for the IAM role that permits RDS to send enhanced monitoring
# metrics to CloudWatch Logs. If monitoring_interval is greater than 0, but
# monitoring_role_arn is let as an empty string, a default IAM role that
# allows enhanced monitoring will be created.
monitoring_role_arn = null
# Specifies if a standby instance should be deployed in another availability
# zone. If the primary fails, this instance will automatically take over.
multi_az = false
# (Optional) The network type of the DB instance. Valid values: IPV4, DUAL. By
# default, it's set to IPV4.
network_type = null
# The number of read replicas to create. RDS will asynchronously replicate all
# data from the master to these replicas, which you can use to horizontally
# scale reads traffic.
num_read_replicas = 0
# Name of a DB parameter group to associate.
parameter_group_name = null
# Specifies whether Performance Insights are enabled. Performance Insights can
# be enabled for specific versions of database engines. See
# https://aws.amazon.com/rds/performance-insights/ for more details.
performance_insights_enabled = false
# The ARN for the KMS key to encrypt Performance Insights data. When
# specifying performance_insights_kms_key_id, performance_insights_enabled
# needs to be set to true. Once KMS key is set, it can never be changed. When
# set to `null` default aws/rds KMS for given region is used.
performance_insights_kms_key_id = null
# The amount of time in days to retain Performance Insights data. Either 7 (7
# days) or 731 (2 years). When specifying
# performance_insights_retention_period, performance_insights_enabled needs to
# be set to true. Defaults to `7`.
performance_insights_retention_period = null
# WARNING: - In nearly all cases a database should NOT be publicly accessible.
# Only set this to true if you want the database open to the internet.
publicly_accessible = false
# Identifiers of the replica you want to create. Use this variable if you want
# to set custom identifier for your read replicas.
replica_identifiers = null
# Determines whether a final DB snapshot is created before the DB instance is
# deleted. Be very careful setting this to true; if you do, and you delete
# this DB instance, you will not have any backups of the data!
skip_final_snapshot = false
# Specifies whether the DB instance is encrypted.
storage_encrypted = true
# The type of storage to use for the primary instance. Must be one of
# 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (general purpose
# SSD), io1' (provisioned IOPS SSD), or 'io2' (2nd gen provisioned IOPS SSD).
storage_type = "gp2"
# A list of subnet ids where the database should be deployed. In the standard
# Gruntwork VPC setup, these should be the private persistence subnet ids.
# This is ignored if create_subnet_group=false.
subnet_ids = null
# Timeout for DB updating
updating_timeout = "80m"
}
Reference
- Inputs
- Outputs
Required
instance_type
stringThe instance type to use for the db (e.g. db.t2.micro)
name
stringThe name used to namespace all resources created by these templates, including the DB instance (e.g. drupaldb). Must be unique for this region. May contain only lowercase alphanumeric characters, hyphens, underscores, periods, and spaces.
port
numberThe port the DB will listen on (e.g. 3306)
primary_instance_id
stringAn ID of the primary DB instance to create read replicas from
vpc_id
stringThe id of the VPC in which this DB should be deployed.
Optional
additional_security_group_ids
list(string)List of IDs of AWS Security Groups to attach to the read replica RDS instance.
[]
allow_connections_from_cidr_blocks
list(string)A list of CIDR-formatted IP address ranges that can connect to read replica instances. If not set read replica instances will use the same security group as master instance.
[]
allow_connections_from_security_groups
list(string)A list of Security Groups that can connect to read replica instances. If not set read replica instances will use the same security group as master instance.
[]
Indicates whether major version upgrades (e.g. 9.4.x to 9.5.x) will ever be permitted. Note that these updates must always be manually performed and will never automatically applied.
true
allowed_replica_zones
list(string)The availability zones within which it should be possible to spin up replicas
[]
Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Note that cluster modifications may cause degraded performance or downtime.
false
Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. If set to true, you should set engine_version
to MAJOR.MINOR and omit the .PATCH at the end (e.g., use 5.7 and not 5.7.11); otherwise, you'll get Terraform state drift. See https://www.terraform.io/docs/providers/aws/r/db_instance.html#engine_version for more details.
true
The description of the aws_db_subnet_group that is created. Defaults to 'Subnet group for the name
DB' if not specified.
null
aws_db_subnet_group_name
stringThe name of the aws_db_subnet_group that is created, or an existing one to use if create_subnet_group is false. Defaults to name
if not specified.
null
backup_retention_period
numberHow many days to keep backup snapshots around before cleaning them up. Must be 1 or greater to support read replicas. 0 means disable automated backups.
21
backup_window
stringThe daily time range during which automated backups are created (e.g. 04:00-09:00). Time zone is UTC. Performance may be degraded while a backup runs.
null
ca_cert_identifier
stringThe Certificate Authority (CA) certificates bundle to use on the RDS instance.
null
Copy all the RDS instance tags to snapshots. Default is false.
false
When working with read replicas, only configure db subnet group if the source database specifies an instance in another AWS Region. If true, it will create a new subnet group.
false
creating_timeout
stringTimeout for DB creating
"40m"
custom_tags
map(string)A map of custom tags to apply to the RDS Instance and the Security Group created for it. The key is the tag name and the value is the tag value.
{}
Specifies whether to remove automated backups immediately after the DB instance is deleted
null
deleting_timeout
stringTimeout for DB deleting
"60m"
The database can't be deleted when this value is set to true. The default is false.
false
enabled_cloudwatch_logs_exports
list(string)List of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine): alert, audit, error, general, listener, slowquery, trace, postgresql (PostgreSQL) and upgrade (PostgreSQL).
[]
Specifies whether IAM database authentication is enabled. This option is only available for MySQL and PostgreSQL engines.
null
iops
numberThe amount of provisioned IOPS for the primary instance. Setting this implies a storage_type of 'io1','io2, or 'gp3'. Set to 0 to disable.
0
kms_key_arn
stringThe ARN of a KMS key that should be used to encrypt data on disk. Only used if storage_encrypted
is true. If you leave this blank, the default RDS KMS key for the account will be used.
null
maintenance_window
stringThe weekly day and time range during which system maintenance can occur (e.g. wed:04:00-wed:04:30). Time zone is UTC. Performance may be degraded or there may even be a downtime during maintenance windows.
null
max_allocated_storage
numberWhen configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated_storage. Must be greater than or equal to allocated_storage or 0 to disable Storage Autoscaling.
0
monitoring_interval
numberThe interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. Valid Values: 0, 1, 5, 10, 15, 30, 60. Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.
0
monitoring_role_arn
stringThe ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. If monitoring_interval is greater than 0, but monitoring_role_arn is let as an empty string, a default IAM role that allows enhanced monitoring will be created.
null
multi_az
boolSpecifies if a standby instance should be deployed in another availability zone. If the primary fails, this instance will automatically take over.
false
network_type
string(Optional) The network type of the DB instance. Valid values: IPV4, DUAL. By default, it's set to IPV4.
null
num_read_replicas
numberThe number of read replicas to create. RDS will asynchronously replicate all data from the master to these replicas, which you can use to horizontally scale reads traffic.
0
parameter_group_name
stringName of a DB parameter group to associate.
null
Specifies whether Performance Insights are enabled. Performance Insights can be enabled for specific versions of database engines. See https://aws.amazon.com/rds/performance-insights/ for more details.
false
The ARN for the KMS key to encrypt Performance Insights data. When specifying performance_insights_kms_key_id, performance_insights_enabled needs to be set to true. Once KMS key is set, it can never be changed. When set to null
default aws/rds KMS for given region is used.
null
The amount of time in days to retain Performance Insights data. Either 7 (7 days) or 731 (2 years). When specifying performance_insights_retention_period, performance_insights_enabled needs to be set to true. Defaults to 7
.
null
WARNING: - In nearly all cases a database should NOT be publicly accessible. Only set this to true if you want the database open to the internet.
false
replica_identifiers
list(string)Identifiers of the replica you want to create. Use this variable if you want to set custom identifier for your read replicas.
null
Determines whether a final DB snapshot is created before the DB instance is deleted. Be very careful setting this to true; if you do, and you delete this DB instance, you will not have any backups of the data!
false
Specifies whether the DB instance is encrypted.
true
storage_type
stringThe type of storage to use for the primary instance. Must be one of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (general purpose SSD), io1' (provisioned IOPS SSD), or 'io2' (2nd gen provisioned IOPS SSD).
"gp2"
subnet_ids
list(string)A list of subnet ids where the database should be deployed. In the standard Gruntwork VPC setup, these should be the private persistence subnet ids. This is ignored if create_subnet_group=false.
null
updating_timeout
stringTimeout for DB updating
"80m"