RDS Read Replicas Module
This module creates a read replica (read-only copy) of a DB instance.
View Source Release NotesFeatures
- Deploy a fully-managed native relational database replica
- Supports, MySQL, PostgreSQL, SQL Server, Oracle, and MariaDB
- Automatic scaling of storage
- CloudWatch Alarms for alerting when CPU, memory, and disk metrics exceed certain thresholds
- CloudWatch dashboard widgets for RDS statistics
Sample Usage
- Terraform
- Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S RDS-REPLICA MODULE
# ------------------------------------------------------------------------------------------------------
module "rds_replica" {
source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/rds-replica?ref=v0.118.5"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The name used to namespace all the RDS resources created by these templates,
# including the cluster and cluster instances (e.g. mysql-stage). Must be
# unique in this region. Must be a lowercase string.
name = <string>
# An ID of the primary DB instance to create read replicas from
primary_instance_id = <string>
# The ID of the VPC in which to deploy RDS.
vpc_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and
# disk space usage) should send notifications. Also used for the alarms if the
# share snapshot backup job fails.
alarms_sns_topic_arns = []
# The list of network CIDR blocks to allow network access to RDS from. One of
# var.allow_connections_from_cidr_blocks or
# var.allow_connections_from_security_groups must be specified for the
# database to be reachable.
allow_connections_from_cidr_blocks = []
# The list of IDs or Security Groups to allow network access to RDS from. All
# security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
# var.allow_connections_from_cidr_blocks or
# var.allow_connections_from_security_groups must be specified for the
# database to be reachable.
allow_connections_from_security_groups = []
# Indicates whether major version upgrades (e.g. 9.4.x to 9.5.x) will ever be
# permitted. Note that these updates must always be manually performed and
# will never be automatically applied.
allow_major_version_upgrade = true
# If true, both the CMK's Key Policy and IAM Policies (permissions) can be
# used to grant permissions on the CMK. If false, only the CMK's Key Policy
# can be used to grant permissions on the CMK. False is more secure (and
# generally preferred), but true is more flexible and convenient.
allow_manage_key_permissions_with_iam = false
# Specifies whether any cluster modifications are applied immediately, or
# during the next maintenance window. Note that cluster modifications may
# cause degraded performance or downtime.
apply_immediately = false
# Indicates that minor engine upgrades will be applied automatically to the DB
# instance during the maintenance window. If set to true, you should set
# var.engine_version to MAJOR.MINOR and omit the .PATCH at the end (e.g., use
# 5.7 and not 5.7.11); otherwise, you'll get Terraform state drift. See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance.html#engine_version
# for more details.
auto_minor_version_upgrade = true
# How many days to keep backup snapshots around before cleaning them up. Must
# be 1 or greater to support read replicas.
backup_retention_period = 30
# A list of IAM ARNs for users who should be given administrator access to
# this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). If this
# list is empty, and var.kms_key_arn is null, the ARN of the current user will
# be used.
cmk_administrator_iam_arns = []
# A list of IAM ARNs for users from external AWS accounts who should be given
# permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:root).
cmk_external_user_iam_arns = []
# A list of IAM ARNs for users who should be given permissions to use this CMK
# (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). If this list is
# empty, and var.kms_key_arn is null, the ARN of the current user will be
# used.
cmk_user_iam_arns = []
# Copy all the RDS instance tags to snapshots. Default is false.
copy_tags_to_snapshot = false
# If set to true, create a KMS CMK and use it to encrypt data on disk in the
# database. The permissions for this CMK will be assigned by the following
# variables: cmk_administrator_iam_arns, cmk_user_iam_arns,
# cmk_external_user_iam_arns, allow_manage_key_permissions.
create_custom_kms_key = false
# Set to true if you want a DNS record automatically created and pointed at
# the RDS endpoints.
create_route53_entry = false
# Configure a custom parameter group for the RDS DB. This will create a new
# parameter group with the given parameters. When null, the database will be
# launched with the default parameter group.
custom_parameter_group = null
# A map of custom tags to apply to the RDS Instance and the Security Group
# created for it. The key is the tag name and the value is the tag value.
custom_tags = {}
# Parameters for the cpu usage widget to output for use in a CloudWatch
# dashboard.
dashboard_cpu_usage_widget_parameters = {"height":6,"period":60,"width":8}
# Parameters for the database connections widget to output for use in a
# CloudWatch dashboard.
dashboard_db_connections_widget_parameters = {"height":6,"period":60,"width":8}
# Parameters for the available disk space widget to output for use in a
# CloudWatch dashboard.
dashboard_disk_space_widget_parameters = {"height":6,"period":60,"width":8}
# Parameters for the available memory widget to output for use in a CloudWatch
# dashboard.
dashboard_memory_widget_parameters = {"height":6,"period":60,"width":8}
# Parameters for the read latency widget to output for use in a CloudWatch
# dashboard.
dashboard_read_latency_widget_parameters = {"height":6,"period":60,"width":8}
# Parameters for the read latency widget to output for use in a CloudWatch
# dashboard.
dashboard_write_latency_widget_parameters = {"height":6,"period":60,"width":8}
# Set to true to enable several basic CloudWatch alarms around CPU usage,
# memory usage, and disk space usage. If set to true, make sure to specify SNS
# topics to send notifications to using var.alarms_sns_topic_arn.
enable_cloudwatch_alarms = true
# When true, enable CloudWatch metrics for the manual snapshots created for
# the purpose of sharing with another account.
enable_cloudwatch_metrics = true
# Enable deletion protection on the RDS instance. If this is enabled, the
# database cannot be deleted prior to disabling
enable_deletion_protection = false
# Set to true to enable alarms related to performance, such as read and write
# latency alarms. Set to false to disable those alarms if you aren't sure what
# would be reasonable perf numbers for your RDS set up or if those numbers are
# too unpredictable.
enable_perf_alarms = true
# List of log types to enable for exporting to CloudWatch logs. If omitted, no
# logs will be exported. Valid values (depending on engine): alert, audit,
# error, general, listener, slowquery, trace, postgresql (PostgreSQL) and
# upgrade (PostgreSQL).
enabled_cloudwatch_logs_exports = []
# The period, in seconds, over which to measure the CPU utilization
# percentage.
high_cpu_utilization_period = 60
# Trigger an alarm if the DB instance has a CPU utilization percentage above
# this threshold.
high_cpu_utilization_threshold = 90
# Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
high_cpu_utilization_treat_missing_data = "missing"
# The period, in seconds, over which to measure the read latency.
high_read_latency_period = 60
# Trigger an alarm if the DB instance read latency (average amount of time
# taken per disk I/O operation), in seconds, is above this threshold.
high_read_latency_threshold = 5
# The period, in seconds, over which to measure the write latency.
high_write_latency_period = 60
# Trigger an alarm if the DB instance write latency (average amount of time
# taken per disk I/O operation), in seconds, is above this threshold.
high_write_latency_threshold = 5
# The ID of the Route 53 hosted zone into which the Route 53 DNS record should
# be written
hosted_zone_id = null
# Specifies whether mappings of AWS Identity and Access Management (IAM)
# accounts to database accounts is enabled. Disabled by default.
iam_database_authentication_enabled = false
# The instance type to use for the db (e.g. db.t3.micro)
instance_type = "db.t3.micro"
# The amount of provisioned IOPS for the primary instance. Setting this
# implies a storage_type of 'io1'. Can only be set when storage_type is 'gp3'
# or 'io1'. Set to 0 to disable.
iops = 0
# The Amazon Resource Name (ARN) of an existing KMS customer master key (CMK)
# that will be used to encrypt/decrypt backup files. If you leave this blank,
# the default RDS KMS key for the account will be used. If you set
# var.create_custom_kms_key to true, this value will be ignored and a custom
# key will be created and used instead.
kms_key_arn = null
# The period, in seconds, over which to measure the available free disk space.
low_disk_space_available_period = 60
# Trigger an alarm if the amount of disk space, in Bytes, on the DB instance
# drops below this threshold.
low_disk_space_available_threshold = 1000000000
# Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
low_disk_space_available_treat_missing_data = "missing"
# The period, in seconds, over which to measure the available free memory.
low_memory_available_period = 60
# Trigger an alarm if the amount of free memory, in Bytes, on the DB instance
# drops below this threshold.
low_memory_available_threshold = 100000000
# Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
low_memory_available_treat_missing_data = "missing"
# When configured, the upper limit to which Amazon RDS can automatically scale
# the storage of the DB instance. Configuring this will automatically ignore
# differences to allocated_storage. Must be greater than or equal to
# allocated_storage or 0 to disable Storage Autoscaling.
max_allocated_storage = 0
# The number of read replicas to deploy
num_read_replicas = 0
# Specifies whether Performance Insights are enabled. Performance Insights can
# be enabled for specific versions of database engines. See
# https://aws.amazon.com/rds/performance-insights/ for more details.
performance_insights_enabled = false
# The port the DB will listen on (e.g. 3306). Alternatively, this can be
# provided via AWS Secrets Manager. See the description of
# db_config_secrets_manager_id.
port = null
# If you wish to make your database accessible from the public Internet, set
# this flag to true (WARNING: NOT RECOMMENDED FOR REGULAR USAGE!!). The
# default is false, which means the database is only accessible from within
# the VPC, which is much more secure. This flag MUST be false for serverless
# mode.
publicly_accessible = false
# The domain name to create a route 53 record for the read replicas of the RDS
# database.
replica_domain_name = null
# Determines whether a final DB snapshot is created before the DB instance is
# deleted. Be very careful setting this to true; if you do, and you delete
# this DB instance, you will not have any backups of the data! You almost
# never want to set this to true, unless you are doing automated or manual
# testing.
skip_final_snapshot = false
# Specifies whether the DB instance is encrypted.
storage_encrypted = true
# The type of storage to use for the primary instance. Must be one of
# 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (general purpose
# SSD that needs iops independently), or 'io1' (provisioned IOPS SSD).
storage_type = "gp2"
# Trigger an alarm if the number of connections to the DB instance goes above
# this threshold.
too_many_db_connections_threshold = null
# Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
too_many_db_connections_treat_missing_data = "missing"
}
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S RDS-REPLICA MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-service-catalog.git//modules/data-stores/rds-replica?ref=v0.118.5"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The name used to namespace all the RDS resources created by these templates,
# including the cluster and cluster instances (e.g. mysql-stage). Must be
# unique in this region. Must be a lowercase string.
name = <string>
# An ID of the primary DB instance to create read replicas from
primary_instance_id = <string>
# The ID of the VPC in which to deploy RDS.
vpc_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and
# disk space usage) should send notifications. Also used for the alarms if the
# share snapshot backup job fails.
alarms_sns_topic_arns = []
# The list of network CIDR blocks to allow network access to RDS from. One of
# var.allow_connections_from_cidr_blocks or
# var.allow_connections_from_security_groups must be specified for the
# database to be reachable.
allow_connections_from_cidr_blocks = []
# The list of IDs or Security Groups to allow network access to RDS from. All
# security groups must either be in the VPC specified by var.vpc_id, or a
# peered VPC with the VPC specified by var.vpc_id. One of
# var.allow_connections_from_cidr_blocks or
# var.allow_connections_from_security_groups must be specified for the
# database to be reachable.
allow_connections_from_security_groups = []
# Indicates whether major version upgrades (e.g. 9.4.x to 9.5.x) will ever be
# permitted. Note that these updates must always be manually performed and
# will never be automatically applied.
allow_major_version_upgrade = true
# If true, both the CMK's Key Policy and IAM Policies (permissions) can be
# used to grant permissions on the CMK. If false, only the CMK's Key Policy
# can be used to grant permissions on the CMK. False is more secure (and
# generally preferred), but true is more flexible and convenient.
allow_manage_key_permissions_with_iam = false
# Specifies whether any cluster modifications are applied immediately, or
# during the next maintenance window. Note that cluster modifications may
# cause degraded performance or downtime.
apply_immediately = false
# Indicates that minor engine upgrades will be applied automatically to the DB
# instance during the maintenance window. If set to true, you should set
# var.engine_version to MAJOR.MINOR and omit the .PATCH at the end (e.g., use
# 5.7 and not 5.7.11); otherwise, you'll get Terraform state drift. See
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance.html#engine_version
# for more details.
auto_minor_version_upgrade = true
# How many days to keep backup snapshots around before cleaning them up. Must
# be 1 or greater to support read replicas.
backup_retention_period = 30
# A list of IAM ARNs for users who should be given administrator access to
# this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). If this
# list is empty, and var.kms_key_arn is null, the ARN of the current user will
# be used.
cmk_administrator_iam_arns = []
# A list of IAM ARNs for users from external AWS accounts who should be given
# permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:root).
cmk_external_user_iam_arns = []
# A list of IAM ARNs for users who should be given permissions to use this CMK
# (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). If this list is
# empty, and var.kms_key_arn is null, the ARN of the current user will be
# used.
cmk_user_iam_arns = []
# Copy all the RDS instance tags to snapshots. Default is false.
copy_tags_to_snapshot = false
# If set to true, create a KMS CMK and use it to encrypt data on disk in the
# database. The permissions for this CMK will be assigned by the following
# variables: cmk_administrator_iam_arns, cmk_user_iam_arns,
# cmk_external_user_iam_arns, allow_manage_key_permissions.
create_custom_kms_key = false
# Set to true if you want a DNS record automatically created and pointed at
# the RDS endpoints.
create_route53_entry = false
# Configure a custom parameter group for the RDS DB. This will create a new
# parameter group with the given parameters. When null, the database will be
# launched with the default parameter group.
custom_parameter_group = null
# A map of custom tags to apply to the RDS Instance and the Security Group
# created for it. The key is the tag name and the value is the tag value.
custom_tags = {}
# Parameters for the cpu usage widget to output for use in a CloudWatch
# dashboard.
dashboard_cpu_usage_widget_parameters = {"height":6,"period":60,"width":8}
# Parameters for the database connections widget to output for use in a
# CloudWatch dashboard.
dashboard_db_connections_widget_parameters = {"height":6,"period":60,"width":8}
# Parameters for the available disk space widget to output for use in a
# CloudWatch dashboard.
dashboard_disk_space_widget_parameters = {"height":6,"period":60,"width":8}
# Parameters for the available memory widget to output for use in a CloudWatch
# dashboard.
dashboard_memory_widget_parameters = {"height":6,"period":60,"width":8}
# Parameters for the read latency widget to output for use in a CloudWatch
# dashboard.
dashboard_read_latency_widget_parameters = {"height":6,"period":60,"width":8}
# Parameters for the read latency widget to output for use in a CloudWatch
# dashboard.
dashboard_write_latency_widget_parameters = {"height":6,"period":60,"width":8}
# Set to true to enable several basic CloudWatch alarms around CPU usage,
# memory usage, and disk space usage. If set to true, make sure to specify SNS
# topics to send notifications to using var.alarms_sns_topic_arn.
enable_cloudwatch_alarms = true
# When true, enable CloudWatch metrics for the manual snapshots created for
# the purpose of sharing with another account.
enable_cloudwatch_metrics = true
# Enable deletion protection on the RDS instance. If this is enabled, the
# database cannot be deleted prior to disabling
enable_deletion_protection = false
# Set to true to enable alarms related to performance, such as read and write
# latency alarms. Set to false to disable those alarms if you aren't sure what
# would be reasonable perf numbers for your RDS set up or if those numbers are
# too unpredictable.
enable_perf_alarms = true
# List of log types to enable for exporting to CloudWatch logs. If omitted, no
# logs will be exported. Valid values (depending on engine): alert, audit,
# error, general, listener, slowquery, trace, postgresql (PostgreSQL) and
# upgrade (PostgreSQL).
enabled_cloudwatch_logs_exports = []
# The period, in seconds, over which to measure the CPU utilization
# percentage.
high_cpu_utilization_period = 60
# Trigger an alarm if the DB instance has a CPU utilization percentage above
# this threshold.
high_cpu_utilization_threshold = 90
# Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
high_cpu_utilization_treat_missing_data = "missing"
# The period, in seconds, over which to measure the read latency.
high_read_latency_period = 60
# Trigger an alarm if the DB instance read latency (average amount of time
# taken per disk I/O operation), in seconds, is above this threshold.
high_read_latency_threshold = 5
# The period, in seconds, over which to measure the write latency.
high_write_latency_period = 60
# Trigger an alarm if the DB instance write latency (average amount of time
# taken per disk I/O operation), in seconds, is above this threshold.
high_write_latency_threshold = 5
# The ID of the Route 53 hosted zone into which the Route 53 DNS record should
# be written
hosted_zone_id = null
# Specifies whether mappings of AWS Identity and Access Management (IAM)
# accounts to database accounts is enabled. Disabled by default.
iam_database_authentication_enabled = false
# The instance type to use for the db (e.g. db.t3.micro)
instance_type = "db.t3.micro"
# The amount of provisioned IOPS for the primary instance. Setting this
# implies a storage_type of 'io1'. Can only be set when storage_type is 'gp3'
# or 'io1'. Set to 0 to disable.
iops = 0
# The Amazon Resource Name (ARN) of an existing KMS customer master key (CMK)
# that will be used to encrypt/decrypt backup files. If you leave this blank,
# the default RDS KMS key for the account will be used. If you set
# var.create_custom_kms_key to true, this value will be ignored and a custom
# key will be created and used instead.
kms_key_arn = null
# The period, in seconds, over which to measure the available free disk space.
low_disk_space_available_period = 60
# Trigger an alarm if the amount of disk space, in Bytes, on the DB instance
# drops below this threshold.
low_disk_space_available_threshold = 1000000000
# Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
low_disk_space_available_treat_missing_data = "missing"
# The period, in seconds, over which to measure the available free memory.
low_memory_available_period = 60
# Trigger an alarm if the amount of free memory, in Bytes, on the DB instance
# drops below this threshold.
low_memory_available_threshold = 100000000
# Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
low_memory_available_treat_missing_data = "missing"
# When configured, the upper limit to which Amazon RDS can automatically scale
# the storage of the DB instance. Configuring this will automatically ignore
# differences to allocated_storage. Must be greater than or equal to
# allocated_storage or 0 to disable Storage Autoscaling.
max_allocated_storage = 0
# The number of read replicas to deploy
num_read_replicas = 0
# Specifies whether Performance Insights are enabled. Performance Insights can
# be enabled for specific versions of database engines. See
# https://aws.amazon.com/rds/performance-insights/ for more details.
performance_insights_enabled = false
# The port the DB will listen on (e.g. 3306). Alternatively, this can be
# provided via AWS Secrets Manager. See the description of
# db_config_secrets_manager_id.
port = null
# If you wish to make your database accessible from the public Internet, set
# this flag to true (WARNING: NOT RECOMMENDED FOR REGULAR USAGE!!). The
# default is false, which means the database is only accessible from within
# the VPC, which is much more secure. This flag MUST be false for serverless
# mode.
publicly_accessible = false
# The domain name to create a route 53 record for the read replicas of the RDS
# database.
replica_domain_name = null
# Determines whether a final DB snapshot is created before the DB instance is
# deleted. Be very careful setting this to true; if you do, and you delete
# this DB instance, you will not have any backups of the data! You almost
# never want to set this to true, unless you are doing automated or manual
# testing.
skip_final_snapshot = false
# Specifies whether the DB instance is encrypted.
storage_encrypted = true
# The type of storage to use for the primary instance. Must be one of
# 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (general purpose
# SSD that needs iops independently), or 'io1' (provisioned IOPS SSD).
storage_type = "gp2"
# Trigger an alarm if the number of connections to the DB instance goes above
# this threshold.
too_many_db_connections_threshold = null
# Sets how this alarm should handle entering the INSUFFICIENT_DATA state.
# Based on
# https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data.
# Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
too_many_db_connections_treat_missing_data = "missing"
}
Reference
- Inputs
- Outputs
Required
name
stringThe name used to namespace all the RDS resources created by these templates, including the cluster and cluster instances (e.g. mysql-stage). Must be unique in this region. Must be a lowercase string.
primary_instance_id
stringAn ID of the primary DB instance to create read replicas from
vpc_id
stringThe ID of the VPC in which to deploy RDS.
Optional
alarms_sns_topic_arns
list(string)The ARNs of SNS topics where CloudWatch alarms (e.g., for CPU, memory, and disk space usage) should send notifications. Also used for the alarms if the share snapshot backup job fails.
[]
allow_connections_from_cidr_blocks
list(string)The list of network CIDR blocks to allow network access to RDS from. One of allow_connections_from_cidr_blocks
or allow_connections_from_security_groups
must be specified for the database to be reachable.
[]
allow_connections_from_security_groups
list(string)The list of IDs or Security Groups to allow network access to RDS from. All security groups must either be in the VPC specified by vpc_id
, or a peered VPC with the VPC specified by vpc_id
. One of allow_connections_from_cidr_blocks
or allow_connections_from_security_groups
must be specified for the database to be reachable.
[]
Indicates whether major version upgrades (e.g. 9.4.x to 9.5.x) will ever be permitted. Note that these updates must always be manually performed and will never be automatically applied.
true
If true, both the CMK's Key Policy and IAM Policies (permissions) can be used to grant permissions on the CMK. If false, only the CMK's Key Policy can be used to grant permissions on the CMK. False is more secure (and generally preferred), but true is more flexible and convenient.
false
Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Note that cluster modifications may cause degraded performance or downtime.
false
Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. If set to true, you should set engine_version
to MAJOR.MINOR and omit the .PATCH at the end (e.g., use 5.7 and not 5.7.11); otherwise, you'll get Terraform state drift. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance.html#engine_version for more details.
true
backup_retention_period
numberHow many days to keep backup snapshots around before cleaning them up. Must be 1 or greater to support read replicas.
30
cmk_administrator_iam_arns
list(string)A list of IAM ARNs for users who should be given administrator access to this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). If this list is empty, and kms_key_arn
is null, the ARN of the current user will be used.
[]
cmk_external_user_iam_arns
list(string)A list of IAM ARNs for users from external AWS accounts who should be given permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:root).
[]
cmk_user_iam_arns
list(object(…))A list of IAM ARNs for users who should be given permissions to use this CMK (e.g. arn:aws:iam::<aws-account-id>:user/<iam-user-arn>). If this list is empty, and kms_key_arn
is null, the ARN of the current user will be used.
list(object({
name = list(string)
conditions = list(object({
test = string
variable = string
values = list(string)
}))
}))
[]
Example
[
{
name = "arn:aws:iam::0000000000:user/dev"
conditions = [{
test = "StringLike"
variable = "kms:ViaService"
values = ["s3.ca-central-1.amazonaws.com"]
}]
},
]
Copy all the RDS instance tags to snapshots. Default is false.
false
If set to true, create a KMS CMK and use it to encrypt data on disk in the database. The permissions for this CMK will be assigned by the following variables: cmk_administrator_iam_arns, cmk_user_iam_arns, cmk_external_user_iam_arns, allow_manage_key_permissions.
false
Set to true if you want a DNS record automatically created and pointed at the RDS endpoints.
false
custom_parameter_group
object(…)Configure a custom parameter group for the RDS DB. This will create a new parameter group with the given parameters. When null, the database will be launched with the default parameter group.
object({
# Name of the parameter group to create
name = string
# The family of the DB parameter group.
family = string
# The parameters to configure on the created parameter group.
parameters = list(object({
# Parameter name to configure.
name = string
# Vaue to set the parameter.
value = string
# When to apply the parameter. "immediate" or "pending-reboot".
apply_method = string
}))
})
null
Details
The family of the DB parameter group.
Details
The parameters to configure on the created parameter group.
Details
Vaue to set the parameter.
Details
When to apply the parameter. "immediate" or "pending-reboot".
custom_tags
map(string)A map of custom tags to apply to the RDS Instance and the Security Group created for it. The key is the tag name and the value is the tag value.
{}
Parameters for the cpu usage widget to output for use in a CloudWatch dashboard.
object({
# The period in seconds for metrics to sample across.
period = number
# The width and height of the widget in grid units in a 24 column grid. E.g., a value of 12 will take up half the
# space.
width = number
height = number
})
{
height = 6,
period = 60,
width = 8
}
Details
The width and height of the widget in grid units in a 24 column grid. E.g., a value of 12 will take up half the
space.
Parameters for the database connections widget to output for use in a CloudWatch dashboard.
object({
# The period in seconds for metrics to sample across.
period = number
# The width and height of the widget in grid units in a 24 column grid. E.g., a value of 12 will take up half the
# space.
width = number
height = number
})
{
height = 6,
period = 60,
width = 8
}
Details
The width and height of the widget in grid units in a 24 column grid. E.g., a value of 12 will take up half the
space.
Parameters for the available disk space widget to output for use in a CloudWatch dashboard.
object({
# The period in seconds for metrics to sample across.
period = number
# The width and height of the widget in grid units in a 24 column grid. E.g., a value of 12 will take up half the
# space.
width = number
height = number
})
{
height = 6,
period = 60,
width = 8
}
Details
The width and height of the widget in grid units in a 24 column grid. E.g., a value of 12 will take up half the
space.
dashboard_memory_widget_parameters
object(…)Parameters for the available memory widget to output for use in a CloudWatch dashboard.
object({
# The period in seconds for metrics to sample across.
period = number
# The width and height of the widget in grid units in a 24 column grid. E.g., a value of 12 will take up half the
# space.
width = number
height = number
})
{
height = 6,
period = 60,
width = 8
}
Details
The width and height of the widget in grid units in a 24 column grid. E.g., a value of 12 will take up half the
space.
Parameters for the read latency widget to output for use in a CloudWatch dashboard.
object({
# The period in seconds for metrics to sample across.
period = number
# The width and height of the widget in grid units in a 24 column grid. E.g., a value of 12 will take up half the
# space.
width = number
height = number
})
{
height = 6,
period = 60,
width = 8
}
Details
The width and height of the widget in grid units in a 24 column grid. E.g., a value of 12 will take up half the
space.
Parameters for the read latency widget to output for use in a CloudWatch dashboard.
object({
# The period in seconds for metrics to sample across.
period = number
# The width and height of the widget in grid units in a 24 column grid. E.g., a value of 12 will take up half the
# space.
width = number
height = number
})
{
height = 6,
period = 60,
width = 8
}
Details
The width and height of the widget in grid units in a 24 column grid. E.g., a value of 12 will take up half the
space.
Set to true to enable several basic CloudWatch alarms around CPU usage, memory usage, and disk space usage. If set to true, make sure to specify SNS topics to send notifications to using alarms_sns_topic_arn
.
true
When true, enable CloudWatch metrics for the manual snapshots created for the purpose of sharing with another account.
true
Enable deletion protection on the RDS instance. If this is enabled, the database cannot be deleted prior to disabling
false
Set to true to enable alarms related to performance, such as read and write latency alarms. Set to false to disable those alarms if you aren't sure what would be reasonable perf numbers for your RDS set up or if those numbers are too unpredictable.
true
enabled_cloudwatch_logs_exports
list(string)List of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine): alert, audit, error, general, listener, slowquery, trace, postgresql (PostgreSQL) and upgrade (PostgreSQL).
[]
The period, in seconds, over which to measure the CPU utilization percentage.
60
Trigger an alarm if the DB instance has a CPU utilization percentage above this threshold.
90
Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
"missing"
high_read_latency_period
numberThe period, in seconds, over which to measure the read latency.
60
Trigger an alarm if the DB instance read latency (average amount of time taken per disk I/O operation), in seconds, is above this threshold.
5
The period, in seconds, over which to measure the write latency.
60
Trigger an alarm if the DB instance write latency (average amount of time taken per disk I/O operation), in seconds, is above this threshold.
5
hosted_zone_id
stringThe ID of the Route 53 hosted zone into which the Route 53 DNS record should be written
null
Specifies whether mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled. Disabled by default.
false
instance_type
stringThe instance type to use for the db (e.g. db.t3.micro)
"db.t3.micro"
iops
numberThe amount of provisioned IOPS for the primary instance. Setting this implies a storage_type of 'io1'. Can only be set when storage_type is 'gp3' or 'io1'. Set to 0 to disable.
0
kms_key_arn
stringThe Amazon Resource Name (ARN) of an existing KMS customer master key (CMK) that will be used to encrypt/decrypt backup files. If you leave this blank, the default RDS KMS key for the account will be used. If you set create_custom_kms_key
to true, this value will be ignored and a custom key will be created and used instead.
null
The period, in seconds, over which to measure the available free disk space.
60
Trigger an alarm if the amount of disk space, in Bytes, on the DB instance drops below this threshold.
1000000000
Details
Default is 1GB (1 billion bytes)
Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
"missing"
The period, in seconds, over which to measure the available free memory.
60
Trigger an alarm if the amount of free memory, in Bytes, on the DB instance drops below this threshold.
100000000
Details
Default is 100MB (100 million bytes)
Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
"missing"
max_allocated_storage
numberWhen configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated_storage. Must be greater than or equal to allocated_storage or 0 to disable Storage Autoscaling.
0
num_read_replicas
numberThe number of read replicas to deploy
0
Specifies whether Performance Insights are enabled. Performance Insights can be enabled for specific versions of database engines. See https://aws.amazon.com/rds/performance-insights/ for more details.
false
port
numberThe port the DB will listen on (e.g. 3306). Alternatively, this can be provided via AWS Secrets Manager. See the description of db_config_secrets_manager_id.
null
If you wish to make your database accessible from the public Internet, set this flag to true (WARNING: NOT RECOMMENDED FOR REGULAR USAGE!!). The default is false, which means the database is only accessible from within the VPC, which is much more secure. This flag MUST be false for serverless mode.
false
replica_domain_name
stringThe domain name to create a route 53 record for the read replicas of the RDS database.
null
Determines whether a final DB snapshot is created before the DB instance is deleted. Be very careful setting this to true; if you do, and you delete this DB instance, you will not have any backups of the data! You almost never want to set this to true, unless you are doing automated or manual testing.
false
Specifies whether the DB instance is encrypted.
true
storage_type
stringThe type of storage to use for the primary instance. Must be one of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (general purpose SSD that needs iops independently), or 'io1' (provisioned IOPS SSD).
"gp2"
Trigger an alarm if the number of connections to the DB instance goes above this threshold.
null
Details
The max number of connections allowed by RDS depends a) the type of DB, b) the DB instance type, and c) the
use case, and it can vary from ~30 all the way up to 5,000, so we cannot pick a reasonable default here.
Sets how this alarm should handle entering the INSUFFICIENT_DATA state. Based on https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-missing-data. Must be one of: 'missing', 'ignore', 'breaching' or 'notBreaching'.
"missing"
A list of all the CloudWatch Dashboard metric widgets available in this module.
A CloudWatch Dashboard widget that graphs CPU usage (percentage) on the RDS DB instance.
A CloudWatch Dashboard widget that graphs the number of active database connections on the RDS DB Instance.
A CloudWatch Dashboard widget that graphs available disk space (in bytes) on the RDS DB instance.
A CloudWatch Dashboard widget that graphs available memory (in bytes) on the RDS DB instance.
A CloudWatch Dashboard widget that graphs the average amount of time taken per disk I/O operation on reads.
A CloudWatch Dashboard widget that graphs the average amount of time taken per disk I/O operation on writes.
The name of the RDS DB instance.
The number of read replicas for the RDS DB instance.
The port of the RDS DB instance.
A list of ARNs of the RDS DB instance's read replicas.
A list of endpoints of the RDS DB instance's read replicas.
A list of IDs of the RDS DB instance's read replicas.