dasmeta/terraform-aws-rds

This Terraform module creates an AWS RDS cluster or instance using various engine types and configurations, and can optionally create an RDS Proxy attached to it.

NOTEs:

  • When creating RDS with a proxy, first create the RDS resources only, then enable the proxy and re-apply.
  • When you set parameters that require an instance restart (for example static parameters), make sure you have restarted the instance afterwards.

module upgrade guide

  • upgrading from versions <1.4.0 to >=1.4.0
    • make sure you move the state of the underlying "db" module with a command like the following:
      terraform state mv module.<rds-module-name>.module.db module.<rds-module-name>.module.db[0]
    • if you had no storage_type set explicitly, set it to "gp2"
  • upgrading from versions <1.6.5 to >=1.7.0
    • the Aurora cluster auto-scaling configs have been moved under the aurora_configs.autoscaling object, so update the old aurora_configs.autoscaling_* options to the corresponding aurora_configs.autoscaling.* ones
    • there are new options in aurora_configs.autoscaling to manage auto-scaling behaviour, and a new ability to define scheduled auto-scaling
    • NOTE: if auto-scaled instances exist in the cluster and you want to destroy the cluster via Terraform, you have to scale down and remove those instances manually before applying the cluster destruction
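As an added illustration (not taken from the module's README or tests), the following shows the flat `aurora_configs.autoscaling_*` keys named above rewritten into the post-1.7.0 `aurora_configs.autoscaling` object from the inputs table, including two scheduled scale actions. The schedule names, capacities, cron expressions and timezone are constructed values; the surrounding `engine`/`engine_version` assignments are placeholders and the module is assumed to route Aurora engines to its `db_aurora` submodule.

```hcl
# Added example: migrating the pre-1.7.0 flat keys to the nested autoscaling object.
# Values are constructed for illustration; engine/version placeholders must be replaced.

# Before (<1.6.5), kept as a comment for comparison only:
# aurora_configs = {
#   autoscaling_enabled      = true
#   autoscaling_min_capacity = 1
#   autoscaling_max_capacity = 4
# }

module "aurora" {
  source  = "dasmeta/rds/aws"
  version = "1.7.0" # assumption: any release >= 1.7.0 exposes the nested object

  identifier     = "reporting-db"
  engine         = "aurora-mysql"            # assumption: Aurora engine handled by the db_aurora submodule
  engine_version = "<aurora-engine-version>" # placeholder
  db_name        = "reporting"
  db_username    = "reporting_admin"

  manage_master_user_password = true # keeps the master password out of Terraform state

  vpc_id     = "vpc-xxxxxxxx"
  subnet_ids = ["subnet-xxxxxxxx", "subnet-yyyyyyyy"]

  # Required input per the inputs table; the topic ARN is a placeholder
  alarms = {
    sns_topic = "arn:aws:sns:<region>:<account-id>:<topic-name>"
  }

  aurora_configs = {
    engine_mode = "provisioned"

    # After (>=1.7.0): the same settings under aurora_configs.autoscaling
    autoscaling = {
      enabled                = true
      min_capacity           = 1
      max_capacity           = 4
      predefined_metric_type = "RDSReaderAverageCPUUtilization"
      target_cpu             = 70
      scale_in_cooldown      = 300
      scale_out_cooldown     = 300

      # Scheduled scaling: cron(min hour day month week-day year), as documented in the inputs table
      schedules = [
        {
          name         = "business-hours-scale-out"
          schedule     = "cron(0 8 ? * MON-FRI *)"
          min_capacity = 2
          max_capacity = 6
          timezone     = "Europe/Berlin"
        },
        {
          name         = "evening-scale-in"
          schedule     = "cron(0 20 ? * MON-FRI *)"
          min_capacity = 1
          max_capacity = 4
          timezone     = "Europe/Berlin"
        }
      ]
    }
  }
}
```

Before running `terraform destroy` on such a cluster, remember the NOTE above: read replicas created by auto-scaling are not tracked in state, so scale the policy down and remove those instances first or the destroy will fail part-way.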

How to use (more examples/tests can be found in the ./tests folder)

Case 1. Let the module create the security group and create RDS

data "aws_vpc" "main" {
  id = "vpc-xxxxxxx"
}

module "rds" {
  source  = "dasmeta/rds/aws"
  version = "1.4.0"

  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7.26"
  instance_class       = "db.t2.micro"
  identifier           = "db"
  db_name              = "db"
  db_username          = "root"
  db_password          = "some-password" # note: passed in clear text and stored in state, see the db_password input
  parameter_group_name = "default.mysql5.7"
  vpc_id               = data.aws_vpc.main.id # plain reference; the legacy "${...}" interpolation is no longer needed
  subnet_ids           = ["subnet-xxxxxxxx", "subnet-xxxxxx"]
  # create_security_group defaults to true, so the module creates the security group itself
}

Case 2. Create RDS and pass the ids of custom/externally created security groups

module "rds" {
  source  = "dasmeta/rds/aws"
  version = "1.4.0"

  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7.26"
  instance_class       = "db.t2.micro"
  identifier           = "db"
  db_name              = "db"
  db_username          = "root"
  db_password          = "some-password"
  parameter_group_name = "default.mysql5.7"

  vpc_id     = "vpc-xxxxxxxxxxxx"
  subnet_ids = ["subnet-xxxxxxx", "subnet-xxxxxxxx"]

  # Skip the module's own security group and attach an existing one instead
  create_security_group  = false
  vpc_security_group_ids = ["sg-xxxxxxxxx"]
}
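Added example (not from the module's README or tests): a hardened single-instance MySQL deployment that builds on Case 2 and additionally enables RDS Proxy, using only inputs that appear in the inputs table below. All IDs, ARNs and the engine version are placeholders; the `version` constraint, the `"REQUIRED"` value for `proxy.iam_auth`, and `performance_schema` being a static (reboot-requiring) MySQL parameter are assumptions noted in the comments.

```hcl
# Added example: hardened MySQL instance behind RDS Proxy. Placeholders must be replaced.
module "rds_hardened" {
  source  = "dasmeta/rds/aws"
  version = "1.7.0" # assumption: a release >= 1.7.0 that exposes every input used below

  identifier     = "app-db"
  engine         = "mysql"
  engine_version = "<mysql-engine-version>" # placeholder: choose a currently supported version
  instance_class = "db.t3.micro"
  db_name        = "app"
  db_username    = "app_admin"

  # Let RDS generate and store the master password in Secrets Manager instead of
  # passing db_password, which the inputs table warns ends up in logs and in state.
  manage_master_user_password = true

  # Network placement: private subnets, no public endpoint, externally managed security group
  vpc_id                 = "vpc-xxxxxxxx"
  subnet_ids             = ["subnet-xxxxxxxx", "subnet-yyyyyyyy"]
  publicly_accessible    = false
  create_security_group  = false
  vpc_security_group_ids = ["sg-xxxxxxxx"]

  # Data protection and recovery
  storage_encrypted       = true
  deletion_protection     = true
  skip_final_snapshot     = false
  backup_retention_period = 35
  multi_az                = true

  # Client authentication: TLS enforced, IAM auth available alongside native auth
  enforce_client_tls                  = true
  iam_database_authentication_enabled = true

  # Audit trail: the default `options` input configures MARIADB_AUDIT_PLUGIN, which produces
  # the audit log; the option group must actually be created for the export to have data.
  create_db_option_group                 = true
  enabled_cloudwatch_logs_exports        = ["audit", "error", "slowquery"]
  cloudwatch_log_group_retention_in_days = 90
  enable_full_monitoring                 = true

  # Static parameters only take effect after a reboot (see the NOTE at the top of the page);
  # declaring pending-reboot makes that explicit instead of relying on "immediate".
  parameters = [
    {
      name         = "performance_schema" # assumption: static MySQL parameter requiring a restart
      value        = "1"
      context      = "instance"
      apply_method = "pending-reboot"
    }
  ]

  # Required input per the inputs table; the topic ARN is a placeholder
  alarms = {
    sns_topic = "arn:aws:sns:<region>:<account-id>:<topic-name>"
  }

  # RDS Proxy. Per the NOTE above: apply once with enabled = false, then set true and re-apply.
  proxy = {
    enabled             = true
    iam_auth            = "REQUIRED" # assumption: AWS value that makes the proxy require IAM auth
    target_db_cluster   = false      # single instance, not an Aurora cluster
    idle_client_timeout = 600        # drop idle client connections sooner than the 30 minute default
    debug_logging       = false      # enhanced logging can include query text; keep it off in production
  }

  tags = {
    Environment = "prod"
  }
}
```

The combination of `manage_master_user_password`, `enforce_client_tls`, `publicly_accessible = false` and an externally managed security group is what keeps the credential, the transport and the network exposure out of Terraform's hands; the log exports and `alarms` give the detection side something to work with.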

contribution

Please enable the git hooks by running the following command:

git config --global core.hooksPath ./githooks # enables git hooks globally

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws | n/a |

Modules

| Name | Source | Version |
|------|--------|---------|
| cloudwatch_metric_filters | dasmeta/monitoring/aws//modules/cloudwatch-log-based-metrics | 1.13.2 |
| cw_alerts | dasmeta/monitoring/aws//modules/alerts | 1.3.5 |
| db | terraform-aws-modules/rds/aws | 6.12.0 |
| db_aurora | terraform-aws-modules/rds-aurora/aws | 9.15.0 |
| proxy | ./modules/proxy | n/a |
| scheduled_scale | ./modules/scheduled-scale | n/a |
| security_group | terraform-aws-modules/security-group/aws | 5.2.0 |

Resources

| Name | Type |
|------|------|
| aws_db_instance.database | data source |
| aws_ec2_instance_type.this | data source |
| aws_vpc.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| alarms | n/a | <pre>object({<br>  enabled       = optional(bool, true)<br>  sns_topic     = string<br>  custom_values = optional(any, {})<br>})</pre> | n/a | yes |
| allocated_storage | The allocated storage in gigabytes | `number` | `20` | no |
| allow_major_version_upgrade | Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible | `bool` | `false` | no |
| apply_immediately | Specifies whether any database modifications are applied immediately, or during the next maintenance window | `bool` | `false` | no |
| aurora_configs | The AWS RDS Aurora specific configurations | <pre>object({<br>  engine_mode = optional(string, "provisioned") # The database engine mode. Valid values: global, multimaster, parallelquery, provisioned, serverless (serverless is deprecated)<br>  instances   = optional(any, {}) # Cluster instances configs<br>  autoscaling = optional(object({<br>    enabled                = optional(bool, false) # Whether autoscaling is enabled<br>    min_capacity           = optional(number, 0) # Min number of read replicas. NOTE: at cluster creation, if a value >0 is set (for example 1), sometimes the replicas are not created at this minimum and you need to open the auto-scaling config in the AWS console and save it without changes to trigger read replica creation at the configured min size<br>    max_capacity           = optional(number, 2) # Max number of read replicas permitted<br>    predefined_metric_type = optional(string, "RDSReaderAverageCPUUtilization") # The metric type to scale on. Valid values are RDSReaderAverageCPUUtilization and RDSReaderAverageDatabaseConnections<br>    scale_in_cooldown      = optional(number, 300) # Cooldown in seconds before allowing further scaling operations after a scale in<br>    scale_out_cooldown     = optional(number, 300) # Cooldown in seconds before allowing further scaling operations after a scale out<br>    target_cpu             = optional(number, 70) # CPU threshold which will initiate autoscaling<br>    target_connections     = optional(number, 700) # Average number of connections threshold which will initiate autoscaling. Default value is 70% of db.r4/r5/r6g.large's default max_connections<br>    schedules = optional(list(object({ # List of scheduled autoscale configs<br>      name         = string # The name of the scheduled scale<br>      schedule     = string # The schedule time to apply auto scale, can be cron(min hour day month week-day year), at(yyyy-mm-ddThh:mm:ss) or rate(value unit) formats<br>      min_capacity = optional(number) # If not set defaults to aurora_configs.autoscaling_min_capacity<br>      max_capacity = optional(number) # If not set defaults to aurora_configs.autoscaling_max_capacity<br>      timezone     = optional(string, null) # By default it uses UTC, available values can be found here: https://www.joda.org/joda-time/timezones.html<br>    })), [])<br>    scaling_configuration              = optional(any, {}) # map of nested attributes with scaling properties. Only valid when engine_mode is set to serverless<br>    serverlessv2_scaling_configuration = optional(any, {}) # for enabling serverless v2 (serverless v1, i.e. engine_mode=serverless with scaling_configuration set, is deprecated), valid when engine_mode is set to provisioned<br>  }), {})<br>})</pre> | `{}` | no |
| backup_retention_period | The days to retain backups for | `number` | `35` | no |
| backup_window | The daily time range (in UTC) during which automated backups are created if they are enabled. Example: '09:46-10:16'. Must not overlap with maintenance_window | `string` | `"03:00-06:00"` | no |
| cloudwatch_log_group_retention_in_days | The number of days to retain CloudWatch logs for the DB instance | `number` | `30` | no |
| create_cloudwatch_log_group | Determines whether a CloudWatch log group is created for each enabled_cloudwatch_logs_exports | `bool` | `true` | no |
| create_db_option_group | Create a database option group | `bool` | `false` | no |
| create_db_parameter_group | Whether to create a database parameter group | `bool` | `true` | no |
| create_db_subnet_group | Whether to create a database subnet group | `bool` | `true` | no |
| create_monitoring_role | Create IAM role with a defined name that permits RDS to send enhanced monitoring metrics to CloudWatch Logs | `bool` | `false` | no |
| create_security_group | Whether to create a security group and attach the ingress/egress rules used by the RDS instances (and the RDS proxy if enabled). If you already have one and do not want a new security group created, set this variable to false and pass the group id via var.vpc_security_group_ids | `bool` | `true` | no |
| database_insights_mode | The mode of Database Insights to enable for the DB cluster. Valid values: standard, advanced | `string` | `null` | no |
| db_instance_tags | Additional tags for the DB instance | `map(any)` | `{}` | no |
| db_name | The DB name to create. If omitted, no database is created initially | `string` | `""` | no |
| db_option_group_tags | Additional tags for the DB option group | `map(any)` | `{}` | no |
| db_parameter_group_tags | n/a | `map(any)` | `{}` | no |
| db_password | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file | `string` | `""` | no |
| db_subnet_group_name | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC | `string` | `null` | no |
| db_subnet_group_tags | Additional tags for the DB parameter group | `map(any)` | `{}` | no |
| db_subnet_group_use_name_prefix | Determines whether to use subnet_group_name as is or create a unique name beginning with the subnet_group_name as the prefix | `bool` | `false` | no |
| db_username | Username for the master DB user | `string` | `""` | no |
| deletion_protection | The database can't be deleted when this value is set to true | `bool` | `false` | no |
| egress_with_cidr_blocks | n/a | `list(map(string))` | `[]` | no |
| enable_full_monitoring | Config allowing to enable all available monitoring tooling on the database. This is just a wrapper shortcut so that Performance Insights and database query monitoring do not have to be configured manually | `bool` | `false` | no |
| enabled_cloudwatch_logs_exports | List of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine): alert, audit, error, general, listener, slowquery, trace, postgresql (PostgreSQL), upgrade (PostgreSQL) | `list(string)` | `[]` | no |
| enforce_client_tls | Parameter to enforce TLS connections from clients | `bool` | `true` | no |
| engine | The database engine to use | `string` | `"mysql"` | no |
| engine_version | The engine version to use | `string` | `"5.7.26"` | no |
| iam_database_authentication_enabled | Specifies whether or not the mappings of AWS Identity and Access Management (IAM) accounts to database accounts are enabled | `bool` | `true` | no |
| identifier | Specifies the identifier of the CA certificate for the DB instance | `string` | n/a | yes |
| ingress_with_cidr_blocks | n/a | `list(map(string))` | `[]` | no |
| instance_class | The instance type of the RDS instance | `string` | `"db.t3.micro"` | no |
| maintenance_window | The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00' | `string` | `"Mon:01:00-Mon:02:00"` | no |
| major_engine_version | Specifies the major version of the engine that this option group should be associated with | `string` | `"5.7"` | no |
| manage_master_user_password | Set to true to allow RDS to manage the master user password in Secrets Manager | `bool` | `false` | no |
| max_allocated_storage | Specifies the value for Storage Autoscaling | `number` | `100` | no |
| monitoring_interval | The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60 | `number` | `0` | no |
| monitoring_role_name | Name of the IAM role which will be created when create_monitoring_role is enabled | `string` | `null` | no |
| multi_az | Specifies if the RDS instance is multi-AZ | `bool` | `true` | no |
| options | A list of Options to apply | `list(any)` | <pre>[<br>  {<br>    "option_name": "MARIADB_AUDIT_PLUGIN",<br>    "option_settings": [<br>      {<br>        "name": "SERVER_AUDIT_EVENTS",<br>        "value": "CONNECT"<br>      },<br>      {<br>        "name": "SERVER_AUDIT_FILE_ROTATIONS",<br>        "value": "37"<br>      }<br>    ]<br>  }<br>]</pre> | no |
| parameters | A list of DB parameters (map) to apply | <pre>list(object({<br>  name         = string<br>  value        = string<br>  context      = optional(string, "instance") # The context where the parameter will be used, supported values are "instance" and "cluster"<br>  apply_method = optional(string, "immediate") # The apply method for the parameter, supported values are "immediate" and "pending-reboot"<br>}))</pre> | `[]` | no |
| performance_insights_enabled | Specifies whether Performance Insights is enabled or not, the default is false | `bool` | `false` | no |
| performance_insights_kms_key_arn | Specifies the KMS Key ID to encrypt Performance Insights data. If not specified, the default RDS KMS key will be used (aws/rds) | `string` | `null` | no |
| performance_insights_retention_period | Specifies the amount of time to retain Performance Insights data for. Defaults to 7 days if Performance Insights is enabled. Valid values are 7, month * 31 (where month is a number of months from 1-23), and 731. When using advanced database_insights_mode this value should be at least 465 | `number` | `null` | no |
| port | The port on which the DB accepts connections | `number` | `null` | no |
| proxy | The AWS RDS proxy specific configurations | <pre>object({<br>  enabled             = optional(bool, false) # whether rds proxy is enabled<br>  endpoints           = optional(any, {}) # map of {: } additional proxy endpoints (by default there is already one read/write endpoint), for more info check the resource doc https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy_endpoint<br>  client_auth_type    = optional(string, "MYSQL_NATIVE_PASSWORD") # The type of authentication the proxy uses for connections from clients<br>  iam_auth            = optional(string, "DISABLED") # Whether IAM auth is enabled<br>  target_db_cluster   = optional(bool, true) # Whether the target db is a cluster<br>  debug_logging       = optional(bool, false) # Whether enhanced logging is enabled<br>  idle_client_timeout = optional(number, 1800) # The timeout of idle connections, default is 30 minutes<br>})</pre> | `{}` | no |
| publicly_accessible | Whether the database is accessible publicly. Note that if you need to enable this you have to place the db on public subnets | `bool` | `false` | no |
| replication_source_identifier | ARN of a source DB cluster or DB instance if this DB cluster is to be created as a Read Replica | `string` | `null` | no |
| security_group_description | n/a | `string` | `"MySQL security group"` | no |
| security_group_name | n/a | `string` | `"db_security_group"` | no |
| set_vpc_security_group_rules | Whether to automatically add security group rules allowing access to the db from the VPC network | `bool` | `true` | no |
| skip_final_snapshot | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted | `bool` | `false` | no |
| slow_queries | n/a | <pre>object({<br>  enabled        = optional(bool, true)<br>  query_duration = optional(number, 3)<br>})</pre> | <pre>{<br>  "enabled": true,<br>  "query_duration": 3<br>}</pre> | no |
| storage_encrypted | Specifies whether the DB instance is encrypted | `bool` | `true` | no |
| storage_type | One of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3', or 'io1' (provisioned IOPS SSD). The default is 'io1' if iops is specified, 'gp2' if not | `string` | `null` | no |
| subnet_ids | A list of VPC subnet IDs | `list(string)` | n/a | yes |
| tags | A mapping of tags to assign to all resources | `map(any)` | `{}` | no |
| vpc_id | n/a | `string` | `""` | no |
| vpc_security_group_ids | List of VPC security groups to associate | `list(string)` | `[]` | no |

Outputs

| Name | Description |
|------|-------------|
| cluster_endpoint | Aurora cluster read/write endpoint |
| cluster_instance_endpoint_suffix | Aurora cluster instances endpoint suffix part in the form '...rds.amazonaws.com' |
| cluster_reader_endpoint | Aurora cluster read endpoint |
| db_instance_address | The address of the RDS instance |
| db_instance_arn | The ARN of the RDS instance |
| db_instance_cloudwatch_log_groups | Map of CloudWatch log groups created and their attributes |
| db_instance_endpoint | The connection endpoint |
| db_instance_port | The database port |
| db_password | DB password |
| db_username | DB username |
