The SourceFuse AWS Reference Architecture (ARC) Terraform module offers a comprehensive solution for efficiently managing Aurora, RDS cluster, RDS proxy and RDS (Relational Database Service) instances within the Amazon Web Services (AWS) environment. This Terraform module is designed to streamline the provisioning, configuration, and management of these database instances, leveraging best practices.
For more information about this repository and its usage, please see Terraform AWS ARC DB Usage Guide.
To see a full example, check out the main.tf file in the example folder.
| Name | Version |
|---|---|
| terraform | >= 1.3, < 2.0.0 |
| aws | >= 4.0, < 6.0 |
| null | >= 3.1 |
| random | >= 3.4 |
| Name | Version |
|---|---|
| aws | 5.73.0 |
| random | 3.6.3 |
| Name | Source | Version |
|---|---|---|
| proxy_security_group | ./modules/security-group | n/a |
| security_group | ./modules/security-group | n/a |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| allocated_storage | (optional) Storage for RDS instance | string |
20 |
no |
| allow_major_version_upgrade | Whether major version upgrades are allowed during maintenance windows. | bool |
false |
no |
| apply_immediately | Whether to apply changes immediately or during the next maintenance window. | bool |
false |
no |
| auto_minor_version_upgrade | Whether minor engine upgrades are applied automatically during the maintenance window. | bool |
true |
no |
| backup_retention_period | The number of days to retain backups for the DB cluster. | number |
7 |
no |
| ca_cert_identifier | The identifier of the CA certificate for the DB instance. If not specified, the RDS default CA is used. | string |
null |
no |
| ca_certificate_identifier | (optional) The CA certificate identifier to use for the DB cluster's server certificate. | string |
null |
no |
| copy_tags_to_snapshot | Whether to copy all tags to snapshots. | bool |
true |
no |
| database_name | The name of the database to create when the cluster is created. | string |
null |
no |
| db_cluster_parameter_group_name | (optional) A cluster parameter group to associate with the cluster. | string |
null |
no |
| db_instance_parameter_group_name | (optional) Instance parameter group to associate with all instances of the DB cluster. The db_instance_parameter_group_name parameter is only valid in combination with the allow_major_version_upgrade parameter. | string |
null |
no |
| db_server_class | Instance class for RDS instance | string |
"db.t3.medium" |
no |
| db_subnet_group_data | (optional) DB Subnet Group details | object({ |
n/a | yes |
| delete_automated_backups | (optional) Specifies whether to remove automated backups immediately after the DB cluster is deleted. Default is true. | string |
true |
no |
| deletion_protection | Whether to enable deletion protection for the DB cluster. | bool |
false |
no |
| enable_multi_az | Whether to enable Multi-AZ deployment for the RDS instance. | bool |
false |
no |
| enabled_cloudwatch_logs_exports | List of log types to export to CloudWatch Logs. Valid values: audit, error, general, slowquery. | list(string) |
[] |
no |
| engine | The database engine to use for the RDS cluster (e.g., aurora, aurora-mysql, aurora-postgresql). | string |
n/a | yes |
| engine_lifecycle_support | (optional) The life cycle type for this DB instance. This setting is valid for cluster types Aurora DB clusters and Multi-AZ DB clusters. Valid values are open-source-rds-extended-support, open-source-rds-extended-support-disabled. Default value is open-source-rds-extended-support | string |
"open-source-rds-extended-support" |
no |
| engine_mode | (optional) Database engine mode. Valid values: global (only valid for Aurora MySQL 1.21 and earlier), parallelquery, provisioned, serverless. Defaults to: provisioned Note :- For Serverless V2 , engine_mode should be "provisioned" but for simplecity "serverless" is expected Refer : https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#rds-serverless-v2-cluster |
string |
"provisioned" |
no |
| engine_type | (optional) Engine type, valid values are 'rds' or 'cluster' | string |
n/a | yes |
| engine_version | The version of the database engine to use. | string |
n/a | yes |
| environment | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | string |
n/a | yes |
| final_snapshot_identifier | (optional) Name of your final DB snapshot when this DB cluster is deleted. If omitted, no final snapshot will be made. | string |
null |
no |
| iam_database_authentication_enabled | Enable IAM database authentication for the RDS cluster. | bool |
false |
no |
| iops | The amount of provisioned IOPS. Required if using io1 storage type. | number |
0 |
no |
| kms_data | Configuration for KMS key settings for RDS encryption and performance insights: - create: (Optional) If true, a new KMS key is created. - kms_key_id: (Optional) The ID of an existing KMS key for RDS encryption. If null it used AWS managed keys - performance_insights_kms_key_id: (Optional) Key ID for Performance Insights. If null it used AWS managed keys - description: (Optional) description for the KMS key. - policy: (Optional) Specific policy for the KMS key. - deletion_window_in_days: (Optional) Number of days before deletion, default is 7. - enable_key_rotation: (Optional) Enables key rotation for security; defaults to true. |
object({ |
{ |
no |
| license_model | The license model for the DB instance (e.g., license-included, bring-your-own-license, general-public-license). | string |
n/a | yes |
| manage_user_password | (optional) Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master_password is provided." null - is equal to 'false', don't set it to false , known bug : hashicorp/terraform-provider-aws#31179 |
bool |
null |
no |
| monitoring_interval | The interval, in seconds, between points when Enhanced Monitoring metrics are collected. Valid values are 0, 1, 5, 10, 15, 30, 60. | number |
0 |
no |
| monitoring_role_arn | The ARN for the IAM role that allows RDS to send Enhanced Monitoring metrics to CloudWatch Logs. | string |
null |
no |
| name | The identifier for the RDS instance or cluster. | string |
n/a | yes |
| namespace | Namespace for the resources. | string |
n/a | yes |
| network_type | (optional) Network type of the cluster. Valid values: IPV4, DUAL. | string |
"IPV4" |
no |
| option_group_config | Configuration for RDS option group, with attributes to create or specify a group name, engine details, and database options including settings, ports, and versions. | object({ |
{ |
no |
| parameter_group_config | Configuration for RDS parameter group, with options to create or specify a group name, family, and a map of database parameters including settings and apply methods. | object({ |
{ |
no |
| password | The password for the database. | string |
null |
no |
| performance_insights_enabled | (optional) Valid only for Non-Aurora Multi-AZ DB Clusters. Enables Performance Insights for the RDS Cluster | bool |
false |
no |
| performance_insights_retention_period | The retention period (in days) for Performance Insights data. Valid values are 7, 731, or any value between 8 and 730. | number |
7 |
no |
| port | Port on which the DB accepts connections | number |
n/a | yes |
| preferred_backup_window | The daily time range during which backups are taken. | string |
"07:00-09:00" |
no |
| preferred_maintenance_window | The weekly time range during which maintenance can occur. | string |
"sun:06:00-sun:07:00" |
no |
| proxy_config | Configuration object for setting up an AWS RDS Proxy. It includes options for creating the proxy, connection pooling, authentication, and other proxy-specific settings. - create (optional): A boolean that determines whether to create the RDS Proxy resource. Defaults to false. - name (optional): The name of the RDS Proxy. If not specified, Terraform will create a default name. - engine_family: The database engine family for the proxy (e.g., "MYSQL", "POSTGRESQL"). - vpc_subnet_ids: List of VPC subnet IDs in which the proxy will be deployed. - security_group_data: List of security groups to associate with the RDS Proxy. - require_tls (optional): Boolean flag to enforce the use of TLS for client connections to the proxy. Defaults to false. - debug_logging (optional): Boolean flag to enable debug logging for the proxy. Defaults to false. - idle_client_timeout_secs (optional): Number of seconds before the proxy closes idle client connections. The minimum is 60 seconds (1 minute), and the maximum is 28,800 seconds (8 hours). Defaults to 1,800 seconds (30 minutes). - role_arn (optional): The ARN of the IAM role used by the proxy for accessing database credentials in AWS Secrets Manager. If null, Terraform will create a new IAM role. Authentication settings: - auth.auth_scheme: The authentication scheme to use (e.g., "SECRETS"). - auth.description (optional): A description of the authentication method. Defaults to null. - auth.iam_auth (optional): Specifies whether to use IAM authentication for the proxy. Defaults to "DISABLED". - auth.secret_arn: The ARN of the AWS Secrets Manager secret that contains the database credentials. - auth.client_password_auth_type: Specifies the password authentication type for the database. Connection pool configuration: - connection_pool_config.connection_borrow_timeout (optional): The amount of time (in seconds) a client connection can be held open before being returned to the pool. Defaults to 5 seconds. - connection_pool_config.init_query (optional): An optional initialization query executed when a connection is first established. Defaults to null. - connection_pool_config.max_connections_percent (optional): The maximum percentage of available database connections that the proxy can use. Defaults to 100%. - connection_pool_config.max_idle_connections_percent (optional): The maximum percentage of idle database connections that the proxy can keep open. Defaults to 50%. - connection_pool_config.session_pinning_filters (optional): List of filters for controlling session pinning behavior. Defaults to an empty list. |
object({ |
{ |
no |
| publicly_accessible | Whether the RDS instance should be publicly accessible. | bool |
false |
no |
| rds_cluster_instances | "(optional) A list of objects defining configurations for RDS Cluster instances. Each object represents a single RDS instance configuration within the cluster, including options for instance class, monitoring, performance insights, maintenance windows, and other instance-specific settings." name: Optional. Name of the instance (default: null). instance_class: The instance class for the RDS instance (e.g., db.r5.large). availability_zone: Optional. Specifies the availability zone for the instance (default: null). publicly_accessible: Optional. Whether the instance is publicly accessible (default: false). db_parameter_group_name: Optional. The name of the DB parameter group to associate with the instance (default: null). apply_immediately: Optional. Apply modifications immediately or during the next maintenance window (default: false). ca_cert_identifier: Optional. Identifier for the CA certificate for the instance (default: null). promotion_tier: Optional. Promotion tier for the instance within the cluster (default: 0). copy_tags_to_snapshot: Optional. Copy tags to snapshots (default: true). |
list(object({ |
[] |
no |
| security_group_data | (optional) Security Group data | object({ |
{ |
no |
| serverlessv2_scaling_config | Configuration for Serverless V2 scaling: - max_capacity: (Required) The maximum ACU capacity for scaling (e.g., 256.0). - min_capacity: (Required) The minimum ACU capacity for scaling (e.g., 0.5). |
object({ |
{ |
no |
| skip_final_snapshot | (optional) Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false. | string |
true |
no |
| storage_encrypted | Whether to enable storage encryption. | bool |
true |
no |
| storage_type | (optional) Required for Multi-AZ DB cluster) (Forces new for Multi-AZ DB clusters) Specifies the storage type to be associated with the DB cluster. For Aurora DB clusters, storage_type modifications can be done in-place. For Multi-AZ DB Clusters, the iops argument must also be set. Valid values are: "", aurora-iopt1 (Aurora DB Clusters); io1, io2 (Multi-AZ DB Clusters). Default: "" (Aurora DB Clusters); io1 (Multi-AZ DB Clusters). | string |
"" |
no |
| tags | A map of tags to assign to the DB Cluster. | map(string) |
{} |
no |
| username | The username for the database. | string |
n/a | yes |
| vpc_id | VPC Id for creating security group | string |
n/a | yes |
| Name | Description |
|---|---|
| arn | Instance or Cluster ARN |
| database | database name |
| endpoint | Instance or Cluster Endpoint |
| id | Instance or Cluster ID |
| identifier | Instance or Cluster Identifier |
| kms_key_id | Instance or Cluster KM Key ID |
| monitoring_role_arn | Instance or Cluster Monitoring role arn |
| performance_insights_kms_key_id | Instance or Cluster Performance insight KM Key ID |
| port | Dtabase server port |
| username | Username for the Database |
- Configure pre-commit hooks
pre-commit installwhile Contributing or doing git commit please specify the breaking change in your commit message whether its major,minor or patch
For Example
git commit -m "your commit message #major"By specifying this , it will bump the version and if you dont specify this in your commit message then by default it will consider patch and will bump that accordingly
- Tests are available in
testdirectory - Configure the dependencies
cd test
go mod init github.com/sourcefuse/terraform-aws-ref-arch-db
go get github.com/gruntwork-io/terratest/modules/terraform- Now execute the test
cd test/
go testThis project is authored by:
- SourceFuse ARC Team