Skip to content

Latest commit

 

History

History
543 lines (400 loc) · 44 KB

README.md

File metadata and controls

543 lines (400 loc) · 44 KB

terraform-aws-rds Latest Release Slack Community

README Header

Cloud Posse

Terraform module to provision AWS RDS instances


This project is part of our comprehensive "SweetOps" approach towards DevOps.

Terraform Open Source Modules

It's 100% Open Source and licensed under the APACHE2.

We literally have hundreds of terraform modules that are Open Source and well-maintained. Check them out!

Introduction

The module will create:

  • DB instance (MySQL, Postgres, SQL Server, Oracle)
  • DB Option Group (will create a new one or you may use an existing)
  • DB Parameter Group
  • DB Subnet Group
  • DB Security Group
  • DNS Record in Route53 for the DB endpoint

Security & Compliance

Security scanning is graciously provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance.

Benchmark Description
Infrastructure Security Infrastructure Security Compliance
CIS KUBERNETES Center for Internet Security, KUBERNETES Compliance
CIS AWS Center for Internet Security, AWS Compliance
CIS AZURE Center for Internet Security, AZURE Compliance
PCI-DSS Payment Card Industry Data Security Standards Compliance
NIST-800-53 National Institute of Standards and Technology Compliance
ISO27001 Information Security Management System, ISO/IEC 27001 Compliance
SOC2 Service Organization Control 2 Compliance
CIS GCP Center for Internet Security, GCP Compliance
HIPAA Health Insurance Portability and Accountability Compliance

Usage

IMPORTANT: We do not pin modules to versions in our examples because of the difficulty of keeping the versions in the documentation in sync with the latest released versions. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable, and update versions in a systematic way so that they do not catch you by surprise.

Also, because of a bug in the Terraform registry (hashicorp/terraform#21417), the registry shows many of our inputs as required when in fact they are optional. The table below correctly indicates which inputs are required.

module "rds_instance" {
    source = "cloudposse/rds/aws"
    # Cloud Posse recommends pinning every module to a specific version
    # version = "x.x.x"
    namespace                   = "eg"
    stage                       = "prod"
    name                        = "app"
    dns_zone_id                 = "Z89FN1IW975KPE"
    host_name                   = "db"
    security_group_ids          = ["sg-xxxxxxxx"]
    ca_cert_identifier          = "rds-ca-2019"
    allowed_cidr_blocks         = ["XXX.XXX.XXX.XXX/32"]
    database_name               = "wordpress"
    database_user               = "admin"
    database_password           = "xxxxxxxxxxxx"
    database_port               = 3306
    multi_az                    = true
    storage_type                = "gp2"
    allocated_storage           = 100
    storage_encrypted           = true
    engine                      = "mysql"
    engine_version              = "5.7.17"
    major_engine_version        = "5.7"
    instance_class              = "db.t2.medium"
    db_parameter_group          = "mysql5.7"
    option_group_name           = "mysql-options"
    publicly_accessible         = false
    subnet_ids                  = ["sb-xxxxxxxxx", "sb-xxxxxxxxx"]
    vpc_id                      = "vpc-xxxxxxxx"
    snapshot_identifier         = "rds:production-2015-06-26-06-05"
    auto_minor_version_upgrade  = true
    allow_major_version_upgrade = false
    apply_immediately           = false
    maintenance_window          = "Mon:03:00-Mon:04:00"
    skip_final_snapshot         = false
    copy_tags_to_snapshot       = true
    backup_retention_period     = 7
    backup_window               = "22:00-03:00"

    db_parameter = [
      { name  = "myisam_sort_buffer_size"   value = "1048576" },
      { name  = "sort_buffer_size"          value = "2097152" }
    ]

    db_options = [
      { option_name = "MARIADB_AUDIT_PLUGIN"
          option_settings = [
            { name = "SERVER_AUDIT_EVENTS"           value = "CONNECT" },
            { name = "SERVER_AUDIT_FILE_ROTATIONS"   value = "37" }
          ]
      }
    ]
}

Character Sets

If you wish to create the database in a specific character set you can use one of the following options depending on your database engine of choice.

For Oracle and Microsoft SQL you can specify charset name as an input variable to this module. For example, for Microsoft SQL, you could use:

module "rds_instance" {
  ...
  charset_name                   = "Korean_Wansung_CI_AS"
  ...
}

For mysql and mariadb engines character set of the database can be defined via db_parameter. In this example the database is created with utf8mb4 (character set) and utf8mb4_unicode_ci (collation):

module "rds_instance" {
  ...
  db_parameter = [
    {
      name = "character_set_server"
      value = "utf8mb4"
      apply_method = "immediate"
    },
    {
      name = "collation_server"
      value = "utf8mb4_unicode_ci"
      apply_method = "immediate"
    }
  ]
  ...
}

Makefile Targets

Available targets:

  help                                Help screen
  help/all                            Display help for all targets
  help/short                          This help short screen
  lint                                Lint terraform code

Requirements

Name Version
terraform >= 1.0.0
aws >= 4.9.0

Providers

Name Version
aws >= 4.9.0

Modules

Name Source Version
dns_host_name cloudposse/route53-cluster-hostname/aws 0.12.2
final_snapshot_label cloudposse/label/null 0.25.0
this cloudposse/label/null 0.25.0

Resources

Name Type
aws_db_instance.default resource
aws_db_option_group.default resource
aws_db_parameter_group.default resource
aws_db_subnet_group.default resource
aws_security_group.default resource
aws_security_group_rule.egress resource
aws_security_group_rule.ingress_cidr_blocks resource
aws_security_group_rule.ingress_security_groups resource

Inputs

Name Description Type Default Required
additional_tag_map Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.
map(string) {} no
allocated_storage The allocated storage in GBs. Required unless a snapshot_identifier or replicate_source_db is provided. number null no
allow_major_version_upgrade Allow major version upgrade bool false no
allowed_cidr_blocks The whitelisted CIDRs which to allow ingress traffic to the DB instance list(string) [] no
apply_immediately Specifies whether any database modifications are applied immediately, or during the next maintenance window bool false no
associate_security_group_ids The IDs of the existing security groups to associate with the DB instance list(string) [] no
attributes ID element. Additional attributes (e.g. workers or cluster) to add to id,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the delimiter
and treated as a single ID element.
list(string) [] no
auto_minor_version_upgrade Allow automated minor version upgrade (e.g. from Postgres 9.5.3 to Postgres 9.5.4) bool true no
availability_zone The AZ for the RDS instance. Specify one of subnet_ids, db_subnet_group_name or availability_zone. If availability_zone is provided, the instance will be placed into the default VPC or EC2 Classic string null no
backup_retention_period Backup retention period in days. Must be > 0 to enable backups number 0 no
backup_window When AWS can perform DB snapshots, can't overlap with maintenance window string "22:00-03:00" no
ca_cert_identifier The identifier of the CA certificate for the DB instance string null no
charset_name The character set name to use for DB encoding. Oracle & Microsoft SQL only. For other engines use db_parameter string null no
context Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as null to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.
any
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
no
copy_tags_to_snapshot Copy tags from DB to a snapshot bool true no
database_name The name of the database to create when the DB instance is created string null no
database_password Password for the primary DB user. Required unless a snapshot_identifier or replicate_source_db is provided. string null no
database_port Database port (_e.g._ 3306 for MySQL). Used in the DB Security Group to allow access to the DB instance from the provided security_group_ids number n/a yes
database_user Username for the primary DB user. Required unless a snapshot_identifier or replicate_source_db is provided. string null no
db_options A list of DB options to apply with an option group. Depends on DB engine
list(object({
db_security_group_memberships = list(string)
option_name = string
port = number
version = string
vpc_security_group_memberships = list(string)

option_settings = list(object({
name = string
value = string
}))
}))
[] no
db_parameter A list of DB parameters to apply. Note that parameters may differ from a DB family to another
list(object({
apply_method = string
name = string
value = string
}))
[] no
db_parameter_group The DB parameter group family name. The value depends on DB engine used. See DBParameterGroupFamily for instructions on how to retrieve applicable value. string n/a yes
db_subnet_group_name Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. Specify one of subnet_ids, db_subnet_group_name or availability_zone string null no
deletion_protection Set to true to enable deletion protection on the RDS instance bool false no
delimiter Delimiter to be used between ID elements.
Defaults to - (hyphen). Set to "" to use no delimiter at all.
string null no
descriptor_formats Describe additional descriptors to be output in the descriptors output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
{<br> format = string<br> labels = list(string)<br>}
(Type is any so the map values can later be enhanced to provide additional options.)
format is a Terraform format string to be passed to the format() function.
labels is a list of labels, in order, to pass to format() function.
Label values will be normalized before being passed to format() so they will be
identical to how they appear in id.
Default is {} (descriptors output will be empty).
any {} no
dns_zone_id The ID of the DNS Zone in Route53 where a new DNS record will be created for the DB host name string "" no
enabled Set to false to prevent the module from creating any resources bool null no
enabled_cloudwatch_logs_exports List of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine): alert, audit, error, general, listener, slowquery, trace, postgresql (PostgreSQL), upgrade (PostgreSQL). list(string) [] no
engine Database engine type. Required unless a snapshot_identifier or replicate_source_db is provided. string null no
engine_version Database engine version, depends on engine type. Required unless a snapshot_identifier or replicate_source_db is provided. string n/a yes
environment ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' string null no
final_snapshot_identifier Final snapshot identifier e.g.: some-db-final-snapshot-2019-06-26-06-05 string "" no
host_name The DB host name created in Route53 string "db" no
iam_database_authentication_enabled Specifies whether or mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled bool false no
id_length_limit Limit id to this many characters (minimum 6).
Set to 0 for unlimited length.
Set to null for keep the existing setting, which defaults to 0.
Does not affect id_full.
number null no
instance_class Class of RDS instance string n/a yes
iops The amount of provisioned IOPS. Setting this implies a storage_type of 'io1'. Default is 0 if rds storage type is not 'io1' number 0 no
kms_key_arn The ARN of the existing KMS key to encrypt storage string "" no
label_key_case Controls the letter case of the tags keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the tags input.
Possible values: lower, title, upper.
Default value: title.
string null no
label_order The order in which the labels (ID elements) appear in the id.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
list(string) null no
label_value_case Controls the letter case of ID elements (labels) as included in id,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the tags input.
Possible values: lower, title, upper and none (no transformation).
Set this to title and set delimiter to "" to yield Pascal Case IDs.
Default value: lower.
string null no
labels_as_tags Set of labels (ID elements) to include as tags in the tags output.
Default is to include all labels.
Tags with empty values will not be included in the tags output.
Set to [] to suppress all generated tags.
Notes:
The value of the name tag, if included, will be the id, not the name.
Unlike other null-label inputs, the initial setting of labels_as_tags cannot be
changed in later chained modules. Attempts to change it will be silently ignored.
set(string)
[
"default"
]
no
license_model License model for this DB. Optional, but required for some DB Engines. Valid values: license-included | bring-your-own-license | general-public-license string "" no
maintenance_window The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi' UTC string "Mon:03:00-Mon:04:00" no
major_engine_version Database MAJOR engine version, depends on engine type string "" no
max_allocated_storage The upper limit to which RDS can automatically scale the storage in GBs number 0 no
monitoring_interval The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. Valid Values are 0, 1, 5, 10, 15, 30, 60. string "0" no
monitoring_role_arn The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs string null no
multi_az Set to true if multi AZ deployment must be supported bool false no
name ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a tag.
The "name" tag is set to the full id string. There is no tag with the value of the name input.
string null no
namespace ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique string null no
option_group_name Name of the DB option group to associate string "" no
parameter_group_name Name of the DB parameter group to associate string "" no
performance_insights_enabled Specifies whether Performance Insights are enabled. bool false no
performance_insights_kms_key_id The ARN for the KMS key to encrypt Performance Insights data. Once KMS key is set, it can never be changed. string null no
performance_insights_retention_period The amount of time in days to retain Performance Insights data. Either 7 (7 days) or 731 (2 years). number 7 no
publicly_accessible Determines if database can be publicly available (NOT recommended) bool false no
regex_replace_chars Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.
string null no
replicate_source_db Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate (if replicating within a single region) or ARN of the Amazon RDS Database to replicate (if replicating cross-region). Note that if you are creating a cross-region replica of an encrypted database you will also need to specify a kms_key_id. See DB Instance Replication and Working with PostgreSQL and MySQL Read Replicas for more information on using Replication. string null no
security_group_ids The IDs of the security groups from which to allow ingress traffic to the DB instance list(string) [] no
skip_final_snapshot If true (default), no snapshot will be made before deleting DB bool true no
snapshot_identifier Snapshot identifier e.g: rds:production-2019-06-26-06-05. If specified, the module create cluster from the snapshot string null no
stage ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' string null no
storage_encrypted (Optional) Specifies whether the DB instance is encrypted. The default is false if not specified bool true no
storage_type One of 'standard' (magnetic), 'gp2' (general purpose SSD), or 'io1' (provisioned IOPS SSD) string "standard" no
subnet_ids List of subnet IDs for the DB. DB instance will be created in the VPC associated with the DB subnet group provisioned using the subnet IDs. Specify one of subnet_ids, db_subnet_group_name or availability_zone list(string) [] no
tags Additional tags (e.g. {'BusinessUnit': 'XYZ'}).
Neither the tag keys nor the tag values will be modified by this module.
map(string) {} no
tenant ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for string null no
timezone Time zone of the DB instance. timezone is currently only supported by Microsoft SQL Server. The timezone can only be set on creation. See MSSQL User Guide for more information. string null no
vpc_id VPC ID the DB instance will be created in string n/a yes

Outputs

Name Description
hostname DNS host name of the instance
instance_address Address of the instance
instance_arn ARN of the instance
instance_endpoint DNS Endpoint of the instance
instance_id ID of the instance
option_group_id ID of the Option Group
parameter_group_id ID of the Parameter Group
resource_id The RDS Resource ID of this instance.
security_group_id ID of the Security Group
subnet_group_id ID of the created Subnet Group

Share the Love

Like this project? Please give it a ★ on our GitHub! (it helps us a lot)

Are you using this project or any of our other projects? Consider leaving a testimonial. =)

Related Projects

Check out these related projects.

Help

Got a question? We got answers.

File a GitHub issue, send us an email or join our Slack Community.

README Commercial Support

DevOps Accelerator for Startups

We are a DevOps Accelerator. We'll help you build your cloud infrastructure from the ground up so you can own it. Then we'll show you how to operate it and stick around for as long as you need us.

Learn More

Work directly with our team of DevOps experts via email, slack, and video conferencing.

We deliver 10x the value for a fraction of the cost of a full-time engineer. Our track record is not even funny. If you want things done right and you need it done FAST, then we're your best bet.

  • Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
  • Release Engineering. You'll have end-to-end CI/CD with unlimited staging environments.
  • Site Reliability Engineering. You'll have total visibility into your apps and microservices.
  • Security Baseline. You'll have built-in governance with accountability and audit logs for all changes.
  • GitOps. You'll be able to operate your infrastructure via Pull Requests.
  • Training. You'll receive hands-on training so your team can operate what we build.
  • Questions. You'll have a direct line of communication between our teams via a Shared Slack channel.
  • Troubleshooting. You'll get help to triage when things aren't working.
  • Code Reviews. You'll receive constructive feedback on Pull Requests.
  • Bug Fixes. We'll rapidly work with you to fix any bugs in our projects.

Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.

Discourse Forums

Participate in our Discourse Forums. Here you'll find answers to commonly asked questions. Most questions will be related to the enormous number of projects we support on our GitHub. Come here to collaborate on answers, find solutions, and get ideas about the products and services we value. It only takes a minute to get started! Just sign in with SSO using your GitHub account.

Newsletter

Sign up for our newsletter that covers everything on our technology radar. Receive updates on what we're up to on GitHub as well as awesome new projects we discover.

Office Hours

Join us every Wednesday via Zoom for our weekly "Lunch & Learn" sessions. It's FREE for everyone!

zoom

Contributing

Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.

Developing

If you are interested in being a contributor and want to get involved in developing this project or help out with our other projects, we would love to hear from you! Shoot us an email.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

  1. Fork the repo on GitHub
  2. Clone the project to your own machine
  3. Commit changes to your own branch
  4. Push your work back up to your fork
  5. Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

Copyright

Copyright © 2017-2022 Cloud Posse, LLC

License

License

See LICENSE for full details.

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.

Trademarks

All other trademarks referenced herein are the property of their respective owners.

About

This project is maintained and funded by Cloud Posse, LLC. Like it? Please let us know by leaving a testimonial!

Cloud Posse

We're a DevOps Professional Services company based in Los Angeles, CA. We ❤️ Open Source Software.

We offer paid support on all of our projects.

Check out our other projects, follow us on twitter, apply for a job, or hire us to help with your cloud strategy and implementation.

Contributors

Erik Osterman
Erik Osterman
Andriy Knysh
Andriy Knysh
Sergey Vasilyev
Sergey Vasilyev
Valeriy
Valeriy
Konstantin B
Konstantin B
drmikecrowe
drmikecrowe
Oscar Sullivan
Oscar Sullivan
Federico Márquez
Federico Márquez

README Footer Beacon