RDS PostgreSQL
module "rds_postgres" {
source = "<your_select_source>"
prefix = "<customer_name>"
name = "<paas_name>"
environment = "dev"
#db instance (server)
engine = "postgres"
engine_version = "14.1"
instance_class = "db.t3.small"
#db instance (storage)
allocated_storage = 20
storage_encrypted = true
max_allocated_storage = 50
#db instance (schema)
username = "postgres"
password = "qwertyuiop[]"
port = 5432
#db instance (monitoring)
is_enable_monitoring = true
monitoring_interval = 60
performance_insights_enabled = true
performance_insights_use_cmk = true
performance_insights_retention_period = 7
#db instance (backup)
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
backup_retention_period = 7
#db instance (additional)
skip_final_snapshot = false
deletion_protection = false
#db instance (logging)
enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
#security group
vpc_id = "vpc-0736560f271b12fa3"
additional_client_security_group_ingress_rules = [{
cidr_blocks = ["0.0.0.0/0"]
description = "allow from any"
from_port = 5432
is_cidr = true
is_sg = false
protocol = "tcp"
source_security_group_id = ""
to_port = 5432
},
{
cidr_blocks = ["0.0.0.0/0"]
description = "allow from any"
from_port = 80
is_cidr = false
is_sg = true
protocol = "tcp"
source_security_group_id = "<sg-id>"
to_port = 80
}]
additional_client_security_group_egress_rules = [{
cidr_blocks = ["0.0.0.0/0"]
description = "allow to any"
from_port = -1
is_cidr = true
is_sg = false
protocol = "all"
source_security_group_id = ""
to_port = -1
}]
#parameter group
family = "postgres14"
parameters = [{
"name" = "timezone"
"value" = "Asia/Bangkok"
"apply_method" = "immediate"
}]
#subnet group
subnet_ids = ["subnet-09ef78e7234432ce6", "subnet-0b8e065bee1ab6d50", "subnet-0e0c33e9873deaff8"]
custom_tags = {
"Workspace" : "<workspace_name>"
}
}
Microsoft SQL
module "rds_mssql" {
source = "<your_select_source>"
prefix = "<customer_name>"
name = "<paas_name>"
environment = "dev"
#db instance (server)
engine = "sqlserver-web"
engine_version = "15.00.4153.1.v1"
instance_class = "db.t3.small"
license_model = "license-included"
timezone = "GMT Standard Time"
#db instance (storage)
allocated_storage = 20
storage_encrypted = true
max_allocated_storage = 50
#db instance (schema)
username = "admin"
password = "qwertyuiop[]"
port = 1433
#db instance (monitoring)
is_enable_monitoring = true
monitoring_interval = 60
performance_insights_enabled = true
performance_insights_use_cmk = true
performance_insights_retention_period = 7
#db instance (backup)
maintenance_window = "Mon:00:00-Mon:03:00"
backup_window = "03:00-06:00"
backup_retention_period = 7
#db instance (additional)
skip_final_snapshot = false
deletion_protection = false
#db instance (logging)
enabled_cloudwatch_logs_exports = ["agent", "error"]
#security group
vpc_id = "vpc-0736560f271b12fa3"
additional_client_security_group_ingress_rules = [{
cidr_blocks = ["0.0.0.0/0"]
description = "allow from any"
from_port = 1433
is_cidr = true
is_sg = false
protocol = "tcp"
source_security_group_id = ""
to_port = 1433
},
{
cidr_blocks = ["0.0.0.0/0"]
description = "allow from any"
from_port = 80
is_cidr = false
is_sg = true
protocol = "tcp"
source_security_group_id = "<sg-id>"
to_port = 80
}]
additional_client_security_group_egress_rules = [{
cidr_blocks = ["0.0.0.0/0"]
description = "allow to any"
from_port = -1
is_cidr = true
is_sg = false
protocol = "all"
source_security_group_id = ""
to_port = -1
}]
#parameter group
family = "sqlserver-web-15.0"
parameters = [{
name = "<parameter_name>"
value = "<value>"
apply_method = immediate
}]
#subnet group
subnet_ids = ["subnet-09ef78e7234432ce6", "subnet-0b8e065bee1ab6d50", "subnet-0e0c33e9873deaff8"]
#option group
is_create_option_group = true
db_option_engine_name = "sqlserver-web"
db_option_major_engine_version = "15.00"
db_options = [{
option_name = "SQLSERVER_BACKUP_RESTORE"
db_security_group_memberships = []
port = null
version = ""
vpc_security_group_memberships = []
option_settings = [{
name = "IAM_ROLE_ARN"
value = "<role-backup-s3-arn>"
}]
}]
custom_tags = {
"Workspace" : "<workspace_name>"
}
}
Name | Version |
---|---|
terraform | >= 1.0.0 |
aws | >= 4.0.0 |
Name | Version |
---|---|
aws | 4.65.0 |
Name | Source | Version |
---|---|---|
cloudwatch_log_group_kms | oozou/kms-key/aws | 1.0.0 |
custom_rds_alarms | oozou/cloudwatch-alarm/aws | 1.0.0 |
rds_kms | oozou/kms-key/aws | 1.0.0 |
Name | Type |
---|---|
aws_cloudwatch_log_group.this | resource |
aws_cloudwatch_metric_alarm.cpu_utilization_too_high | resource |
aws_cloudwatch_metric_alarm.free_storage_space_too_low | resource |
aws_cloudwatch_metric_alarm.freeable_memory_too_low | resource |
aws_db_event_subscription.default | resource |
aws_db_instance.this | resource |
aws_db_option_group.this | resource |
aws_db_parameter_group.this | resource |
aws_db_subnet_group.this | resource |
aws_iam_role.enhanced_monitoring | resource |
aws_security_group.client | resource |
aws_security_group.cluster | resource |
aws_security_group_rule.additional_client_egress | resource |
aws_security_group_rule.additional_client_ingress | resource |
aws_security_group_rule.additional_cluster_ingress | resource |
aws_security_group_rule.from_client | resource |
aws_security_group_rule.to_cluster | resource |
aws_security_group_rule.to_internet | resource |
aws_caller_identity.this | data source |
aws_iam_policy_document.cloudwatch_log_group_kms_policy | data source |
aws_region.this | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_client_security_group_egress_rules | Additional egress rule for client security group. | list(object({ |
[] |
no |
additional_client_security_group_ingress_rules | Additional ingress rule for client security group. | list(object({ |
[] |
no |
additional_cluster_security_group_ingress_rules | Additional ingress rule for cluster security group. | list(object({ |
[] |
no |
additional_kms_key_policies | Additional IAM policies block, input as data source. Ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document | list(string) |
[] |
no |
allocated_storage | The allocated storage in gigabytes | number |
n/a | yes |
allow_major_version_upgrade | Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible | bool |
false |
no |
apply_immediately | Specifies whether any database modifications are applied immediately, or during the next maintenance window | bool |
false |
no |
auto_minor_version_upgrade | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window | bool |
true |
no |
availability_zone | The AZ for the RDS instance. | string |
"" |
no |
backup_retention_period | Number of days to retain automated backups. Typically 7 days for non-production and 30 days for production; the module default is 30 days (see the Default column) | number |
30 |
no |
backup_window | The daily time range (in UTC) during which automated backups are created if they are enabled. Example: '09:46-10:16'. Must not overlap with maintenance_window | string |
null |
no |
ca_cert_identifier | The identifier of the CA certificate for the DB instance | string |
null |
no |
cloudwatch_log_kms_key_arn | The ARN for the KMS encryption key. | string |
null |
no |
cloudwatch_log_retention_in_days | Number of days to retain log events. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. If you select 0, the events in the log group are always retained and never expire | number |
90 |
no |
copy_tags_to_snapshot | On delete, copy all Instance tags to the final snapshot (if final_snapshot_identifier is specified) | bool |
true |
no |
custom_rds_alarms_configure | custom_rds_alarms_configure = { cpu_utilization_too_high = { metric_name = "CPUUtilization" statistic = "Average" comparison_operator = ">=" threshold = "85" period = "300" evaluation_periods = "1" alarm_actions = [sns_topic_arn] ok_actions = [sns_topic_arn] } } |
any |
{} |
no |
custom_tags | Additional tags to add; default tags contain {terraform=true, environment=var.environment} | map(string) |
{} |
no |
db_option_engine_name | Specifies the name of the engine that this option group should be associated with. If is_create_option_group is set to true this parameter is required. Ref:https://docs.aws.amazon.com/cli/latest/reference/rds/create-option-group.html | string |
"" |
no |
db_option_group_name | if is_create_option_group is false, input existed option group name. If unspecified, the default option group will be used. | string |
"" |
no |
db_option_major_engine_version | Database MAJOR engine version, depends on engine type | string |
"" |
no |
db_options | A list of DB options to apply with an option group. Depends on DB engine | list(object({ |
[] |
no |
db_parameter_group_name_id | if is_create_parameter_group is false, input existed parameter group name id. If unspecified, the default parameter group will be used. | string |
null |
no |
db_subnet_group_name | if is_create_db_subnet_group is false, input existed subnet group name. If unspecified, the default vpc subnet group will be used. | string |
"" |
no |
default_alarm_actions | The list of actions to execute when this alarm transitions into an ALARM state from any other state. Each action is specified as an Amazon Resource Name (ARN). | list(string) |
[] |
no |
default_ok_actions | The list of actions to execute when this alarm transitions into an OK state from any other state. Each action is specified as an Amazon Resource Name (ARN). | list(string) |
[] |
no |
deletion_protection | The database can't be deleted when this value is set to true. | bool |
false |
no |
enabled_cloudwatch_logs_exports | List of log types to enable for exporting to CloudWatch Logs. If omitted, no logs will be exported. Valid values (depending on engine): MySQL and MariaDB: audit, error, general, slowquery. PostgreSQL: postgresql, upgrade. MSSQL: agent, error. Oracle: alert, audit, listener, trace. | list(string) |
[] |
no |
engine | The database engine to use | string |
n/a | yes |
engine_version | The engine version to use. If auto_minor_version_upgrade is enabled, you can provide a prefix of the version such as 5.7 (for 5.7.10). The actual engine version used is returned in the attribute engine_version_actual, defined below. | string |
n/a | yes |
environment | Environment name used as environment resources name. | string |
n/a | yes |
event_categories | A list of event categories for a SourceType that you want to subscribe to See http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html | list(string) |
[ |
no |
family | The database family to use | string |
n/a | yes |
iam_database_authentication_enabled | Specifies whether mappings of AWS Identity and Access Management (IAM) accounts to database accounts are enabled (IAM database authentication). Note the variable is typed as string, not bool | string |
false |
no |
instance_class | The instance type of the RDS instance | string |
n/a | yes |
iops | The amount of provisioned IOPS. Setting this implies a storage_type of 'io1' or 'gp3' | number |
null |
no |
is_create_db_instance | Whether to create db instance or not | bool |
true |
no |
is_create_db_subnet_group | Whether to create db subnet group or not | bool |
true |
no |
is_create_default_kms | Whether to create cloudwatch log group kms or not | bool |
true |
no |
is_create_option_group | Whether to create db option group or not (Require for some DB engine) | bool |
false |
no |
is_create_parameter_group | Whether to create parameter group or not | bool |
true |
no |
is_create_security_group | Determines whether to create security group for RDS cluster | bool |
true |
no |
is_enable_default_alarms | if enable the default alarms | bool |
false |
no |
is_enable_internet_access | Determines whether to enable the outbound internet access | bool |
false |
no |
is_enable_monitoring | Whether to enable enhanced monitoring. | bool |
false |
no |
kms_key_id | The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage_encrypted is set to true and kms_key_id is not specified the default KMS key created in your account will be used | string |
null |
no |
license_model | License model for this DB. Optional, but required for some DB engines. Valid values: license-included, bring-your-own-license, general-public-license | string |
"" |
no |
maintenance_window | The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00' | string |
null |
no |
max_allocated_storage | When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Must be greater than or equal to allocated_storage or leave as default to disable Storage Autoscaling | number |
0 |
no |
monitoring_interval | The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60. | number |
0 |
no |
monitoring_role_arn | The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Must be specified if monitoring_interval is non-zero. If unspecified, terraform will create new role. | string |
"" |
no |
multi_az | Specifies if the RDS instance is multi-AZ | bool |
false |
no |
name | Name used as a resources name. | string |
n/a | yes |
parameters | A list of DB parameter maps to apply | list(object({ |
[] |
no |
password | (Required unless a snapshot_identifier or replicate_source_db is provided) Password for the master DB user. Note that this may show up in logs, it is stored in plaintext in the state file, and it is exposed through the db_instance_master_password output. Pass it from a secret store or a sensitive variable rather than a literal in code. | string |
n/a | yes |
performance_insights_enabled | whether Performance Insights are enabled. | bool |
false |
no |
performance_insights_kms_key_id | The ARN for the KMS key to encrypt Performance Insights data. Once KMS key is set, it can never be changed. If performance_insights_enabled is set to true and performance_insights_use_cmk is set to false and performance_insights_kms_key_id is not specified the default KMS key in your account will be used | string |
null |
no |
performance_insights_retention_period | The amount of time in days to retain Performance Insights data. Either 7 (7 days) or 731 (2 years). | number |
null |
no |
performance_insights_use_cmk | whether Performance Insights encryption using customer managed key(KMS). | bool |
false |
no |
port | The port on which the DB accepts connections. Mostly, postgres=5432, mssql=1433, mariadb=3306 | number |
n/a | yes |
prefix | The prefix name of customer to be displayed in AWS console and resource. | string |
n/a | yes |
publicly_accessible | Bool to control if instance is publicly accessible | bool |
false |
no |
skip_final_snapshot | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final_snapshot_identifier | bool |
false |
no |
snapshot_identifier | Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05. | string |
null |
no |
storage_encrypted | Specifies whether the DB instance is encrypted | bool |
true |
no |
storage_throughput | The storage throughput value for the DB instance. Can only be set when storage_type is 'gp3' | number |
null |
no |
storage_type | One of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (general purpose SSD, supports storage_throughput), or 'io1' (provisioned IOPS SSD). The module default is 'gp2' (see the Default column); this differs from the bare aws_db_instance resource, whose default is 'io1' if iops is specified and 'standard' otherwise. | string |
"gp2" |
no |
subnet_ids | A list of VPC subnet IDs | list(string) |
[] |
no |
timeouts | Updated Terraform resource management timeouts. Applies to aws_db_instance in particular to permit resource management times |
map(string) |
{ |
no |
timezone | Time zone of the DB instance. timezone is currently only supported by Microsoft SQL Server. The timezone can only be set on creation. See MSSQL User Guide for more information. | string |
"" |
no |
username | (Required unless a snapshot_identifier or replicate_source_db is provided) Username for the master DB user. Cannot be specified for a replica. | string |
n/a | yes |
vpc_id | ID of the VPC where to create security group | string |
n/a | yes |
Name | Description |
---|---|
db_client_security_group_id | Security group id for the rds client. |
db_instance_address | The address of the RDS instance |
db_instance_arn | The ARN of the RDS instance |
db_instance_availability_zone | The availability zone of the RDS instance |
db_instance_ca_cert_identifier | Specifies the identifier of the CA certificate for the DB instance |
db_instance_domain | The ID of the Directory Service Active Directory domain the instance is joined to |
db_instance_domain_iam_role_name | The name of the IAM role to be used when making API calls to the Directory Service. |
db_instance_endpoint | The connection endpoint |
db_instance_hosted_zone_id | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
db_instance_id | The RDS instance ID |
db_instance_master_password | The master password (plaintext in Terraform state; treat anything consuming this output as sensitive) |
db_instance_name | The database name |
db_instance_port | The database port |
db_instance_resource_id | The RDS Resource ID of this instance |
db_instance_status | The RDS instance status |
db_instance_username | The master username for the database |
db_security_group_id | Security group id for the rds. |