RDS Instance (PostgreSQL/MySQL)
Single-instance or Multi-AZ RDS with subnet/parameter/option groups, backups, and monitoring wired correctly.
Verification
- Live-tested: really deployed, verified, idempotent and destroyed in a cloud sandbox.
Conformance
- Static validation (fmt · validate · tflint)
- Security scan: findings disclosed (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live-tested — applied, verified, destroyed
Last verified 2026-06-19
Documentation
aws-rds
Single-instance or Multi-AZ RDS (PostgreSQL/MySQL/MariaDB) with subnet,
parameter, and option groups, backups, and monitoring wired correctly. Works
with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0.
Secure defaults:
- Storage always encrypted (AWS-managed `aws/rds` key, or your CMK via `kms_key_arn`)
- Master password generated by RDS and stored in Secrets Manager, never in state
- `publicly_accessible = false`, dedicated subnet group on your private subnets
- Deletion protection on and final snapshot kept (both overridable for test stacks)
- 7-day automated backups, tags copied to snapshots, auto minor version upgrades
- Dedicated parameter group, never the shared AWS default
- Enhanced monitoring: set `monitoring_interval > 0` and the module creates the IAM role
Usage
```hcl
module "db" {
  source = "./aws-rds"

  identifier             = "myapp-prod"
  engine                 = "postgres"
  engine_version         = "16.6"
  parameter_group_family = "postgres16"
  instance_class         = "db.r6g.large"
  multi_az               = true
  subnet_ids             = ["subnet-aaa", "subnet-bbb"]
  vpc_security_group_ids = ["sg-12345"]
  database_name          = "myapp"
  monitoring_interval    = 60
  tags                   = { Environment = "prod" }
}
```
The managed master password lands in Secrets Manager; read it via
master_user_secret_arn. For ephemeral environments set
deletion_protection = false and skip_final_snapshot = true.
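As an added example that is not part of the module's README and not the module's own code, the stack below combines the ephemeral-environment overrides above with a least-privilege way for an application to reach the RDS-managed credential: the app role is granted `secretsmanager:GetSecretValue` on exactly the secret ARN the module outputs, and, because IAM database authentication is turned on, `rds-db:connect` for one named database user on this instance's resource id. The subnet and security-group ids, the engine version, the `aws_iam_role.app` resource and the `app_iam` database user are placeholders and assumptions, not values from the page.

```hcl
# Added example, not the module's own code. Placeholders: subnet/SG ids,
# engine version, and the application role (aws_iam_role.app) that will
# connect to the database.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Assumed: an IAM role for the application (hypothetical name and trust policy).
resource "aws_iam_role" "app" {
  name = "myapp-ci-app"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
    }]
  })
}

module "db_ci" {
  source = "./aws-rds"

  identifier             = "myapp-ci"
  engine                 = "mysql"
  engine_version         = "8.0.40"       # placeholder; null takes the AWS default
  parameter_group_family = "mysql8.0"
  instance_class         = "db.t4g.micro" # Performance Insights stays off: unsupported on micro/small classes

  subnet_ids             = ["subnet-aaa", "subnet-bbb"] # >= 2 private subnets
  vpc_security_group_ids = ["sg-12345"]
  database_name          = "myapp"

  # Dedicated parameter group: refuse plaintext client connections.
  parameters = [
    { name = "require_secure_transport", value = "ON", apply_method = "immediate" },
  ]

  # create_option_group requires major_engine_version (see Inputs).
  create_option_group  = true
  major_engine_version = "8.0"

  enabled_cloudwatch_logs_exports     = ["error", "slowquery"]
  iam_database_authentication_enabled = true
  monitoring_interval                 = 60 # module creates the monitoring role

  # Ephemeral-stack overrides from the README; keep the defaults in production.
  deletion_protection = false
  skip_final_snapshot = true
  apply_immediately   = true

  tags = { Environment = "ci" }
}

locals {
  # Assumed name of the MySQL user created with AWSAuthenticationPlugin.
  app_db_user = "app_iam"
}

# Least privilege: the app may read exactly this one secret (the RDS-managed
# master credential) and may obtain an IAM auth token for one database user on
# exactly this instance. Only the secret's ARN is referenced, so the password
# never enters Terraform state.
data "aws_iam_policy_document" "app_db_access" {
  statement {
    sid       = "ReadMasterSecret"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [module.db_ci.master_user_secret_arn]
  }

  statement {
    sid     = "IamDbConnect"
    actions = ["rds-db:connect"]
    resources = [
      "arn:aws:rds-db:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:dbuser:${module.db_ci.instance_resource_id}/${local.app_db_user}"
    ]
  }
}

resource "aws_iam_role_policy" "app_db_access" {
  name   = "myapp-ci-db-access"
  role   = aws_iam_role.app.id
  policy = data.aws_iam_policy_document.app_db_access.json
}

output "db_endpoint" {
  value = module.db_ci.instance_endpoint
}
```

Two design choices worth noting. First, the example deliberately does not read the secret with a `data "aws_secretsmanager_secret_version"` block: that would copy the generated password into Terraform state and undo the "never in state" default, so the consumer receives the ARN and fetches the value at runtime. Second, the `rds-db:connect` grant only works once the `app_iam` user exists inside MySQL (created with the master credential, `CREATE USER 'app_iam' IDENTIFIED WITH AWSAuthenticationPlugin AS 'RDS';`); the IAM statement is scoped to that single user on this instance's resource id rather than to `dbuser:*`.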
Inputs
| Name | Type | Default | Description |
|---|---|---|---|
| identifier | string | — | Instance identifier; also names the groups (required) |
| engine | string | — | postgres, mysql, or mariadb (required) |
| engine_version | string | null | Engine version; null = AWS default |
| instance_class | string | "db.t4g.micro" | Instance class |
| parameter_group_family | string | — | e.g. postgres16, mysql8.0 (required) |
| parameters | list(object) | [] | Parameters {name, value, apply_method} |
| create_option_group | bool | false | Create an option group (MySQL/MariaDB) |
| major_engine_version | string | null | Required with create_option_group |
| options | list(object) | [] | Option-group options + settings |
| database_name | string | null | Initial database to create |
| master_username | string | "dbadmin" | Master username |
| master_password | string | null | Explicit password; null = Secrets-Manager-managed |
| port | number | null | Listener port; null = engine default |
| multi_az | bool | false | Multi-AZ standby |
| subnet_ids | list(string) | — | >= 2 private subnets (required) |
| vpc_security_group_ids | list(string) | — | Security groups (required) |
| storage_type | string | "gp3" | gp3/gp2/io1/io2 |
| allocated_storage | number | 20 | Initial storage GiB |
| max_allocated_storage | number | 100 | Autoscaling ceiling; 0 disables |
| iops | number | null | Provisioned IOPS |
| storage_throughput | number | null | gp3 throughput MiBps |
| kms_key_arn | string | null | CMK for storage encryption |
| backup_retention_period | number | 7 | Backup retention days (0–35) |
| preferred_backup_window | string | "02:00-03:00" | Daily backup window (UTC) |
| preferred_maintenance_window | string | "sun:04:00-sun:05:00" | Maintenance window |
| delete_automated_backups | bool | false | Drop backups on delete |
| skip_final_snapshot | bool | false | Skip final snapshot on destroy |
| deletion_protection | bool | true | Deletion protection |
| apply_immediately | bool | false | Apply changes immediately |
| enabled_cloudwatch_logs_exports | list(string) | [] | Log types to export |
| monitoring_interval | number | 0 | Enhanced monitoring seconds (0/1/5/10/15/30/60) |
| monitoring_role_arn | string | null | BYO monitoring role; null = module-created |
| performance_insights_enabled | bool | false | Performance Insights (unsupported on micro/small classes) |
| performance_insights_retention_period | number | 7 | PI retention days |
| performance_insights_kms_key_id | string | null | CMK for PI data |
| iam_database_authentication_enabled | bool | false | IAM DB auth (postgres/mysql) |
| ca_cert_identifier | string | null | CA bundle |
| tags | map(string) | {} | Tags for all resources |
Outputs
instance_id, instance_arn, instance_address, instance_endpoint,
instance_port, instance_resource_id, master_user_secret_arn,
db_subnet_group_name, parameter_group_name, option_group_name,
monitoring_role_arn.
Requirements
- Terraform or OpenTofu >= 1.6
- hashicorp/aws >= 6.0, < 7.0
Verification
Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.
License
Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).