Skip to content

guardianproject-ops/terraform-aws-rds-postgresql

BranchesTags

Repository files navigation

terraform-aws-rds-postgresql

The Guardian

Terraform module with opinions about deploying AWS RDS for Postgres

It's 100% Open Source and licensed under the GNU General Public License.

Introduction

This is an opinionated wrapper around the terraform-aws-modules/rds/aws module for easily deploying a Postgres RDS instance.

This module assumes

  • Your application/infra will create its own user and own database inside the RDS, and not use the root user
  • You want to run the latest minor version for your chosen major version 🏁
  • You will use an admin user to create other users and databases for your application, you will not use the admin user or db directly
  • AWS Secrets Manager will store the admin user password
  • AWS Secrets Manager will rotate the admin user password 🏁
  • You want cloudwatch alarms piping alerts into SNS 🏁

🏁 : indicates there are escape hatches using extra input variables

Defaults

  • You specify your chosen major version, and the minor version is automatically upgraded to latest
  • The master user is root, and the password is in AWS Secrets Manager and rotated every 7 days

Recomendations

  • Use RDS IAM Authentication for your users
  • Pin your major version
  • Set the iops var to an appropriate level for your workload
  • Set appropriate maintenance windows for minor version upgrades
  • Do not use the "root" user for your application, only admin operations
  • Use init containers or our ansible RDS playbook for initializing your user and database
  • Set max_allocated_storage to get storage autoscaling

Usage

IMPORTANT: We do not pin modules to versions in our examples because of the difficulty of keeping the versions in the documentation in sync with the latest released versions. We highly recommend that in your code you pin the version to the exact version you are using so that your infrastructure remains stable, and update versions in a systematic way so that they do not catch you by surprise.

Also, because of a bug in the Terraform registry (hashicorp/terraform#21417), the registry shows many of our inputs as required when in fact they are optional. The table below correctly indicates which inputs are required.

See examples/simple.

You choose your major postgres version with the postgres_major_version variable. If you want to pin to a specific minor version, then you also must specifiy engine_version and family. Refer to the Amazon RDS for PostgreSQL updates docs for current values.

module "db" {
  source                              = "guardianproject-ops/rds-postgresql/aws"
  context                             = module.label_db.context
  allocated_storage                   = 20
  allow_access_cidr_blocks            = [var.cidr_allowed_to_talk_to_my_rds]
  apply_immediately                   = true
  deletion_protection_enabled         = false
  postgres_major_version              = "17"
  instance_class                      = "db.t3.medium"
  alarms_sns_topics                   = [var.my_alarm_topic]
  subnet_ids                          = var.subnet_ids
  vpc_id                              = var.vpc_id
}

Notes

  1. For an RDS instance with storage_type using gp3, be aware that iops and storage_throughput cannot be specified if the allocated_storage value is below a per-engine threshold. See the RDS User Guide for details.

Requirements

Name Version
terraform >= 1.5.7
aws >= 5.78.0

Providers

Name Version
aws >= 5.78.0

Modules

Name Source Version
db terraform-aws-modules/rds/aws 6.10.0
rds_alarms lorenzoaiello/rds-alarms/aws 2.4.1
this cloudposse/label/null 0.25.0

Resources

Name Type
aws_security_group.this resource
aws_caller_identity.this data source
aws_rds_engine_version.this data source
aws_region.this data source
aws_secretsmanager_secret.db data source

Inputs

Name Description Type Default Required
additional_tag_map Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.		 map(string) {} no
admin_username The username for the root/admin account on the RDS instance string "root" no
alarms_enabled Whether or not to enable cloudwatch alarms bool true no
alarms_sns_topics List of ARNs for the SNS topics that will be notified when cloudwatch alarms trigger list(string) null no
allocated_storage The allocated storage in gigabytes number null no
allow_access_cidr_blocks List of CIDR strings to allow access on port 5432 to the database list(string) null no
allow_major_version_upgrade Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible bool false no
apply_immediately Specifies whether any database modifications are applied immediately, or during the next maintenance window bool false no
attributes ID element. Additional attributes (e.g. workers or cluster) to add to id,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the delimiter
and treated as a single ID element.		 list(string) [] no
auto_minor_version_upgrade Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window bool true no
backup_retention_period The days to retain backups for number null no
backup_window The daily time range (in UTC) during which automated backups are created if they are enabled. Example: '09:46-10:16'. Must not overlap with maintenance_window string "03:00-06:00" no
context Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as null to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.		 any 
{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
 no
create_security_group Whether or not to create a security group for the RDS instance bool true no
deletion_protection_enabled The database can't be deleted when this value is set to true bool false no
delimiter Delimiter to be used between ID elements.
Defaults to - (hyphen). Set to "" to use no delimiter at all.		 string null no
descriptor_formats Describe additional descriptors to be output in the descriptors output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
{<br/> format = string<br/> labels = list(string)<br/>}
(Type is any so the map values can later be enhanced to provide additional options.)
format is a Terraform format string to be passed to the format() function.
labels is a list of labels, in order, to pass to format() function.
Label values will be normalized before being passed to format() so they will be
identical to how they appear in id.
Default is {} (descriptors output will be empty).		 any {} no
enabled Set to false to prevent the module from creating any resources bool null no
engine_version The engine version to use string null no
environment ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' string null no
family The family of the DB parameter group string null no
iam_database_authentication_enabled Specifies whether or not the mappings of AWS Identity and Access Management (IAM) accounts to database accounts are enabled bool false no
id_length_limit Limit id to this many characters (minimum 6).
Set to 0 for unlimited length.
Set to null for keep the existing setting, which defaults to 0.
Does not affect id_full.		 number null no
instance_class The instance type of the RDS instance string null no
iops The amount of provisioned IOPS. Setting this implies a storage_type of 'io1' or gp3. See notes for limitations regarding this variable for gp3 number null no
kms_key_id The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage_encrypted is set to true and kms_key_id is not specified the default KMS key created in your account will be used. Be sure to use the full ARN, not a key alias. string null no
label_key_case Controls the letter case of the tags keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the tags input.
Possible values: lower, title, upper.
Default value: title.		 string null no
label_order The order in which the labels (ID elements) appear in the id.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.		 list(string) null no
label_value_case Controls the letter case of ID elements (labels) as included in id,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the tags input.
Possible values: lower, title, upper and none (no transformation).
Set this to title and set delimiter to "" to yield Pascal Case IDs.
Default value: lower.		 string null no
labels_as_tags Set of labels (ID elements) to include as tags in the tags output.
Default is to include all labels.
Tags with empty values will not be included in the tags output.
Set to [] to suppress all generated tags.
Notes:
The value of the name tag, if included, will be the id, not the name.
Unlike other null-label inputs, the initial setting of labels_as_tags cannot be
changed in later chained modules. Attempts to change it will be silently ignored.		 set(string) 
[
  "default"
]
 no
maintenance_window The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00' string "Mon:00:00-Mon:03:00" no
major_engine_version Specifies the major version of the engine that this option group should be associated with string null no
manage_master_user_password_rotation Whether to manage the master user password rotation. By default, false on creation, rotation is managed by RDS. Setting this value to false after previously having been set to true will disable automatic rotation. bool true no
master_user_password_rotate_immediately Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. bool null no
master_user_password_rotation_automatically_after_days Specifies the number of days between automatic scheduled rotations of the secret. Either automatically_after_days or schedule_expression must be specified. number 7 no
master_user_password_rotation_duration The length of the rotation window in hours. For example, 3h for a three hour window. string null no
master_user_password_rotation_schedule_expression A cron() or rate() expression that defines the schedule for rotating your secret. Either automatically_after_days or schedule_expression must be specified. string null no
max_allocated_storage Specifies the value for Storage Autoscaling number 0 no
monitoring_interval The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60 number 60 no
name ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a tag.
The "name" tag is set to the full id string. There is no tag with the value of the name input.		 string null no
namespace ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique string null no
postgres_major_version The postgres major version you want to run. The specific major version is then calculated by the module. Example: 16, 17, etc string n/a yes
regex_replace_chars Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.		 string null no
skip_final_snapshot Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted bool false no
snapshot_identifier Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05 string null no
stage ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' string null no
storage_type One of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (new generation of general purpose SSD), or 'io1' (provisioned IOPS SSD). The default is 'io1' if iops is specified, 'gp3' if not. If you specify 'io1' or 'gp3' , you must also include a value for the 'iops' parameter string "gp3" no
subnet_ids A list of VPC subnet IDs list(string) [] no
tags Additional tags (e.g. {'BusinessUnit': 'XYZ'}).
Neither the tag keys nor the tag values will be modified by this module.		 map(string) {} no
tenant ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for string null no
vpc_id The VPC ID where the security group will be created string null no
vpc_security_group_ids List of VPC security groups to associate list(string) [] no

Outputs

Name Description
address The address of the RDS instance
admin_username The master username for the database
arn The ARN of the RDS instance
availability_zone The availability zone of the RDS instance
ca_cert_identifier Specifies the identifier of the CA certificate for the DB instance
db_iam_dbuser_arn_prefix The resource ARN prefix for a db user to connect with IAM database authentication. You should append /your-iam-db-user to this value.
As per: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
endpoint The connection endpoint
identifier The RDS instance identifier
master_user_secret_arn The ARN of the master user secret
master_user_secret_name The name of the master user secret
name The database name
port The database port
resource_id The RDS Resource ID of this instance
status The RDS instance status
this Reach into here if you need something specific we don't expose

Help

Got a question? We got answers.

File a GitLab issue, send us an email or join our Matrix Community.

Matrix Community

Matrix badge

Join our Open Source Community on Matrix. It's FREE for everyone! This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build on our open source code.

Contributing

Bug Reports & Feature Requests

Please use the issue tracker to report any bugs or file feature requests.

Developing

If you are interested in being a contributor and want to get involved in developing this project or help out with our other projects, we would love to hear from you! Shoot us an email.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

  1. Fork the repo on GitLab
  2. Clone the project to your own machine
  3. Commit changes to your own branch
  4. Push your work back up to your fork
  5. Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

Copyright

Copyright © 2021-2024 The Guardian Project

License

License: GPL v3

GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program.  If not, see <https://www.gnu.org/licenses/>.

Trademarks

All other trademarks referenced herein are the property of their respective owners.

About

This project is maintained by The Guardian Project.

The Guardian Project

We're a collective of designers, developers, and ops folk focused on useable privacy and security with a focus on digital human rights and humanitarian projects.

Everything we do is 100% FOSS.

Follow us on Mastodon or twitter, apply for a job, or partner with us.

We offer paid support on all of our projects.

Check out our other DevOps projects or our entire other set of projects related to privacy and security related software, or hire us to get support with using our projects.

Contributors

Abel Luck
Abel Luck

About

Terraform module that creates an AWS RDS PostgreSQL instance (AWS) (Mirror of https://gitlab.com/guardianproject-ops/terraform-aws-rds-postgresql)

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

 
 
 

Contributors

Languages