Opinionated Terraform module for provisioning and managing an AWS Aurora PostgreSQL cluster for OHID workloads.
This module assumes:
- A pre-existing VPC with an account/region-unique name.
- Database subnets in the target VPC, tagged `Type: Database`.
- Private subnets in the target VPC, tagged `Type: Private`.
- A DB subnet group aligned to the database subnets. By default, this module looks up a DB subnet group named `<name_prefix>-vpc-main`; set `db_subnet_group_name` to override.
- An environment classification via `environment_tier`. This should be one of `Production`, `PreProduction` or `Development`.
The module does not create core networking (VPCs, subnets, routing, NAT, VPC endpoints); these are assumed to already exist.
This module intentionally does not try to be a generic Aurora abstraction. The following are explicitly out of scope:
- Managing CloudWatch alarms. Alerting is handled by external platform tooling.
- Supporting public database access patterns (for example, public subnets or Internet-facing DB endpoints).
- Supporting non-Aurora PostgreSQL engines (for example, standard RDS PostgreSQL, MySQL, MariaDB).
- Supporting every possible Aurora topology or advanced feature from day one (for example, global databases, cross-region replication, blue/green deployment orchestration).
- Exposing all upstream module knobs as pass-through variables.
- Owning application-level database objects or migrations (schemas, roles, grants, extensions, seed data).
Design goals:
- Encode secure defaults and consistent operational behaviour.
- Optimise for repeatable environment provisioning.
- Keep the input contract small and explicit.
Key behaviours:
- Naming is centralised in Terraform `locals` and derived from environment metadata.
- Maintenance and backup windows are standardised by `environment_tier` (`Development`, `PreProduction`, `Production`) with optional overrides.
- A security-focused Aurora cluster parameter group is managed by this module (SSL enforced, connection/disconnection logging enabled).
- Master credentials are managed by RDS and stored in AWS Secrets Manager. They are automatically rotated on a 30-day schedule.
- IAM database authentication is enabled and the Data API is disabled by default.
- Control Tower backup schedule tags (hourly/daily/weekly/monthly) are disabled by default but can be toggled individually.
- In `Production`, at least one Control Tower backup schedule tag must remain enabled.
See examples/basic for a complete runnable example against existing network resources.

```shell
cd examples/basic
terraform init
terraform plan
```

Set `engine_version` to the Aurora PostgreSQL major version only, for example `16`.
The module enables `auto_minor_version_upgrade` on every cluster instance and sets `engine_version` on the cluster and instances to that major line, so AWS can apply minor upgrades during the maintenance window without Terraform reporting drift. Pinning a full minor version (for example `16.4`) would instead cause Terraform to report drift after every automatic minor upgrade.
Example (the other required inputs are included so the block plans as-is; see the inputs table below):

```hcl
module "aurora_postgresql" {
  source             = "../.."
  engine_version     = "16"   # major version only
  project_short_name = "c25k" # remaining required inputs
  min_capacity       = 0.5
  max_capacity       = 4
}
```

Requirements:

| Name | Version |
|---|---|
| terraform | >= 1.5.7 |
| aws | >= 6.0 |
Providers:

| Name | Version |
|---|---|
| aws | >= 6.0 |
Modules:

| Name | Source | Version |
|---|---|---|
| kms | terraform-aws-modules/kms/aws | 4.2.0 |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| backup_central_account_id | Optional AWS account ID for the central backup account that will copy recovery points encrypted by this Aurora KMS key. | string | `null` | no |
| backup_retention_period | Optional override for backup retention days. If null, `environment_tier` defaults are used. | number | `null` | no |
| db_subnet_group_name | Optional existing DB subnet group name. If null, defaults to the VPC name pattern (`<name_prefix>-vpc-main`). | string | `null` | no |
| deletion_protection | Protect the Aurora cluster from accidental deletion. | bool | `true` | no |
| enable_control_tower_backup_daily | Enable the Control Tower daily backup tag on the cluster. | bool | `false` | no |
| enable_control_tower_backup_hourly | Enable the Control Tower hourly backup tag on the cluster. | bool | `false` | no |
| enable_control_tower_backup_monthly | Enable the Control Tower monthly backup tag on the cluster. | bool | `false` | no |
| enable_control_tower_backup_weekly | Enable the Control Tower weekly backup tag on the cluster. | bool | `false` | no |
| enable_http_endpoint | Enable the Aurora Data API (disabled by default for a tighter security posture). | bool | `false` | no |
| engine_version | Major version of the Aurora PostgreSQL engine (for example `16`). | string | n/a | yes |
| environment_name | The name of the environment. | string | `"dev"` | no |
| environment_tier | Environment policy tier that controls opinionated defaults (`Development`, `PreProduction` or `Production`). | string | `"Development"` | no |
| instance_count | Number of Aurora cluster instances to create. | number | `1` | no |
| master_username | Master username for the Aurora cluster. | string | `"root"` | no |
| max_capacity | The maximum number of Aurora capacity units (ACUs) for a DB instance in an Aurora Serverless v2 cluster. | number | n/a | yes |
| min_capacity | The minimum number of Aurora capacity units (ACUs) for a DB instance in an Aurora Serverless v2 cluster. | number | n/a | yes |
| preferred_backup_window | Optional override for the backup window (UTC), e.g. `03:00-04:00`. | string | `null` | no |
| preferred_maintenance_window | Optional override for the maintenance window (UTC), e.g. `sun:04:00-sun:05:00`. | string | `null` | no |
| project_short_name | Short project identifier used in the resource naming prefix (e.g. `c25k`). | string | n/a | yes |
Outputs:

| Name | Description |
|---|---|
| db_master_secret_arn | Secrets Manager ARN containing the Aurora master username/password. |
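The following is an added example, not part of this module or its examples/ directory, showing a `Production` instantiation that satisfies the backup-tag rule and consumes the one exported output with a least-privilege policy. It assumes the module is referenced from `../..`, that an IAM role named `app` for the database client already exists outside this configuration, and that the network and DB subnet group prerequisites listed above are in place; the account ID is a placeholder.

```hcl
# Added example; not the module's own code. Assumptions: module at "../..",
# an existing IAM role "app" for the application, placeholder account ID.

module "aurora_postgresql" {
  source = "../.."

  project_short_name = "c25k"
  environment_name   = "prod"
  environment_tier   = "Production"

  engine_version = "16" # major line only; AWS applies minor upgrades in the maintenance window
  instance_count = 2    # writer plus one reader

  min_capacity = 2
  max_capacity = 16

  # Production requires at least one Control Tower backup schedule tag to stay enabled.
  enable_control_tower_backup_daily  = true
  enable_control_tower_backup_weekly = true

  # Central backup account allowed to copy recovery points encrypted by the cluster's KMS key.
  backup_central_account_id = "111111111111" # placeholder

  # Explicitly keep the hardened defaults: deletion protection on, Data API off.
  deletion_protection  = true
  enable_http_endpoint = false
}

# Read access to the RDS-managed master secret, scoped to the single secret ARN the
# module exports rather than a wildcard over all secrets in the account.
data "aws_iam_policy_document" "read_db_master_secret" {
  statement {
    sid       = "ReadAuroraMasterSecret"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [module.aurora_postgresql.db_master_secret_arn]
  }
}

resource "aws_iam_role_policy" "app_read_db_master_secret" {
  name   = "read-aurora-master-secret"
  role   = "app" # assumed existing IAM role name
  policy = data.aws_iam_policy_document.read_db_master_secret.json
}
```

Two caveats for anyone adapting this: if the master secret is encrypted with a customer managed KMS key rather than the AWS-managed Secrets Manager key, the `app` role additionally needs `kms:Decrypt` on that key, and the policy above will not be sufficient on its own. Second, this page does not name the parameters in the managed parameter group; on Aurora PostgreSQL, SSL enforcement and connection logging are normally `rds.force_ssl`, `log_connections` and `log_disconnections` (an assumption here, not something the module documents), so after `terraform apply` a `SHOW rds.force_ssl;` from `psql` is a quick way to confirm the cluster actually rejects non-TLS sessions.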