CloudWiki: Amazon Web Services (AWS)

RDS (Database)
Amazon Relational Database Service (RDS) is a managed relational database service that simplifies the setup, operation, patching, backup and scaling of SQL databases (MySQL, MariaDB, PostgreSQL, Oracle, Microsoft SQL Server and Amazon Aurora) in the cloud.
aws_db_instance (Terraform resource) attributes:
  • allocated_storage - (Required unless a snapshot_identifier or replicate_source_db is provided) The allocated storage in gibibytes. If max_allocated_storage is configured, this argument represents the initial storage allocation and differences from the configuration will be ignored automatically when Storage Autoscaling occurs. If replicate_source_db is set, the value is ignored during the creation of the instance.
  • allow_major_version_upgrade - (Optional) Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible.
  • apply_immediately - (Optional) Specifies whether any database modifications are applied immediately, or during the next maintenance window. Default is false. See Amazon RDS Documentation for more information.
  • auto_minor_version_upgrade - (Optional) Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. Defaults to true.
  • availability_zone - (Optional) The AZ for the RDS instance.
  • backup_retention_period - (Optional) The days to retain backups for. Must be between 0 and 35. Must be greater than 0 if the database is used as a source for a Read Replica. See Read Replica.
  • backup_window - (Optional) The daily time range (in UTC) during which automated backups are created if they are enabled. Example: "09:46-10:16". Must not overlap with maintenance_window.
  • ca_cert_identifier - (Optional) The identifier of the CA certificate for the DB instance.
  • character_set_name - (Optional) The character set name to use for DB encoding in Oracle and Microsoft SQL instances (collation). This can't be changed. See Oracle Character Sets Supported in Amazon RDS or Server-Level Collation for Microsoft SQL Server for more information.
  • copy_tags_to_snapshot – (Optional, boolean) Copy all Instance tags to snapshots. Default is false.
  • custom_iam_instance_profile - (Optional) The instance profile associated with the underlying Amazon EC2 instance of an RDS Custom DB instance.
  • db_name - (Optional) The name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance. Note that this does not apply for Oracle or SQL Server engines. See the AWS documentation for more details on what applies for those engines. If you are providing an Oracle db name, it needs to be in all upper case. Cannot be specified for a replica.
  • db_subnet_group_name - (Optional) Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. When working with read replicas, it should be specified only if the source database specifies an instance in another AWS Region. See DBSubnetGroupName in API action CreateDBInstanceReadReplica for additional read replica constraints.
  • delete_automated_backups - (Optional) Specifies whether to remove automated backups immediately after the DB instance is deleted. Default is true.
  • deletion_protection - (Optional) If the DB instance should have deletion protection enabled. The database can't be deleted when this value is set to true. The default is false.
  • domain - (Optional) The ID of the Directory Service Active Directory domain to create the instance in.
  • domain_iam_role_name - (Optional, but required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service.
  • enabled_cloudwatch_logs_exports - (Optional) Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values depend on the engine. MySQL and MariaDB: audit, error, general, slowquery. PostgreSQL: postgresql, upgrade. MSSQL: agent, error. Oracle: alert, audit, listener, trace.
  • engine - (Required unless a snapshot_identifier or replicate_source_db is provided) The database engine to use. For supported values, see the Engine parameter in API action CreateDBInstance. Cannot be specified for a replica. Note that for Amazon Aurora instances the engine must match the DB cluster's engine. For information on the difference between the available Aurora MySQL engines see Comparison between Aurora MySQL 1 and Aurora MySQL 2 in the Amazon RDS User Guide.
  • engine_version - (Optional) The engine version to use. If auto_minor_version_upgrade is enabled, you can provide a prefix of the version such as 5.7 (for 5.7.10). The actual engine version used is returned in the attribute engine_version_actual, see Attributes Reference below. For supported values, see the EngineVersion parameter in API action CreateDBInstance. Note that for Amazon Aurora instances the engine version must match the DB cluster's engine version. Cannot be specified for a replica.
  • final_snapshot_identifier - (Optional) The name of your final DB snapshot when this DB instance is deleted. Must be provided if skip_final_snapshot is set to false. The value must begin with a letter, only contain alphanumeric characters and hyphens, and not end with a hyphen or contain two consecutive hyphens. Must not be provided when deleting a read replica.
  • iam_database_authentication_enabled - (Optional) Specifies whether mappings of AWS Identity and Access Management (IAM) accounts to database accounts are enabled. Defaults to false.
  • identifier - (Optional, Forces new resource) The name of the RDS instance; if omitted, Terraform will assign a random, unique identifier. Required if restore_to_point_in_time is specified.
  • identifier_prefix - (Optional, Forces new resource) Creates a unique identifier beginning with the specified prefix. Conflicts with identifier.
  • instance_class - (Required) The instance type of the RDS instance.
  • iops - (Optional) The amount of provisioned IOPS. Setting this implies a storage_type of "io1".
  • kms_key_id - (Optional) The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN.
  • license_model - (Optional, but required for some DB engines, i.e., Oracle SE1) License model information for this DB instance.
  • maintenance_window - (Optional) The window to perform maintenance in. Syntax: "ddd:hh24:mi-ddd:hh24:mi". Eg: "Mon:00:00-Mon:03:00". See RDS Maintenance Window docs for more information.
  • max_allocated_storage - (Optional) When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated_storage. Must be greater than or equal to allocated_storage or 0 to disable Storage Autoscaling.
  • monitoring_interval - (Optional) The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60.
  • monitoring_role_arn - (Optional) The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. You can find more information on the AWS Documentation what IAM permissions are needed to allow Enhanced Monitoring for RDS Instances.
  • multi_az - (Optional) Specifies if the RDS instance is multi-AZ
  • name - (Optional, Deprecated use db_name instead) The name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance. Note that this does not apply for Oracle or SQL Server engines. See the AWS documentation for more details on what applies for those engines. If you are providing an Oracle db name, it needs to be in all upper case. Cannot be specified for a replica.
  • nchar_character_set_name - (Optional, Forces new resource) The national character set is used in the NCHAR, NVARCHAR2, and NCLOB data types for Oracle instances. This can't be changed. See Oracle Character Sets Supported in Amazon RDS.
  • network_type - (Optional) The network type of the DB instance. Valid values: IPV4, DUAL.
  • option_group_name - (Optional) Name of the DB option group to associate.
  • parameter_group_name - (Optional) Name of the DB parameter group to associate.
  • password - (Required unless a snapshot_identifier or replicate_source_db is provided) Password for the master DB user. Note that this may show up in logs, and it will be stored in plaintext in the state file: treat the state backend as sensitive (encrypt it at rest and restrict who can read it) and prefer sourcing the value from a sensitive variable or a secrets store rather than a literal in configuration.
  • performance_insights_enabled - (Optional) Specifies whether Performance Insights are enabled. Defaults to false.
  • performance_insights_kms_key_id - (Optional) The ARN for the KMS key to encrypt Performance Insights data. When specifying performance_insights_kms_key_id, performance_insights_enabled needs to be set to true. Once KMS key is set, it can never be changed.
  • performance_insights_retention_period - (Optional) Amount of time in days to retain Performance Insights data. Valid values are 7, 731 (2 years) or a multiple of 31. When specifying performance_insights_retention_period, performance_insights_enabled needs to be set to true. Defaults to '7'.
  • port - (Optional) The port on which the DB accepts connections.
  • publicly_accessible - (Optional) Bool to control if instance is publicly accessible. Default is false. Keep it false unless there is a documented need; a public endpoint combined with a permissive security group exposes the database listener to the internet.
  • replica_mode - (Optional) Specifies whether the replica is in either mounted or open-read-only mode. This attribute is only supported by Oracle instances. Oracle replicas operate in open-read-only mode unless otherwise specified. See Working with Oracle Read Replicas for more information.
  • replicate_source_db - (Optional) Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate (if replicating within a single region) or ARN of the Amazon RDS Database to replicate (if replicating cross-region). Note that if you are creating a cross-region replica of an encrypted database you will also need to specify a kms_key_id. See DB Instance Replication and Working with PostgreSQL and MySQL Read Replicas for more information on using Replication.
  • restore_to_point_in_time - (Optional, Forces new resource) A configuration block for restoring a DB instance to an arbitrary point in time. Requires the identifier argument to be set with the name of the new DB instance to be created.
  • s3_import - (Optional) Restore from a Percona Xtrabackup in S3. See Importing Data into an Amazon RDS MySQL DB Instance
  • security_group_names - (Optional/Deprecated) List of DB Security Groups to associate. Only used for DB Instances on the EC2-Classic Platform.
  • skip_final_snapshot - (Optional) Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final_snapshot_identifier. Default is false.
  • snapshot_identifier - (Optional) Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05.
  • storage_encrypted - (Optional) Specifies whether the DB instance is encrypted. Note that if you are creating a cross-region read replica this field is ignored and you should instead declare kms_key_id with a valid ARN. The default is false if not specified.
  • storage_type - (Optional) One of "standard" (magnetic), "gp2" (general purpose SSD), or "io1" (provisioned IOPS SSD). The default is "io1" if iops is specified, "gp2" if not.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
  • timezone - (Optional) Time zone of the DB instance. timezone is currently only supported by Microsoft SQL Server. The timezone can only be set on creation. See MSSQL User Guide for more information.
  • username - (Required unless a snapshot_identifier or replicate_source_db is provided) Username for the master DB user. Cannot be specified for a replica.
  • vpc_security_group_ids - (Optional) List of VPC security groups to associate.
  • customer_owned_ip_enabled - (Optional) Indicates whether to enable a customer-owned IP address (CoIP) for an RDS on Outposts DB instance. See CoIP for RDS on Outposts for more information.


Restore To Point In Time

The restore_to_point_in_time block supports the following arguments:

  • restore_time - (Optional) The date and time to restore from. Value must be a time in Universal Coordinated Time (UTC) format and must be before the latest restorable time for the DB instance. Cannot be specified with use_latest_restorable_time.
  • source_db_instance_identifier - (Optional) The identifier of the source DB instance from which to restore. Must match the identifier of an existing DB instance. Required if source_db_instance_automated_backups_arn or source_dbi_resource_id is not specified.
  • source_db_instance_automated_backups_arn - (Optional) The ARN of the automated backup from which to restore. Required if source_db_instance_identifier or source_dbi_resource_id is not specified.
  • source_dbi_resource_id - (Optional) The resource ID of the source DB instance from which to restore. Required if source_db_instance_identifier or source_db_instance_automated_backups_arn is not specified.
  • use_latest_restorable_time - (Optional) A boolean value that indicates whether the DB instance is restored from the latest backup time. Defaults to false. Cannot be specified with restore_time.

S3 Import Options

  • bucket_name - (Required) The bucket name where your backup is stored
  • bucket_prefix - (Optional) Can be blank, but is the path to your backup
  • ingestion_role - (Required) Role applied to load the data.
  • source_engine - (Required, as of Feb 2018 only 'mysql' supported) Source engine for the backup
  • source_engine_version - (Required, as of Feb 2018 only '5.6' supported) Version of the source engine used to make the backup
  
  Note: changing the S3 object later will not recreate the resource; the import is only used to initialize the database.

Associating resources with an RDS instance

Other resources do not "belong" to an RDS instance. Rather, the instance is associated with one or more VPC security groups (vpc_security_group_ids), a DB subnet group (db_subnet_group_name) and, optionally, parameter and option groups. Network access to the listener is governed by the security groups' rules, so give each instance a dedicated group instead of the VPC default group.

Create RDS via Terraform:

The following HCL creates a basic RDS instance resource; attributes not set here (storage_encrypted, deletion_protection, backup_retention_period, vpc_security_group_ids, multi_az) take the defaults listed above.

Syntax:

resource "aws_db_instance" "default" {
  allocated_storage    = 10
  db_name              = "mydb"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t3.micro"
  username             = "foo"
  # Demo literal only: the value lands in Terraform state and may appear in logs.
  # Use a variable marked sensitive or a secrets store for anything real.
  password             = "foobarbaz"
  parameter_group_name = "default.mysql5.7"
  # No final snapshot on destroy; for production set this to false and
  # provide final_snapshot_identifier so the data survives a `terraform destroy`.
  skip_final_snapshot  = true
}

Create RDS via CLI:

Parameters of aws rds create-db-instance (full synopsis):

create-db-instance
[--db-name <value>]
--db-instance-identifier <value>
[--allocated-storage <value>]
--db-instance-class <value>
--engine <value>
[--master-username <value>]
[--master-user-password <value>]
[--db-security-groups <value>]
[--vpc-security-group-ids <value>]
[--availability-zone <value>]
[--db-subnet-group-name <value>]
[--preferred-maintenance-window <value>]
[--db-parameter-group-name <value>]
[--backup-retention-period <value>]
[--preferred-backup-window <value>]
[--port <value>]
[--multi-az | --no-multi-az]
[--engine-version <value>]
[--auto-minor-version-upgrade | --no-auto-minor-version-upgrade]
[--license-model <value>]
[--iops <value>]
[--option-group-name <value>]
[--character-set-name <value>]
[--nchar-character-set-name <value>]
[--publicly-accessible | --no-publicly-accessible]
[--tags <value>]
[--db-cluster-identifier <value>]
[--storage-type <value>]
[--tde-credential-arn <value>]
[--tde-credential-password <value>]
[--storage-encrypted | --no-storage-encrypted]
[--kms-key-id <value>]
[--domain <value>]
[--copy-tags-to-snapshot | --no-copy-tags-to-snapshot]
[--monitoring-interval <value>]
[--monitoring-role-arn <value>]
[--domain-iam-role-name <value>]
[--promotion-tier <value>]
[--timezone <value>]
[--enable-iam-database-authentication | --no-enable-iam-database-authentication]
[--enable-performance-insights | --no-enable-performance-insights]
[--performance-insights-kms-key-id <value>]
[--performance-insights-retention-period <value>]
[--enable-cloudwatch-logs-exports <value>]
[--processor-features <value>]
[--deletion-protection | --no-deletion-protection]
[--max-allocated-storage <value>]
[--enable-customer-owned-ip | --no-enable-customer-owned-ip]
[--custom-iam-instance-profile <value>]
[--backup-target <value>]
[--network-type <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws rds create-db-instance \
    --db-instance-identifier test-mysql-instance \
    --db-instance-class db.t3.micro \
    --engine mysql \
    --master-username admin \
    --master-user-password secret99 \
    --allocated-storage 20

A password given on the command line is recorded in shell history and is visible to other local users in the process list while the command runs; for anything beyond a throwaway test, supply the parameters with --cli-input-json from a file with restricted permissions. Flags not given take the service defaults: no storage encryption, single-AZ, the engine's default port, and whichever security group the subnet group implies.

Best Practices for RDS

Categorized by Availability, Security & Compliance and Cost; each rule is listed with its severity.

  • Warning: Ensure RDS Instances have IAM Database Authentication enabled
  • Info: Ensure RDS MySQL and PostgreSQL database instances have Performance Insights feature enabled
  • Info: Ensure RDS database instances have Copy Tags to Snapshots enabled
  • Warning: Ensure RDS database instances have Deletion Protection enabled
  • Critical: Ensure RDS database instances have storage encryption enabled
  • Warning: Ensure RDS instances are configured with Auto Minor Version Upgrade
  • Warning: Ensure RDS instances are using General Purpose SSD storage and not Provisioned IOPS SSD storage
  • Warning: Ensure RDS instances have Multi-AZ disabled in dev environments
  • Warning: Ensure RDS instances have Multi-AZ enabled in Production
  • Info: Ensure RDS instances have Performance Insights feature enabled
  • Warning: Ensure RDS instances have Storage AutoScaling feature enabled
  • Warning: Ensure RDS instances have backup policy
  • Info: Ensure RDS is not using the default port 1433
  • Info: Ensure RDS is not using the default port 1521
  • Info: Ensure RDS is not using the default port 3306
  • Info: Ensure RDS is not using the default port 5432
  • Critical: Ensure default security groups are not in use by RDS
  • Warning: Ensure stopped RDS instances are removed
  • Warning: RDS database delete alarm
  • Info: Resource has access to RDS database
  • Critical: Resource with over permissive RDS permissions
  • Critical: Resource with over permissive RDS permissions (via IAM Role inline)

The default-port rules are Info-level for a reason: a non-standard port only reduces exposure to untargeted scans and is no substitute for restrictive security-group rules.
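Most of the rules above map directly onto aws_db_instance attributes from the attribute list and onto fields of `aws rds describe-db-instances` output. The following Python script is an added example, not code from the CloudWiki page or from any vendor tool, that evaluates the Security & Compliance and Availability rules twice: before deployment against the planned values of aws_db_instance resources in `terraform show -json` output (the Terraform section above), and after deployment against a DescribeDBInstances response (the best-practices list). Both inputs are normalised to the Terraform attribute names, so each rule is written once. The plan document, the API response, the security-group IDs and the hostnames are constructed samples; the set of VPC default security-group IDs is assumed to be collected separately with `aws ec2 describe-security-groups --filters Name=group-name,Values=default`, which is not shown.

```python
"""Check the RDS best-practice rules on this page against a `terraform show -json` plan
(pre-deploy) and an `aws rds describe-db-instances` response (post-deploy). Both inputs
are normalised to the Terraform attribute names, so each rule is written exactly once."""

# Default listener port per engine family, for the "not using the default port" rules.
DEFAULT_PORTS = {"mysql": 3306, "mariadb": 3306, "postgres": 5432, "oracle": 1521, "sqlserver": 1433}

# DescribeDBInstances field -> aws_db_instance attribute name.
_API_TO_TF = {"Engine": "engine", "StorageEncrypted": "storage_encrypted",
              "PubliclyAccessible": "publicly_accessible", "DeletionProtection": "deletion_protection",
              "IAMDatabaseAuthenticationEnabled": "iam_database_authentication_enabled",
              "BackupRetentionPeriod": "backup_retention_period", "MultiAZ": "multi_az",
              "CopyTagsToSnapshot": "copy_tags_to_snapshot", "AutoMinorVersionUpgrade": "auto_minor_version_upgrade",
              "PerformanceInsightsEnabled": "performance_insights_enabled"}

def engine_family(engine):
    """'oracle-se2' -> 'oracle', 'sqlserver-ex' -> 'sqlserver', 'mysql' -> 'mysql'."""
    return next((f for f in DEFAULT_PORTS if engine.startswith(f)), engine)

def from_terraform_plan(plan):
    """Yield (address, attrs) per aws_db_instance in the plan's root module (child_modules
    would need recursion). Attributes still unknown at plan time, such as the computed
    port or the security-group list, are simply absent from `values`."""
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res["type"] == "aws_db_instance":
            yield res["address"], dict(res["values"])

def from_describe_db_instances(response):
    """Yield (identifier, attrs) per instance, renamed to the Terraform attribute names."""
    for db in response["DBInstances"]:
        attrs = {tf: db.get(api) for api, tf in _API_TO_TF.items()}
        attrs["max_allocated_storage"] = db.get("MaxAllocatedStorage", 0)  # absent when autoscaling is off
        attrs["port"] = db.get("Endpoint", {}).get("Port")
        attrs["vpc_security_group_ids"] = [g["VpcSecurityGroupId"] for g in db.get("VpcSecurityGroups", [])]
        yield db["DBInstanceIdentifier"], attrs

def evaluate(attrs, default_sg_ids=frozenset(), production=True):
    """Return {rule: 'PASS'|'FAIL'|'UNKNOWN'} for one instance. A missing attribute
    (unknown in a plan) is UNKNOWN, so a pre-deploy check cannot pass by omission."""
    def flag(name, want=True):
        val = attrs.get(name)
        return "UNKNOWN" if val is None else ("PASS" if val is want else "FAIL")

    def positive(name):
        val = attrs.get(name)
        return "UNKNOWN" if val is None else ("PASS" if val > 0 else "FAIL")

    port, sgs = attrs.get("port"), attrs.get("vpc_security_group_ids")
    default_port = DEFAULT_PORTS.get(engine_family(attrs.get("engine") or ""))
    return {
        "storage encryption enabled": flag("storage_encrypted"),
        "not publicly accessible": flag("publicly_accessible", want=False),
        "IAM database authentication enabled": flag("iam_database_authentication_enabled"),
        "deletion protection enabled": flag("deletion_protection"),
        "auto minor version upgrade": flag("auto_minor_version_upgrade"),
        "copy tags to snapshots": flag("copy_tags_to_snapshot"),
        "performance insights enabled": flag("performance_insights_enabled"),
        "multi-AZ matches environment": flag("multi_az", want=production),  # on in prod, off in dev
        "backup policy (retention > 0)": positive("backup_retention_period"),
        "storage autoscaling enabled": positive("max_allocated_storage"),
        "not using engine default port": "UNKNOWN" if port is None else ("FAIL" if port == default_port else "PASS"),
        "no default security group": "UNKNOWN" if sgs is None else ("FAIL" if set(sgs) & set(default_sg_ids) else "PASS"),
    }

def audit(plan=None, describe=None, default_sg_ids=frozenset(), production=True):
    """Run every rule over both sources; returns {instance: {rule: status}}."""
    sources = list(from_terraform_plan(plan) if plan else []) + list(from_describe_db_instances(describe) if describe else [])
    return {name: evaluate(attrs, default_sg_ids, production) for name, attrs in sources}

def failures(report):
    """Sorted (instance, rule) pairs whose status is FAIL."""
    return sorted((i, r) for i, rules in report.items() for r, s in rules.items() if s == "FAIL")

# Constructed sample: planned values for the basic Terraform example on this page; port and
# security groups are computed at apply time and therefore absent, as `terraform show -json` prints them.
SAMPLE_PLAN = {"format_version": "1.1", "planned_values": {"root_module": {"resources": [
    {"address": "aws_db_instance.default", "type": "aws_db_instance", "name": "default",
     "values": {"engine": "mysql", "instance_class": "db.t3.micro", "storage_encrypted": False,
                "publicly_accessible": False, "iam_database_authentication_enabled": False,
                "deletion_protection": False, "backup_retention_period": 0, "multi_az": False,
                "copy_tags_to_snapshot": False, "auto_minor_version_upgrade": True,
                "performance_insights_enabled": False, "max_allocated_storage": 0}}]}}}

# Constructed sample (made-up IDs and hostnames): one hardened production instance and one weak
# instance that sits in the VPC default security group on the engine's default port.
SAMPLE_DESCRIBE = {"DBInstances": [
    {"DBInstanceIdentifier": "prod-postgres", "Engine": "postgres", "StorageEncrypted": True,
     "PubliclyAccessible": False, "IAMDatabaseAuthenticationEnabled": True, "DeletionProtection": True,
     "BackupRetentionPeriod": 14, "MultiAZ": True, "CopyTagsToSnapshot": True, "AutoMinorVersionUpgrade": True,
     "PerformanceInsightsEnabled": True, "MaxAllocatedStorage": 500,
     "Endpoint": {"Address": "prod-postgres.cexample.eu-west-1.rds.amazonaws.com", "Port": 5433},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0a1b2c3d4e5f60718", "Status": "active"}]},
    {"DBInstanceIdentifier": "dev-mysql", "Engine": "mysql", "StorageEncrypted": False,
     "PubliclyAccessible": True, "IAMDatabaseAuthenticationEnabled": False, "DeletionProtection": False,
     "BackupRetentionPeriod": 1, "MultiAZ": False, "CopyTagsToSnapshot": False, "AutoMinorVersionUpgrade": True,
     "PerformanceInsightsEnabled": False,
     "Endpoint": {"Address": "dev-mysql.cexample.eu-west-1.rds.amazonaws.com", "Port": 3306},
     "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0d3fau1t00000000", "Status": "active"}]}]}
# Assumed to be collected from `aws ec2 describe-security-groups --filters Name=group-name,Values=default`.
DEFAULT_SG_IDS = frozenset({"sg-0d3fau1t00000000"})

if __name__ == "__main__":
    for inst, rules in audit(SAMPLE_PLAN, SAMPLE_DESCRIBE, DEFAULT_SG_IDS).items():
        for rule, status in rules.items():
            print(f"{status:7} {inst}: {rule}")
```

Run it as-is to see the report for the samples, or feed real data with `audit(json.load(open("plan.json")), json.load(open("describe.json")), default_sg_ids)`. Two design points matter in practice: an attribute that is unknown at plan time is reported UNKNOWN rather than PASS, so the pre-deploy gate cannot be satisfied by leaving a computed attribute unset, and the Multi-AZ rule takes the environment as a parameter because the list above wants it on in production and off in dev. The port check only implements the Info-level rules; the security-group check is the one that actually restricts access.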