diff --git a/README.md b/README.md
index 0896e2d..9c49238 100644
--- a/README.md
+++ b/README.md
@@ -89,21 +89,21 @@ To see a full example, check out the [main.tf](https://github.com/sourcefuse/ter
| [db\_cluster\_parameter\_group\_name](#input\_db\_cluster\_parameter\_group\_name) | (optional) A cluster parameter group to associate with the cluster. | `string` | `null` | no |
| [db\_instance\_parameter\_group\_name](#input\_db\_instance\_parameter\_group\_name) | (optional) Instance parameter group to associate with all instances of the DB cluster. The db\_instance\_parameter\_group\_name parameter is only valid in combination with the allow\_major\_version\_upgrade parameter. | `string` | `null` | no |
| [db\_server\_class](#input\_db\_server\_class) | Instance class for RDS instance | `string` | `"db.t3.medium"` | no |
-| [db\_subnet\_group\_data](#input\_db\_subnet\_group\_data) | (optional) DB Subnet Group details |
object({
name = string
create = optional(bool, false)
description = optional(string, null)
subnet_ids = optional(list(string), [])
}) | n/a | yes |
+| [db\_subnet\_group\_data](#input\_db\_subnet\_group\_data) | (optional) DB Subnet Group details | object({
name = string
create = optional(bool, false)
description = optional(string, null)
subnet_ids = optional(list(string), [])
}) | n/a | yes |
| [delete\_automated\_backups](#input\_delete\_automated\_backups) | (optional) Specifies whether to remove automated backups immediately after the DB cluster is deleted. Default is true. | `string` | `true` | no |
| [deletion\_protection](#input\_deletion\_protection) | Whether to enable deletion protection for the DB cluster. | `bool` | `false` | no |
| [enable\_multi\_az](#input\_enable\_multi\_az) | Whether to enable Multi-AZ deployment for the RDS instance. | `bool` | `false` | no |
| [enabled\_cloudwatch\_logs\_exports](#input\_enabled\_cloudwatch\_logs\_exports) | List of log types to export to CloudWatch Logs. Valid values: audit, error, general, slowquery. | `list(string)` | `[]` | no |
| [engine](#input\_engine) | The database engine to use for the RDS cluster (e.g., aurora, aurora-mysql, aurora-postgresql). | `string` | n/a | yes |
| [engine\_lifecycle\_support](#input\_engine\_lifecycle\_support) | (optional) The life cycle type for this DB instance. This setting is valid for cluster types Aurora DB clusters and Multi-AZ DB clusters. Valid values are open-source-rds-extended-support, open-source-rds-extended-support-disabled. Default value is open-source-rds-extended-support | `string` | `"open-source-rds-extended-support"` | no |
-| [engine\_mode](#input\_engine\_mode) | (optional) Database engine mode. Valid values: global (only valid for Aurora MySQL 1.21 and earlier), parallelquery, provisioned, serverless. Defaults to: provisioned
Note :- For Serverless V2 , engine\_mode should be "provisioned" but for simplecity "serverless" is expected
Refer : https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#rds-serverless-v2-cluster | `string` | `"provisioned"` | no |
+| [engine\_mode](#input\_engine\_mode) | (optional) Database engine mode. Valid values: global (only valid for Aurora MySQL 1.21 and earlier), parallelquery, provisioned, serverless. Defaults to: provisioned
Note :- For Serverless V2 , engine\_mode should be "provisioned" but for simplecity "serverless" is expected
Refer : https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#rds-serverless-v2-cluster | `string` | `"provisioned"` | no |
| [engine\_type](#input\_engine\_type) | (optional) Engine type, valid values are 'rds' or 'cluster' | `string` | n/a | yes |
| [engine\_version](#input\_engine\_version) | The version of the database engine to use. | `string` | n/a | yes |
| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | n/a | yes |
| [final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | (optional) Name of your final DB snapshot when this DB cluster is deleted. If omitted, no final snapshot will be made. | `string` | `null` | no |
| [iam\_database\_authentication\_enabled](#input\_iam\_database\_authentication\_enabled) | Enable IAM database authentication for the RDS cluster. | `bool` | `false` | no |
| [iops](#input\_iops) | The amount of provisioned IOPS. Required if using io1 storage type. | `number` | `0` | no |
-| [kms\_data](#input\_kms\_data) | Configuration for KMS key settings for RDS encryption and performance insights:
- create: (Optional) If true, a new KMS key is created.
- kms\_key\_id: (Optional) The ID of an existing KMS key for RDS encryption. If null it used AWS managed keys
- performance\_insights\_kms\_key\_id: (Optional) Key ID for Performance Insights. If null it used AWS managed keys
- description: (Optional) description for the KMS key.
- policy: (Optional) Specific policy for the KMS key.
- deletion\_window\_in\_days: (Optional) Number of days before deletion, default is 7.
- enable\_key\_rotation: (Optional) Enables key rotation for security; defaults to true. | object({
create = optional(bool, true)
kms_key_id = optional(string, null)
performance_insights_kms_key_id = optional(string, null)
name = optional(string, null)
description = optional(string, null)
policy = optional(string, null)
deletion_window_in_days = optional(number, 7)
enable_key_rotation = optional(bool, true)
}) | {
"create": false
} | no |
+| [kms\_data](#input\_kms\_data) | Configuration for KMS key settings for RDS encryption and performance insights:
- create: (Optional) If true, a new KMS key is created.
- kms\_key\_id: (Optional) The ID of an existing KMS key for RDS encryption. If null it used AWS managed keys
- performance\_insights\_kms\_key\_id: (Optional) Key ID for Performance Insights. If null it used AWS managed keys
- description: (Optional) description for the KMS key.
- policy: (Optional) Specific policy for the KMS key.
- deletion\_window\_in\_days: (Optional) Number of days before deletion, default is 7.
- enable\_key\_rotation: (Optional) Enables key rotation for security; defaults to true. | object({
create = optional(bool, true)
kms_key_id = optional(string, null)
performance_insights_kms_key_id = optional(string, null)
name = optional(string, null)
description = optional(string, null)
policy = optional(string, null)
deletion_window_in_days = optional(number, 7)
enable_key_rotation = optional(bool, true)
}) | {
"create": false
} | no |
| [license\_model](#input\_license\_model) | The license model for the DB instance (e.g., license-included, bring-your-own-license, general-public-license). | `string` | n/a | yes |
| [manage\_user\_password](#input\_manage\_user\_password) | (optional) Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master\_password is provided. | `bool` | `true` | no |
| [monitoring\_interval](#input\_monitoring\_interval) | The interval, in seconds, between points when Enhanced Monitoring metrics are collected. Valid values are 0, 1, 5, 10, 15, 30, 60. | `number` | `0` | no |
@@ -111,20 +111,21 @@ To see a full example, check out the [main.tf](https://github.com/sourcefuse/ter
| [name](#input\_name) | The identifier for the RDS instance or cluster. | `string` | n/a | yes |
| [namespace](#input\_namespace) | Namespace for the resources. | `string` | n/a | yes |
| [network\_type](#input\_network\_type) | (optional) Network type of the cluster. Valid values: IPV4, DUAL. | `string` | `"IPV4"` | no |
-| [option\_group\_config](#input\_option\_group\_config) | Configuration for RDS option group, with attributes to create or specify a group name, engine details, and database options including settings, ports, and versions. | object({
create = optional(bool, false)
name = optional(string, null)
engine_name = optional(string)
major_engine_version = optional(string)
description = optional(string, "Managed by Terraform")
options = map(object({
option_name = string
port = number
version = string
option_settings = map(object({
name = string
value = string
}))
}))
}) | {
"name": null,
"options": {}
} | no |
-| [parameter\_group\_config](#input\_parameter\_group\_config) | Configuration for RDS parameter group, with options to create or specify a group name, family, and a map of database parameters including settings and apply methods. | object({
create = optional(bool, false)
name = optional(string, null)
family = optional(string)
description = optional(string, "Managed by Terraform")
parameters = map(object({
name = string
value = string
apply_method = optional(string, "immediate") # Options: "immediate" or "pending-reboot"
}))
}) | {
"name": null,
"parameters": {}
} | no |
+| [option\_group\_config](#input\_option\_group\_config) | Configuration for RDS option group, with attributes to create or specify a group name, engine details, and database options including settings, ports, and versions. | object({
create = optional(bool, false)
name = optional(string, null)
engine_name = optional(string)
major_engine_version = optional(string)
description = optional(string, "Managed by Terraform")
options = map(object({
option_name = string
port = number
version = string
option_settings = map(object({
name = string
value = string
}))
}))
}) | {
"name": null,
"options": {}
} | no |
+| [parameter\_group\_config](#input\_parameter\_group\_config) | Configuration for RDS parameter group, with options to create or specify a group name, family, and a map of database parameters including settings and apply methods. | object({
create = optional(bool, false)
name = optional(string, null)
family = optional(string)
description = optional(string, "Managed by Terraform")
parameters = map(object({
name = string
value = string
apply_method = optional(string, "immediate") # Options: "immediate" or "pending-reboot"
}))
}) | {
"name": null,
"parameters": {}
} | no |
| [password](#input\_password) | The password for the database. | `string` | `null` | no |
| [performance\_insights\_enabled](#input\_performance\_insights\_enabled) | (optional) Valid only for Non-Aurora Multi-AZ DB Clusters. Enables Performance Insights for the RDS Cluster | `bool` | `false` | no |
| [performance\_insights\_retention\_period](#input\_performance\_insights\_retention\_period) | The retention period (in days) for Performance Insights data. Valid values are 7, 731, or any value between 8 and 730. | `number` | `7` | no |
| [port](#input\_port) | Port on which the DB accepts connections | `number` | n/a | yes |
| [preferred\_backup\_window](#input\_preferred\_backup\_window) | The daily time range during which backups are taken. | `string` | `"07:00-09:00"` | no |
| [preferred\_maintenance\_window](#input\_preferred\_maintenance\_window) | The weekly time range during which maintenance can occur. | `string` | `"sun:06:00-sun:07:00"` | no |
-| [proxy\_config](#input\_proxy\_config) | Configuration object for setting up an AWS RDS Proxy. It includes options for creating the proxy, connection pooling, authentication, and other proxy-specific settings.
- **create** (optional): A boolean that determines whether to create the RDS Proxy resource. Defaults to false.
- **name** (optional): The name of the RDS Proxy. If not specified, Terraform will create a default name.
- **engine\_family**: The database engine family for the proxy (e.g., "MYSQL", "POSTGRESQL").
- **vpc\_subnet\_ids**: List of VPC subnet IDs in which the proxy will be deployed.
- **security\_group\_data**: List of security groups to associate with the RDS Proxy.
- **require\_tls** (optional): Boolean flag to enforce the use of TLS for client connections to the proxy. Defaults to false.
- **debug\_logging** (optional): Boolean flag to enable debug logging for the proxy. Defaults to false.
- **idle\_client\_timeout\_secs** (optional): Number of seconds before the proxy closes idle client connections. The minimum is 60 seconds (1 minute), and the maximum is 28,800 seconds (8 hours). Defaults to 1,800 seconds (30 minutes).
- **role\_arn** (optional): The ARN of the IAM role used by the proxy for accessing database credentials in AWS Secrets Manager. If null, Terraform will create a new IAM role.
Authentication settings:
- **auth.auth\_scheme**: The authentication scheme to use (e.g., "SECRETS").
- **auth.description** (optional): A description of the authentication method. Defaults to null.
- **auth.iam\_auth** (optional): Specifies whether to use IAM authentication for the proxy. Defaults to "DISABLED".
- **auth.secret\_arn**: The ARN of the AWS Secrets Manager secret that contains the database credentials.
- **auth.client\_password\_auth\_type**: Specifies the password authentication type for the database.
Connection pool configuration:
- **connection\_pool\_config.connection\_borrow\_timeout** (optional): The amount of time (in seconds) a client connection can be held open before being returned to the pool. Defaults to 5 seconds.
- **connection\_pool\_config.init\_query** (optional): An optional initialization query executed when a connection is first established. Defaults to null.
- **connection\_pool\_config.max\_connections\_percent** (optional): The maximum percentage of available database connections that the proxy can use. Defaults to 100%.
- **connection\_pool\_config.max\_idle\_connections\_percent** (optional): The maximum percentage of idle database connections that the proxy can keep open. Defaults to 50%.
- **connection\_pool\_config.session\_pinning\_filters** (optional): List of filters for controlling session pinning behavior. Defaults to an empty list. | object({
create = optional(bool, false)
name = optional(string, null)
engine_family = string
vpc_subnet_ids = list(string)
require_tls = optional(bool, false)
debug_logging = optional(bool, false)
idle_client_timeout_secs = optional(number, 30 * 60) // in seconds The minimum is 1 minute and the maximum is 8 hours.
role_arn = optional(string, null) // null value will create new role
auth = object({
auth_scheme = string
description = optional(string, null)
iam_auth = optional(string, "DISABLED")
client_password_auth_type = string
})
additional_auth_list = optional(list(object({
auth_scheme = string
secret_arn = optional(string, null)
description = optional(string, null)
iam_auth = optional(string, "DISABLED")
client_password_auth_type = string
})), [])
connection_pool_config = object({
connection_borrow_timeout = optional(number, 5)
init_query = optional(string, null)
max_connections_percent = optional(number, 100)
max_idle_connections_percent = optional(number, 50)
session_pinning_filters = optional(list(string), [])
})
security_group_data = optional(object({
security_group_ids_to_attach = optional(list(string), [])
create = optional(bool, true)
description = optional(string, null)
ingress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
source_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
self = optional(bool, false)
})), [])
egress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
destination_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
})), [])
}))
}) | {
"auth": null,
"connection_pool_config": null,
"create": false,
"engine_family": "POSTGRESQL",
"security_group_data": {
"create": false
},
"vpc_subnet_ids": []
} | no |
+| [proxy\_config](#input\_proxy\_config) | Configuration object for setting up an AWS RDS Proxy. It includes options for creating the proxy, connection pooling, authentication, and other proxy-specific settings.
- **create** (optional): A boolean that determines whether to create the RDS Proxy resource. Defaults to false.
- **name** (optional): The name of the RDS Proxy. If not specified, Terraform will create a default name.
- **engine\_family**: The database engine family for the proxy (e.g., "MYSQL", "POSTGRESQL").
- **vpc\_subnet\_ids**: List of VPC subnet IDs in which the proxy will be deployed.
- **security\_group\_data**: List of security groups to associate with the RDS Proxy.
- **require\_tls** (optional): Boolean flag to enforce the use of TLS for client connections to the proxy. Defaults to false.
- **debug\_logging** (optional): Boolean flag to enable debug logging for the proxy. Defaults to false.
- **idle\_client\_timeout\_secs** (optional): Number of seconds before the proxy closes idle client connections. The minimum is 60 seconds (1 minute), and the maximum is 28,800 seconds (8 hours). Defaults to 1,800 seconds (30 minutes).
- **role\_arn** (optional): The ARN of the IAM role used by the proxy for accessing database credentials in AWS Secrets Manager. If null, Terraform will create a new IAM role.
Authentication settings:
- **auth.auth\_scheme**: The authentication scheme to use (e.g., "SECRETS").
- **auth.description** (optional): A description of the authentication method. Defaults to null.
- **auth.iam\_auth** (optional): Specifies whether to use IAM authentication for the proxy. Defaults to "DISABLED".
- **auth.secret\_arn**: The ARN of the AWS Secrets Manager secret that contains the database credentials.
- **auth.client\_password\_auth\_type**: Specifies the password authentication type for the database.
Connection pool configuration:
- **connection\_pool\_config.connection\_borrow\_timeout** (optional): The amount of time (in seconds) a client connection can be held open before being returned to the pool. Defaults to 5 seconds.
- **connection\_pool\_config.init\_query** (optional): An optional initialization query executed when a connection is first established. Defaults to null.
- **connection\_pool\_config.max\_connections\_percent** (optional): The maximum percentage of available database connections that the proxy can use. Defaults to 100%.
- **connection\_pool\_config.max\_idle\_connections\_percent** (optional): The maximum percentage of idle database connections that the proxy can keep open. Defaults to 50%.
- **connection\_pool\_config.session\_pinning\_filters** (optional): List of filters for controlling session pinning behavior. Defaults to an empty list. | object({
create = optional(bool, false)
name = optional(string, null)
engine_family = string
vpc_subnet_ids = list(string)
require_tls = optional(bool, false)
debug_logging = optional(bool, false)
idle_client_timeout_secs = optional(number, 30 * 60) // in seconds The minimum is 1 minute and the maximum is 8 hours.
role_arn = optional(string, null) // null value will create new role
auth = object({
auth_scheme = string
description = optional(string, null)
iam_auth = optional(string, "DISABLED")
client_password_auth_type = string
})
additional_auth_list = optional(list(object({
auth_scheme = string
secret_arn = optional(string, null)
description = optional(string, null)
iam_auth = optional(string, "DISABLED")
client_password_auth_type = string
})), [])
connection_pool_config = object({
connection_borrow_timeout = optional(number, 5)
init_query = optional(string, null)
max_connections_percent = optional(number, 100)
max_idle_connections_percent = optional(number, 50)
session_pinning_filters = optional(list(string), [])
})
security_group_data = optional(object({
security_group_ids_to_attach = optional(list(string), [])
create = optional(bool, true)
description = optional(string, null)
ingress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
source_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
self = optional(bool, false)
})), [])
egress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
destination_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
})), [])
}))
}) | {
"auth": null,
"connection_pool_config": null,
"create": false,
"engine_family": "POSTGRESQL",
"security_group_data": {
"create": false
},
"vpc_subnet_ids": []
} | no |
| [publicly\_accessible](#input\_publicly\_accessible) | Whether the RDS instance should be publicly accessible. | `bool` | `false` | no |
-| [rds\_cluster\_instances](#input\_rds\_cluster\_instances) | "(optional) A list of objects defining configurations for RDS Cluster instances. Each object represents a single RDS instance configuration within the cluster, including options for instance class, monitoring, performance insights, maintenance windows, and other instance-specific settings."
name: Optional. Name of the instance (default: null).
instance\_class: The instance class for the RDS instance (e.g., db.r5.large).
availability\_zone: Optional. Specifies the availability zone for the instance (default: null).
publicly\_accessible: Optional. Whether the instance is publicly accessible (default: false).
db\_parameter\_group\_name: Optional. The name of the DB parameter group to associate with the instance (default: null).
apply\_immediately: Optional. Apply modifications immediately or during the next maintenance window (default: false).
ca\_cert\_identifier: Optional. Identifier for the CA certificate for the instance (default: null).
promotion\_tier: Optional. Promotion tier for the instance within the cluster (default: 0).
copy\_tags\_to\_snapshot: Optional. Copy tags to snapshots (default: true). | list(object({
name = optional(string, null)
instance_class = string
availability_zone = optional(string, null)
publicly_accessible = optional(bool, false)
db_parameter_group_name = optional(string, null)
promotion_tier = optional(number, 0)
copy_tags_to_snapshot = optional(bool, true)
})) | `[]` | no |
-| [security\_group\_data](#input\_security\_group\_data) | (optional) Security Group data | object({
security_group_ids_to_attach = optional(list(string), [])
create = optional(bool, true)
description = optional(string, null)
ingress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
source_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
})), [])
egress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
destination_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
})), [])
}) | {
"create": false
} | no |
-| [serverlessv2\_scaling\_config](#input\_serverlessv2\_scaling\_config) | Configuration for Serverless V2 scaling:
- max\_capacity: (Required) The maximum ACU capacity for scaling (e.g., 256.0).
- min\_capacity: (Required) The minimum ACU capacity for scaling (e.g., 0.5). | object({
max_capacity = number
min_capacity = number
}) | {
"max_capacity": 1,
"min_capacity": 0.5
} | no |
+| [rds\_cluster\_instances](#input\_rds\_cluster\_instances) | "(optional) A list of objects defining configurations for RDS Cluster instances. Each object represents a single RDS instance configuration within the cluster, including options for instance class, monitoring, performance insights, maintenance windows, and other instance-specific settings."
name: Optional. Name of the instance (default: null).
instance\_class: The instance class for the RDS instance (e.g., db.r5.large).
availability\_zone: Optional. Specifies the availability zone for the instance (default: null).
publicly\_accessible: Optional. Whether the instance is publicly accessible (default: false).
db\_parameter\_group\_name: Optional. The name of the DB parameter group to associate with the instance (default: null).
apply\_immediately: Optional. Apply modifications immediately or during the next maintenance window (default: false).
ca\_cert\_identifier: Optional. Identifier for the CA certificate for the instance (default: null).
promotion\_tier: Optional. Promotion tier for the instance within the cluster (default: 0).
copy\_tags\_to\_snapshot: Optional. Copy tags to snapshots (default: true). | list(object({
name = optional(string, null)
instance_class = string
availability_zone = optional(string, null)
publicly_accessible = optional(bool, true)
db_parameter_group_name = optional(string, null)
promotion_tier = optional(number, 0)
copy_tags_to_snapshot = optional(bool, true)
})) | `[]` | no |
+| [security\_group\_data](#input\_security\_group\_data) | (optional) Security Group data | object({
security_group_ids_to_attach = optional(list(string), [])
create = optional(bool, true)
description = optional(string, null)
ingress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
source_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
})), [])
egress_rules = optional(list(object({
description = optional(string, null)
cidr_block = optional(string, null)
destination_security_group_id = optional(string, null)
from_port = number
ip_protocol = string
to_port = string
})), [])
}) | {
"create": false
} | no |
+| [serverlessv2\_scaling\_config](#input\_serverlessv2\_scaling\_config) | Configuration for Serverless V2 scaling:
- max\_capacity: (Required) The maximum ACU capacity for scaling (e.g., 256.0).
- min\_capacity: (Required) The minimum ACU capacity for scaling (e.g., 0.5). | object({
max_capacity = number
min_capacity = number
}) | {
"max_capacity": 1,
"min_capacity": 0.5
} | no |
| [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | (optional) Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier. Default is false. | `string` | `true` | no |
+| [snapshot\_identifier](#input\_snapshot\_identifier) | The identifier for the DB snapshot or DB cluster snapshot to restore from.
If provided, the RDS instance will be created from this snapshot and engine/db\_name/username/password will be ignored.
If null, a fresh RDS instance will be created. | `string` | `null` | no |
| [storage\_encrypted](#input\_storage\_encrypted) | Whether to enable storage encryption. | `bool` | `true` | no |
| [storage\_type](#input\_storage\_type) | (optional) Required for Multi-AZ DB cluster) (Forces new for Multi-AZ DB clusters) Specifies the storage type to be associated with the DB cluster. For Aurora DB clusters, storage\_type modifications can be done in-place. For Multi-AZ DB Clusters, the iops argument must also be set. Valid values are: "", aurora-iopt1 (Aurora DB Clusters); io1, io2 (Multi-AZ DB Clusters). Default: "" (Aurora DB Clusters); io1 (Multi-AZ DB Clusters). | `string` | `""` | no |
| [tags](#input\_tags) | A map of tags to assign to the DB Cluster. | `map(string)` | `{}` | no |
@@ -198,4 +199,4 @@ go test
This project is authored by:
-- SourceFuse ARC Team
+- SourceFuse ARC Team
\ No newline at end of file
diff --git a/examples/rds-from-snapshot/.terraform.lock.hcl b/examples/rds-from-snapshot/.terraform.lock.hcl
new file mode 100644
index 0000000..6a72f11
--- /dev/null
+++ b/examples/rds-from-snapshot/.terraform.lock.hcl
@@ -0,0 +1,65 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "5.100.0"
+ constraints = ">= 4.0.0, ~> 5.0, < 6.0.0"
+ hashes = [
+ "h1:Ijt7pOlB7Tr7maGQIqtsLFbl7pSMIj06TVdkoSBcYOw=",
+ "zh:054b8dd49f0549c9a7cc27d159e45327b7b65cf404da5e5a20da154b90b8a644",
+ "zh:0b97bf8d5e03d15d83cc40b0530a1f84b459354939ba6f135a0086c20ebbe6b2",
+ "zh:1589a2266af699cbd5d80737a0fe02e54ec9cf2ca54e7e00ac51c7359056f274",
+ "zh:6330766f1d85f01ae6ea90d1b214b8b74cc8c1badc4696b165b36ddd4cc15f7b",
+ "zh:7c8c2e30d8e55291b86fcb64bdf6c25489d538688545eb48fd74ad622e5d3862",
+ "zh:99b1003bd9bd32ee323544da897148f46a527f622dc3971af63ea3e251596342",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:9f8b909d3ec50ade83c8062290378b1ec553edef6a447c56dadc01a99f4eaa93",
+ "zh:aaef921ff9aabaf8b1869a86d692ebd24fbd4e12c21205034bb679b9caf883a2",
+ "zh:ac882313207aba00dd5a76dbd572a0ddc818bb9cbf5c9d61b28fe30efaec951e",
+ "zh:bb64e8aff37becab373a1a0cc1080990785304141af42ed6aa3dd4913b000421",
+ "zh:dfe495f6621df5540d9c92ad40b8067376350b005c637ea6efac5dc15028add4",
+ "zh:f0ddf0eaf052766cfe09dea8200a946519f653c384ab4336e2a4a64fdd6310e9",
+ "zh:f1b7e684f4c7ae1eed272b6de7d2049bb87a0275cb04dbb7cda6636f600699c9",
+ "zh:ff461571e3f233699bf690db319dfe46aec75e58726636a0d97dd9ac6e32fb70",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/null" {
+ version = "3.2.4"
+ constraints = ">= 3.1.0"
+ hashes = [
+ "h1:L5V05xwp/Gto1leRryuesxjMfgZwjb7oool4WS1UEFQ=",
+ "zh:59f6b52ab4ff35739647f9509ee6d93d7c032985d9f8c6237d1f8a59471bbbe2",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:795c897119ff082133150121d39ff26cb5f89a730a2c8c26f3a9c1abf81a9c43",
+ "zh:7b9c7b16f118fbc2b05a983817b8ce2f86df125857966ad356353baf4bff5c0a",
+ "zh:85e33ab43e0e1726e5f97a874b8e24820b6565ff8076523cc2922ba671492991",
+ "zh:9d32ac3619cfc93eb3c4f423492a8e0f79db05fec58e449dee9b2d5873d5f69f",
+ "zh:9e15c3c9dd8e0d1e3731841d44c34571b6c97f5b95e8296a45318b94e5287a6e",
+ "zh:b4c2ab35d1b7696c30b64bf2c0f3a62329107bd1a9121ce70683dec58af19615",
+ "zh:c43723e8cc65bcdf5e0c92581dcbbdcbdcf18b8d2037406a5f2033b1e22de442",
+ "zh:ceb5495d9c31bfb299d246ab333f08c7fb0d67a4f82681fbf47f2a21c3e11ab5",
+ "zh:e171026b3659305c558d9804062762d168f50ba02b88b231d20ec99578a6233f",
+ "zh:ed0fe2acdb61330b01841fa790be00ec6beaac91d41f311fb8254f74eb6a711f",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+ version = "3.7.2"
+ constraints = ">= 3.4.0"
+ hashes = [
+ "h1:KG4NuIBl1mRWU0KD/BGfCi1YN/j3F7H4YgeeM7iSdNs=",
+ "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f",
+ "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc",
+ "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab",
+ "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3",
+ "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212",
+ "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34",
+ "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967",
+ "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d",
+ "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62",
+ "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0",
+ ]
+}
diff --git a/examples/rds-from-snapshot/README.md b/examples/rds-from-snapshot/README.md
new file mode 100644
index 0000000..4a3f250
--- /dev/null
+++ b/examples/rds-from-snapshot/README.md
@@ -0,0 +1,48 @@
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | ~> 1.3, < 2.0.0 |
+| [aws](#requirement\_aws) | >= 4.0, < 6.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | 5.100.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [rds](#module\_rds) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_subnets.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
+| [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `"poc"` | no |
+| [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `"arc"` | no |
+| [region](#input\_region) | AWS region | `string` | `"us-east-1"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [arn](#output\_arn) | Instance or Cluster ARN |
+| [endpoint](#output\_endpoint) | Instance or Cluster Endpoint |
+| [id](#output\_id) | Instance or Cluster ID |
+| [identifier](#output\_identifier) | Instance or Cluster Identifier |
+| [kms\_key\_id](#output\_kms\_key\_id) | Instance or Cluster KMS Key ID |
+| [monitoring\_role\_arn](#output\_monitoring\_role\_arn) | Instance or Cluster Monitoring Role ARN |
+| [performance\_insights\_kms\_key\_id](#output\_performance\_insights\_kms\_key\_id) | Instance or Cluster Performance Insights KMS Key ID |
+| [port](#output\_port) | Database server port |
+
\ No newline at end of file
diff --git a/examples/rds-from-snapshot/data.tf b/examples/rds-from-snapshot/data.tf
new file mode 100644
index 0000000..c2751e0
--- /dev/null
+++ b/examples/rds-from-snapshot/data.tf
@@ -0,0 +1,23 @@
+################################################
+## imports
+################################################
+## vpc
+data "aws_vpc" "this" {
+ filter {
+ name = "tag:Name"
+ values = ["${var.namespace}-poc-vpc"]
+ }
+}
+
+## network
+data "aws_subnets" "private" {
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.this.id]
+ }
+
+ filter {
+ name = "tag:Name"
+ values = ["*public*"]
+ }
+}
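Review bot: `data.aws_subnets.private` filters on `tag:Name` with `values = ["*public*"]`, so the subnet group that `module.rds` builds from `data.aws_subnets.private.ids` in this example's main.tf is made of public subnets despite the data source's name; the same `*private*` → `*public*` change is made to examples/rds/data.tf in this commit. Placing the instance in public subnets does not by itself expose it, but together with the VPC-wide ingress rule in locals.tf it is not the posture a reader infers from the name `private`. Unless public subnets are deliberate, the filter should read `values = ["*private*"]`; if they are deliberate, rename the data source or add a comment such as `## NOTE: intentionally selects public subnets for this example` so the mismatch is visible.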
diff --git a/examples/rds-from-snapshot/locals.tf b/examples/rds-from-snapshot/locals.tf
new file mode 100644
index 0000000..89da431
--- /dev/null
+++ b/examples/rds-from-snapshot/locals.tf
@@ -0,0 +1,26 @@
+locals {
+ rds_security_group_data = {
+ create = true
+ description = "Security Group for RDS instance"
+
+ ingress_rules = [
+ {
+ description = "Allow traffic from local network"
+ cidr_block = data.aws_vpc.this.cidr_block
+ from_port = 5432
+ ip_protocol = "tcp"
+ to_port = 5432
+ }
+ ]
+
+ egress_rules = [
+ {
+ description = "Allow all outbound traffic"
+ cidr_block = "0.0.0.0/0"
+ from_port = -1
+ ip_protocol = "-1"
+ to_port = -1
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/examples/rds-from-snapshot/main.tf b/examples/rds-from-snapshot/main.tf
new file mode 100644
index 0000000..6dc0eef
--- /dev/null
+++ b/examples/rds-from-snapshot/main.tf
@@ -0,0 +1,53 @@
+################################################################################
+## defaults
+################################################################################
+terraform {
+ required_version = "~> 1.3, < 2.0.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0, < 6.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = var.region
+}
+
+module "rds" {
+ source = "../../"
+
+ environment = var.environment
+ namespace = var.namespace
+ vpc_id = data.aws_vpc.this.id
+
+ name = "${var.namespace}-${var.environment}-test-01-from-snapshot"
+ engine_type = "rds"
+ db_server_class = "db.t3.small"
+ port = 5432
+
+ # Restore from snapshot
+ snapshot_identifier = "manual-snaphost-test01" ### get this using Data block
+
+ # Skip values that don’t apply when restoring from snapshot
+ engine = null
+ engine_version = null
+ username = null
+ manage_user_password = false
+
+ license_model = "postgresql-license"
+
+ db_subnet_group_data = {
+ name = "${var.namespace}-${var.environment}-subnet-group"
+ create = true
+ description = "Subnet group for rds instance"
+ subnet_ids = data.aws_subnets.private.ids
+ }
+
+ security_group_data = local.rds_security_group_data
+ performance_insights_enabled = true
+ monitoring_interval = 5
+
+}
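Review bot: `snapshot_identifier = "manual-snaphost-test01"` hard-codes an identifier (apparently with a typo, "snaphost") that no other account can apply, and the trailing `### get this using Data block` reads as an unfinished TODO. Expose it as a `variable "snapshot_identifier"` in this example's variables.tf, or resolve it with an `aws_db_snapshot` data source as the comment suggests, and remove the inline note. `port = 5432` here appears to have no effect on the restored instance, because the module's main.tf in this commit sets `port` to null whenever `snapshot_identifier` is non-null; either drop it or keep it with a comment explaining which value wins. A short comment that the master credentials are presumably inherited from the snapshot (hence `username = null`) would also help readers of the example.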
diff --git a/examples/rds-from-snapshot/output.tf b/examples/rds-from-snapshot/output.tf
new file mode 100644
index 0000000..7f6cd48
--- /dev/null
+++ b/examples/rds-from-snapshot/output.tf
@@ -0,0 +1,39 @@
+output "id" {
+ value = module.rds.id
+ description = "Instance or Cluster ID"
+}
+
+output "identifier" {
+ value = module.rds.identifier
+ description = "Instance or Cluster Identifier"
+}
+
+output "arn" {
+ value = module.rds.arn
+ description = "Instance or Cluster ARN"
+}
+
+output "port" {
+ value = module.rds.port
+ description = "Database server port"
+}
+
+output "endpoint" {
+ value = module.rds.endpoint
+ description = "Instance or Cluster Endpoint"
+}
+
+output "kms_key_id" {
+ value = module.rds.kms_key_id
+ description = "Instance or Cluster KMS Key ID"
+}
+
+output "performance_insights_kms_key_id" {
+ value = module.rds.performance_insights_kms_key_id
+ description = "Instance or Cluster Performance Insights KMS Key ID"
+}
+
+output "monitoring_role_arn" {
+ value = module.rds.monitoring_role_arn
+ description = "Instance or Cluster Monitoring Role ARN"
+}
diff --git a/examples/rds-from-snapshot/variables.tf b/examples/rds-from-snapshot/variables.tf
new file mode 100644
index 0000000..8e65782
--- /dev/null
+++ b/examples/rds-from-snapshot/variables.tf
@@ -0,0 +1,20 @@
+################################################################################
+## shared
+################################################################################
+variable "region" {
+ type = string
+ default = "us-east-1"
+ description = "AWS region"
+}
+
+variable "environment" {
+ type = string
+ default = "poc"
+ description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
+}
+
+variable "namespace" {
+ type = string
+ default = "arc"
+ description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique"
+}
diff --git a/examples/rds/data.tf b/examples/rds/data.tf
index 3e062e8..4c21977 100644
--- a/examples/rds/data.tf
+++ b/examples/rds/data.tf
@@ -18,6 +18,6 @@ data "aws_subnets" "private" {
filter {
name = "tag:Name"
- values = ["*private*"]
+ values = ["*public*"]
}
-}
+}
\ No newline at end of file
diff --git a/examples/rds/main.tf b/examples/rds/main.tf
index c1bc54c..173ae7d 100644
--- a/examples/rds/main.tf
+++ b/examples/rds/main.tf
@@ -50,7 +50,7 @@ module "rds" {
namespace = var.namespace
vpc_id = data.aws_vpc.this.id
- name = "${var.namespace}-${var.environment}-test"
+ name = "${var.namespace}-${var.environment}-test-01"
engine_type = "rds"
db_server_class = "db.t3.small"
port = 5432
@@ -77,4 +77,10 @@ module "rds" {
deletion_window_in_days = 7
enable_key_rotation = true
}
+
+ # kms_data = {
+ # create = false
+ # kms_key_id = data.aws_kms_key.by_alias.arn
+ # }
+
}
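Review bot: the added `kms_data` block is commented-out code that references `data.aws_kms_key.by_alias`, which is not defined anywhere in this commit's changes, so a reader who uncomments it gets an unresolved reference. Either drop the block or replace it with a one-line prose hint such as `# To reuse an existing key instead of creating one, set kms_data = { create = false, kms_key_id = <existing key ARN> }`.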
diff --git a/locals.tf b/locals.tf
index 12d29fc..d7851f7 100644
--- a/locals.tf
+++ b/locals.tf
@@ -1,7 +1,8 @@
locals {
// Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master_password is provided
// null - is equal to 'false', don't set it to false , known bug : https://github.com/hashicorp/terraform-provider-aws/issues/31179
- manage_user_password = var.manage_user_password ? true : null
+ # manage_user_password = var.manage_user_password ? true : null
+ manage_user_password = coalesce(var.manage_user_password, false)
prefix = "${var.namespace}-${var.environment}"
security_group_ids_to_attach = var.security_group_data.create ? concat(var.security_group_data.security_group_ids_to_attach, [module.security_group[0].id]) : var.security_group_data.security_group_ids_to_attach
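Review bot: `manage_user_password = coalesce(var.manage_user_password, false)` now evaluates to `false` whenever the variable is unset, which is exactly what the retained comment two lines above says not to do (`don't set it to false`, citing the linked provider issue). Either that comment is stale and should be rewritten to say why `false` is now acceptable, or the workaround has been lost and the commented-out original line should be restored rather than left as dead text. Note also that main.tf in this commit passes `var.manage_user_password` directly to `manage_master_user_password`, so this local only governs the `password` expression; the `locals` block continues beyond the hunk.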
diff --git a/main.tf b/main.tf
index a67f7fa..da25985 100644
--- a/main.tf
+++ b/main.tf
@@ -4,20 +4,24 @@
resource "aws_db_instance" "this" {
count = var.engine_type == "rds" ? 1 : 0
- identifier = var.name
- db_name = var.database_name
- allocated_storage = var.allocated_storage
- engine = var.engine
- engine_version = var.engine_version
- engine_lifecycle_support = var.engine_lifecycle_support
- port = var.port
- instance_class = var.db_server_class
+ identifier = var.name
+ # ========= Dynamic logic for snapshot vs new =========
+ snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
- username = var.username
- password = var.password == null && local.manage_user_password == false ? random_password.master[0].result : var.password
- manage_master_user_password = var.manage_user_password
+ # Only set these if NOT restoring from snapshot
+ db_name = var.snapshot_identifier == null ? var.database_name : null
+ username = var.snapshot_identifier == null ? var.username : null
+ password = var.snapshot_identifier == null && local.manage_user_password == false ? random_password.master[0].result : (var.snapshot_identifier == null ? var.password : null)
+ manage_master_user_password = var.snapshot_identifier == null ? var.manage_user_password : null
+ engine = var.snapshot_identifier == null ? var.engine : null
+ engine_version = var.snapshot_identifier == null ? var.engine_version : null
+ engine_lifecycle_support = var.snapshot_identifier == null ? var.engine_lifecycle_support : null
+ port = var.snapshot_identifier == null ? var.port : null
+ # =====================================================
+ allocated_storage = var.allocated_storage
+ instance_class = var.db_server_class
iops = var.iops
db_subnet_group_name = var.db_subnet_group_data.create ? aws_db_subnet_group.this[0].name : null
vpc_security_group_ids = local.security_group_ids_to_attach
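Review bot: the new `password` expression drops the `var.password == null` guard the removed line had, so on a non-restore deployment with `manage_user_password = false` a caller-supplied `var.password` is ignored and the random one is used instead; a form that keeps both behaviours is `password = var.snapshot_identifier != null ? null : (var.password == null && local.manage_user_password == false ? random_password.master[0].result : var.password)`. `snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null` is a tautology and can simply be `snapshot_identifier = var.snapshot_identifier`. Forcing `port` to null on restore also discards a caller's port even though a port can be set on a snapshot restore (the new example still passes `port = 5432`); `port = var.port` looks like the safer line. The `aws_db_instance` body continues beyond the hunk.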
diff --git a/variables.tf b/variables.tf
index b6c0179..4711c90 100644
--- a/variables.tf
+++ b/variables.tf
@@ -19,6 +19,17 @@ variable "vpc_id" {
description = "VPC Id for creating security group"
}
+
+variable "snapshot_identifier" {
+ description = <