README.md

May 21, 2026 · View on GitHub

This component is responsible for provisioning Aurora Postgres RDS clusters. It seeds relevant database information (hostnames, username, password, etc.) into AWS SSM Parameter Store.

Tip

👽 Use Atmos with Terraform

Cloud Posse uses atmos to easily orchestrate multiple environments using Terraform.
Works with Github Actions, Atlantis, or Spacelift.

Watch demo of using Atmos with Terraform

Example of running atmos to manage infrastructure from our Quick Start tutorial.

Usage

Stack Level: Regional

Here's an example for how to use this component.

stacks/catalog/aurora-postgres/defaults.yaml file (base component for all Aurora Postgres clusters with default settings):

components:
  terraform:
    aurora-postgres/defaults:
      metadata:
        type: abstract
      vars:
        enabled: true
        name: aurora-postgres
        tags:
          Team: sre
          Service: aurora-postgres
        cluster_name: shared
        deletion_protection: false
        storage_encrypted: true
        engine: aurora-postgresql

        # Provisioned configuration
        engine_mode: provisioned
        engine_version: "15.3"
        cluster_family: aurora-postgresql15
        # 1 writer, 1 reader
        cluster_size: 2
        # https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Concepts.DBInstanceClass.html
        instance_type: db.t3.medium

        admin_user: postgres
        admin_password: "" # generate random password
        database_name: postgres
        database_port: 5432
        skip_final_snapshot: false
        # Enhanced Monitoring
        # A boolean flag to enable/disable the creation of the enhanced monitoring IAM role.
        # If set to false, the module will not create a new role and will use rds_monitoring_role_arn for enhanced monitoring
        enhanced_monitoring_role_enabled: true
        # The interval, in seconds, between points when enhanced monitoring metrics are collected for the DB instance.
        # To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60
        rds_monitoring_interval: 15
        # Allow ingress from the following accounts
        # If any of tenant, stage, or environment aren't given, this will be taken
        allow_ingress_from_vpc_accounts:
          - tenant: core
            stage: auto

Example (not actual):

stacks/uw2-dev.yaml file (override the default settings for the cluster in the dev account, create an additional database and user):

import:
  - catalog/aurora-postgres/defaults

components:
  terraform:
    aurora-postgres:
      metadata:
        component: aurora-postgres
        inherits:
          - aurora-postgres/defaults
      vars:
        enabled: true

Finding Aurora Engine Version

Use the following to query the AWS API by engine-mode. Both provisioned and Serverless v2 use the privisoned engine mode, whereas only Serverless v1 uses the serverless engine mode.

aws rds describe-db-engine-versions \
  --engine aurora-postgresql \
  --query 'DBEngineVersions[].EngineVersion' \
  --filters 'Name=engine-mode,Values=serverless'

Use the following to query AWS API by db-instance-class. Use this query to find supported versions for a specific instance class, such as db.serverless with Serverless v2.

aws rds describe-orderable-db-instance-options \
  --engine aurora-postgresql \
  --db-instance-class db.serverless \
  --query 'OrderableDBInstanceOptions[].[EngineVersion]'

Once a version has been selected, use the following to find the cluster family.

aws rds describe-db-engine-versions --engine aurora-postgresql --query "DBEngineVersions[]" | \
jq '.[] | select(.EngineVersion == "15.3") |
  { Engine: .Engine, EngineVersion: .EngineVersion, DBParameterGroupFamily: .DBParameterGroupFamily }'

In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentation and the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact version you're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematic approach for updating versions to avoid unexpected changes.

Requirements

Name	Version
terraform	>= 1.3.0
aws	>= 4.9.0, < 6.0.0
postgresql	>= 1.17.1
random	>= 2.3

Providers

Name	Version
aws	>= 4.9.0, < 6.0.0
random	>= 2.3

Modules

Name	Source	Version
aurora_postgres_cluster	cloudposse/rds-cluster/aws	2.6.0
cluster	cloudposse/label/null	0.25.0
dns_gbl_delegated	cloudposse/stack-config/yaml//modules/remote-state	2.0.0
eks	cloudposse/stack-config/yaml//modules/remote-state	2.0.0
iam_roles	../account-map/modules/iam-roles	n/a
kms_key_rds	cloudposse/kms-key/aws	0.12.2
parameter_store_write	cloudposse/ssm-parameter-store/aws	0.13.0
rds_proxy	cloudposse/rds-db-proxy/aws	1.1.1
this	cloudposse/label/null	0.25.0
vpc	cloudposse/stack-config/yaml//modules/remote-state	2.0.0
vpc_ingress	cloudposse/stack-config/yaml//modules/remote-state	2.0.0

Resources

Name	Type
aws_route53_record.proxy	resource
aws_security_group.proxy	resource
aws_security_group_rule.cluster_ingress_from_proxy	resource
aws_security_group_rule.proxy_egress_to_cluster	resource
random_password.admin_password	resource
random_pet.admin_user	resource
random_pet.database_name	resource
aws_caller_identity.current	data source
aws_iam_policy_document.kms_key_rds	data source
aws_partition.current	data source
aws_security_groups.allowed	data source

Inputs

Name	Description	Type	Default	Required
additional_tag_map	Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`. This is for some rare cases where resources want additional configuration of tags and therefore take a list of maps with tag key, value, and additional configuration.	`map(string)`	`{}`	no
admin_password	Postgres password for the admin user	`string`	`""`	no
admin_user	Postgres admin user name	`string`	`""`	no
allow_ingress_from_vpc_accounts	List of account contexts to pull VPC ingress CIDR and add to cluster security group. e.g. { environment = "ue2", stage = "auto", tenant = "core" } Defaults to the "vpc" component in the given account	list(object({ vpc = optional(string, "vpc") environment = optional(string) stage = optional(string) tenant = optional(string) }))	`[]`	no
allow_major_version_upgrade	Enable to allow major engine version upgrades when changing engine versions. Defaults to false.	`bool`	`false`	no
allowed_cidr_blocks	List of CIDRs allowed to access the database (in addition to security groups and subnets)	`list(string)`	`[]`	no
allowed_security_group_ids	List of security group ids that should be allowed access to the database	`list(string)`	`[]`	no
allowed_security_group_names	List of security group names (tags) that should be allowed access to the database	`list(string)`	`[]`	no
attributes	ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`, in the order they appear in the list. New attributes are appended to the end of the list. The elements of the list are joined by the `delimiter` and treated as a single ID element.	`list(string)`	`[]`	no
autoscaling_enabled	Whether to enable cluster autoscaling	`bool`	`false`	no
autoscaling_max_capacity	Maximum number of instances to be maintained by the autoscaler	`number`	`5`	no
autoscaling_min_capacity	Minimum number of instances to be maintained by the autoscaler	`number`	`1`	no
autoscaling_policy_type	Autoscaling policy type. `TargetTrackingScaling` and `StepScaling` are supported	`string`	`"TargetTrackingScaling"`	no
autoscaling_scale_in_cooldown	The amount of time, in seconds, after a scaling activity completes and before the next scaling down activity can start. Default is 300s	`number`	`300`	no
autoscaling_scale_out_cooldown	The amount of time, in seconds, after a scaling activity completes and before the next scaling up activity can start. Default is 300s	`number`	`300`	no
autoscaling_target_metrics	The metrics type to use. If this value isn't provided the default is CPU utilization	`string`	`"RDSReaderAverageCPUUtilization"`	no
autoscaling_target_value	The target value to scale with respect to target metrics	`number`	`75`	no
backup_window	Daily time range during which the backups happen, UTC	`string`	`"07:00-09:00"`	no
ca_cert_identifier	The identifier of the CA certificate for the DB instance	`string`	`null`	no
cluster_dns_name_part	Part of DNS name added to module and cluster name for DNS for cluster endpoint	`string`	`"writer"`	no
cluster_family	Family of the DB parameter group. Valid values for Aurora PostgreSQL: `aurora-postgresql9.6`, `aurora-postgresql10`, `aurora-postgresql11`, `aurora-postgresql12`	`string`	`"aurora-postgresql13"`	no
cluster_name	Short name for this cluster	`string`	n/a	yes
cluster_parameters	List of DB cluster parameters to apply	list(object({ apply_method = string name = string value = string }))	`[]`	no
cluster_size	Postgres cluster size	`number`	n/a	yes
context	Single object for setting entire context at once. See description of individual variables for details. Leave string and numeric variables as `null` to use default value. Individual variable settings (non-null) override settings in context object, except for attributes, tags, and additional_tag_map, which are merged.	`any`	{ "additional_tag_map": {}, "attributes": [], "delimiter": null, "descriptor_formats": {}, "enabled": true, "environment": null, "id_length_limit": null, "label_key_case": null, "label_order": [], "label_value_case": null, "labels_as_tags": [ "unset" ], "name": null, "namespace": null, "regex_replace_chars": null, "stage": null, "tags": {}, "tenant": null }	no
database_insights_mode	The database insights mode for the RDS cluster. Valid values are `standard`, `advanced`. See https://registry.terraform.io/providers/hashicorp/aws/6.16.0/docs/resources/rds_cluster#database_insights_mode-1	`string`	`null`	no
database_name	Name for an automatically created database on cluster creation. An empty name will generate a db name.	`string`	`""`	no
database_port	Database port	`number`	`5432`	no
deletion_protection	Specifies whether the Cluster should have deletion protection enabled. The database can't be deleted when this value is set to `true`	`bool`	`false`	no
delimiter	Delimiter to be used between ID elements. Defaults to `-` (hyphen). Set to `""` to use no delimiter at all.	`string`	`null`	no
descriptor_formats	Describe additional descriptors to be output in the `descriptors` output map. Map of maps. Keys are names of descriptors. Values are maps of the form `{<br/> format = string<br/> labels = list(string)<br/>}` (Type is `any` so the map values can later be enhanced to provide additional options.) `format` is a Terraform format string to be passed to the `format()` function. `labels` is a list of labels, in order, to pass to `format()` function. Label values will be normalized before being passed to `format()` so they will be identical to how they appear in `id`. Default is `{}` (`descriptors` output will be empty).	`any`	`{}`	no
dns_gbl_delegated_environment_name	The name of the environment where global `dns_delegated` is provisioned	`string`	`"gbl"`	no
egress_enabled	If `true`, the created security group will allow egress on all ports and protocols to all IP addresses. If `false`, no egress rules will be created by this module; egress must be configured via other means (e.g. additional security group rules) or all outbound traffic will be denied.	`bool`	`true`	no
eks_component_names	The names of the eks components	`set(string)`	[ "eks/cluster" ]	no
eks_security_group_enabled	Use the eks default security group	`bool`	`false`	no
enabled	Set to false to prevent the module from creating any resources	`bool`	`null`	no
enabled_cloudwatch_logs_exports	List of log types to export to cloudwatch. The following log types are supported: audit, error, general, slowquery	`list(string)`	`[]`	no
engine	Name of the database engine to be used for the DB cluster	`string`	`"postgresql"`	no
engine_mode	The database engine mode. Valid values: `global`, `multimaster`, `parallelquery`, `provisioned`, `serverless`	`string`	n/a	yes
engine_version	Engine version of the Aurora global database	`string`	`"13.4"`	no
enhanced_monitoring_attributes	Attributes used to format the Enhanced Monitoring IAM role. If this role hits IAM role length restrictions (max 64 characters), consider shortening these strings.	`list(string)`	[ "enhanced-monitoring" ]	no
enhanced_monitoring_role_enabled	A boolean flag to enable/disable the creation of the enhanced monitoring IAM role. If set to `false`, the module will not create a new role and will use `rds_monitoring_role_arn` for enhanced monitoring	`bool`	`true`	no
environment	ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'	`string`	`null`	no
iam_database_authentication_enabled	Specifies whether or mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled	`bool`	`false`	no
id_length_limit	Limit `id` to this many characters (minimum 6). Set to `0` for unlimited length. Set to `null` for keep the existing setting, which defaults to `0`. Does not affect `id_full`.	`number`	`null`	no
instance_type	EC2 instance type for Postgres cluster	`string`	n/a	yes
intra_security_group_traffic_enabled	Whether to allow traffic between resources inside the database's security group.	`bool`	`false`	no
label_key_case	Controls the letter case of the `tags` keys (label names) for tags generated by this module. Does not affect keys of tags passed in via the `tags` input. Possible values: `lower`, `title`, `upper`. Default value: `title`.	`string`	`null`	no
label_order	The order in which the labels (ID elements) appear in the `id`. Defaults to ["namespace", "environment", "stage", "name", "attributes"]. You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.	`list(string)`	`null`	no
label_value_case	Controls the letter case of ID elements (labels) as included in `id`, set as tag values, and output by this module individually. Does not affect values of tags passed in via the `tags` input. Possible values: `lower`, `title`, `upper` and `none` (no transformation). Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs. Default value: `lower`.	`string`	`null`	no
labels_as_tags	Set of labels (ID elements) to include as tags in the `tags` output. Default is to include all labels. Tags with empty values will not be included in the `tags` output. Set to `[]` to suppress all generated tags. Notes: The value of the `name` tag, if included, will be the `id`, not the `name`. Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be changed in later chained modules. Attempts to change it will be silently ignored.	`set(string)`	[ "default" ]	no
maintenance_window	Weekly time range during which system maintenance can occur, in UTC	`string`	`"wed:03:00-wed:04:00"`	no
manage_admin_user_password	Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if admin_password is provided	`bool`	`false`	no
name	ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. This is the only ID element not also included as a `tag`. The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input.	`string`	`null`	no
namespace	ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique	`string`	`null`	no
performance_insights_enabled	Whether to enable Performance Insights	`bool`	`false`	no
promotion_tier	Failover Priority setting on instance level. The reader who has lower tier has higher priority to get promoted to writer. Readers in promotion tiers 0 and 1 scale at the same time as the writer. Readers in promotion tiers 2–15 scale independently from the writer. For more information, see: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.how-it-works.html#aurora-serverless-v2.how-it-works.scaling	`number`	`0`	no
proxy_auth	Configuration blocks with authorization mechanisms to connect to the associated database instances or clusters. Each block supports: - auth_scheme: The type of authentication that the proxy uses for connections. Valid values: SECRETS - client_password_auth_type: The type of authentication the proxy uses for connections from clients. Valid values: MYSQL_NATIVE_PASSWORD, POSTGRES_SCRAM_SHA_256, POSTGRES_MD5, SQL_SERVER_AUTHENTICATION - description: A user-specified description about the authentication used by a proxy - iam_auth: Whether to require or disallow AWS IAM authentication. Valid values: DISABLED, REQUIRED, OPTIONAL - secret_arn: The ARN of the Secrets Manager secret containing the database credentials - username: The name of the database user to which the proxy connects	list(object({ auth_scheme = optional(string, "SECRETS") client_password_auth_type = optional(string) description = optional(string) iam_auth = optional(string, "DISABLED") secret_arn = optional(string) username = optional(string) }))	`null`	no
proxy_client_password_auth_type	The type of authentication the proxy uses for connections from clients. Valid values: MYSQL_NATIVE_PASSWORD, POSTGRES_SCRAM_SHA_256, POSTGRES_MD5, SQL_SERVER_AUTHENTICATION	`string`	`null`	no
proxy_connection_borrow_timeout	The number of seconds for a proxy to wait for a connection to become available in the connection pool	`number`	`120`	no
proxy_debug_logging	Whether the proxy includes detailed information about SQL statements in its logs	`bool`	`false`	no
proxy_dns_enabled	Whether to create a Route53 DNS record for the proxy endpoint	`bool`	`true`	no
proxy_dns_name_part	Part of DNS name added to module and cluster name for DNS for the proxy endpoint	`string`	`"proxy"`	no
proxy_enabled	Whether to enable RDS Proxy for the Aurora cluster	`bool`	`false`	no
proxy_existing_iam_role_arn	The ARN of an existing IAM role that the proxy can use to access secrets in AWS Secrets Manager. If not provided, the module will create a role to access secrets in Secrets Manager	`string`	`null`	no
proxy_iam_auth	Whether to require or disallow AWS IAM authentication for connections to the proxy. Valid values: DISABLED, REQUIRED, OPTIONAL	`string`	`"DISABLED"`	no
proxy_iam_role_attributes	Additional attributes to add to the ID of the IAM role that the proxy uses to access secrets in AWS Secrets Manager	`list(string)`	`null`	no
proxy_idle_client_timeout	The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it	`number`	`1800`	no
proxy_init_query	One or more SQL statements for the proxy to run when opening each new database connection	`string`	`null`	no
proxy_max_connections_percent	The maximum size of the connection pool for each target in a target group. Must be between 1 and 100.	`number`	`100`	no
proxy_max_idle_connections_percent	Controls how actively the proxy closes idle database connections in the connection pool. Must be between 0 and 100.	`number`	`50`	no
proxy_require_tls	A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy	`bool`	`true`	no
proxy_secret_arn	The ARN of the secret in AWS Secrets Manager that contains the database credentials. Required if manage_admin_user_password is false and proxy_auth is not provided	`string`	`null`	no
proxy_session_pinning_filters	Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection	`list(string)`	`null`	no
publicly_accessible	Set true to make this database accessible from the public internet	`bool`	`false`	no
rds_monitoring_interval	The interval, in seconds, between points when enhanced monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60	`number`	`60`	no
reader_dns_name_part	Part of DNS name added to module and cluster name for DNS for cluster reader	`string`	`"reader"`	no
regex_replace_chars	Terraform regular expression (regex) string. Characters matching the regex will be removed from the ID elements. If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits.	`string`	`null`	no
region	AWS Region	`string`	n/a	yes
restore_to_point_in_time	List of point-in-time recovery options. Valid parameters are: `source_cluster_identifier` Identifier of the source database cluster from which to restore. `restore_type`: Type of restore to be performed. Valid options are "full-copy" and "copy-on-write". `use_latest_restorable_time`: Set to true to restore the database cluster to the latest restorable backup time. Conflicts with `restore_to_time`. `restore_to_time`: Date and time in UTC format to restore the database cluster to. Conflicts with `use_latest_restorable_time`.	list(object({ source_cluster_identifier = string restore_type = optional(string, "copy-on-write") use_latest_restorable_time = optional(bool, true) restore_to_time = optional(string, null) }))	`[]`	no
retention_period	Number of days to retain backups for	`number`	`5`	no
scaling_configuration	List of nested attributes with scaling properties. Only valid when `engine_mode` is set to `serverless`. This is required for Serverless v1	list(object({ auto_pause = bool max_capacity = number min_capacity = number seconds_until_auto_pause = number timeout_action = string }))	`[]`	no
serverlessv2_scaling_configuration	Nested attribute with scaling properties for ServerlessV2. Only valid when `engine_mode` is set to `provisioned.` This is required for Serverless v2	object({ min_capacity = number max_capacity = number })	`null`	no
skip_final_snapshot	Normally AWS makes a snapshot of the database before deleting it. Set this to `true` in order to skip this. NOTE: The final snapshot has a name derived from the cluster name. If you delete a cluster, get a final snapshot, then create a cluster of the same name, its final snapshot will fail with a name collision unless you delete the previous final snapshot first.	`bool`	`false`	no
snapshot_identifier	Specifies whether or not to create this cluster from a snapshot	`string`	`null`	no
ssm_cluster_name_override	Set a cluster name into the ssm path prefix	`string`	`""`	no
ssm_path_prefix	Top level SSM path prefix (without leading or trailing slash)	`string`	`"aurora-postgres"`	no
stage	ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'	`string`	`null`	no
storage_encrypted	Specifies whether the DB cluster is encrypted	`bool`	`true`	no
storage_type	One of 'standard' (magnetic), 'gp2' (general purpose SSD), 'io1' (provisioned IOPS SSD), 'aurora', or 'aurora-iopt1'	`string`	`null`	no
tags	Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`). Neither the tag keys nor the tag values will be modified by this module.	`map(string)`	`{}`	no
tenant	ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for	`string`	`null`	no
vpc_component_name	The name of the VPC component	`string`	`"vpc"`	no

Outputs

Name	Description
admin_username	Postgres admin username
allowed_security_groups	The resulting list of security group IDs that are allowed to connect to the Aurora Postgres cluster.
cluster_endpoint	Postgres cluster endpoint
cluster_identifier	Postgres cluster identifier
config_map	Map containing information pertinent to a PostgreSQL client configuration.
database_name	Postgres database name
instance_endpoints	List of Postgres instance endpoints
kms_key_arn	KMS key ARN for Aurora Postgres
master_hostname	Postgres master hostname
proxy_arn	The ARN of the RDS Proxy
proxy_default_target_group_arn	The Amazon Resource Name (ARN) representing the default target group
proxy_default_target_group_name	The name of the default target group
proxy_dns_name	The DNS name of the RDS Proxy (Route53 record)
proxy_endpoint	The endpoint of the RDS Proxy
proxy_iam_role_arn	The ARN of the IAM role that the proxy uses to access secrets in AWS Secrets Manager
proxy_id	The ID of the RDS Proxy
proxy_security_group_id	The security group ID of the RDS Proxy
proxy_target_endpoint	Hostname for the target RDS DB Instance
proxy_target_id	Identifier of db_proxy_name, target_group_name, target type, and resource identifier separated by forward slashes
proxy_target_port	Port for the target Aurora DB cluster
proxy_target_rds_resource_id	Identifier representing the DB cluster target
proxy_target_type	Type of target (e.g. RDS_INSTANCE or TRACKED_CLUSTER)
reader_endpoint	Postgres reader endpoint
replicas_hostname	Postgres replicas hostname
security_group_id	The security group ID of the Aurora Postgres cluster
ssm_key_paths	Names (key paths) of all SSM parameters stored for this cluster

Check out these related projects.

Cloud Posse Terraform Modules - Our collection of reusable Terraform modules used by our reference architectures.
Atmos - Atmos is like docker-compose but for your infrastructure

References

For additional context, refer to some of these links.

cloudposse-terraform-components - Cloud Posse's upstream component

Tip

Use Terraform Reference Architectures for AWS

Use Cloud Posse's ready-to-go terraform architecture blueprints for AWS to get up and running quickly.

✅ We build it together with your team.
✅ Your team owns everything.
✅ 100% Open Source and backed by fanatical support.

📚 Learn More

Cloud Posse is the leading DevOps Accelerator for funded startups and enterprises.

Your team can operate like a pro today.

Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.

Day-0: Your Foundation for Success

Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
Deployment Strategy. Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
Site Reliability Engineering. Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
Security Baseline. Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations.
GitOps. Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions.

Day-2: Your Operational Mastery

Training. Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
Support. Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
Troubleshooting. Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
Code Reviews. Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration.
Bug Fixes. Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly.
Migration Assistance. Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value.
Customer Workshops. Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.

✨ Contributing

This project is under active development, and we encourage contributions from our community.

Many thanks to our outstanding contributors:

For 🐛 bug reports & feature requests, please use the issue tracker.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

Review our Code of Conduct and Contributor Guidelines.
Fork the repo on GitHub
Clone the project to your own machine
Commit changes to your own branch
Push your work back up to your fork
Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

Running Terraform Tests

We use Atmos to streamline how Terraform tests are run. It centralizes configuration and wraps common test workflows with easy-to-use commands.

All tests are located in the test/ folder.

Under the hood, tests are powered by Terratest together with our internal Test Helpers library, providing robust infrastructure validation.

Setup dependencies:

Install Atmos (installation guide)
Install Go 1.24+ or newer
Install Terraform or OpenTofu

To run tests:

Run all tests:
```
atmos test run
```
Clean up test artifacts:
```
atmos test clean
```
Explore additional test options:
```
atmos test --help
```

The configuration for test commands is centrally managed. To review what's being imported, see the atmos.yaml file.

Learn more about our automated testing in our documentation or implementing custom commands with atmos.

🌎 Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.

Sign up for our newsletter and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know. Dropped straight into your Inbox every week — and usually a 5-minute read.

📆 Office Hours

Join us every Wednesday via Zoom for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a live Q&A that you can’t find anywhere else. It's FREE for everyone!

License

Preamble to the Apache License, Version 2.0

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.

Trademarks

All other trademarks referenced herein are the property of their respective owners.