allow rds to assume this role

May 14, 2026 Β· View on GitHub

Project Banner

Latest ReleaseLast UpdatedSlack CommunityGet Support

Terraform module to provision an RDS Aurora cluster for MySQL or Postgres.

Supports Amazon Aurora Serverless.

Tip

πŸ‘½ Use Atmos with Terraform

Cloud Posse uses atmos to easily orchestrate multiple environments using Terraform.
Works with Github Actions, Atlantis, or Spacelift.

Watch demo of using Atmos with Terraform
Example of running atmos to manage infrastructure from our Quick Start tutorial.

Usage

For a complete example, see examples/complete.

For automated tests of the complete example using bats and Terratest (which tests and deploys the example on AWS), see test.

Basic example

module "rds_cluster_aurora_postgres" {
  source = "cloudposse/rds-cluster/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"

  name            = "postgres"
  engine          = "aurora-postgresql"
  cluster_family  = "aurora-postgresql9.6"
  # 1 writer, 1 reader
  cluster_size    = 2
  # 1 writer, 3 reader
  # cluster_size    = 4
  # 1 writer, 5 reader
  # cluster_size    = 6
  namespace       = "eg"
  stage           = "dev"
  admin_user      = "admin1"
  admin_password  = "Test123456789"
  db_name         = "dbname"
  db_port         = 5432
  instance_type   = "db.r4.large"
  vpc_id          = "vpc-xxxxxxxx"
  security_groups = ["sg-xxxxxxxx"]
  subnets         = ["subnet-xxxxxxxx", "subnet-xxxxxxxx"]
  zone_id         = "Zxxxxxxxx"
}

Serverless Aurora MySQL 5.6

module "rds_cluster_aurora_mysql_serverless" {
  source = "cloudposse/rds-cluster/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"
  namespace            = "eg"
  stage                = "dev"
  name                 = "db"
  engine               = "aurora"
  engine_mode          = "serverless"
  cluster_family       = "aurora5.6"
  cluster_size         = 0
  admin_user           = "admin1"
  admin_password       = "Test123456789"
  db_name              = "dbname"
  db_port              = 3306
  instance_type        = "db.t2.small"
  vpc_id               = "vpc-xxxxxxxx"
  security_groups      = ["sg-xxxxxxxx"]
  subnets              = ["subnet-xxxxxxxx", "subnet-xxxxxxxx"]
  zone_id              = "Zxxxxxxxx"
  enable_http_endpoint = true

  scaling_configuration = [
    {
      auto_pause               = true
      max_capacity             = 256
      min_capacity             = 2
      seconds_until_auto_pause = 300
    }
  ]
}

Serverless Aurora 2.07.1 MySQL 5.7

module "rds_cluster_aurora_mysql_serverless" {
  source = "cloudposse/rds-cluster/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"
  namespace            = "eg"
  stage                = "dev"
  name                 = "db"
  engine               = "aurora-mysql"
  engine_mode          = "serverless"
  engine_version       = "5.7.mysql_aurora.2.07.1"
  cluster_family       = "aurora-mysql5.7"
  cluster_size         = 0
  admin_user           = "admin1"
  admin_password       = "Test123456789"
  db_name              = "dbname"
  db_port              = 3306
  vpc_id               = "vpc-xxxxxxxx"
  security_groups      = ["sg-xxxxxxxx"]
  subnets              = ["subnet-xxxxxxxx", "subnet-xxxxxxxx"]
  zone_id              = "Zxxxxxxxx"
  enable_http_endpoint = true

  scaling_configuration = [
    {
      auto_pause               = true
      max_capacity             = 16
      min_capacity             = 1
      seconds_until_auto_pause = 300
      timeout_action           = "ForceApplyCapacityChange"
    }
  ]
}

With cluster parameters

module "rds_cluster_aurora_mysql" {
  source = "cloudposse/rds-cluster/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"
  engine          = "aurora"
  cluster_family  = "aurora-mysql5.7"
  cluster_size    = 2
  namespace       = "eg"
  stage           = "dev"
  name            = "db"
  admin_user      = "admin1"
  admin_password  = "Test123456789"
  db_name         = "dbname"
  instance_type   = "db.t2.small"
  vpc_id          = "vpc-xxxxxxx"
  security_groups = ["sg-xxxxxxxx"]
  subnets         = ["subnet-xxxxxxxx", "subnet-xxxxxxxx"]
  zone_id         = "Zxxxxxxxx"

  cluster_parameters = [
    {
      name  = "character_set_client"
      value = "utf8"
    },
    {
      name  = "character_set_connection"
      value = "utf8"
    },
    {
      name  = "character_set_database"
      value = "utf8"
    },
    {
      name  = "character_set_results"
      value = "utf8"
    },
    {
      name  = "character_set_server"
      value = "utf8"
    },
    {
      name  = "collation_connection"
      value = "utf8_bin"
    },
    {
      name  = "collation_server"
      value = "utf8_bin"
    },
    {
      name         = "lower_case_table_names"
      value        = "1"
      apply_method = "pending-reboot"
    },
    {
      name         = "skip-character-set-client-handshake"
      value        = "1"
      apply_method = "pending-reboot"
    }
  ]
}

With enhanced monitoring

# create IAM role for monitoring
resource "aws_iam_role" "enhanced_monitoring" {
  name               = "rds-cluster-example-1"
  assume_role_policy = data.aws_iam_policy_document.enhanced_monitoring.json
}

# Attach Amazon's managed policy for RDS enhanced monitoring
resource "aws_iam_role_policy_attachment" "enhanced_monitoring" {
  role       = aws_iam_role.enhanced_monitoring.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
}

# allow rds to assume this role
data "aws_iam_policy_document" "enhanced_monitoring" {
  statement {
      actions = [
      "sts:AssumeRole",
    ]

    effect = "Allow"

    principals {
      type        = "Service"
      identifiers = ["monitoring.rds.amazonaws.com"]
    }
  }
}

module "rds_cluster_aurora_postgres" {
  source = "cloudposse/rds-cluster/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version     = "x.x.x"
  engine          = "aurora-postgresql"
  cluster_family  = "aurora-postgresql9.6"
  cluster_size    = 2
  namespace       = "eg"
  stage           = "dev"
  name            = "db"
  admin_user      = "admin1"
  admin_password  = "Test123456789"
  db_name         = "dbname"
  db_port         = 5432
  instance_type   = "db.r4.large"
  vpc_id          = "vpc-xxxxxxx"
  security_groups = ["sg-xxxxxxxx"]
  subnets         = ["subnet-xxxxxxxx", "subnet-xxxxxxxx"]
  zone_id         = "Zxxxxxxxx"

  # enable monitoring every 30 seconds
  rds_monitoring_interval = 30

  # reference iam role created above
  rds_monitoring_role_arn = aws_iam_role.enhanced_monitoring.arn
}

Important

In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentation and the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact version you're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematic approach for updating versions to avoid unexpected changes.

Examples

Review the complete example to see how to use this module.

Requirements

NameVersion
terraform>= 1.0.0
aws>= 5.81.0
null>= 2.0
random>= 2.0

Providers

NameVersion
aws>= 5.81.0
random>= 2.0

Modules

NameSourceVersion
dns_mastercloudposse/route53-cluster-hostname/aws0.13.0
dns_replicascloudposse/route53-cluster-hostname/aws0.13.0
enhanced_monitoring_labelcloudposse/label/null0.25.0
rds_identifiercloudposse/label/null0.25.0
thiscloudposse/label/null0.25.0

Resources

NameType
aws_appautoscaling_policy.replicasresource
aws_appautoscaling_target.replicasresource
aws_db_parameter_group.defaultresource
aws_db_subnet_group.defaultresource
aws_iam_role.enhanced_monitoringresource
aws_iam_role_policy_attachment.enhanced_monitoringresource
aws_rds_cluster.primaryresource
aws_rds_cluster.secondaryresource
aws_rds_cluster_activity_stream.primaryresource
aws_rds_cluster_instance.defaultresource
aws_rds_cluster_parameter_group.defaultresource
aws_rds_reserved_instance.defaultresource
aws_security_group.defaultresource
aws_security_group_rule.egressresource
aws_security_group_rule.egress_ipv6resource
aws_security_group_rule.ingress_cidr_blocksresource
aws_security_group_rule.ingress_ipv6_cidr_blocksresource
aws_security_group_rule.ingress_security_groupsresource
aws_security_group_rule.traffic_inside_security_groupresource
random_pet.instanceresource
aws_iam_policy_document.enhanced_monitoringdata source
aws_partition.currentdata source
aws_rds_reserved_instance_offering.defaultdata source

Inputs

NameDescriptionTypeDefaultRequired
activity_stream_enabledWhether to enable Activity Streamsboolfalseno
activity_stream_kms_key_idThe ARN for the KMS key to encrypt Activity Stream Data data. When specifying activity_stream_kms_key_id, activity_stream_enabled needs to be set to truestring""no
activity_stream_modeThe mode for the Activity Streams. async and sync are supported. Defaults to asyncstring"async"no
additional_tag_mapAdditional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.
map(string){}no
admin_passwordPassword for the master DB user. Ignored if snapshot_identifier or replication_source_identifier is providedstring""no
admin_userUsername for the master DB user. Ignored if snapshot_identifier or replication_source_identifier is providedstring"admin"no
admin_user_secret_kms_key_idAmazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.
If not specified, the default KMS key for your Amazon Web Services account is used.
stringnullno
allocated_storageThe allocated storage in GBsnumbernullno
allow_major_version_upgradeEnable to allow major engine version upgrades when changing engine versions. Defaults to false.boolfalseno
allowed_cidr_blocksList of CIDR blocks allowed to access the clusterlist(string)[]no
allowed_ipv6_cidr_blocksList of IPv6 CIDR blocks allowed to access the clusterlist(string)[]no
apply_immediatelySpecifies whether any cluster modifications are applied immediately, or during the next maintenance windowbooltrueno
attributesID element. Additional attributes (e.g. workers or cluster) to add to id,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the delimiter
and treated as a single ID element.
list(string)[]no
auto_minor_version_upgradeIndicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance windowbooltrueno
autoscaling_enabledWhether to enable cluster autoscalingboolfalseno
autoscaling_max_capacityMaximum number of instances to be maintained by the autoscalernumber5no
autoscaling_min_capacityMinimum number of instances to be maintained by the autoscalernumber1no
autoscaling_policy_typeAutoscaling policy type. TargetTrackingScaling and StepScaling are supportedstring"TargetTrackingScaling"no
autoscaling_scale_in_cooldownThe amount of time, in seconds, after a scaling activity completes and before the next scaling down activity can start. Default is 300snumber300no
autoscaling_scale_out_cooldownThe amount of time, in seconds, after a scaling activity completes and before the next scaling up activity can start. Default is 300snumber300no
autoscaling_target_metricsThe metrics type to use. If this value isn't provided the default is CPU utilizationstring"RDSReaderAverageCPUUtilization"no
autoscaling_target_valueThe target value to scale with respect to target metricsnumber75no
backtrack_windowThe target backtrack window, in seconds. Only available for aurora engine currently. Must be between 0 and 259200 (72 hours)number0no
backup_windowDaily time range during which the backups happenstring"07:00-09:00"no
ca_cert_identifierThe identifier of the CA certificate for the DB instancestringnullno
cluster_dns_nameName of the cluster CNAME record to create in the parent DNS zone specified by zone_id. If left empty, the name will be auto-asigned using the format master.var.namestring""no
cluster_familyThe family of the DB cluster parameter groupstring"aurora5.6"no
cluster_identifierThe RDS Cluster Identifier. Will use generated label ID if not suppliedstring""no
cluster_parametersList of DB cluster parameters to apply
list(object({
apply_method = string
name = string
value = string
}))
[]no
cluster_sizeNumber of DB instances to create in the clusternumber2no
cluster_typeEither regional or global.
If regional will be created as a normal, standalone DB.
If global, will be made part of a Global cluster (requires global_cluster_identifier).
string"regional"no
contextSingle object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as null to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.
any
{
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
}
no
copy_tags_to_snapshotCopy tags to backup snapshotsboolfalseno
database_insights_modeThe database insights mode for the RDS cluster. Valid values are standard, advanced. See https://registry.terraform.io/providers/hashicorp/aws/6.16.0/docs/resources/rds_cluster#database_insights_mode-1stringnullno
db_cluster_instance_classThis setting is required to create a provisioned Multi-AZ DB clusterstringnullno
db_nameDatabase name (default is not to create a database)string""no
db_parameter_group_nameThe name to give to the created aws_db_parameter_group resource.
If omitted, the module will generate a name.
string""no
db_portDatabase portnumber3306no
deletion_protectionIf the DB instance should have deletion protection enabledboolfalseno
delimiterDelimiter to be used between ID elements.
Defaults to - (hyphen). Set to "" to use no delimiter at all.
stringnullno
descriptor_formatsDescribe additional descriptors to be output in the descriptors output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
{<br/> format = string<br/> labels = list(string)<br/>}
(Type is any so the map values can later be enhanced to provide additional options.)
format is a Terraform format string to be passed to the format() function.
labels is a list of labels, in order, to pass to format() function.
Label values will be normalized before being passed to format() so they will be
identical to how they appear in id.
Default is {} (descriptors output will be empty).
any{}no
egress_enabledWhether or not to apply the egress security group rule to default security group, defaults to truebooltrueno
enable_global_write_forwardingSet to true, to forward writes to an associated global cluster.boolnullno
enable_http_endpointEnable HTTP endpoint (data API).boolfalseno
enable_local_write_forwardingSet to true, to forward writes sent to a reader to the writer instance.boolnullno
enabledSet to false to prevent the module from creating any resourcesboolnullno
enabled_cloudwatch_logs_exportsList of log types to export to cloudwatch. The following log types are supported: audit, error, general, slowquerylist(string)[]no
engineThe name of the database engine to be used for this DB cluster. Valid values: aurora, aurora-mysql, aurora-postgresqlstring"aurora"no
engine_modeThe database engine mode. Valid values: parallelquery, provisioned, serverlessstring"provisioned"no
engine_versionThe version of the database engine to use. See aws rds describe-db-engine-versionsstring""no
enhanced_monitoring_attributesThe attributes for the enhanced monitoring IAM rolelist(string)
[
"enhanced-monitoring"
]
no
enhanced_monitoring_role_enabledA boolean flag to enable/disable the creation of the enhanced monitoring IAM role. If set to false, the module will not create a new role and will use rds_monitoring_role_arn for enhanced monitoringboolfalseno
environmentID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'stringnullno
global_cluster_identifierID of the Aurora global clusterstring""no
iam_database_authentication_enabledSpecifies whether or mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabledboolfalseno
iam_rolesIam roles for the Aurora clusterlist(string)[]no
id_length_limitLimit id to this many characters (minimum 6).
Set to 0 for unlimited length.
Set to null for keep the existing setting, which defaults to 0.
Does not affect id_full.
numbernullno
instance_availability_zoneOptional parameter to place cluster instances in a specific availability zone. If left empty, will place randomlystring""no
instance_identifier_suffixThe suffix to append to DB instance identifiers.
If null, the module will generate a random suffix. If empty, no suffix will be appended.
stringnullno
instance_parametersList of DB instance parameters to apply
list(object({
apply_method = string
name = string
value = string
}))
[]no
instance_typeInstance type to usestring"db.t2.small"no
intra_security_group_traffic_enabledWhether to allow traffic between resources inside the database's security group.boolfalseno
iopsThe amount of provisioned IOPS. Setting this implies a storage_type of 'io1'. This setting is required to create a Multi-AZ DB cluster. Check TF docs for values based on db enginenumbernullno
kms_key_arnThe ARN for the KMS encryption key. When specifying kms_key_arn, storage_encrypted needs to be set to truestring""no
label_key_caseControls the letter case of the tags keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the tags input.
Possible values: lower, title, upper.
Default value: title.
stringnullno
label_orderThe order in which the labels (ID elements) appear in the id.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.
list(string)nullno
label_value_caseControls the letter case of ID elements (labels) as included in id,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the tags input.
Possible values: lower, title, upper and none (no transformation).
Set this to title and set delimiter to "" to yield Pascal Case IDs.
Default value: lower.
stringnullno
labels_as_tagsSet of labels (ID elements) to include as tags in the tags output.
Default is to include all labels.
Tags with empty values will not be included in the tags output.
Set to [] to suppress all generated tags.
Notes:
The value of the name tag, if included, will be the id, not the name.
Unlike other null-label inputs, the initial setting of labels_as_tags cannot be
changed in later chained modules. Attempts to change it will be silently ignored.
set(string)
[
"default"
]
no
maintenance_windowWeekly time range during which system maintenance can occur, in UTCstring"wed:03:00-wed:04:00"no
manage_admin_user_passwordSet to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master_password is providedboolfalseno
nameID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a tag.
The "name" tag is set to the full id string. There is no tag with the value of the name input.
stringnullno
namespaceID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally uniquestringnullno
network_typeThe network type of the cluster. Valid values: IPV4, DUAL.string"IPV4"no
parameter_group_name_prefix_enabledSet to true to use name_prefix to name the cluster and database parameter groups. Set to false to use name insteadbooltrueno
performance_insights_enabledWhether to enable Performance Insightsboolfalseno
performance_insights_kms_key_idThe ARN for the KMS key to encrypt Performance Insights data. When specifying performance_insights_kms_key_id, performance_insights_enabled needs to be set to truestring""no
performance_insights_retention_periodAmount of time in days to retain Performance Insights data. Either 7 (7 days) or 731 (2 years)numbernullno
promotion_tierFailover Priority setting on instance level. The reader who has lower tier has higher priority to get promoted to writer.

Readers in promotion tiers 0 and 1 scale at the same time as the writer. Readers in promotion tiers 2–15 scale independently from the writer. For more information, see: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless-v2.how-it-works.html#aurora-serverless-v2.how-it-works.scaling
number0no
publicly_accessibleSet to true if you want your cluster to be publicly accessible (such as via QuickSight)boolfalseno
rds_cluster_parameter_group_nameThe name to give to the created aws_rds_cluster_parameter_group resource.
If omitted, the module will generate a name.
string""no
rds_monitoring_intervalThe interval, in seconds, between points when enhanced monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60number0no
rds_monitoring_role_arnThe ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logsstringnullno
rds_ri_durationThe number of years to reserve the instance. Values can be 1 or 3 (or in seconds, 31536000 or 94608000)number1no
rds_ri_offering_typeOffering type of reserved DB instances. Valid values are 'No Upfront', 'Partial Upfront', 'All Upfront'.string""no
rds_ri_reservation_idCustomer-specified identifier to track the reservation of the reserved DB instance.stringnullno
reader_dns_nameName of the reader endpoint CNAME record to create in the parent DNS zone specified by zone_id. If left empty, the name will be auto-asigned using the format replicas.var.namestring""no
regex_replace_charsTerraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.
stringnullno
replication_source_identifierARN of a source DB cluster or DB instance if this DB cluster is to be created as a Read Replicastring""no
restore_to_point_in_timeList of point-in-time recovery options. Valid parameters are:

source_cluster_identifier
Identifier of the source database cluster from which to restore.
restore_type:
Type of restore to be performed. Valid options are "full-copy" and "copy-on-write".
use_latest_restorable_time:
Set to true to restore the database cluster to the latest restorable backup time. Conflicts with restore_to_time.
restore_to_time:
Date and time in UTC format to restore the database cluster to. Conflicts with use_latest_restorable_time.
list(object({
source_cluster_identifier = string
restore_type = optional(string, "copy-on-write")
use_latest_restorable_time = optional(bool, true)
restore_to_time = optional(string, null)
}))
[]no
retention_periodNumber of days to retain backups fornumber5no
s3_importRestore from a Percona Xtrabackup in S3. The bucket_name is required to be in the same region as the resource.
object({
bucket_name = string
bucket_prefix = string
ingestion_role = string
source_engine = string
source_engine_version = string
})
nullno
scaling_configurationList of nested attributes with scaling properties. Only valid when engine_mode is set to serverless
list(object({
auto_pause = bool
max_capacity = number
min_capacity = number
seconds_until_auto_pause = number
timeout_action = string
}))
[]no
security_groupsList of security groups to be allowed to connect to the DB instancelist(string)[]no
serverlessv2_scaling_configurationserverlessv2 scaling properties
object({
min_capacity = number
max_capacity = number
seconds_until_auto_pause = optional(number, null)
})
nullno
skip_final_snapshotDetermines whether a final DB snapshot is created before the DB cluster is deletedbooltrueno
snapshot_identifierSpecifies whether or not to create this cluster from a snapshotstringnullno
source_regionSource Region of primary cluster, needed when using encrypted storage and region replicasstring""no
stageID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'stringnullno
storage_encryptedSpecifies whether the DB cluster is encrypted. The default is false for provisioned engine_mode and true for serverless engine_modeboolfalseno
storage_typeOne of 'standard' (magnetic), 'gp2' (general purpose SSD), 'io1' (provisioned IOPS SSD), 'aurora', or 'aurora-iopt1'stringnullno
subnet_group_nameDatabase subnet group name. Will use generated label ID if not supplied.string""no
subnetsList of VPC subnet IDslist(string)n/ayes
tagsAdditional tags (e.g. {'BusinessUnit': 'XYZ'}).
Neither the tag keys nor the tag values will be modified by this module.
map(string){}no
tenantID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is forstringnullno
timeouts_configurationList of timeout values per action. Only valid actions are create, update and delete
list(object({
create = string
update = string
delete = string
}))
[]no
use_reserved_instancesWARNING: Observe your plans and applies carefully when using this feature.
It has potential to be very expensive if not used correctly.
Also, it is not clear what happens when the reservation expires.

Whether to use reserved instances.
boolfalseno
vpc_idVPC ID to create the cluster in (e.g. vpc-a22222ee)stringn/ayes
vpc_security_group_idsAdditional security group IDs to apply to the cluster, in addition to the provisioned default security group with ingress traffic from existing CIDR blocks and existing security groupslist(string)[]no
zone_idRoute53 DNS Zone ID as list of string (0 or 1 items). If empty, no custom DNS name will be published.
If the list contains a single Zone ID, a custom DNS name will be pulished in that zone.
Can also be a plain string, but that use is DEPRECATED because of Terraform issues.
any[]no

Outputs

NameDescription
activity_stream_arnActivity Stream ARN
activity_stream_nameActivity Stream Name
admin_user_secretThe secret manager attributes for the managed admin user password (master_user_secret).
arnAmazon Resource Name (ARN) of the cluster
cluster_identifierCluster Identifier
cluster_resource_idThe region-unique, immutable identifie of the cluster
cluster_security_groupsDefault RDS cluster security groups
database_nameDatabase name
dbi_resource_idsList of the region-unique, immutable identifiers for the DB instances in the cluster
endpointThe DNS address of the RDS instance
instance_arnsList of ARNs of the DB instances in the cluster
instance_endpointsList of DNS addresses for the DB instances in the cluster
master_hostDB Master hostname
master_usernameUsername for the master DB user
portDB port
reader_endpointA read-only endpoint for the Aurora cluster, automatically load-balanced across replicas
replicas_hostReplicas hostname
reserved_instanceAll information about the reserved instance(s) if created.
security_group_arnSecurity Group ARN
security_group_idSecurity Group ID
security_group_nameSecurity Group name

Check out these related projects.

Tip

Use Terraform Reference Architectures for AWS

Use Cloud Posse's ready-to-go terraform architecture blueprints for AWS to get up and running quickly.

βœ… We build it together with your team.
βœ… Your team owns everything.
βœ… 100% Open Source and backed by fanatical support.

Request Quote

πŸ“š Learn More

Cloud Posse is the leading DevOps Accelerator for funded startups and enterprises.

Your team can operate like a pro today.

Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.

Day-0: Your Foundation for Success

  • Reference Architecture. You'll get everything you need from the ground up built using 100% infrastructure as code.
  • Deployment Strategy. Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
  • Site Reliability Engineering. Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
  • Security Baseline. Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations.
  • GitOps. Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions.

Request Quote

Day-2: Your Operational Mastery

  • Training. Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
  • Support. Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
  • Troubleshooting. Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
  • Code Reviews. Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration.
  • Bug Fixes. Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly.
  • Migration Assistance. Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value.
  • Customer Workshops. Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.

Request Quote

✨ Contributing

This project is under active development, and we encourage contributions from our community.

Many thanks to our outstanding contributors:

For πŸ› bug reports & feature requests, please use the issue tracker.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

  1. Review our Code of Conduct and Contributor Guidelines.
  2. Fork the repo on GitHub
  3. Clone the project to your own machine
  4. Commit changes to your own branch
  5. Push your work back up to your fork
  6. Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

Running Terraform Tests

We use Atmos to streamline how Terraform tests are run. It centralizes configuration and wraps common test workflows with easy-to-use commands.

All tests are located in the test/ folder.

Under the hood, tests are powered by Terratest together with our internal Test Helpers library, providing robust infrastructure validation.

Setup dependencies:

To run tests:

  • Run all tests:
    atmos test run
    
  • Clean up test artifacts:
    atmos test clean
    
  • Explore additional test options:
    atmos test --help
    

The configuration for test commands is centrally managed. To review what's being imported, see the atmos.yaml file.

Learn more about our automated testing in our documentation or implementing custom commands with atmos.

🌎 Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally sweet infrastructure.

πŸ“° Newsletter

Sign up for our newsletter and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know. Dropped straight into your Inbox every week β€” and usually a 5-minute read.

πŸ“† Office Hours

Join us every Wednesday via Zoom for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a live Q&A that you can’t find anywhere else. It's FREE for everyone!

License

License

Preamble to the Apache License, Version 2.0

Complete license is available in the LICENSE file.

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.

Trademarks

All other trademarks referenced herein are the property of their respective owners.


Copyright Β© 2017-2026 Cloud Posse, LLC

README footer

Beacon