AWS RDS Terraform module

March 19, 2026 · View on GitHub

Terraform module which creates RDS resources on AWS.

Root module calls these modules which can also be used separately to create independent resources:

db_instance - creates RDS DB instance
db_subnet_group - creates RDS DB subnet group
db_parameter_group - creates RDS DB parameter group
db_option_group - creates RDS DB option group
db_instance_role_association - creates RDS DB instance role association resources

Usage

module "db" {
  source = "terraform-aws-modules/rds/aws"

  identifier = "demodb"

  engine            = "mysql"
  engine_version    = "8.0"
  instance_class    = "db.t3a.large"
  allocated_storage = 5

  db_name  = "demodb"
  username = "user"
  port     = "3306"

  iam_database_authentication_enabled = true

  vpc_security_group_ids = ["sg-12345678"]

  maintenance_window = "Mon:00:00-Mon:03:00"
  backup_window      = "03:00-06:00"

  # Enhanced Monitoring - see example for details on how to create the role
  # by yourself, in case you don't want to create it automatically
  monitoring_interval    = "30"
  monitoring_role_name   = "MyRDSMonitoringRole"
  create_monitoring_role = true

  tags = {
    Owner       = "user"
    Environment = "dev"
  }

  # DB subnet group
  create_db_subnet_group = true
  subnet_ids             = ["subnet-12345678", "subnet-87654321"]

  # DB parameter group
  family = "mysql8.0"

  # DB option group
  major_engine_version = "8.0"

  # Database Deletion Protection
  deletion_protection = true

  parameters = [
    {
      name  = "character_set_client"
      value = "utf8mb4"
    },
    {
      name  = "character_set_server"
      value = "utf8mb4"
    }
  ]

  options = [
    {
      option_name = "MARIADB_AUDIT_PLUGIN"

      option_settings = [
        {
          name  = "SERVER_AUDIT_EVENTS"
          value = "CONNECT"
        },
        {
          name  = "SERVER_AUDIT_FILE_ROTATIONS"
          value = "37"
        },
      ]
    },
  ]
}

Conditional creation

The following values are provided to toggle on/off creation of the associated resources as desired:

module "db" {
  source = "terraform-aws-modules/rds/aws"

  # Disable creation of RDS instance(s)
  create_db_instance = false

  # Disable creation of option group - provide an option group or default AWS default
  create_db_option_group = false

  # Disable creation of parameter group - provide a parameter group or default to AWS default
  create_db_parameter_group = false

  # Enable creation of subnet group (disabled by default)
  create_db_subnet_group = true

  # Enable creation of monitoring IAM role
  create_monitoring_role = true

  # ... omitted
}

Option Groups

Reference

Users have the ability to:

Create an option group with the name provided:

  option_group_name            = "prod-instance-mysql-8.0"
  option_group_use_name_prefix = false

Create an option group using a unique prefix beginning with the name provided:

  option_group_name = "prod-instance-mysql-8.0"

Pass the name of an option group to use that has been created outside of the module:

  create_db_option_group = false
  option_group_name      = "prod-instance-mysql-8.0" # must already exist in AWS

Skip creating an option group for PostgreSQL entirely as that is not supported

  engine            = "postgres"
  option_group_name = "prod-instance-postgresql-11.0" # this will be ignored, no option group created

Use a default option group provided by AWS

  create_db_option_group = false

Parameter Groups

Reference

Users have the ability to:

Create a parameter group with the name provided:

  parameter_group_name            = "prod-instance-mysql-8.0"
  parameter_group_use_name_prefix = false

Create a parameter group using a unique prefix beginning with the name provided:

  parameter_group_name = "prod-instance-mysql-8.0"

Pass the name of a parameter group to use that has been created outside of the module:

  create_db_parameter_group = false
  parameter_group_name   = "prod-instance-mysql-8.0" # must already exist in AWS

Use a default parameter group provided by AWS

  create_db_parameter_group = false

Examples

Notes

This module does not create RDS security group. Use terraform-aws-security-group module for this.
For an RDS instance with storage_type using gp3, be aware that iops and storage_throughput cannot be specified if the allocated_storage value is below a per-engine threshold. See the RDS User Guide for details.

Requirements

Name	Version
terraform	>= 1.11.1
aws	>= 6.28

Providers

No providers.

Modules

Name	Source	Version
db_instance	./modules/db_instance	n/a
db_instance_role_association	./modules/db_instance_role_association	n/a
db_option_group	./modules/db_option_group	n/a
db_parameter_group	./modules/db_parameter_group	n/a
db_subnet_group	./modules/db_subnet_group	n/a

Resources

No resources.

Inputs

Name	Description	Type	Default	Required
allocated_storage	The allocated storage in gigabytes	`number`	`null`	no
allow_major_version_upgrade	Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible	`bool`	`false`	no
apply_immediately	Specifies whether any database modifications are applied immediately, or during the next maintenance window	`bool`	`false`	no
auto_minor_version_upgrade	Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window	`bool`	`true`	no
availability_zone	The Availability Zone of the RDS instance	`string`	`null`	no
backup_retention_period	The days to retain backups for	`number`	`null`	no
backup_window	The daily time range (in UTC) during which automated backups are created if they are enabled. Example: '09:46-10:16'. Must not overlap with maintenance_window	`string`	`null`	no
blue_green_update	Enables low-downtime updates using RDS Blue/Green deployments.	object({ enabled = optional(bool) })	`null`	no
ca_cert_identifier	Specifies the identifier of the CA certificate for the DB instance	`string`	`null`	no
character_set_name	The character set name to use for DB encoding in Oracle instances. This can't be changed. See Oracle Character Sets Supported in Amazon RDS and Collations and Character Sets for Microsoft SQL Server for more information. This can only be set on creation	`string`	`null`	no
cloudwatch_log_group_class	Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT_ACCESS	`string`	`null`	no
cloudwatch_log_group_kms_key_id	The ARN of the KMS Key to use when encrypting log data	`string`	`null`	no
cloudwatch_log_group_retention_in_days	The number of days to retain CloudWatch logs for the DB instance	`number`	`7`	no
cloudwatch_log_group_skip_destroy	Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state	`bool`	`null`	no
cloudwatch_log_group_tags	Additional tags for the CloudWatch log group(s)	`map(string)`	`{}`	no
copy_tags_to_snapshot	On delete, copy all Instance tags to the final snapshot	`bool`	`true`	no
create_cloudwatch_log_group	Determines whether a CloudWatch log group is created for each `enabled_cloudwatch_logs_exports`	`bool`	`false`	no
create_db_instance	Whether to create a database instance	`bool`	`true`	no
create_db_option_group	Create a database option group	`bool`	`true`	no
create_db_parameter_group	Whether to create a database parameter group	`bool`	`true`	no
create_db_subnet_group	Whether to create a database subnet group	`bool`	`false`	no
create_monitoring_role	Create IAM role with a defined name that permits RDS to send enhanced monitoring metrics to CloudWatch Logs	`bool`	`false`	no
custom_iam_instance_profile	RDS custom iam instance profile	`string`	`null`	no
customer_owned_ip_enabled	Indicates whether to enable a customer-owned IP address (CoIP) for an RDS on Outposts DB instance	`bool`	`null`	no
database_insights_mode	The mode of Database Insights that is enabled for the instance. Valid values: standard, advanced	`string`	`null`	no
db_instance_role_associations	A map of DB instance supported feature name to role association ARNs.	`map(string)`	`{}`	no
db_instance_tags	Additional tags for the DB instance	`map(string)`	`{}`	no
db_name	The DB name to create. If omitted, no database is created initially	`string`	`null`	no
db_option_group_tags	Additional tags for the DB option group	`map(string)`	`{}`	no
db_parameter_group_tags	Additional tags for the DB parameter group	`map(string)`	`{}`	no
db_subnet_group_description	Description of the DB subnet group to create	`string`	`null`	no
db_subnet_group_name	Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC	`string`	`null`	no
db_subnet_group_tags	Additional tags for the DB subnet group	`map(string)`	`{}`	no
db_subnet_group_use_name_prefix	Determines whether to use `subnet_group_name` as is or create a unique name beginning with the `subnet_group_name` as the prefix	`bool`	`true`	no
dedicated_log_volume	Use a dedicated log volume (DLV) for the DB instance. Requires Provisioned IOPS.	`bool`	`false`	no
delete_automated_backups	Specifies whether to remove automated backups immediately after the DB instance is deleted	`bool`	`true`	no
deletion_protection	The database can't be deleted when this value is set to true	`bool`	`false`	no
domain	The ID of the Directory Service Active Directory domain to create the instance in	`string`	`null`	no
domain_auth_secret_arn	(Optional, but required if domain_fqdn is provided) The ARN for the Secrets Manager secret with the self managed Active Directory credentials for the user joining the domain. Conflicts with domain and domain_iam_role_name.	`string`	`null`	no
domain_dns_ips	(Optional, but required if domain_fqdn is provided) The IPv4 DNS IP addresses of your primary and secondary self managed Active Directory domain controllers. Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list. Conflicts with domain and domain_iam_role_name.	`list(string)`	`null`	no
domain_fqdn	The fully qualified domain name (FQDN) of the self managed Active Directory domain. Conflicts with domain and domain_iam_role_name.	`string`	`null`	no
domain_iam_role_name	(Required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service	`string`	`null`	no
domain_ou	(Optional, but required if domain_fqdn is provided) The self managed Active Directory organizational unit for your DB instance to join. Conflicts with domain and domain_iam_role_name.	`string`	`null`	no
enabled_cloudwatch_logs_exports	List of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine): alert, audit, error, general, listener, slowquery, trace, postgresql (PostgreSQL), upgrade (PostgreSQL)	`list(string)`	`[]`	no
engine	The database engine to use	`string`	`null`	no
engine_lifecycle_support	The life cycle type for this DB instance. This setting applies only to RDS for MySQL and RDS for PostgreSQL. Valid values are `open-source-rds-extended-support`, `open-source-rds-extended-support-disabled`. Default value is `open-source-rds-extended-support`.	`string`	`null`	no
engine_version	The engine version to use	`string`	`null`	no
family	The family of the DB parameter group	`string`	`null`	no
final_snapshot_identifier_prefix	The name which is prefixed to the final snapshot on cluster destroy	`string`	`"final"`	no
iam_database_authentication_enabled	Specifies whether or not the mappings of AWS Identity and Access Management (IAM) accounts to database accounts are enabled	`bool`	`false`	no
identifier	The name of the RDS instance	`string`	n/a	yes
instance_class	The instance type of the RDS instance	`string`	`null`	no
instance_use_identifier_prefix	Determines whether to use `identifier` as is or create a unique identifier beginning with `identifier` as the specified prefix	`bool`	`false`	no
iops	The amount of provisioned IOPS. Setting this implies a storage_type of 'io1' or `gp3`. See `notes` for limitations regarding this variable for `gp3`	`number`	`null`	no
kms_key_id	The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage_encrypted is set to true and kms_key_id is not specified the default KMS key created in your account will be used. Be sure to use the full ARN, not a key alias.	`string`	`null`	no
license_model	License model information for this DB instance. Optional, but required for some DB engines, i.e. Oracle SE1	`string`	`null`	no
maintenance_window	The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00'	`string`	`null`	no
major_engine_version	Specifies the major version of the engine that this option group should be associated with	`string`	`null`	no
manage_master_user_password	Set to true to allow RDS to manage the master user password in Secrets Manager	`bool`	`true`	no
manage_master_user_password_rotation	Whether to manage the master user password rotation. By default, false on creation, rotation is managed by RDS. There is not currently a way to disable this on initial creation even when set to false. Setting this value to false after previously having been set to true will disable automatic rotation.	`bool`	`false`	no
master_user_password_rotate_immediately	Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window.	`bool`	`null`	no
master_user_password_rotation_automatically_after_days	Specifies the number of days between automatic scheduled rotations of the secret. Either automatically_after_days or schedule_expression must be specified.	`number`	`null`	no
master_user_password_rotation_duration	The length of the rotation window in hours. For example, 3h for a three hour window.	`string`	`null`	no
master_user_password_rotation_schedule_expression	A cron() or rate() expression that defines the schedule for rotating your secret. Either automatically_after_days or schedule_expression must be specified.	`string`	`null`	no
master_user_secret_kms_key_id	The key ARN, key ID, alias ARN or alias name for the KMS key to encrypt the master user password secret in Secrets Manager. If not specified, the default KMS key for your Amazon Web Services account is used.	`string`	`null`	no
max_allocated_storage	Specifies the value for Storage Autoscaling	`number`	`0`	no
monitoring_interval	The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60	`number`	`0`	no
monitoring_role_arn	The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Must be specified if monitoring_interval is non-zero	`string`	`null`	no
monitoring_role_description	Description of the monitoring IAM role	`string`	`null`	no
monitoring_role_name	Name of the IAM role which will be created when create_monitoring_role is enabled	`string`	`"rds-monitoring-role"`	no
monitoring_role_permissions_boundary	ARN of the policy that is used to set the permissions boundary for the monitoring IAM role	`string`	`null`	no
monitoring_role_use_name_prefix	Determines whether to use `monitoring_role_name` as is or create a unique identifier beginning with `monitoring_role_name` as the specified prefix	`bool`	`false`	no
multi_az	Specifies if the RDS instance is multi-AZ	`bool`	`false`	no
nchar_character_set_name	The national character set is used in the NCHAR, NVARCHAR2, and NCLOB data types for Oracle instances. This can't be changed.	`string`	`null`	no
network_type	The type of network stack to use	`string`	`null`	no
option_group_description	The description of the option group	`string`	`null`	no
option_group_name	Name of the option group	`string`	`null`	no
option_group_skip_destroy	Set to true if you do not wish the option group to be deleted at destroy time, and instead just remove the option group from the Terraform state	`bool`	`null`	no
option_group_timeouts	Define maximum timeout for deletion of `aws_db_option_group` resource	object({ delete = optional(string) })	`null`	no
option_group_use_name_prefix	Determines whether to use `option_group_name` as is or create a unique name beginning with the `option_group_name` as the prefix	`bool`	`true`	no
options	A list of Options to apply	list(object({ option_name = string port = optional(number) version = optional(string) db_security_group_memberships = optional(list(string)) vpc_security_group_memberships = optional(list(string)) option_settings = optional(list(object({ name = string value = string }))) }))	`null`	no
parameter_group_description	Description of the DB parameter group to create	`string`	`null`	no
parameter_group_name	Name of the DB parameter group to associate or create	`string`	`null`	no
parameter_group_skip_destroy	Set to true if you do not wish the parameter group to be deleted at destroy time, and instead just remove the parameter group from the Terraform state	`bool`	`null`	no
parameter_group_use_name_prefix	Determines whether to use `parameter_group_name` as is or create a unique name beginning with the `parameter_group_name` as the prefix	`bool`	`true`	no
parameters	A list of DB parameters (map) to apply	list(object({ name = string value = string apply_method = optional(string) }))	`null`	no
password_wo	Write-Only required unless `manage_master_user_password` is set to `true`, `snapshot_identifier`, or `replicate_source_db` is provided). Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file	`string`	`null`	no
password_wo_version	Used together with password_wo to trigger an update. Increment this value when an update to password_wo is required.	`number`	`null`	no
performance_insights_enabled	Specifies whether Performance Insights are enabled	`bool`	`false`	no
performance_insights_kms_key_id	The ARN for the KMS key to encrypt Performance Insights data	`string`	`null`	no
performance_insights_retention_period	The amount of time in days to retain Performance Insights data. Valid values are `7`, `731` (2 years) or a multiple of `31`	`number`	`7`	no
port	The port on which the DB accepts connections	`string`	`null`	no
publicly_accessible	Bool to control if instance is publicly accessible	`bool`	`false`	no
putin_khuylo	Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!	`bool`	`true`	no
region	Region where this resource will be managed. Defaults to the Region set in the provider configuration	`string`	`null`	no
replica_mode	Specifies whether the replica is in either mounted or open-read-only mode. This attribute is only supported by Oracle instances. Oracle replicas operate in open-read-only mode unless otherwise specified	`string`	`null`	no
replicate_source_db	Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate	`string`	`null`	no
restore_to_point_in_time	Restore to a point in time (MySQL is NOT supported)	object({ restore_time = optional(string) source_db_instance_automated_backups_arn = optional(string) source_db_instance_identifier = optional(string) source_dbi_resource_id = optional(string) use_latest_restorable_time = optional(bool) })	`null`	no
s3_import	Restore from a Percona Xtrabackup in S3 (only MySQL is supported)	object({ source_engine_version = string bucket_name = string bucket_prefix = optional(string) ingestion_role = string })	`null`	no
skip_final_snapshot	Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted	`bool`	`false`	no
snapshot_identifier	Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05	`string`	`null`	no
storage_encrypted	Specifies whether the DB instance is encrypted	`bool`	`true`	no
storage_throughput	Storage throughput value for the DB instance. See `notes` for limitations regarding this variable for `gp3`	`number`	`null`	no
storage_type	One of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (new generation of general purpose SSD), or 'io1' (provisioned IOPS SSD). The default is 'io1' if iops is specified, 'gp2' if not. If you specify 'io1' or 'gp3' , you must also include a value for the 'iops' parameter	`string`	`null`	no
subnet_ids	A list of VPC subnet IDs	`list(string)`	`[]`	no
tags	A mapping of tags to assign to all resources	`map(string)`	`{}`	no
timeouts	Updated Terraform resource management timeouts. Applies to `aws_db_instance` in particular to permit resource management times	object({ create = optional(string) update = optional(string) delete = optional(string) })	`null`	no
timezone	Time zone of the DB instance. timezone is currently only supported by Microsoft SQL Server. The timezone can only be set on creation. See MSSQL User Guide for more information	`string`	`null`	no
upgrade_storage_config	Whether to upgrade the storage file system configuration on the read replica. Can only be set with replicate_source_db.	`bool`	`null`	no
username	Username for the master DB user	`string`	`null`	no
vpc_security_group_ids	List of VPC security groups to associate	`list(string)`	`[]`	no

Outputs

Name	Description
db_instance_address	The address of the RDS instance
db_instance_arn	The ARN of the RDS instance
db_instance_availability_zone	The availability zone of the RDS instance
db_instance_ca_cert_identifier	Specifies the identifier of the CA certificate for the DB instance
db_instance_cloudwatch_log_groups	Map of CloudWatch log groups created and their attributes
db_instance_domain	The ID of the Directory Service Active Directory domain the instance is joined to
db_instance_domain_auth_secret_arn	The ARN for the Secrets Manager secret with the self managed Active Directory credentials for the user joining the domain
db_instance_domain_dns_ips	The IPv4 DNS IP addresses of your primary and secondary self managed Active Directory domain controllers
db_instance_domain_fqdn	The fully qualified domain name (FQDN) of an self managed Active Directory domain
db_instance_domain_iam_role_name	The name of the IAM role to be used when making API calls to the Directory Service
db_instance_domain_ou	The self managed Active Directory organizational unit for your DB instance to join
db_instance_endpoint	The connection endpoint
db_instance_engine	The database engine
db_instance_engine_version_actual	The running version of the database
db_instance_hosted_zone_id	The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record)
db_instance_identifier	The RDS instance identifier
db_instance_master_user_secret_arn	The ARN of the master user secret (Only available when manage_master_user_password is set to true)
db_instance_name	The database name
db_instance_port	The database port
db_instance_resource_id	The RDS Resource ID of this instance
db_instance_role_associations	A map of DB Instance Identifiers and IAM Role ARNs separated by a comma
db_instance_secretsmanager_secret_rotation_enabled	Specifies whether automatic rotation is enabled for the secret
db_instance_status	The RDS instance status
db_instance_upgrade_rollout_order	Order in which the instances are upgraded (first, second, last)
db_instance_username	The master username for the database
db_listener_endpoint	Specifies the listener connection endpoint for SQL Server Always On
db_option_group_arn	The ARN of the db option group
db_option_group_id	The db option group id
db_parameter_group_arn	The ARN of the db parameter group
db_parameter_group_id	The db parameter group id
db_subnet_group_arn	The ARN of the db subnet group
db_subnet_group_id	The db subnet group name
enhanced_monitoring_iam_role_arn	The Amazon Resource Name (ARN) specifying the monitoring role
enhanced_monitoring_iam_role_name	The name of the monitoring role

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.

Additional information for users from Russia and Belarus

Russia has illegally annexed Crimea in 2014 and brought the war in Donbas followed by full-scale invasion of Ukraine in 2022.
Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
Putin khuylo!