AWS Amazon RDS Instance

This page shows how to write Terraform and CloudFormation for an Amazon RDS Instance, and how to write them securely.

aws_db_instance (Terraform)

The Instance in Amazon RDS can be configured in Terraform with the resource name aws_db_instance. The following sections describe 5 examples of how to use the resource and its parameters.

Example Usage from GitHub

db_instance_test.tf#L12
resource "aws_db_instance" "mysql-default" {
  engine         = "mysql"
  instance_class = "db.t3.large"
}

resource "aws_db_instance" "mysql-allocated-storage" {
main.tf#L285
resource "aws_db_instance" "d1" {
  engine         = "mysql"
  instance_class = "db.t3.large"
}

resource "aws_db_instance" "d2" {
aws_db_instance.tf#L5
resource "aws_db_instance" "secureInstance" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
tagging.tf#L16
resource "aws_db_instance" "pass_main_db" {
  count                     = 1
  allocated_storage         = 100
  max_allocated_storage     = 150
  storage_type              = "gp2"
  engine                    = "mysql"

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_db_instance

There are 4 settings in aws_db_instance that should be taken care of for security reasons. The following sections give an overview and example code for each.

Ensure backup retention of your RDS instance is specified

It's better to set it explicitly to reduce the risk of availability issues.

Ensure your RDS instance blocks unwanted access

It's better to limit accessibility to the minimum that is required for your application to work.

Ensure to enable Performance Insights of your RDS instance

It is better to enable Performance Insights on the RDS instance. The feature helps investigate availability issues of the instance.

Ensure to enable storage encryption of your RDS instance

It is better to enable storage encryption of your RDS instance. Encryption reduces the risk of data leakage.
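The following Terraform is an added example that is not code from the original page or from the repositories linked above. It places a weak aws_db_instance next to one that satisfies all four checks (explicit backup retention, no unwanted access, Performance Insights, storage encryption) and also shows Terraform's counterparts to the snapshot-on-delete behaviour discussed in the CloudFormation section below. The variable names, resource names and identifiers are assumptions, as is the hashicorp/aws provider version (5.x, which manage_master_user_password requires).

```hcl
# Added example for the four checks above; it is not code from the original
# page or from the repositories it links to. Assumed inputs: an existing VPC,
# private subnet IDs and the application tier's security group ID, plus the
# hashicorp/aws provider at 5.x (manage_master_user_password needs it).

variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "app_security_group_id" { type = string }

# Weak configuration: every one of the four checks above fails here.
resource "aws_db_instance" "weak" {
  identifier              = "orders-weak"
  engine                  = "mysql"
  engine_version          = "8.0"
  instance_class          = "db.t3.medium"
  allocated_storage       = 20
  username                = "admin"
  password                = "change-me" # secret in code and in raw state
  backup_retention_period = 0           # automated backups disabled
  publicly_accessible     = true        # internet-routable endpoint
  skip_final_snapshot     = true        # destroy drops the data outright
  # storage_encrypted and performance_insights_enabled keep their default
  # (false): unencrypted storage and no Performance Insights data.
}

# Hardened configuration.
resource "aws_db_subnet_group" "db" {
  name       = "orders-db"
  subnet_ids = var.private_subnet_ids # private subnets only
}

resource "aws_security_group" "db" {
  name        = "orders-db"
  description = "MySQL from the application tier only"
  vpc_id      = var.vpc_id

  ingress {
    description     = "MySQL from app servers"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [var.app_security_group_id] # no CIDR ranges
  }
  # No egress block: the database initiates no outbound connections.
}

resource "aws_db_instance" "hardened" {
  identifier        = "orders"
  engine            = "mysql"
  engine_version    = "8.0"
  instance_class    = "db.t3.medium"
  allocated_storage = 20
  storage_type      = "gp3"

  # 1. Backup retention set explicitly (1-35 days) with a fixed window.
  backup_retention_period = 7
  backup_window           = "03:00-04:00"
  copy_tags_to_snapshot   = true

  # 2. Unwanted access blocked: private subnets, not publicly accessible,
  #    and only the application security group may connect on 3306.
  publicly_accessible    = false
  db_subnet_group_name   = aws_db_subnet_group.db.name
  vpc_security_group_ids = [aws_security_group.db.id]

  # 3. Performance Insights on (7 days of retention is the free tier).
  performance_insights_enabled          = true
  performance_insights_retention_period = 7

  # 4. Storage encrypted at rest; set kms_key_id to use a customer-managed
  #    key instead of the AWS-managed RDS key.
  storage_encrypted = true

  # Credentials: RDS generates the master password and stores it in Secrets
  # Manager, so no password literal lands in code or state.
  username                            = "admin"
  manage_master_user_password         = true
  iam_database_authentication_enabled = true

  # Terraform's counterpart to CloudFormation's DeletionPolicy: Snapshot.
  deletion_protection        = true
  skip_final_snapshot        = false
  final_snapshot_identifier  = "orders-final"
  auto_minor_version_upgrade = true
}
```

Note that deletion_protection = true makes terraform destroy fail until the flag is flipped, which is the intended friction; skip_final_snapshot = false with a final_snapshot_identifier ensures that even a deliberate destroy leaves a restorable snapshot behind.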

Review your AWS Amazon RDS settings

You can check if the aws_db_instance setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Provides an RDS instance resource. A DB instance is an isolated database environment in the cloud. A DB instance can contain multiple user-created databases. Changes to a DB instance can occur when you manually change a parameter, such as allocated_storage, and are reflected in the next maintenance window. Because of this, Terraform may report a difference in its planning phase because a modification has not yet taken place. You can use the apply_immediately flag to instruct the service to apply the change immediately (see documentation below). When upgrading the major version of an engine, allow_major_version_upgrade must be set to true.

Note: using apply_immediately can result in a brief downtime as the server reboots. See the AWS Docs on RDS Maintenance for more information. Note: All arguments including the username and password will be stored in the raw state as plain-text. Read more about sensitive data in state. Hands-on: Try the Manage AWS RDS Instances tutorial on HashiCorp Learn.

Tips: Best Practices for The Other AWS Amazon RDS Resources

In addition to aws_db_instance, AWS Amazon RDS has other resources that should be configured for security reasons. Please check some examples of those resources and their precautions.

aws_rds_cluster

Ensure backup retention of your RDS cluster is specified

It's better to set it explicitly to reduce the risk of availability issues.

aws_rds_cluster_instance

Ensure your RDS cluster instance blocks unwanted access

It's better to limit accessibility to the minimum that is required for the application to work.

Review your AWS Amazon RDS settings

In addition to the above, there are other security points you should be aware of; you can make sure that your .tf files are protected with Shisho Cloud.

AWS::RDS::DBInstance (CloudFormation)

The DBInstance in RDS can be configured in CloudFormation with the resource name AWS::RDS::DBInstance. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

rds.yml#L7
    Type: AWS::RDS::DBInstance
    Properties:
      DeletionProtection: !If [IsProd, true, false]
      PubliclyAccessible: true # change depending on bastion config
      EnablePerformanceInsights: true
      Engine: Postgres
rds.yml#L4
    Type: AWS::RDS::DBInstance
    Properties:
      DBSecurityGroups: [!Ref 'MyDbSecurityByEC2SecurityGroup', !Ref 'MyDbSecurityByCIDRIPGroup']
      AllocatedStorage: '5'
      DBInstanceClass: db.m1.small
      Engine: MySQL
rds.template.yml#L10
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: aurora
      PubliclyAccessible: 'false'
      DBInstanceClass: db.r4.large
      DBClusterIdentifier:
test.json#L5
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "StorageEncrypted": true
      }
    },
    "SensitiveDBInstance": {
cft-west-rds-readreplica.json#L25
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "SourceDBInstanceIdentifier": { "Ref": "MasterDBIdentifier" },
        "DBInstanceClass": { "Ref": "RdsInstanceType" },
        "DBInstanceIdentifier":
        {
bad_template.json#L18
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "SourceDBInstanceIdentifier": "sampleDbInstance",
        "MasterUserPassword": {
          "Ref": "Password"
        }
aws_rds.json#L11
    "path": "/ResourceTypes/AWS::RDS::DBInstance/Properties/BackupRetentionPeriod/Value",
    "value": {
      "ValueType": "AWS::RDS::DBInstance.BackupRetentionPeriod"
    }
  },
  {

Parameters

Explanation in CloudFormation Registry

The AWS::RDS::DBInstance resource creates an Amazon RDS DB instance.

If you import an existing DB instance, and the template configuration doesn't match the actual configuration of the DB instance, AWS CloudFormation applies the changes in the template during the import operation.

Important: If a DB instance is deleted or replaced during an update, AWS CloudFormation deletes all automated snapshots. However, it retains manual DB snapshots. During an update that requires replacement, you can apply a stack policy to prevent DB instances from being replaced. For more information, see Prevent Updates to Stack Resources.

Updating DB instances: When properties labeled "Update requires: Replacement" are updated, AWS CloudFormation first creates a replacement DB instance, then changes references from other dependent resources to point to the replacement DB instance, and finally deletes the old DB instance.

Important: We highly recommend that you take a snapshot of the database before updating the stack. If you don't, you lose the data when AWS CloudFormation replaces your DB instance. To preserve your data, perform the following procedure:

  1. Deactivate any applications that are using the DB instance so that there's no activity on the DB instance.

  2. Create a snapshot of the DB instance. For more information about creating DB snapshots, see Creating a DB Snapshot.

  3. If you want to restore your instance using a DB snapshot, modify the updated template with your DB instance changes and add the DBSnapshotIdentifier property with the ID of the DB snapshot that you want to use. After you restore a DB instance with a DBSnapshotIdentifier property, you must specify the same DBSnapshotIdentifier property for any future updates to the DB instance. When you specify this property for an update, the DB instance is not restored from the DB snapshot again, and the data in the database is not changed. However, if you don't specify the DBSnapshotIdentifier property, an empty DB instance is created, and the original DB instance is deleted. If you specify a property that is different from the previous snapshot restore property, a new DB instance is restored from the specified DBSnapshotIdentifier property, and the original DB instance is deleted.

  4. Update the stack.

For more information about updating other properties of this resource, see [ModifyDBInstance](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBInstance.html). For more information about updating stacks, see AWS CloudFormation Stacks Updates.

Deleting DB instances: For DB instances that are part of an Aurora DB cluster, you can set a deletion policy for your DB instance to control how AWS CloudFormation handles the DB instance when the stack is deleted. For Amazon RDS DB instances, you can choose to retain the DB instance, to delete the DB instance, or to create a snapshot of the DB instance. The default AWS CloudFormation behavior depends on the DBClusterIdentifier property:

  1. For AWS::RDS::DBInstance resources that don't specify the DBClusterIdentifier property, AWS CloudFormation saves a snapshot of the DB instance.

  2. For AWS::RDS::DBInstance resources that do specify the DBClusterIdentifier property, AWS CloudFormation deletes the DB instance. For more information, see DeletionPolicy Attribute.

Frequently asked questions

What is AWS Amazon RDS Instance?

AWS Amazon RDS Instance is a resource for Amazon RDS of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon RDS Instance?

For Terraform, the gilyas/infracost, infracost/infracost and terraform-aws-modules/terraform-aws-pricing source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the ProbablyNextTime/db_labs, jetbridge/sls-flask and Svjard/ephemeris source code examples are useful. See the CloudFormation Example section for further details.