AWS Amazon RDS Cluster Instance

This page shows how to write Terraform and CloudFormation for Amazon RDS Cluster Instance and write them securely.

aws_rds_cluster_instance (Terraform)

The Cluster Instance in Amazon RDS can be configured in Terraform with the resource name aws_rds_cluster_instance. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L27
resource "aws_rds_cluster_instance" "cluster_instances" {
  db_subnet_group_name = aws_db_subnet_group.db_team4.name
  identifier           = "aurora-cluster-demo"
  cluster_identifier   = aws_rds_cluster.default.cluster_identifier
  instance_class       = var.instance_class
  engine_version       = aws_rds_cluster.default.engine_version

main.tf#L30
resource "aws_rds_cluster_instance" "primary" {
  provider = "aws.primary"

  cluster_identifier = aws_rds_cluster.primary.id
  instance_class     = var.aurora_instance_class
  engine             = "aurora"

main.tf#L27
resource "aws_rds_cluster_instance" "cluster_instances" {
  db_subnet_group_name = aws_db_subnet_group.db_team4.name
  identifier           = "aurora-cluster-demo"
  cluster_identifier   = aws_rds_cluster.default.cluster_identifier
  instance_class       = var.instance_class
  engine_version       = aws_rds_cluster.default.engine_version

rds_cluster_instance_test.tf#L20
resource "aws_rds_cluster_instance" "cluster_instance" {
  identifier         = "aurora-cluster-demo"
  cluster_identifier = aws_rds_cluster.default.id
  instance_class     = "db.r4.large"
  engine             = aws_rds_cluster.default.engine
  engine_version     = aws_rds_cluster.default.engine_version

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_rds_cluster_instance

There are 2 settings in aws_rds_cluster_instance that should be taken care of for security reasons. The following sections explain each with an overview and example code.

Ensure your RDS cluster instance blocks unwanted access

It's better to limit accessibility to the minimum that is required for the application to work.

Ensure Performance Insights is enabled for your RDS cluster

It is better to enable Performance Insights for your RDS cluster. The feature helps investigate availability issues of the cluster.
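One way to check both settings before apply, as an added example that is not part of the original page or of Shisho Cloud: the script below walks the JSON produced by `terraform show -json` for a plan and reports every aws_rds_cluster_instance whose publicly_accessible is true or whose performance_insights_enabled is not true. The sample plan and its resource addresses are constructed, and treating an absent value as "not enabled" is an assumption.

```python
import json

# Constructed sample (not from the page): a trimmed `terraform show -json` plan.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_rds_cluster_instance.public_no_pi",
     "type": "aws_rds_cluster_instance",
     "values": {"publicly_accessible": true, "performance_insights_enabled": false}},
    {"address": "aws_rds_cluster.default", "type": "aws_rds_cluster", "values": {}}
  ],
  "child_modules": [{
    "address": "module.db",
    "resources": [
      {"address": "module.db.aws_rds_cluster_instance.hardened[0]",
       "type": "aws_rds_cluster_instance",
       "values": {"publicly_accessible": false, "performance_insights_enabled": true}},
      {"address": "module.db.aws_rds_cluster_instance.unset[0]",
       "type": "aws_rds_cluster_instance",
       "values": {"publicly_accessible": false}}
    ]}]
}}}
""")

def walk(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def check_plan(plan):
    """Return (address, problem) pairs for the two settings this page flags."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in walk(root):
        if res.get("type") != "aws_rds_cluster_instance":
            continue
        values = res.get("values") or {}
        if values.get("publicly_accessible") is True:
            findings.append((res["address"], "publicly_accessible is true"))
        # Assumption: an absent or null value counts as "not enabled".
        if values.get("performance_insights_enabled") is not True:
            findings.append((res["address"], "performance_insights_enabled is not true"))
    return findings

if __name__ == "__main__":
    for address, problem in check_plan(SAMPLE_PLAN):
        print(f"{address}: {problem}")
```

In a pipeline, replace SAMPLE_PLAN with the parsed output of `terraform show -json` for the saved plan file and fail the job when check_plan returns anything.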

Review your AWS Amazon RDS settings

You can check if the aws_rds_cluster_instance setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Provides an RDS Cluster Instance Resource. A Cluster Instance Resource defines attributes that are specific to a single instance in an RDS Cluster, specifically running Amazon Aurora. Unlike other RDS resources that support replication, with Amazon Aurora you do not designate a primary and subsequent replicas. Instead, you simply add RDS Instances and Aurora manages the replication. You can use the count meta-parameter to make multiple instances and join them all to the same RDS Cluster, or you may specify different Cluster Instance resources with various instance_class sizes. For more information on Amazon Aurora, see Aurora on Amazon RDS in the Amazon RDS User Guide.

NOTE: Deletion Protection from the RDS service can only be enabled at the cluster level, not for individual cluster instances. You can still add the prevent_destroy lifecycle behavior to your Terraform resource configuration if you desire protection from accidental deletion.

Tips: Best Practices for The Other AWS Amazon RDS Resources

In addition to aws_db_instance, AWS Amazon RDS has other resources that should be configured with security in mind. The following are some examples of those resources and the precautions to take.

aws_db_instance

Ensure backup retention of your RDS instance is specified

It's better to set it explicitly to reduce the risk of availability issues.

aws_rds_cluster

Ensure backup retention of your RDS cluster is specified

It's better to set it explicitly to reduce the risk of availability issues.

Review your AWS Amazon RDS settings

In addition to the above, there are other security points you should be aware of. You can use Shisho Cloud to make sure that your .tf files are protected.

AWS::RDS::DBCluster (CloudFormation)

The DBCluster in RDS can be configured in CloudFormation with the resource name AWS::RDS::DBCluster. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

deploy.yml#L4
    Type: 'AWS::RDS::DBCluster'
    Properties:
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      DBClusterIdentifier: aurora-postgresql-cluster
      Engine: aurora-postgresql

deploy.yml#L4
    Type: 'AWS::RDS::DBCluster'
    Properties:
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      DBClusterIdentifier: aurora-postgresql-cluster
      Engine: aurora-postgresql

RDS.yml#L3
    Type: 'AWS::RDS::DBClusterParameterGroup'
    Properties:
      Description: 'Aurora PostgreSQL 10 Parameter Group'
      Family: aurora-postgresql10
      Parameters:
        rds.force_ssl: 1

aurora.yml#L3
    Type: AWS::RDS::DBCluster
    Properties:
      DatabaseName: ${self:custom.environments.DB_DATABASE}
      Engine: aurora-mysql
      EngineMode: serverless
      MasterUsername: ${self:custom.environments.DB_USER_NAME}

aurora-serverless.yml#L24
      TargetType: AWS::RDS::DBCluster

  # aurora-postgresql serverless DB
  DBCluster:
    Type: AWS::RDS::DBCluster
    Properties:

config.ListDiscoveredResources_1.json#L6
                "resourceType": "AWS::RDS::DBClusterSnapshot",
                "resourceId": "rds:database-1-2020-05-19-05-58",
                "resourceName": "rds:database-1-2020-05-19-05-58"
            },
            {
                "resourceType": "AWS::RDS::DBClusterSnapshot",

config.ListDiscoveredResources_1.json#L6
                "resourceType": "AWS::RDS::DBClusterSnapshot",
                "resourceId": "rds:database-1-2020-05-19-05-58",
                "resourceName": "rds:database-1-2020-05-19-05-58"
            },
            {
                "resourceType": "AWS::RDS::DBClusterSnapshot",

config.ListDiscoveredResources_1.json#L6
                "resourceType": "AWS::RDS::DBClusterSnapshot",
                "resourceId": "rds:database-1-2020-05-19-05-58",
                "resourceName": "rds:database-1-2020-05-19-05-58"
            },
            {
                "resourceType": "AWS::RDS::DBClusterSnapshot",

cloudformation-list-stack-resources.aurora.json#L5
            "ResourceType": "AWS::RDS::DBCluster",
            "ResourceStatus": "CREATE_COMPLETE"
        },
        {
            "PhysicalResourceId": "auroraClusterParameterGroup",
            "ResourceType": "AWS::RDS::DBClusterParameterGroup",

aurora-postgresql.json#L18
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "Engine": "aurora-postgresql",
        "EngineMode": "provisioned",
        "EngineVersion": {
          "Ref": "EngineVersion"

Parameters

Explanation in CloudFormation Registry

The AWS::RDS::DBCluster resource creates an Amazon Aurora DB cluster. For more information, see Managing an Amazon Aurora DB Cluster in the Amazon Aurora User Guide.

Note: You can only create this resource in AWS Regions where Amazon Aurora is supported.

Updating DB clusters

When properties labeled "Update requires: Replacement" are updated, AWS CloudFormation first creates a replacement DB cluster, then changes references from other dependent resources to point to the replacement DB cluster, and finally deletes the old DB cluster.

Important: We highly recommend that you take a snapshot of the database before updating the stack. If you don't, you lose the data when AWS CloudFormation replaces your DB cluster. To preserve your data, perform the following procedure:

1. Deactivate any applications that are using the DB cluster so that there's no activity on the DB instance.

2. Create a snapshot of the DB cluster. For more information about creating DB snapshots, see Creating a DB Cluster Snapshot.

3. If you want to restore your DB cluster using a DB cluster snapshot, modify the updated template with your DB cluster changes and add the SnapshotIdentifier property with the ID of the DB cluster snapshot that you want to use. After you restore a DB cluster with a SnapshotIdentifier property, you must specify the same SnapshotIdentifier property for any future updates to the DB cluster. When you specify this property for an update, the DB cluster is not restored from the DB cluster snapshot again, and the data in the database is not changed. However, if you don't specify the SnapshotIdentifier property, an empty DB cluster is created, and the original DB cluster is deleted. If you specify a property that is different from the previous snapshot restore property, a new DB cluster is restored from the specified SnapshotIdentifier property, and the original DB cluster is deleted.

4. Update the stack.
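The SnapshotIdentifier rule in the procedure above can be checked before a stack update. The following is an added example, not part of the original page or of the AWS documentation: it compares the deployed and the proposed JSON templates and reports each AWS::RDS::DBCluster whose SnapshotIdentifier was removed or changed. The templates, logical IDs and snapshot names are constructed, and only literal template values are compared, so a changed parameter value behind a Ref is not detected.

```python
import json

# Constructed templates (not from the page): the deployed stack and a proposed update.
DEPLOYED = json.loads("""{"Resources": {
  "Kept":    {"Type": "AWS::RDS::DBCluster",
              "Properties": {"Engine": "aurora-postgresql", "SnapshotIdentifier": "snap-a"}},
  "Dropped": {"Type": "AWS::RDS::DBCluster",
              "Properties": {"Engine": "aurora-postgresql", "SnapshotIdentifier": "snap-b"}},
  "Changed": {"Type": "AWS::RDS::DBCluster",
              "Properties": {"Engine": "aurora-mysql", "SnapshotIdentifier": {"Ref": "SnapId"}}},
  "Fresh":   {"Type": "AWS::RDS::DBCluster", "Properties": {"Engine": "aurora-mysql"}}
}}""")
UPDATED = json.loads("""{"Resources": {
  "Kept":    {"Type": "AWS::RDS::DBCluster",
              "Properties": {"Engine": "aurora-postgresql", "SnapshotIdentifier": "snap-a",
                             "BackupRetentionPeriod": 7}},
  "Dropped": {"Type": "AWS::RDS::DBCluster", "Properties": {"Engine": "aurora-postgresql"}},
  "Changed": {"Type": "AWS::RDS::DBCluster",
              "Properties": {"Engine": "aurora-mysql", "SnapshotIdentifier": "snap-c"}},
  "Fresh":   {"Type": "AWS::RDS::DBCluster", "Properties": {"Engine": "aurora-mysql"}}
}}""")

DROPPED = "SnapshotIdentifier removed: an empty DB cluster is created and the original is deleted"
CHANGED = "SnapshotIdentifier changed: a new DB cluster is restored and the original is deleted"

def db_clusters(template):
    """Map logical ID -> Properties for every AWS::RDS::DBCluster in a template."""
    return {name: res.get("Properties", {})
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::RDS::DBCluster"}

def snapshot_id_risks(deployed, updated):
    """Flag clusters whose SnapshotIdentifier differs from the deployed template."""
    risks = []
    new = db_clusters(updated)
    for name, old_props in db_clusters(deployed).items():
        old_id = old_props.get("SnapshotIdentifier")
        if name not in new or old_id is None:
            continue  # removed resource, or never restored from a snapshot
        new_id = new[name].get("SnapshotIdentifier")
        if new_id is None:
            risks.append((name, DROPPED))
        elif new_id != old_id:
            risks.append((name, CHANGED))
    return risks

if __name__ == "__main__":
    for name, risk in snapshot_id_risks(DEPLOYED, UPDATED):
        print(f"{name}: {risk}")
```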

Currently, when you are updating the stack for an Aurora Serverless DB cluster, you can't include changes to any other properties when you specify one of the following properties: PreferredBackupWindow, PreferredMaintenanceWindow, and Port. This limitation doesn't apply to provisioned DB clusters.

For more information about updating other properties of this resource, see [ModifyDBCluster](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html). For more information about updating stacks, see AWS CloudFormation Stacks Updates.

Deleting DB clusters

The default DeletionPolicy for AWS::RDS::DBCluster resources is Snapshot. For more information about how AWS CloudFormation deletes resources, see DeletionPolicy Attribute.

Frequently asked questions

What is AWS Amazon RDS Cluster Instance?

AWS Amazon RDS Cluster Instance is a resource for Amazon RDS of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon RDS Cluster Instance?

For Terraform, the shokhan7/Terraform-AWS-RDS-Project, 111crb111/terraform-aws-rds-no-versions2 and maxat2416/terraform-aws-RDS-project source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the mallik-user1/TestRepo, jcroall/kaimonkey-demo and KennethWussmann/aurora-serverless-kotlin-api-example source code examples are useful. See the CloudFormation Example section for further details.