AWS Amazon RDS Cluster Instance

This page shows how to write Terraform and CloudFormation for Amazon RDS Cluster Instance and write them securely.

aws_rds_cluster_instance (Terraform)

The Cluster Instance in Amazon RDS can be configured in Terraform with the resource name aws_rds_cluster_instance. The following sections describe 4 examples of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L27
resource "aws_rds_cluster_instance" "cluster_instances" {
  db_subnet_group_name = aws_db_subnet_group.db_team4.name
  identifier         = "aurora-cluster-demo"
  cluster_identifier = aws_rds_cluster.default.cluster_identifier
  instance_class     = var.instance_class
  engine_version     = aws_rds_cluster.default.engine_version
main.tf#L30
resource "aws_rds_cluster_instance" "primary" {
  provider = "aws.primary"

  cluster_identifier = aws_rds_cluster.primary.id
  instance_class = var.aurora_instance_class
  engine = "aurora"
main.tf#L27
resource "aws_rds_cluster_instance" "cluster_instances" {
  db_subnet_group_name = aws_db_subnet_group.db_team4.name
  identifier         = "aurora-cluster-demo"
  cluster_identifier = aws_rds_cluster.default.cluster_identifier
  instance_class     = var.instance_class
  engine_version     = aws_rds_cluster.default.engine_version
rds_cluster_instance_test.tf#L20
resource "aws_rds_cluster_instance" "cluster_instance" {
  identifier         = "aurora-cluster-demo"
  cluster_identifier = aws_rds_cluster.default.id
  instance_class     = "db.r4.large"
  engine             = aws_rds_cluster.default.engine
  engine_version     = aws_rds_cluster.default.engine_version

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Security Best Practices for aws_rds_cluster_instance

There are 2 settings in aws_rds_cluster_instance that should be taken care of for security reasons. The following section explain an overview and example code.

risk-label

Ensure your RDS cluster instance blocks unwanted access

It's better to limit accessibily to the minimum that is required for the application to work.

risk-label

Ensure to enable Performance Insights of your RDS cluster

It is better to enable Performance Insights of your RDS cluster. The feature will help investigate the availability issues of the cluster.

Review your AWS Amazon RDS settings

You can check if the aws_rds_cluster_instance setting in your .tf file is correct in 3 min with Shisho Cloud.

Parameters

Explanation in Terraform Registry

Provides an RDS Cluster Instance Resource. A Cluster Instance Resource defines attributes that are specific to a single instance in a [RDS Cluster][3], specifically running Amazon Aurora. Unlike other RDS resources that support replication, with Amazon Aurora you do not designate a primary and subsequent replicas. Instead, you simply add RDS Instances and Aurora manages the replication. You can use the [count][5] meta-parameter to make multiple instances and join them all to the same RDS Cluster, or you may specify different Cluster Instance resources with various instance_class sizes. For more information on Amazon Aurora, see [Aurora on Amazon RDS][2] in the Amazon RDS User Guide.

NOTE: Deletion Protection from the RDS service can only be enabled at the cluster level, not for individual cluster instances. You can still add the prevent_destroy lifecycle behavior to your Terraform resource configuration if you desire protection from accidental deletion.

Tips: Best Practices for The Other AWS Amazon RDS Resources

In addition to the aws_db_instance, AWS Amazon RDS has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

aws_db_instance

Ensure backup retension of your RDS instance is specified

It's better to set it explicitly to reduce the risk of availability issues.

risk-label

aws_rds_cluster

Ensure backup retension of your RDS cluster is specified

It's better to set it explicitly to reduce the risk of availability issues.

Review your AWS Amazon RDS settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

AWS::RDS::DBCluster (CloudFormation)

The DBCluster in RDS can be configured in CloudFormation with the resource name AWS::RDS::DBCluster. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

deploy.yml#L4
    Type: 'AWS::RDS::DBCluster'
    Properties:
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      DBClusterIdentifier: aurora-postgresql-cluster
      Engine: aurora-postgresql
deploy.yml#L4
    Type: 'AWS::RDS::DBCluster'
    Properties:
      MasterUsername: !Ref DBUsername
      MasterUserPassword: !Ref DBPassword
      DBClusterIdentifier: aurora-postgresql-cluster
      Engine: aurora-postgresql
aurora.yml#L3
    Type: AWS::RDS::DBCluster
    Properties:
      DatabaseName: ${self:custom.environments.DB_DATABASE}
      Engine: aurora-mysql
      EngineMode: serverless
      MasterUsername: ${self:custom.environments.DB_USER_NAME}
RDS.yml#L3
    Type: 'AWS::RDS::DBClusterParameterGroup'
    Properties:
      Description: 'Aurora PostgreSQL 10 Parameter Group'
      Family: aurora-postgresql10
      Parameters:
        rds.force_ssl: 1
aurora-serverless.yml#L24
      TargetType: AWS::RDS::DBCluster

  # aurora-postgresql serverless DB
  DBCluster:
    Type: AWS::RDS::DBCluster
    Properties:
config.ListDiscoveredResources_1.json#L6
                "resourceType": "AWS::RDS::DBClusterSnapshot",
                "resourceId": "rds:database-1-2020-05-19-05-58",
                "resourceName": "rds:database-1-2020-05-19-05-58"
            },
            {
                "resourceType": "AWS::RDS::DBClusterSnapshot",
config.ListDiscoveredResources_1.json#L6
                "resourceType": "AWS::RDS::DBClusterSnapshot",
                "resourceId": "rds:database-1-2020-05-19-05-58",
                "resourceName": "rds:database-1-2020-05-19-05-58"
            },
            {
                "resourceType": "AWS::RDS::DBClusterSnapshot",
config.ListDiscoveredResources_1.json#L6
                "resourceType": "AWS::RDS::DBClusterSnapshot",
                "resourceId": "rds:database-1-2020-05-19-05-58",
                "resourceName": "rds:database-1-2020-05-19-05-58"
            },
            {
                "resourceType": "AWS::RDS::DBClusterSnapshot",
cloudformation-list-stack-resources.aurora.json#L5
            "ResourceType": "AWS::RDS::DBCluster",
            "ResourceStatus": "CREATE_COMPLETE"
        },
        {
            "PhysicalResourceId": "auroraClusterParameterGroup",
            "ResourceType": "AWS::RDS::DBClusterParameterGroup",
aurora-postgresql.json#L18
      "Type": "AWS::RDS::DBCluster",
      "Properties": {
        "Engine": "aurora-postgresql",
        "EngineMode": "provisioned",
        "EngineVersion": {
          "Ref": "EngineVersion"

Parameters

Explanation in CloudFormation Registry

The AWS::RDS::DBCluster resource creates an Amazon Aurora DB cluster. For more information, see Managing an Amazon Aurora DB Cluster in the Amazon Aurora User Guide.

Note You can only create this resource in AWS Regions where Amazon Aurora is supported.

Updating DB clustersWhen properties labeled "Update requires: Replacement" are updated, AWS CloudFormation first creates a replacement DB cluster, then changes references from other dependent resources to point to the replacement DB cluster, and finally deletes the old DB cluster.

Important We highly recommend that you take a snapshot of the database before updating the stack. If you don't, you lose the data when AWS CloudFormation replaces your DB cluster. To preserve your data, perform the following procedure: Deactivate any applications that are using the DB cluster so that there's no activity on the DB instance.

Create a snapshot of the DB cluster. For more information about creating DB snapshots, see Creating a DB Cluster Snapshot.

If you want to restore your DB cluster using a DB cluster snapshot, modify the updated template with your DB cluster changes and add the SnapshotIdentifier property with the ID of the DB cluster snapshot that you want to use. After you restore a DB cluster with a SnapshotIdentifier property, you must specify the same SnapshotIdentifier property for any future updates to the DB cluster. When you specify this property for an update, the DB cluster is not restored from the DB cluster snapshot again, and the data in the database is not changed. However, if you don't specify the SnapshotIdentifier property, an empty DB cluster is created, and the original DB cluster is deleted. If you specify a property that is different from the previous snapshot restore property, a new DB cluster is restored from the specified SnapshotIdentifier property, and the original DB cluster is deleted.

Update the stack.

Currently, when you are updating the stack for an Aurora Serverless DB cluster, you can't include changes to any other properties when you specify one of the following properties: PreferredBackupWindow, PreferredMaintenanceWindow, and Port. This limitation doesn't apply to provisioned DB clusters.

For more information about updating other properties of this resource, see [ModifyDBCluster](https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html). For more information about updating stacks, see AWS CloudFormation Stacks Updates.

Deleting DB clustersThe default DeletionPolicy for AWS::RDS::DBCluster resources is Snapshot. For more information about how AWS CloudFormation deletes resources, see DeletionPolicy Attribute.

Frequently asked questions

What is AWS Amazon RDS Cluster Instance?

AWS Amazon RDS Cluster Instance is a resource for Amazon RDS of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS Amazon RDS Cluster Instance?

For Terraform, the shokhan7/Terraform-AWS-RDS-Project, 111crb111/terraform-aws-rds-no-versions2 and maxat2416/terraform-aws-RDS-project source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the mallik-user1/TestRepo, jcroall/kaimonkey-demo and ega4432/serverless-laravel source code examples are useful. See the CloudFormation Example section for further details.