To follow this guide you need to have the following.<\/p>\n
- \n
- The latest Terraform binary is installed and configured in your system.<\/li>\n
- AWS CLI installed <\/a>and configured with a Valid AWS account with permission to deploy RDS instances.<\/li>\n
- If you using an ec2 instance for provisioning, ensure you have a valid IAM role<\/a> attached to the instance with RDS provisioning permissions.<\/li>\n<\/ol>\n
Terraform RDS Workflow<\/strong><\/h2>\n
The following image shows the RDS provisioning workflow using Terraform.<\/p>\n
![\"Terraform](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/rds-terraform-workflow-1.gif\")
Click to View in HD<\/span><\/figcaption><\/figure>\n Here is the workflow explanation.<\/p>\n
- \n
- Terraform code is developed, tested, and pushed to GitHub<\/li>\n
- Pull the terraform code to the workstation or server where you have the terraform and AWS CLI configured. Ideally, this would be an agent of a CI server like Jenkins<\/a><\/li>\n
- Execute the terraform RDS script by passing the variables required for RDS provisioning.<\/li>\n
- RDS gets provisioned and the password for RDS will be automatically created and stored in the AWS secrets manager. You can also use direct passwords instead of secret manager. However, it is not recommended to keep secrets in terraform code.<\/li>\n
- Once the RDS instance is provisioned the RDS endpoint, address, and secret manager secret arn<\/a> get added to the terraform output. With the secret arn, applications can retrieve the DB username and password from the secrets manager.<\/li>\n
- If you use s3 as a remote state, the state file gets stored in s3 or else the state gets stored locally. It is not recommended to use the local state in real projects.<\/li>\n<\/ol>\n
Terraform RDS Code<\/strong> Repository<\/h2>\n
RDS terraform code is part of the terraform AWS<\/a> repository. Clone it to your workstation to follow the guide.<\/p>\n
git clone https:\/\/github.com\/techiescamp\/terraform-aws.git<\/code><\/pre>\nFork and clone the repository if you intend to reuse and make changes as per your requirements.<\/p>\n
Terraform AWS<\/strong> RDS Provisioning Workflow<\/h2>\n
The RDS terraform script is structured in the following way.<\/p>\n
\u251c\u2500\u2500 environments\n\u2502 \u251c\u2500\u2500 dev\n\u2502 \u2502 \u251c\u2500\u2500 rds\n\u2502 \u2502 \u2502 \u251c\u2500\u2500 main.tf\n\u2502 \u2502 \u2502 \u2514\u2500\u2500 variables.tf\n\u251c\u2500\u2500 modules\n\u2502 \u251c\u2500\u2500 rds\n\u2502 \u2502 \u251c\u2500\u2500 main.tf\n\u2502 \u2502 \u251c\u2500\u2500 outputs.tf\n\u2502 \u2502 \u2514\u2500\u2500 variables.tf\n\u2514\u2500\u2500 vars\n \u2514\u2500\u2500 dev\n \u2514\u2500\u2500 rds.tfvars<\/code><\/pre>\nvars<\/strong><\/code> folder contains the variables file namedrds.tfvars<\/code><\/p>\nenvironments<\/strong><\/code> folder contains the terraform code (main.tf<\/code>) that calls the actual RDS module from the modules directory.<\/p>\nThe module contains the following resources<\/p>\n
- \n
- Security Group: <\/strong>To allow & deny access to\/from the instance.<\/li>\n
- Subnet Group:<\/strong> For demo purposes, we have added the subnet group. Ideally, you don’t need to create a subnet group for each RDS. You can re-use the existing subnet groups as there is a default limit of 50 subnet groups<\/a> you can create per region. The limits can be increased by request though.<\/li>\n
- RDS: <\/strong>Resource to provision RDS instances based on the variables.<\/li>\n<\/ol>\n
![\"\"](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/rds-terraform-code-workflow-1.gif\")
Click to View in HD<\/span><\/figcaption><\/figure>\n Note: <\/strong>There are many parameters supported by RDS. If you want to deploy RDS for production use cases, please refer to the official documentation and design a solution that complies with security and availability as per organizational standards. Refer to terraform official aws_db_instance resource documenation<\/a> to know about all the supported parameters.<\/p><\/blockquote>\n
Provisioning RDS Using Terraform<\/h2>\n
Follow the steps given in this section to provision an RDS instance.<\/p>\n
Note<\/strong>: For this demo, we will be using the MySQL RDS instance that is publicly accessible over port 3306<\/strong>. If you deploying it in project environemnt, modify the paramters to restrict access to only required IP ranges.<\/p><\/blockquote>\n
I assume terraform-aws<\/strong> folder as the root folder for the entire guide.<\/p>\n
Step 1: <\/strong>Modify the RDS variables<\/p>\n
Open the
rds.tfvars<\/code><\/strong> file present in the vars\/dev<\/strong> folder. Change these variables according to your requirements. The following are the variables present.<\/p>\nPrimarily you need to change the variables marked in bold.<\/p>\n
- \n
- Replace subnet_ids<\/strong> with your subnet<\/strong> ids.<\/li>\n
- If you want to manage the RDS secret using AWS secrets manager, ensure you set
set_secret_manager_password = true<\/code> andset_db_password = false<\/code>. The condition is handled inside the RDS module code.<\/li>\n- Change the cidr_block<\/strong> to the CIDR range from which access is required to RDS.<\/li>\n
- Replace db_engine<\/strong> with the required DB engineer. RDS supports Aurora, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server.<\/li>\n<\/ol>\n
Other variables are self-explanatory and change<\/p>\n
# Network Vars\nregion = \"us-west-2\"\nsubnet_ids = [\"subnet-058a7514ba8adbb07\", \"subnet-0dbcd1ac168414927\", \"subnet-032f5077729435858\"]\nmulti_az = false\npublicly_accessible = true\n\n# DB Vars\ndb_engine = \"mysql\"\ndb_storage_type = \"gp2\"\ndb_username = \"techiescamp\"\ndb_instance_class = \"db.t2.micro\"\ndb_storage_size = 20\nset_secret_manager_password = false\nset_db_password = true\ndb_password = \"rdssecret\"\n\n# Security Group Vars\nfrom_port = 3306\nto_port = 3306\nprotocol = \"tcp\"\ncidr_block = [\"0.0.0.0\/0\"]\n\n# Backup vars\nbackup_retention_period = 7\ndelete_automated_backups = true\ncopy_tags_to_snapshot = true\nskip_final_snapshot = true\napply_immediately = true\n\n# Tag Vars\nowner = \"techiescamp-devops\"\nenvironment = \"dev\"\ncost_center = \"techiescamp\"\napplication = \"techiescamp-commerce\"<\/code><\/pre>\nStep 2:<\/strong> Initialize terraform<\/p>\n
Once the variables are modified as per your requirements, go to the terminal and cd into
environments\/dev\/rds<\/code><\/strong> directory.<\/p>\ncd environments\/dev\/rds<\/code><\/pre>\nInside the rds folder, you can find the main.tf<\/strong> file where it calls the rds module<\/strong> present in the modules directory as shown below.<\/p>\n
provider \"aws\" {\n region = var.region\n}\n\nmodule \"rds\" {\n source = \"..\/..\/..\/modules\/rds\"\n region = var.region\n subnet_ids = var.subnet_ids\n db_engine = var.db_engine\n db_storage_type = var.db_storage_type\n db_username = var.db_username\n set_secret_manager_password = var.set_secret_manager_password\n set_db_password = var.set_db_password\n db_password = var.db_password\n db_instance_class = var.db_instance_class\n db_storage_size = var.db_storage_size\n from_port = var.from_port\n to_port = var.to_port\n protocol = var.protocol\n cidr_block = var.cidr_block\n backup_retention_period = var.backup_retention_period\n multi_az = var.multi_az\n delete_automated_backups = var.delete_automated_backups\n copy_tags_to_snapshot = var.copy_tags_to_snapshot\n publicly_accessible = var.publicly_accessible\n skip_final_snapshot = var.skip_final_snapshot\n apply_immediately = var.apply_immediately\n owner = var.owner\n cost_center = var.cost_center\n environment = var.environment\n application = var.application\n}<\/code><\/pre>\nInitialize Terraform using the following command<\/p>\n
terraform init<\/code><\/pre>\nThis command initializes terraform. Make sure to run the init command inside the environments\/dev\/rds<\/strong> directory.<\/p>\n
Step 3: <\/strong>To verify the configurations, run terraform plan with the variable file.<\/p>\n
terraform plan -var-file=..\/..\/..\/vars\/dev\/rds.tfvars<\/code><\/pre>\nThis command displays the plan which is going to execute.<\/p>\n
Step 4:<\/strong> Apply the terraform configurations.<\/p>\n
After verifying, apply the configurations using the command given below.<\/p>\n
terraform apply -var-file=..\/..\/..\/vars\/dev\/rds.tfvars --auto-approve<\/code><\/pre>\nThis command applies the changes to start the provisioning using the variables given in the rds.tfvars<\/strong> file. The
--auto-approve<\/code><\/strong> flag automatically approves the provisioning without manual confirmation.<\/p>\nStep 5:<\/strong> Validate provisioned RDS instances<\/p>\n
Once the terraform is executed, you can validate the RDS instance by getting the RDS DNS endpoint, address, and secret arn using the following command.<\/p>\n
terraform output<\/code><\/pre>\nAlso, use the AWS console and verify all the RDS instance details.<\/p>\n
Try accessing the database using the username, password, and RDS endpoint as host. You can use MySQL client or MySQL workbench utility.<\/p>\n
If you have enabled secret management using secrets manager, you can retrieve the secret from the AWS console.<\/p>\n
Step 5:<\/strong> To clean up the setup, execute the following command.<\/p>\n
terraform destroy -var-file=..\/..\/..\/vars\/dev\/rds.tfvars --auto-approve<\/code><\/pre>\nConclusion<\/h2>\n
In this guide, we looked at terraform aws rds<\/strong> provisioning.<\/p>\n
RDS supports password management using a secrets manager. It creates and stores the username and password during provisioning. Each secret in the secret manager costs $.50.<\/strong> The secret created by RDS cannot be modified separately. Also, by default, password rotation<\/strong> is enabled for the master password with a rotation schedule of 7 days.<\/strong> That value can be modified in the secrets manager.<\/p>\n
You can also look at the AWS RDS community module<\/a> to learn more.<\/p>\n
When using RDS for production, you must consider security, availability, <\/strong>cloudwatch logging<\/strong><\/a>, scalability, and <\/strong>monitoring<\/strong><\/a>. Whether you are using a community module or a custom RDS, terraform AWS module, ensure you follow the organization’s standards.<\/p>\n
Next, you can try our Terraform autoscaling group<\/a> deployment guide.<\/p>\n
I hope this guide is helpful. Do let me know your feedback in the comments.<\/p>\n
\n - If you want to manage the RDS secret using AWS secrets manager, ensure you set
- Subnet Group:<\/strong> For demo purposes, we have added the subnet group. Ideally, you don’t need to create a subnet group for each RDS. You can re-use the existing subnet groups as there is a default limit of 50 subnet groups<\/a> you can create per region. The limits can be increased by request though.<\/li>\n
- If you using an ec2 instance for provisioning, ensure you have a valid IAM role<\/a> attached to the instance with RDS provisioning permissions.<\/li>\n<\/ol>\n