Provisioning Amazon RDS through Terraform

This blog post covers provisioning an AWS RDS instance with Terraform, with the database master password managed through AWS Secrets Manager.

Terraform RDS Workflow

The following image shows the RDS provisioning workflow using Terraform; the steps are explained below.

  1. Terraform code is developed, tested, and pushed to GitHub.

  2. When you run terraform init, the Terraform code is pulled to the workstation or server where Terraform and the AWS CLI are configured.

  3. Run terraform plan, passing the variables required for RDS provisioning.

  4. Running terraform apply provisions the RDS instance, and the Terraform remote state file is stored in an S3 bucket.

  5. The RDS master password is generated automatically and stored in AWS Secrets Manager. You can also pass a password directly instead of using Secrets Manager, but keeping secrets in Terraform code is not recommended.

  6. Once the RDS instance is provisioned, the RDS endpoint, address, and the Secrets Manager secret ARN are added to the Terraform outputs. With the secret ARN, applications can retrieve the DB username and password from Secrets Manager.

  7. Applications connect to the database using this RDS endpoint.
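The workflow above as a minimal Terraform configuration. This is an added example, not the code from the author's repository; the bucket, lock table, subnet and security group values are assumed placeholders, and the AWS provider's manage_master_user_password argument with the master_user_secret attribute is what hands password generation and storage to Secrets Manager.

```hcl
terraform {
  backend "s3" {
    bucket         = "example-tfstate-bucket" # assumed; remote state lives here (step 4)
    key            = "rds/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                     # state can contain sensitive attributes
    dynamodb_table = "example-tfstate-lock"   # assumed; state locking for concurrent runs
  }
}

provider "aws" {
  region = var.region
}

# Inputs passed at plan time (step 3); assumed names.
variable "region"      { default = "us-east-1" }
variable "db_name"     { default = "appdb" }
variable "db_username" { default = "dbadmin" }
variable "subnet_ids"  { type = list(string) } # private subnets
variable "vpc_sg_ids"  { type = list(string) } # security groups that allow only app access

resource "aws_db_subnet_group" "this" {
  name       = "app-rds-subnets"
  subnet_ids = var.subnet_ids
}

resource "aws_db_instance" "this" {
  identifier        = "app-rds"
  engine            = "mysql"
  engine_version    = "8.0"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  db_name           = var.db_name
  username          = var.db_username
  # No "password" argument: a password set here would sit in code, tfvars and the
  # state file. With this flag RDS generates the master password and keeps it in
  # Secrets Manager (step 5).
  manage_master_user_password = true
  db_subnet_group_name   = aws_db_subnet_group.this.name
  vpc_security_group_ids = var.vpc_sg_ids
  publicly_accessible    = false
  storage_encrypted      = true
  skip_final_snapshot    = true # acceptable for a demo; keep a final snapshot in production
}

# Outputs consumed by applications (steps 6 and 7).
output "rds_endpoint"           { value = aws_db_instance.this.endpoint }
output "rds_address"            { value = aws_db_instance.this.address }
output "master_user_secret_arn" { value = aws_db_instance.this.master_user_secret[0].secret_arn }
```

An application that holds the output ARN can fetch the credentials with `aws secretsmanager get-secret-value --secret-id <arn>`, provided its IAM role is allowed secretsmanager:GetSecretValue on that secret only.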

Terraform RDS Code Repository

You can access my GitHub repo for the RDS Terraform module by clicking here. To get the payload required for the RDS Terraform module, click here.

Conclusion

In this post, we looked at provisioning AWS RDS with Terraform. Some things to keep in mind:

  1. RDS supports managing the master password with Secrets Manager: it automatically creates the password and stores the username and password during provisioning.

  2. Each secret in Secrets Manager costs $0.50.

  3. The secret created by RDS cannot be modified separately. Also, by default, password rotation is enabled for the master password with a rotation schedule of 7 days. That value can be changed in Secrets Manager.