aws.rds-instance resource
Description
Instance is a standalone Amazon RDS database instance. It has five mutually-exclusive create modes, chosen by which input is set: a read replica of another instance (replicate-source-db), a restore from an S3 backup (s3-import), a restore from a snapshot (snapshot-identifier), a point-in-time restore (restore-to-point-in-time), or a plain new instance when none is set. Each create call under-fills the instance, so the fields it does not accept are reconciled by a follow-on ModifyDBInstance, and the read-replica path may also reboot to pick up a parameter-group change. Every create response is partial: the endpoint, ARN, status, and managed secret settle only after the instance becomes available, so Create returns values from a post-wait read.
The password is reconciled either directly (password) or by letting RDS manage it in Secrets Manager (manage-master-user-password); the two conflict. On delete, a final snapshot is taken unless skip-final-snapshot is set, and a deletion-protection retry clears protection before retrying the delete. The blue/green deployment update strategy is not modeled: every ModifyDBInstance applies immediately in place, so there is no apply-immediately input.
Source: internal/service/rds/instance_rsrc.go:89
Example usage:

imports: {
  aws: 'github.com/cloudboss/unobin-library-aws'
}
resources: {
  example: aws.rds-instance {
    # Set input fields here.
  }
}
Inputs

identifier: string
engine: optional(string)
engine-version: optional(string)
username: optional(string)
password: optional(string)
instance-class: optional(string)
allocated-storage: optional(integer)
max-allocated-storage: optional(integer)
iops: optional(integer)
storage-type: optional(string)
storage-throughput: optional(integer)
storage-encrypted: optional(boolean)
kms-key-id: optional(string)
db-name: optional(string)
db-subnet-group-name: optional(string)
parameter-group-name: optional(string)
option-group-name: optional(string)
port: optional(integer)
availability-zone: optional(string)
multi-az: optional(boolean)
publicly-accessible: optional(boolean)
network-type: optional(string)
vpc-security-group-ids: list(string)
license-model: optional(string)
character-set-name: optional(string)
nchar-character-set-name: optional(string)
timezone: optional(string)
backup-retention-period: optional(integer)
backup-window: optional(string)
backup-target: optional(string)
copy-tags-to-snapshot: optional(boolean)
maintenance-window: optional(string)
auto-minor-version-upgrade: optional(boolean)
allow-major-version-upgrade: optional(boolean)
deletion-protection: optional(boolean)
ca-cert-identifier: optional(string)
customer-owned-ip-enabled: optional(boolean)
custom-iam-instance-profile: optional(string)
dedicated-log-volume: optional(boolean)
iam-database-authentication-enabled: optional(boolean)
database-insights-mode: optional(string)
enabled-cloudwatch-logs-exports: list(string)
engine-lifecycle-support: optional(string)
monitoring-interval: optional(integer)
monitoring-role-arn: optional(string)
enable-performance-insights: optional(boolean)
performance-insights-kms-key-id: optional(string)
performance-insights-retention-period: optional(integer)
manage-master-user-password: optional(boolean)
master-user-secret-kms-key-id: optional(string)
domain: optional(string)
domain-iam-role-name: optional(string)
domain-fqdn: optional(string)
domain-ou: optional(string)
domain-auth-secret-arn: optional(string)
domain-dns-ips: list(string)
replicate-source-db: optional(string)
replica-mode: optional(string)
snapshot-identifier: optional(string)
s3-import: optional(object({
  bucket-name: optional(string)
  bucket-prefix: optional(string)
  ingestion-role: optional(string)
  source-engine: optional(string)
  source-engine-version: optional(string)
}))
restore-to-point-in-time: optional(object({
  restore-time: optional(string)
  use-latest-restorable-time: optional(boolean)
  source-db-instance-identifier: optional(string)
  source-dbi-resource-id: optional(string)
  source-db-instance-automated-backups-arn: optional(string)
}))
skip-final-snapshot: optional(boolean)
final-snapshot-identifier: optional(string)
delete-automated-backups: optional(boolean)
tags: map(string)
Input Constraints
Field combinations
At most one of replicate-source-db, s3-import, snapshot-identifier, or restore-to-point-in-time.
At most one of manage-master-user-password or password.
At most one of domain or domain-fqdn.
At most one of domain-iam-role-name or domain-fqdn.
Forbidden together: character-set-name, replicate-source-db, s3-import, snapshot-identifier, and restore-to-point-in-time.
Forbidden together: db-name and replicate-source-db.
Forbidden together: username and replicate-source-db.
Forbidden together: timezone and s3-import.
Forbidden together: backup-target and s3-import.
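The create-mode selection from the description and the field-combination rules above, as an added Go example that is not the project's own code (the real checks live in internal/service/rds/instance_rsrc.go). It assumes inputs arrive as a map keyed by the page's kebab-case input names, with an absent or nil entry meaning "not set" (the page's `!= null` test), and it reads each "Forbidden together" group as the first-named input conflicting with every other input in that group; on two-element groups that is the same as "At most one of". The sample inputs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Input holds aws.rds-instance inputs keyed by the page's kebab-case names.
// An absent or nil entry is "not set". The type is an assumption for this
// example, not the project's own input type.
type Input map[string]any

func (in Input) isSet(name string) bool {
	v, ok := in[name]
	return ok && v != nil
}

// CreateMode names the five mutually exclusive create paths described on the page.
type CreateMode string

const (
	ModeNew      CreateMode = "create"
	ModeReplica  CreateMode = "read-replica"
	ModeS3Import CreateMode = "s3-import"
	ModeSnapshot CreateMode = "snapshot-restore"
	ModePITR     CreateMode = "point-in-time-restore"
)

// modeInputs maps each non-default create mode to the input that selects it.
var modeInputs = []struct {
	input string
	mode  CreateMode
}{
	{"replicate-source-db", ModeReplica},
	{"s3-import", ModeS3Import},
	{"snapshot-identifier", ModeSnapshot},
	{"restore-to-point-in-time", ModePITR},
}

// atMostOne: no more than one input of each group may be set (the page's "At most one of").
var atMostOne = [][]string{
	{"replicate-source-db", "s3-import", "snapshot-identifier", "restore-to-point-in-time"},
	{"manage-master-user-password", "password"},
	{"domain", "domain-fqdn"},
	{"domain-iam-role-name", "domain-fqdn"},
}

// forbiddenTogether: the first input of each group conflicts with every other
// input in the group (this example's reading of the page's "Forbidden together").
var forbiddenTogether = [][]string{
	{"character-set-name", "replicate-source-db", "s3-import", "snapshot-identifier", "restore-to-point-in-time"},
	{"db-name", "replicate-source-db"},
	{"username", "replicate-source-db"},
	{"timezone", "s3-import"},
	{"backup-target", "s3-import"},
}

// Validate applies the field-combination rules and returns every violation,
// so a plan author sees all conflicts at once rather than one per run.
func Validate(in Input) []error {
	var errs []error
	for _, group := range atMostOne {
		var set []string
		for _, name := range group {
			if in.isSet(name) {
				set = append(set, name)
			}
		}
		if len(set) > 1 {
			errs = append(errs, fmt.Errorf("at most one of %s may be set, got %s",
				strings.Join(group, ", "), strings.Join(set, ", ")))
		}
	}
	for _, group := range forbiddenTogether {
		first := group[0]
		if !in.isSet(first) {
			continue
		}
		for _, other := range group[1:] {
			if in.isSet(other) {
				errs = append(errs, fmt.Errorf("%s cannot be set together with %s", first, other))
			}
		}
	}
	return errs
}

// SelectCreateMode rejects invalid combinations, then picks the create path:
// the one restore input that is set wins, and none means a plain new instance.
func SelectCreateMode(in Input) (CreateMode, error) {
	if errs := Validate(in); len(errs) > 0 {
		msgs := make([]string, len(errs))
		for i, e := range errs {
			msgs[i] = e.Error()
		}
		return "", errors.New(strings.Join(msgs, "; "))
	}
	for _, m := range modeInputs {
		if in.isSet(m.input) {
			return m.mode, nil
		}
	}
	return ModeNew, nil
}

func main() {
	// Constructed sample inputs: a snapshot restore, and a replica that also
	// sets a username plus both a literal password and a managed secret.
	good := Input{"identifier": "app-db", "snapshot-identifier": "app-db-snap", "storage-encrypted": true}
	bad := Input{"identifier": "app-db", "replicate-source-db": "app-db-primary", "username": "admin",
		"password": "literal-secret", "manage-master-user-password": true}
	for _, in := range []Input{good, bad} {
		mode, err := SelectCreateMode(in)
		fmt.Printf("identifier=%v mode=%q err=%v\n", in["identifier"], mode, err)
	}
}
```

Running it reports the snapshot restore as `snapshot-restore` with no error, while the second input is rejected with two violations: the password conflict and username set on a replica.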
Database insights mode rules
database-insights-mode must be standard or advanced.
Rule logic:
- When: input.database-insights-mode != null
- Require: input.database-insights-mode == 'standard'
    || input.database-insights-mode == 'advanced'

Replica mode rules
replica-mode must be open-read-only or mounted.
Rule logic:
- When: input.replica-mode != null
- Require: input.replica-mode == 'open-read-only'
    || input.replica-mode == 'mounted'

Engine lifecycle support rules
engine-lifecycle-support must be a valid extended-support value.
Rule logic:
- When: input.engine-lifecycle-support != null
- Require: input.engine-lifecycle-support == 'open-source-rds-extended-support'
    || input.engine-lifecycle-support == 'open-source-rds-extended-support-disabled'

Network type rules
network-type must be IPV4 or DUAL.
Rule logic:
- When: input.network-type != null
- Require: input.network-type == 'IPV4'
    || input.network-type == 'DUAL'

Backup target rules
backup-target must be outposts or region.
Rule logic:
- When: input.backup-target != null
- Require: input.backup-target == 'outposts'
    || input.backup-target == 'region'

Storage type rules
storage-type must be gp2, gp3, io1, io2, or standard.
Rule logic:
- When: input.storage-type != null
- Require: input.storage-type == 'gp2'
    || input.storage-type == 'gp3'
    || input.storage-type == 'io1'
    || input.storage-type == 'io2'
    || input.storage-type == 'standard'

Backup retention period rules
backup-retention-period must be between 0 and 35.
Rule logic:
- When: input.backup-retention-period != null
- Require: (input.backup-retention-period == null || input.backup-retention-period >= 0)
    && (input.backup-retention-period == null || input.backup-retention-period <= 35)

Monitoring interval rules
monitoring-interval must be 0, 1, 5, 10, 15, 30, or 60.
Rule logic:
- When: input.monitoring-interval != null
- Require: input.monitoring-interval == 0
    || input.monitoring-interval == 1
    || input.monitoring-interval == 5
    || input.monitoring-interval == 10
    || input.monitoring-interval == 15
    || input.monitoring-interval == 30
    || input.monitoring-interval == 60

Enabled cloudwatch logs exports rules
enabled-cloudwatch-logs-exports entries must be valid instance log types.
Rule logic:
- For each: input.enabled-cloudwatch-logs-exports
- Require: @each.value == 'agent'
    || @each.value == 'alert'
    || @each.value == 'audit'
    || @each.value == 'diag.log'
    || @each.value == 'error'
    || @each.value == 'general'
    || @each.value == 'iam-db-auth-error'
    || @each.value == 'listener'
    || @each.value == 'notify.log'
    || @each.value == 'oemagent'
    || @each.value == 'postgresql'
    || @each.value == 'slowquery'
    || @each.value == 'trace'
    || @each.value == 'upgrade'
Outputs

arn: string
resource-id: string
endpoint: string
address: string
port: integer
hosted-zone-id: string
status: string
engine-version-actual: string
ca-cert-identifier: string
latest-restorable-time: string
master-user-secret: optional(object({
  secret-arn: string
  kms-key-id: string
  secret-status: string
}))
listener-endpoint: optional(object({
  address: string
  port: integer
  hosted-zone-id: string
}))
replicas: list(string)