Hi Team
I am able to create PostgreSQL AWS RDS with terraform but now I want to create read replica of that PostgreSQL AWS RDS. Please help me with terraform option/document to setup this.
$ terraform version
Terraform v0.12.28
- provider.aws v2.69.0
- provider.null v2.1.2
This is the main.tf file i am using
> #####################
> # DB parameter group
> # We create this up-front to avoid having to restart to modify parameters later
> #####################
> resource "aws_db_parameter_group" "this" {
> name = "${var.environment}-${var.name}"
> description = "Database parameter group for ${var.environment}-${var.name}"
> family = var.parameter_group
>
> parameter {
> name = "max_connections"
> value = var.max_connections
> apply_method = "pending-reboot"
> }
>
> lifecycle {
> create_before_destroy = true
> }
>
> tags = {
> Terraform = "true"
> Environment = "${var.environment}"
> Project = "${var.name}"
> }
> }
>
> ######## AWS RDS INSTANCE #########
>
> resource "aws_db_instance" "postgresql" {
> count = var.aws_rds_instance_count
> engine = var.engine
> engine_version = var.engine_version
> name = "${var.environment}_${var.name}"
> username = "master"
> password = data.aws_secretsmanager_secret_version.password.secret_string
> identifier_prefix = "${var.environment}-${var.name}-"
> instance_class = var.instance_class
> db_subnet_group_name = var.subnet_group_name
> parameter_group_name = aws_db_parameter_group.this.id
> depends_on = [null_resource.random-pw]
> ca_cert_identifier = "rds-ca-2019"
> allocated_storage = var.storage-size
> storage_encrypted = "true"
> kms_key_id = aws_kms_key.aurora_db.arn
> deletion_protection = var.deletion_protection
> performance_insights_enabled = var.performance_insights
> performance_insights_kms_key_id = var.performance_insights_keyid
> final_snapshot_identifier = "${var.environment}-${var.name}-final"
> vpc_security_group_ids = var.security_groups
> backup_retention_period = var.backup_retention_period
>
> tags = {
> Name = "${var.environment}-${var.name}-db"
> Project = "${var.name}"
> PCR = "${var.PCR}"
> }
> }
>
>
> #################
> ## DB PASSWORD ##
> # Genarates a random password and then store it in SSM parameter store
> #################
>
> data "aws_secretsmanager_secret" "name" {
> name = "/${var.environment}/rds/${var.name}/master"
> depends_on = [null_resource.random-pw]
> }
>
> data "aws_secretsmanager_secret_version" "password" {
> secret_id = "${data.aws_secretsmanager_secret.name.id}"
> }
>
> resource "null_resource" "random-pw" {
>
> provisioner "local-exec" {
> command = "aws secretsmanager create-secret --name \"/${var.environment}/rds/${var.name}/master\" --secret-string `openssl rand -base64 32 | cut -c1-32 | tr '/@' '_'` --kms-key-id ${aws_kms_key.aurora_db.arn} "
> }
>
> provisioner "local-exec" {
> command = "aws secretsmanager delete-secret --secret-id \"/${var.environment}/rds/${var.name}/master\" --force-delete-without-recovery"
> when = destroy
> }
> }
>
> ####### RDS KMS Encryption ########
>
> data "aws_caller_identity" "current" {}
>
> resource "aws_kms_key" "aurora_db" {
> description = "${var.environment}/rds/${var.environment}-${var.name}"
> enable_key_rotation = true
>
> policy = <<POLICY
> {
> "Version": "2012-10-17",
> "Id": "key-consolepolicy-3",
> "Statement": [
> {
> "Sid": "Enable IAM User Permissions",
> "Effect": "Allow",
> "Principal": {
> "AWS": "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
> },
> "Action": "kms:*",
> "Resource": "*"
> },
> {
> "Sid": "Allow access for Key Administrators",
> "Effect": "Allow",
> "Principal": {
> "AWS": "${data.aws_caller_identity.current.arn}"
> },
> "Action": [
> "kms:Create*",
> "kms:Describe*",
> "kms:Enable*",
> "kms:List*",
> "kms:Put*",
> "kms:Update*",
> "kms:Revoke*",
> "kms:Disable*",
> "kms:Get*",
> "kms:Delete*",
> "kms:TagResource",
> "kms:UntagResource",
> "kms:ScheduleKeyDeletion",
> "kms:CancelKeyDeletion"
> ],
> "Resource": "*"
> },
> {
> "Sid": "Allow use of the key",
> "Effect": "Allow",
> "Principal": {
> "AWS": "${data.aws_caller_identity.current.arn}"
> },
> "Action": [
> "kms:Encrypt",
> "kms:Decrypt",
> "kms:ReEncrypt*",
> "kms:GenerateDataKey*",
> "kms:DescribeKey"
> ],
> "Resource": "*"
> },
> {
> "Sid": "Allow attachment of persistent resources",
> "Effect": "Allow",
> "Principal": {
> "AWS": "${data.aws_caller_identity.current.arn}"
> },
> "Action": [
> "kms:CreateGrant",
> "kms:ListGrants",
> "kms:RevokeGrant"
> ],
> "Resource": "*",
> "Condition": {
> "Bool": {
> "kms:GrantIsForAWSResource": "true"
> }
> }
> }
> ]
> }
> POLICY
> }
>
> resource "aws_kms_alias" "aurora_db" {
> name = "alias/${var.environment}/rds/${var.name}"
> target_key_id = aws_kms_key.aurora_db.key_id
> }
Thanks,
Bharat Jarwal