Resource temporarily in a different state? (example: temporary public access to AWS RDS)

Hey all.

My goal is to make an RDS Postgres instance, along with a login role (that can create databases, etc., but is not an rds_superuser). I’d also like this instance to not be publicly accessible.

As far as I can tell, this can’t be specified in one terraform apply, because Terraform can’t both connect to the database and then turn off public access. I think my options are:

  • a strategy that involves multiple terraform apply calls (i.e., stage one is “public access, make role”, stage two is “switch to private access”)
  • a strategy that runs some behaviour from an instance within the VPC (though this still seems like you’d need multiple stages, at least to delete the instance afterwards)
  • move responsibility for the RDS to something that lives within the VPC permanently

I’d like to check with you all if I’ve missed something obvious!