My goal is to make an RDS Postgres instance, along with a login role (that can create databases etc. but is not an rds_superuser). I’d also like this instance to not be publicly accessible.
As far as I can tell, this can’t be specified in one terraform apply, because terraform can’t both connect to the database and then turn off public access. I think my options are:
- a strategy that involves multiple terraform apply calls (i.e., stage one is “public access, make role”, stage two is “switch to private access”)
- a strategy that runs some behaviour from an instance within the vpc (though this still seems like you’d need multiple stages, at least to delete the instance afterwards)
- move responsibility for the RDS to something that lives within the vpc permanently
I’d like to check with you all if I’ve missed something obvious!