From 685b01b64754953db29a89f79488f560e56e5731 Mon Sep 17 00:00:00 2001
From: Melissa Greenbaum <69476188+magreenbaum@users.noreply.github.com>
Date: Fri, 20 Dec 2024 09:16:09 -0500
Subject: [PATCH 1/3] docs: Clarify the `manage_master_user_password_rotation`
functionality (#478)
---
README.md | 2 +-
main.tf | 6 ++++++
variables.tf | 2 +-
3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index af333a18..d03d05a0 100644
--- a/README.md
+++ b/README.md
@@ -351,7 +351,7 @@ No modules.
| [is\_primary\_cluster](#input\_is\_primary\_cluster) | Determines whether cluster is primary cluster with writer instance (set to `false` for global cluster and replica clusters) | `bool` | `true` | no |
| [kms\_key\_id](#input\_kms\_key\_id) | The ARN for the KMS encryption key. When specifying `kms_key_id`, `storage_encrypted` needs to be set to `true` | `string` | `null` | no |
| [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if `master_password` is provided | `bool` | `true` | no |
-| [manage\_master\_user\_password\_rotation](#input\_manage\_master\_user\_password\_rotation) | Whether to manage the master user password rotation. Setting this value to false after previously having been set to true will disable automatic rotation. | `bool` | `false` | no |
+| [manage\_master\_user\_password\_rotation](#input\_manage\_master\_user\_password\_rotation) | Whether to manage the master user password rotation. By default, false on creation, rotation is managed by RDS. There is not currently a way to disable this on initial creation even when set to false. Setting this value to false after previously having been set to true will disable automatic rotation. | `bool` | `false` | no |
| [master\_password](#input\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Required unless `manage_master_user_password` is set to `true` or unless `snapshot_identifier` or `replication_source_identifier` is provided or unless a `global_cluster_identifier` is provided when the cluster is the secondary cluster of a global database | `string` | `null` | no |
| [master\_user\_password\_rotate\_immediately](#input\_master\_user\_password\_rotate\_immediately) | Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. | `bool` | `null` | no |
| [master\_user\_password\_rotation\_automatically\_after\_days](#input\_master\_user\_password\_rotation\_automatically\_after\_days) | Specifies the number of days between automatic scheduled rotations of the secret. Either `master_user_password_rotation_automatically_after_days` or `master_user_password_rotation_schedule_expression` must be specified | `number` | `null` | no |
diff --git a/main.tf b/main.tf
index 1cb74426..d18ab9ee 100644
--- a/main.tf
+++ b/main.tf
@@ -453,6 +453,12 @@ resource "aws_rds_cluster_activity_stream" "this" {
# Managed Secret Rotation
################################################################################
+# There is not currently a way to disable secret rotation on an initial apply.
+# In order to use master password secrets management without a rotation, the following workaround can be used:
+# `manage_master_user_password_rotation` must be set to true first and applied followed by setting it to false and another apply.
+# Note: when setting `manage_master_user_password_rotation` to true, a schedule must also be set using `master_user_password_rotation_schedule_expression` or `master_user_password_rotation_automatically_after_days`.
+# To prevent password from being immediately rotated when implementing this workaround, set `master_user_password_rotate_immediately` to false.
+# See: https://github.com/hashicorp/terraform-provider-aws/issues/37779
resource "aws_secretsmanager_secret_rotation" "this" {
count = local.create && var.manage_master_user_password && var.manage_master_user_password_rotation ? 1 : 0
diff --git a/variables.tf b/variables.tf
index 8b49969e..8e46247b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -789,7 +789,7 @@ variable "engine_native_audit_fields_included" {
################################################################################
variable "manage_master_user_password_rotation" {
- description = "Whether to manage the master user password rotation. Setting this value to false after previously having been set to true will disable automatic rotation."
+ description = "Whether to manage the master user password rotation. By default, false on creation, rotation is managed by RDS. There is not currently a way to disable this on initial creation even when set to false. Setting this value to false after previously having been set to true will disable automatic rotation."
type = bool
default = false
}
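Review bot: The added sentence `By default, false on creation, rotation is managed by RDS.` in the `manage_master_user_password_rotation` description is hard to parse. It can be read as "false means no rotation", while the next sentence says rotation cannot be disabled on initial creation. An operator who sets `false` expecting a static credential would then be surprised by a rotated master password. Suggested wording: `With the default of false, rotation of the RDS-created secret is still managed by RDS; it cannot currently be disabled on initial creation.` The README.md input table row carries the same text, so it should be reworded to match.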
From b172e0815292229ede381e2f8132b83ba7ad418c Mon Sep 17 00:00:00 2001
From: Melissa Greenbaum <69476188+magreenbaum@users.noreply.github.com>
Date: Wed, 19 Feb 2025 05:41:11 -0500
Subject: [PATCH 2/3] feat: Support RDS Cluster monitoring interval and role
arn (#485)
* support monitoring interval and role for cluster
* updates to example and variables
* revert
* Update variables.tf
Co-authored-by: Anton Babenko
* update README
---------
Co-authored-by: Anton Babenko
---
README.md | 5 +++--
examples/autoscaling/README.md | 4 ++--
examples/autoscaling/versions.tf | 2 +-
examples/global-cluster/README.md | 6 +++---
examples/global-cluster/versions.tf | 2 +-
examples/multi-az/README.md | 4 ++--
examples/multi-az/versions.tf | 2 +-
examples/mysql/README.md | 4 ++--
examples/mysql/versions.tf | 2 +-
examples/postgresql/README.md | 4 ++--
examples/postgresql/main.tf | 12 +++++++-----
examples/postgresql/versions.tf | 2 +-
examples/s3-import/README.md | 4 ++--
examples/s3-import/versions.tf | 2 +-
examples/serverless/README.md | 4 ++--
examples/serverless/versions.tf | 2 +-
main.tf | 6 ++++--
variables.tf | 6 ++++++
versions.tf | 2 +-
19 files changed, 43 insertions(+), 32 deletions(-)
diff --git a/README.md b/README.md
index d03d05a0..4263f866 100644
--- a/README.md
+++ b/README.md
@@ -224,13 +224,13 @@ Terraform documentation is generated automatically using [pre-commit hooks](http
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.81 |
+| [aws](#requirement\_aws) | >= 5.86 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.81 |
+| [aws](#provider\_aws) | >= 5.86 |
## Modules
@@ -286,6 +286,7 @@ No modules.
| [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags) | Additional tags for the CloudWatch log group(s) | `map(string)` | `{}` | no |
| [cluster\_ca\_cert\_identifier](#input\_cluster\_ca\_cert\_identifier) | The CA certificate identifier to use for the DB cluster's server certificate. Currently only supported for multi-az DB clusters | `string` | `null` | no |
| [cluster\_members](#input\_cluster\_members) | List of RDS Instances that are a part of this cluster | `list(string)` | `null` | no |
+| [cluster\_monitoring\_interval](#input\_cluster\_monitoring\_interval) | Interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB cluster. To turn off collecting Enhanced Monitoring metrics, specify 0. Valid Values: 0, 1, 5, 10, 15, 30, 60 | `number` | `0` | no |
| [cluster\_performance\_insights\_enabled](#input\_cluster\_performance\_insights\_enabled) | Valid only for Non-Aurora Multi-AZ DB Clusters. Enables Performance Insights for the RDS Cluster | `bool` | `null` | no |
| [cluster\_performance\_insights\_kms\_key\_id](#input\_cluster\_performance\_insights\_kms\_key\_id) | Valid only for Non-Aurora Multi-AZ DB Clusters. Specifies the KMS Key ID to encrypt Performance Insights data. If not specified, the default RDS KMS key will be used (aws/rds) | `string` | `null` | no |
| [cluster\_performance\_insights\_retention\_period](#input\_cluster\_performance\_insights\_retention\_period) | Valid only for Non-Aurora Multi-AZ DB Clusters. Specifies the amount of time to retain performance insights data for. Defaults to 7 days if Performance Insights are enabled. Valid values are 7, month * 31 (where month is a number of months from 1-23), and 731 | `number` | `null` | no |
diff --git a/examples/autoscaling/README.md b/examples/autoscaling/README.md
index 673eae90..92c46b47 100644
--- a/examples/autoscaling/README.md
+++ b/examples/autoscaling/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.81 |
+| [aws](#requirement\_aws) | >= 5.86 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.81 |
+| [aws](#provider\_aws) | >= 5.86 |
## Modules
diff --git a/examples/autoscaling/versions.tf b/examples/autoscaling/versions.tf
index 4969d64d..529264fd 100644
--- a/examples/autoscaling/versions.tf
+++ b/examples/autoscaling/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.81"
+ version = ">= 5.86"
}
}
}
diff --git a/examples/global-cluster/README.md b/examples/global-cluster/README.md
index 0f49a415..c492c319 100644
--- a/examples/global-cluster/README.md
+++ b/examples/global-cluster/README.md
@@ -20,15 +20,15 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.81 |
+| [aws](#requirement\_aws) | >= 5.86 |
| [random](#requirement\_random) | >= 2.2 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.81 |
-| [aws.secondary](#provider\_aws.secondary) | >= 5.81 |
+| [aws](#provider\_aws) | >= 5.86 |
+| [aws.secondary](#provider\_aws.secondary) | >= 5.86 |
| [random](#provider\_random) | >= 2.2 |
## Modules
diff --git a/examples/global-cluster/versions.tf b/examples/global-cluster/versions.tf
index b4c052db..2b46d381 100644
--- a/examples/global-cluster/versions.tf
+++ b/examples/global-cluster/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.81"
+ version = ">= 5.86"
}
random = {
diff --git a/examples/multi-az/README.md b/examples/multi-az/README.md
index a8cf5a30..bb54647f 100644
--- a/examples/multi-az/README.md
+++ b/examples/multi-az/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.81 |
+| [aws](#requirement\_aws) | >= 5.86 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.81 |
+| [aws](#provider\_aws) | >= 5.86 |
## Modules
diff --git a/examples/multi-az/versions.tf b/examples/multi-az/versions.tf
index 4969d64d..529264fd 100644
--- a/examples/multi-az/versions.tf
+++ b/examples/multi-az/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.81"
+ version = ">= 5.86"
}
}
}
diff --git a/examples/mysql/README.md b/examples/mysql/README.md
index 5ef47896..fe233bf6 100644
--- a/examples/mysql/README.md
+++ b/examples/mysql/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.81 |
+| [aws](#requirement\_aws) | >= 5.86 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.81 |
+| [aws](#provider\_aws) | >= 5.86 |
## Modules
diff --git a/examples/mysql/versions.tf b/examples/mysql/versions.tf
index 4969d64d..529264fd 100644
--- a/examples/mysql/versions.tf
+++ b/examples/mysql/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.81"
+ version = ">= 5.86"
}
}
}
diff --git a/examples/postgresql/README.md b/examples/postgresql/README.md
index c7ee6bf6..fe40ff88 100644
--- a/examples/postgresql/README.md
+++ b/examples/postgresql/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.81 |
+| [aws](#requirement\_aws) | >= 5.86 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.81 |
+| [aws](#provider\_aws) | >= 5.86 |
## Modules
diff --git a/examples/postgresql/main.tf b/examples/postgresql/main.tf
index e97d935b..f521fe2e 100644
--- a/examples/postgresql/main.tf
+++ b/examples/postgresql/main.tf
@@ -25,11 +25,13 @@ locals {
module "aurora" {
source = "../../"
- name = local.name
- engine = "aurora-postgresql"
- engine_version = "14.7"
- master_username = "root"
- storage_type = "aurora-iopt1"
+ name = local.name
+ engine = "aurora-postgresql"
+ engine_version = "14.13"
+ master_username = "root"
+ storage_type = "aurora-iopt1"
+ cluster_monitoring_interval = 30
+
instances = {
1 = {
instance_class = "db.r5.2xlarge"
diff --git a/examples/postgresql/versions.tf b/examples/postgresql/versions.tf
index 4969d64d..529264fd 100644
--- a/examples/postgresql/versions.tf
+++ b/examples/postgresql/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.81"
+ version = ">= 5.86"
}
}
}
diff --git a/examples/s3-import/README.md b/examples/s3-import/README.md
index 8f65cf16..a318344f 100644
--- a/examples/s3-import/README.md
+++ b/examples/s3-import/README.md
@@ -49,13 +49,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.81 |
+| [aws](#requirement\_aws) | >= 5.86 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.81 |
+| [aws](#provider\_aws) | >= 5.86 |
## Modules
diff --git a/examples/s3-import/versions.tf b/examples/s3-import/versions.tf
index 4969d64d..529264fd 100644
--- a/examples/s3-import/versions.tf
+++ b/examples/s3-import/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.81"
+ version = ">= 5.86"
}
}
}
diff --git a/examples/serverless/README.md b/examples/serverless/README.md
index 9016a068..323f815b 100644
--- a/examples/serverless/README.md
+++ b/examples/serverless/README.md
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.81 |
+| [aws](#requirement\_aws) | >= 5.86 |
| [random](#requirement\_random) | >= 3.5 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.81 |
+| [aws](#provider\_aws) | >= 5.86 |
| [random](#provider\_random) | >= 3.5 |
## Modules
diff --git a/examples/serverless/versions.tf b/examples/serverless/versions.tf
index d31e0c40..a7425345 100644
--- a/examples/serverless/versions.tf
+++ b/examples/serverless/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.81"
+ version = ">= 5.86"
}
random = {
source = "hashicorp/random"
diff --git a/main.tf b/main.tf
index d18ab9ee..d72640d6 100644
--- a/main.tf
+++ b/main.tf
@@ -77,6 +77,8 @@ resource "aws_rds_cluster" "this" {
master_user_secret_kms_key_id = var.global_cluster_identifier == null && var.manage_master_user_password ? var.master_user_secret_kms_key_id : null
master_password = var.is_primary_cluster && !var.manage_master_user_password ? var.master_password : null
master_username = var.is_primary_cluster ? var.master_username : null
+ monitoring_interval = var.cluster_monitoring_interval
+ monitoring_role_arn = var.create_monitoring_role && var.cluster_monitoring_interval > 0 ? try(aws_iam_role.rds_enhanced_monitoring[0].arn, null) : var.monitoring_role_arn
network_type = var.network_type
performance_insights_enabled = var.cluster_performance_insights_enabled
performance_insights_kms_key_id = var.cluster_performance_insights_kms_key_id
@@ -181,7 +183,7 @@ resource "aws_rds_cluster_instance" "this" {
identifier = var.instances_use_identifier_prefix ? null : try(each.value.identifier, "${var.name}-${each.key}")
identifier_prefix = var.instances_use_identifier_prefix ? try(each.value.identifier_prefix, "${var.name}-${each.key}-") : null
instance_class = try(each.value.instance_class, var.instance_class)
- monitoring_interval = try(each.value.monitoring_interval, var.monitoring_interval)
+ monitoring_interval = var.cluster_monitoring_interval > 0 ? var.cluster_monitoring_interval : try(each.value.monitoring_interval, var.monitoring_interval)
monitoring_role_arn = var.create_monitoring_role ? try(aws_iam_role.rds_enhanced_monitoring[0].arn, null) : var.monitoring_role_arn
performance_insights_enabled = try(each.value.performance_insights_enabled, var.performance_insights_enabled)
performance_insights_kms_key_id = try(each.value.performance_insights_kms_key_id, var.performance_insights_kms_key_id)
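Review bot: The new `monitoring_interval` expression on `aws_rds_cluster_instance` lets a non-zero `cluster_monitoring_interval` silently override an explicit per-instance `each.value.monitoring_interval`, including an instance deliberately set to 0. This reverses the most-specific-wins precedence the other attributes in this resource follow. If RDS requires instances to match the cluster-level interval, say so in a comment on this line and in the variable description. Otherwise keep the instance override first, e.g. `try(each.value.monitoring_interval, var.cluster_monitoring_interval > 0 ? var.cluster_monitoring_interval : var.monitoring_interval)`. The resource body starts and ends outside this hunk.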
@@ -235,7 +237,7 @@ resource "aws_rds_cluster_role_association" "this" {
################################################################################
locals {
- create_monitoring_role = local.create && var.create_monitoring_role && var.monitoring_interval > 0
+ create_monitoring_role = local.create && var.create_monitoring_role && (var.monitoring_interval > 0 || var.cluster_monitoring_interval > 0)
}
data "aws_iam_policy_document" "monitoring_rds_assume_role" {
diff --git a/variables.tf b/variables.tf
index 8e46247b..f9676340 100644
--- a/variables.tf
+++ b/variables.tf
@@ -120,6 +120,12 @@ variable "cluster_performance_insights_retention_period" {
default = null
}
+variable "cluster_monitoring_interval" {
+ description = "Interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB cluster. To turn off collecting Enhanced Monitoring metrics, specify 0. Valid Values: 0, 1, 5, 10, 15, 30, 60"
+ type = number
+ default = 0
+}
+
variable "copy_tags_to_snapshot" {
description = "Copy all Cluster `tags` to snapshots"
type = bool
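Review bot: The new `cluster_monitoring_interval` variable lists its valid values only in the description, so a typo such as 20 passes `terraform plan` and is presumably rejected by the provider or API only later. It is also compared with `> 0` in three places in main.tf, and an explicit `null` from a caller would fail those comparisons with an unhelpful error. A `validation` block would fail early with a clear message; the null case could be handled with `coalesce(var.cluster_monitoring_interval, 0)` at the comparison sites if the module needs to tolerate it.

```hcl
variable "cluster_monitoring_interval" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains([0, 1, 5, 10, 15, 30, 60], var.cluster_monitoring_interval)
    error_message = "The cluster_monitoring_interval value must be one of 0, 1, 5, 10, 15, 30, 60."
  }
}
```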
diff --git a/versions.tf b/versions.tf
index 4969d64d..529264fd 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.81"
+ version = ">= 5.86"
}
}
}
From 9e54c6d86b16459a7c6d83453479b03357970e5c Mon Sep 17 00:00:00 2001
From: semantic-release-bot
Date: Wed, 19 Feb 2025 10:41:40 +0000
Subject: [PATCH 3/3] chore(release): version 9.12.0 [skip ci]
## [9.12.0](https://github.com/terraform-aws-modules/terraform-aws-rds-aurora/compare/v9.11.0...v9.12.0) (2025-02-19)
### Features
* Support RDS Cluster monitoring interval and role arn ([#485](https://github.com/terraform-aws-modules/terraform-aws-rds-aurora/issues/485)) ([b172e08](https://github.com/terraform-aws-modules/terraform-aws-rds-aurora/commit/b172e0815292229ede381e2f8132b83ba7ad418c))
---
CHANGELOG.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 816d21a0..590b013f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@
All notable changes to this project will be documented in this file.
+## [9.12.0](https://github.com/terraform-aws-modules/terraform-aws-rds-aurora/compare/v9.11.0...v9.12.0) (2025-02-19)
+
+
+### Features
+
+* Support RDS Cluster monitoring interval and role arn ([#485](https://github.com/terraform-aws-modules/terraform-aws-rds-aurora/issues/485)) ([b172e08](https://github.com/terraform-aws-modules/terraform-aws-rds-aurora/commit/b172e0815292229ede381e2f8132b83ba7ad418c))
+
## [9.11.0](https://github.com/terraform-aws-modules/terraform-aws-rds-aurora/compare/v9.10.0...v9.11.0) (2024-12-19)