diff --git a/auto-drive/backend.tf b/auto-drive/backend.tf
new file mode 100644
index 00000000..ece60b83
--- /dev/null
+++ b/auto-drive/backend.tf
@@ -0,0 +1,9 @@
+terraform {
+ cloud {
+ organization = "subspace-sre"
+
+ workspaces {
+ name = "auto-drive-aws"
+ }
+ }
+}
diff --git a/auto-drive/db.tf b/auto-drive/db.tf
new file mode 100644
index 00000000..517e2c2e
--- /dev/null
+++ b/auto-drive/db.tf
@@ -0,0 +1,155 @@
+data "aws_caller_identity" "current" {}
+
+################################################################################
+# RDS Module
+################################################################################
+
+module "db" {
+ source = "../templates/terraform/aws/rds/"
+
+ identifier = local.name
+
+ engine = "postgres"
+ engine_version = "16"
+ engine_lifecycle_support = "open-source-rds-extended-support-disabled"
+ family = "postgres16" # DB parameter group
+ major_engine_version = "16" # DB option group
+ instance_class = "db.t4g.large"
+
+ allocated_storage = 50
+ max_allocated_storage = 200
+
+
+ db_name = "postgres"
+ username = "postgres"
+ port = 5432
+
+
+ manage_master_user_password_rotation = true
+ master_user_password_rotate_immediately = false
+ master_user_password_rotation_schedule_expression = "rate(15 days)"
+
+ multi_az = true
+ db_subnet_group_name = module.vpc_rds.database_subnet_group
+ vpc_security_group_ids = [module.security_group.security_group_id]
+
+ maintenance_window = "Mon:00:00-Mon:03:00"
+ backup_window = "03:00-06:00"
+ enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
+ create_cloudwatch_log_group = true
+
+ backup_retention_period = 1
+ skip_final_snapshot = true
+ deletion_protection = false
+
+ performance_insights_enabled = true
+ performance_insights_retention_period = 7
+ create_monitoring_role = true
+ monitoring_interval = 60
+ monitoring_role_name = "example-monitoring-role-name"
+ monitoring_role_use_name_prefix = true
+ monitoring_role_description = "Description for monitoring role"
+
+ parameters = [
+ {
+ name = "autovacuum"
+ value = 1
+ },
+ {
+ name = "client_encoding"
+ value = "utf8"
+ }
+ ]
+
+ tags = local.tags
+ db_option_group_tags = {
+ "Sensitive" = "low"
+ }
+ db_parameter_group_tags = {
+ "Sensitive" = "low"
+ }
+ cloudwatch_log_group_tags = {
+ "Sensitive" = "high"
+ }
+}
+
+################################################################################
+# RDS Automated Backups Replication Module
+################################################################################
+
+provider "aws" {
+ alias = "region2"
+ region = local.region2
+}
+
+module "kms" {
+ source = "terraform-aws-modules/kms/aws"
+ version = "~> 1.0"
+ description = "KMS key for cross region automated backups replication"
+
+ # Aliases
+ aliases = [local.name]
+ aliases_use_name_prefix = true
+
+ key_owners = [data.aws_caller_identity.current.arn]
+
+ tags = local.tags
+
+ providers = {
+ aws = aws.region2
+ }
+}
+
+module "db_automated_backups_replication" {
+ source = "../templates/terraform/aws/rds/modules/db_instance_automated_backups_replication"
+
+ source_db_instance_arn = module.db.db_instance_arn
+ kms_key_arn = module.kms.key_arn
+
+ providers = {
+ aws = aws.region2
+ }
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+module "vpc_rds" {
+ source = "terraform-aws-modules/vpc/aws"
+ version = "~> 5.0"
+
+ name = local.name
+ cidr = local.vpc_cidr
+
+ azs = local.azs
+ public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+ private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)]
+ database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)]
+
+ create_database_subnet_group = true
+
+ tags = local.tags
+}
+
+module "security_group" {
+ source = "terraform-aws-modules/security-group/aws"
+ version = "~> 5.0"
+
+ name = local.name
+ description = "Auto Drive PostgreSQL security group"
+ vpc_id = module.vpc_rds.vpc_id
+
+ # ingress
+ ingress_with_cidr_blocks = [
+ {
+ from_port = 5432
+ to_port = 5432
+ protocol = "tcp"
+ description = "PostgreSQL access from within VPC"
+ cidr_blocks = module.vpc_rds.vpc_cidr_block
+ },
+ ]
+
+ tags = local.tags
+}
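Review bot: The instance is configured as a durable Multi-AZ database with cross-region backup replication, yet `backup_retention_period = 1`, `skip_final_snapshot = true` and `deletion_protection = false` (the block after `create_cloudwatch_log_group`) make it trivially destroyable and leave the replicated automated backups with a one-day window; for anything beyond a throwaway environment I would set `deletion_protection = true`, `skip_final_snapshot = false` and a retention of at least 7 days. The monitoring role values `example-monitoring-role-name` and `Description for monitoring role` look copied from the upstream example and should be named for this deployment. Separately, `module.vpc_rds` is a second VPC carved from the same `local.vpc_cidr` as `module.vpc` in main.tf, and `module.security_group` only admits `module.vpc_rds.vpc_cidr_block`, so the EC2 instances in the other VPC cannot reach the database and the overlapping CIDRs would also rule out peering — presumably the database subnets were meant to live in `module.vpc`; worth confirming. `storage_encrypted` and `kms_key_id` are not passed to `module.db`, so encryption at rest depends on the template's default, which is not visible here — confirm.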
diff --git a/auto-drive/main.tf b/auto-drive/main.tf
new file mode 100644
index 00000000..57885d21
--- /dev/null
+++ b/auto-drive/main.tf
@@ -0,0 +1,204 @@
+provider "aws" {
+ region = var.region
+}
+
+data "aws_availability_zones" "available" {
+ state = "available"
+}
+
+locals {
+ name = basename(path.cwd)
+ region = var.region
+ region2 = "us-west-1"
+
+ vpc_cidr = var.vpc_cidr
+ azs = slice(data.aws_availability_zones.available.names, 0, var.az_count)
+
+ tags = merge(
+ {
+ Name = local.name
+ },
+ var.tags
+ )
+}
+
+################################################################################
+# Auto-Drive VPC
+################################################################################
+
+module "vpc" {
+ source = "../templates/terraform/aws/vpc"
+
+ name = "${local.name}-vpc"
+ cidr = var.vpc_cidr
+ azs = local.azs
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+ enable_nat_gateway = true
+ single_nat_gateway = true
+
+ tags = local.tags
+}
+
+################################################################################
+# Auto-Drive Security Group
+################################################################################
+
+resource "aws_security_group" "auto_drive_sg" {
+ name = "auto_drive_sg"
+ description = "auto drive security group"
+ vpc_id = var.vpc_cidr
+
+ # Ingress Rules
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow SSH"
+ }
+
+ ingress {
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow HTTP"
+ }
+
+ ingress {
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow HTTPS"
+ }
+
+ # Egress Rules
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ description = "Allow all outbound traffic"
+ }
+
+ tags = {
+ Name = "auto-drive-sg"
+ }
+}
+
+################################################################################
+# AMI Data Source
+################################################################################
+
+data "aws_ami" "ubuntu_amd64" {
+ most_recent = true
+
+ filter {
+ name = "name"
+ values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+ filter {
+ name = "architecture"
+ values = ["x86_64"]
+ }
+
+ owners = ["099720109477"]
+}
+
+################################################################################
+# Auto-Drive Instances
+################################################################################
+
+module "ec2_auto_drive" {
+ source = "../templates/terraform/aws/ec2"
+
+ name = "${local.name}-backend"
+ count = var.auto_drive_instance_count
+ ami = data.aws_ami.ubuntu_amd64.id
+ instance_type = var.auto_drive_instance_type
+ availability_zone = element(local.azs, count.index % length(local.azs))
+ subnet_id = element(module.vpc.private_subnets, count.index % length(module.vpc.private_subnets))
+ vpc_security_group_ids = [aws_security_group.auto_drive_sg.id]
+ associate_public_ip_address = false # Auto-drive instances use EIPs
+ ignore_ami_changes = true
+ root_block_device = [
+ {
+ device_name = "/dev/sdf"
+ encrypted = true
+ volume_type = "gp3"
+ throughput = 250
+ volume_size = var.auto_drive_root_volume_size
+ }
+ ]
+ volume_tags = merge(
+ { "Name" = "${local.name}-backend-root-volume-${count.index}" },
+ var.tags
+ )
+ tags = merge(local.tags, { Role = "auto-drive" })
+}
+
+################################################################################
+# Gateway Instances
+################################################################################
+
+module "ec2_gateway" {
+ source = "../templates/terraform/aws/ec2"
+ name = "${local.name}-gateway"
+ count = var.gateway_instance_count
+ ami = data.aws_ami.ubuntu_amd64.id
+ instance_type = var.gateway_instance_type
+ availability_zone = element(local.azs, count.index % length(local.azs))
+ subnet_id = element(module.vpc.private_subnets, count.index % length(module.vpc.private_subnets))
+ vpc_security_group_ids = [aws_security_group.auto_drive_sg.id]
+ associate_public_ip_address = false # Gateway instances use EIPs
+ ignore_ami_changes = true
+ root_block_device = [
+ {
+ device_name = "/dev/sdf"
+ encrypted = true
+ volume_type = "gp3"
+ throughput = 250
+ volume_size = var.gateway_root_volume_size
+ }
+ ]
+ volume_tags = merge(
+ { "Name" = "${local.name}-gateway-root-volume-${count.index}" },
+ var.tags
+ )
+ tags = merge(local.tags, { Role = "gateway" })
+}
+
+################################################################################
+# Elastic IPs for Auto-Drive Instances
+################################################################################
+
+resource "aws_eip" "auto_drive_eip" {
+ count = var.auto_drive_instance_count
+
+ instance = module.ec2_auto_drive[count.index].id
+ tags = {
+ Name = "${local.name}-backend-eip-${count.index}"
+ }
+}
+
+################################################################################
+# Elastic IPs for Gateway Instances
+################################################################################
+
+resource "aws_eip" "gateway_eip" {
+ count = var.gateway_instance_count
+
+ instance = module.ec2_gateway[count.index].id
+ tags = {
+ Name = "${local.name}-gateway-eip-${count.index}"
+ }
+}
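Review bot: `vpc_id = var.vpc_cidr` in `aws_security_group.auto_drive_sg` assigns the CIDR string where a VPC ID is required, so the apply will fail; it should read `vpc_id = module.vpc.vpc_id`. The SSH rule on the same resource admits `cidr_blocks = ["0.0.0.0/0"]`, which exposes port 22 on every instance carrying this group; it should be narrowed to an administrative CIDR (the `ingress_cidr_blocks` variable is declared but never used here) or removed in favour of SSM Session Manager. The EC2 modules are placed in `module.vpc.private_subnets` with `associate_public_ip_address = false`, yet `aws_eip.auto_drive_eip` and `aws_eip.gateway_eip` attach Elastic IPs to them; an EIP on an instance in a subnet without an internet-gateway route is not reachable, so either the instances belong in the public subnets or the EIPs are unnecessary — confirm the intent. `root_block_device` names `/dev/sdf`, which is unlikely to be the root device of the Ubuntu AMI selected above; whether the ec2 template honours that name cannot be seen from this hunk.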
diff --git a/auto-drive/outputs.tf b/auto-drive/outputs.tf
new file mode 100644
index 00000000..e722167d
--- /dev/null
+++ b/auto-drive/outputs.tf
@@ -0,0 +1,188 @@
+################################################################################
+# Auto-Drive Instances Outputs
+################################################################################
+
+output "ec2_auto_drive_ids" {
+ description = "The IDs of the auto-drive instances"
+ value = module.ec2_auto_drive[*].id
+}
+
+output "ec2_auto_drive_arns" {
+ description = "The ARNs of the auto-drive instances"
+ value = module.ec2_auto_drive[*].arn
+}
+
+output "ec2_auto_drive_instance_states" {
+ description = "The states of the auto-drive instances (e.g., pending, running, etc.)"
+ value = module.ec2_auto_drive[*].instance_state
+}
+
+output "ec2_auto_drive_private_ips" {
+ description = "The private IPs of the auto-drive instances"
+ value = module.ec2_auto_drive[*].private_ip
+}
+
+output "ec2_auto_drive_public_ips" {
+ description = "The public IPs of the auto-drive instances, if applicable"
+ value = module.ec2_auto_drive[*].public_ip
+}
+
+output "ec2_auto_drive_availability_zones" {
+ description = "The availability zones of the auto-drive instances"
+ value = module.ec2_auto_drive[*].availability_zone
+}
+
+################################################################################
+# Gateway Instances Outputs
+################################################################################
+
+output "ec2_gateway_ids" {
+ description = "The IDs of the gateway instances"
+ value = module.ec2_gateway[*].id
+}
+
+output "ec2_gateway_arns" {
+ description = "The ARNs of the gateway instances"
+ value = module.ec2_gateway[*].arn
+}
+
+output "ec2_gateway_instance_states" {
+ description = "The states of the gateway instances (e.g., pending, running, etc.)"
+ value = module.ec2_gateway[*].instance_state
+}
+
+output "ec2_gateway_private_ips" {
+ description = "The private IPs of the gateway instances"
+ value = module.ec2_gateway[*].private_ip
+}
+
+output "ec2_gateway_public_ips" {
+ description = "The public IPs of the gateway instances, if applicable"
+ value = module.ec2_gateway[*].public_ip
+}
+
+output "ec2_gateway_availability_zones" {
+ description = "The availability zones of the gateway instances"
+ value = module.ec2_gateway[*].availability_zone
+}
+
+output "auto_drive_eip" {
+ description = "Elastic IPs for Auto-Drive instances"
+ value = aws_eip.auto_drive_eip[*].public_ip
+}
+
+output "gateway_eip" {
+ description = "Elastic IPs for Gateway instances"
+ value = aws_eip.gateway_eip[*].public_ip
+}
+
+
+################################################################################
+# RDS Outputs
+################################################################################
+
+output "db_instance_address" {
+ description = "The address of the RDS instance"
+ value = module.db.db_instance_address
+}
+
+output "db_instance_arn" {
+ description = "The ARN of the RDS instance"
+ value = module.db.db_instance_arn
+}
+
+output "db_instance_availability_zone" {
+ description = "The availability zone of the RDS instance"
+ value = module.db.db_instance_availability_zone
+}
+
+output "db_instance_endpoint" {
+ description = "The connection endpoint"
+ value = module.db.db_instance_endpoint
+}
+
+output "db_instance_engine" {
+ description = "The database engine"
+ value = module.db.db_instance_engine
+}
+
+output "db_instance_engine_version_actual" {
+ description = "The running version of the database"
+ value = module.db.db_instance_engine_version_actual
+}
+
+output "db_instance_hosted_zone_id" {
+ description = "The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record)"
+ value = module.db.db_instance_hosted_zone_id
+}
+
+output "db_instance_identifier" {
+ description = "The RDS instance identifier"
+ value = module.db.db_instance_identifier
+}
+
+output "db_instance_resource_id" {
+ description = "The RDS Resource ID of this instance"
+ value = module.db.db_instance_resource_id
+}
+
+output "db_instance_status" {
+ description = "The RDS instance status"
+ value = module.db.db_instance_status
+}
+
+output "db_instance_name" {
+ description = "The database name"
+ value = module.db.db_instance_name
+}
+
+output "db_instance_username" {
+ description = "The master username for the database"
+ value = module.db.db_instance_username
+ sensitive = true
+}
+
+output "db_instance_port" {
+ description = "The database port"
+ value = module.db.db_instance_port
+}
+
+output "db_subnet_group_id" {
+ description = "The db subnet group name"
+ value = module.db.db_subnet_group_id
+}
+
+output "db_subnet_group_arn" {
+ description = "The ARN of the db subnet group"
+ value = module.db.db_subnet_group_arn
+}
+
+output "db_parameter_group_id" {
+ description = "The db parameter group id"
+ value = module.db.db_parameter_group_id
+}
+
+output "db_parameter_group_arn" {
+ description = "The ARN of the db parameter group"
+ value = module.db.db_parameter_group_arn
+}
+
+output "db_enhanced_monitoring_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the monitoring role"
+ value = module.db.enhanced_monitoring_iam_role_arn
+}
+
+output "db_instance_cloudwatch_log_groups" {
+ description = "Map of CloudWatch log groups created and their attributes"
+ value = module.db.db_instance_cloudwatch_log_groups
+}
+
+output "db_instance_master_user_secret_arn" {
+ description = "The ARN of the master user secret (Only available when manage_master_user_password is set to true)"
+ value = module.db.db_instance_master_user_secret_arn
+}
+
+output "db_instance_secretsmanager_secret_rotation_enabled" {
+ description = "Specifies whether automatic rotation is enabled for the secret"
+ value = module.db.db_instance_secretsmanager_secret_rotation_enabled
+}
diff --git a/auto-drive/variables.tf b/auto-drive/variables.tf
new file mode 100644
index 00000000..0fbf9b08
--- /dev/null
+++ b/auto-drive/variables.tf
@@ -0,0 +1,102 @@
+# AWS Region
+variable "region" {
+ description = "AWS region where the resources will be created."
+ type = string
+ default = "us-west-2"
+}
+
+# VPC CIDR
+variable "vpc_cidr" {
+ description = "CIDR block for the VPC."
+ type = string
+ default = "10.0.0.0/16"
+}
+
+# Availability Zones
+variable "az_count" {
+ description = "Number of availability zones to use."
+ type = number
+ default = 3
+}
+
+# Tags
+variable "tags" {
+ description = "Tags to assign to all resources."
+ type = map(string)
+ default = {
+ Repository = "https://github.com/terraform-aws-modules/terraform-aws-ec2-instance"
+ }
+}
+
+# Auto-Drive Instance Configuration
+variable "auto_drive_instance_type" {
+ description = "Instance type for auto-drive instances."
+ type = string
+ default = "m7a.2xlarge"
+}
+
+variable "auto_drive_root_volume_size" {
+ description = "Size of the root volume (in GB) for auto-drive instances."
+ type = number
+ default = 500
+}
+
+# Gateway Instance Configuration
+variable "gateway_instance_type" {
+ description = "Instance type for gateway instances."
+ type = string
+ default = "m7a.2xlarge"
+}
+
+variable "gateway_root_volume_size" {
+ description = "Size of the root volume (in GB) for gateway instances."
+ type = number
+ default = 100
+}
+
+variable "iam_role_policy_arn" {
+ description = "IAM policy ARN to attach to instance role."
+ type = string
+ default = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+variable "kms_key_id" {
+ description = "KMS key ARN for EBS volume encryption."
+ type = string
+ default = "" # Replace with your desired KMS Key ARN or leave empty
+}
+
+# Optional: Number of Instances for Each Module
+variable "auto_drive_instance_count" {
+ description = "Number of auto-drive instances to create."
+ type = number
+ default = 2
+}
+
+variable "gateway_instance_count" {
+ description = "Number of gateway instances to create."
+ type = number
+ default = 2
+}
+
+variable "ingress_cidr_blocks" {
+ description = "List of CIDR blocks for ingress"
+ type = list(string)
+ default = ["0.0.0.0/0"] # Open to all; adjust as needed
+}
+
+variable "ingress_rules" {
+ description = "List of ingress rules to apply"
+ type = list(string)
+ default = ["ssh", "http", "https"]
+}
+
+variable "rules" {
+ description = "Map of predefined rules"
+ type = map(list(string))
+ default = {
+ ssh = [22, 22, "tcp", "SSH access"]
+ http = [80, 80, "tcp", "HTTP access"]
+ https = [443, 443, "tcp", "HTTPS access"]
+ }
+}
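Review bot: `iam_role_policy_arn` defaults to `arn:aws:iam::aws:policy/AdministratorAccess`, which grants any instance that receives it full account rights; the default should be a scoped policy (or no default, so callers must choose deliberately), and in the visible main.tf hunk the variable is not consumed at all — nor are `kms_key_id`, `ingress_cidr_blocks`, `ingress_rules` and `rules` — so these are either dead or wired up elsewhere, worth confirming. The `tags` default `Repository = "https://github.com/terraform-aws-modules/terraform-aws-ec2-instance"` looks inherited from the upstream example rather than pointing at this repository.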
diff --git a/auto-drive/versions.tf b/auto-drive/versions.tf
new file mode 100644
index 00000000..fd4d1167
--- /dev/null
+++ b/auto-drive/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.66"
+ }
+ }
+}
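Review bot: `version = ">= 4.66"` for the aws provider is looser than the `>= 5.62` requirement the vendored rds db_instance module states in its README in this same commit, so a lock file resolved against an older provider would fail on that module; aligning the root constraint to `>= 5.62` avoids the mismatch. Both constraints are open-ended, so a bounded form such as `version = "~> 5.62"` would keep major-version provider upgrades deliberate.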
diff --git a/templates/terraform/aws/rds/main.tf b/templates/terraform/aws/rds/main.tf
new file mode 100644
index 00000000..44249211
--- /dev/null
+++ b/templates/terraform/aws/rds/main.tf
@@ -0,0 +1,174 @@
+locals {
+ create_db_subnet_group = var.create_db_subnet_group && var.putin_khuylo
+ create_db_parameter_group = var.create_db_parameter_group && var.putin_khuylo
+ create_db_instance = var.create_db_instance && var.putin_khuylo
+
+ db_subnet_group_name = var.create_db_subnet_group ? module.db_subnet_group.db_subnet_group_id : var.db_subnet_group_name
+ parameter_group_name_id = var.create_db_parameter_group ? module.db_parameter_group.db_parameter_group_id : var.parameter_group_name
+
+ create_db_option_group = var.create_db_option_group && var.engine != "postgres"
+ option_group = local.create_db_option_group ? module.db_option_group.db_option_group_id : var.option_group_name
+}
+
+module "db_subnet_group" {
+ source = "./modules/db_subnet_group"
+
+ create = local.create_db_subnet_group
+
+ name = coalesce(var.db_subnet_group_name, var.identifier)
+ use_name_prefix = var.db_subnet_group_use_name_prefix
+ description = var.db_subnet_group_description
+ subnet_ids = var.subnet_ids
+
+ tags = merge(var.tags, var.db_subnet_group_tags)
+}
+
+module "db_parameter_group" {
+ source = "./modules/db_parameter_group"
+
+ create = local.create_db_parameter_group
+
+ name = coalesce(var.parameter_group_name, var.identifier)
+ use_name_prefix = var.parameter_group_use_name_prefix
+ description = var.parameter_group_description
+ family = var.family
+
+ parameters = var.parameters
+ skip_destroy = var.parameter_group_skip_destroy
+
+ tags = merge(var.tags, var.db_parameter_group_tags)
+}
+
+module "db_option_group" {
+ source = "./modules/db_option_group"
+
+ create = local.create_db_option_group
+
+ name = coalesce(var.option_group_name, var.identifier)
+ use_name_prefix = var.option_group_use_name_prefix
+ option_group_description = var.option_group_description
+ engine_name = var.engine
+ major_engine_version = var.major_engine_version
+
+ options = var.options
+ skip_destroy = var.option_group_skip_destroy
+
+ timeouts = var.option_group_timeouts
+
+ tags = merge(var.tags, var.db_option_group_tags)
+}
+
+module "db_instance" {
+ source = "./modules/db_instance"
+
+ create = local.create_db_instance
+ identifier = var.identifier
+ use_identifier_prefix = var.instance_use_identifier_prefix
+
+ engine = var.engine
+ engine_version = var.engine_version
+ engine_lifecycle_support = var.engine_lifecycle_support
+ instance_class = var.instance_class
+ allocated_storage = var.allocated_storage
+ storage_type = var.storage_type
+ storage_encrypted = var.storage_encrypted
+ kms_key_id = var.kms_key_id
+ license_model = var.license_model
+
+ db_name = var.db_name
+ username = var.username
+ password = var.manage_master_user_password ? null : var.password
+ port = var.port
+ domain = var.domain
+ domain_auth_secret_arn = var.domain_auth_secret_arn
+ domain_dns_ips = var.domain_dns_ips
+ domain_fqdn = var.domain_fqdn
+ domain_iam_role_name = var.domain_iam_role_name
+ domain_ou = var.domain_ou
+ iam_database_authentication_enabled = var.iam_database_authentication_enabled
+ custom_iam_instance_profile = var.custom_iam_instance_profile
+ manage_master_user_password = var.manage_master_user_password
+ master_user_secret_kms_key_id = var.master_user_secret_kms_key_id
+
+ manage_master_user_password_rotation = var.manage_master_user_password_rotation
+ master_user_password_rotate_immediately = var.master_user_password_rotate_immediately
+ master_user_password_rotation_automatically_after_days = var.master_user_password_rotation_automatically_after_days
+ master_user_password_rotation_duration = var.master_user_password_rotation_duration
+ master_user_password_rotation_schedule_expression = var.master_user_password_rotation_schedule_expression
+
+ vpc_security_group_ids = var.vpc_security_group_ids
+ db_subnet_group_name = local.db_subnet_group_name
+ parameter_group_name = local.parameter_group_name_id
+ option_group_name = var.engine != "postgres" ? local.option_group : null
+ network_type = var.network_type
+
+ availability_zone = var.availability_zone
+ multi_az = var.multi_az
+ iops = var.iops
+ storage_throughput = var.storage_throughput
+ publicly_accessible = var.publicly_accessible
+ ca_cert_identifier = var.ca_cert_identifier
+ dedicated_log_volume = var.dedicated_log_volume
+ upgrade_storage_config = var.upgrade_storage_config
+
+ allow_major_version_upgrade = var.allow_major_version_upgrade
+ auto_minor_version_upgrade = var.auto_minor_version_upgrade
+ apply_immediately = var.apply_immediately
+ maintenance_window = var.maintenance_window
+ blue_green_update = var.blue_green_update
+
+ snapshot_identifier = var.snapshot_identifier
+ copy_tags_to_snapshot = var.copy_tags_to_snapshot
+ skip_final_snapshot = var.skip_final_snapshot
+ final_snapshot_identifier_prefix = var.final_snapshot_identifier_prefix
+
+ performance_insights_enabled = var.performance_insights_enabled
+ performance_insights_retention_period = var.performance_insights_retention_period
+ performance_insights_kms_key_id = var.performance_insights_enabled ? var.performance_insights_kms_key_id : null
+
+ replicate_source_db = var.replicate_source_db
+ replica_mode = var.replica_mode
+ backup_retention_period = var.backup_retention_period
+ backup_window = var.backup_window
+ max_allocated_storage = var.max_allocated_storage
+ monitoring_interval = var.monitoring_interval
+ monitoring_role_arn = var.monitoring_role_arn
+ monitoring_role_name = var.monitoring_role_name
+ monitoring_role_use_name_prefix = var.monitoring_role_use_name_prefix
+ monitoring_role_description = var.monitoring_role_description
+ create_monitoring_role = var.create_monitoring_role
+ monitoring_role_permissions_boundary = var.monitoring_role_permissions_boundary
+
+ character_set_name = var.character_set_name
+ nchar_character_set_name = var.nchar_character_set_name
+ timezone = var.timezone
+
+ enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
+ create_cloudwatch_log_group = var.create_cloudwatch_log_group
+ cloudwatch_log_group_retention_in_days = var.cloudwatch_log_group_retention_in_days
+ cloudwatch_log_group_kms_key_id = var.cloudwatch_log_group_kms_key_id
+ cloudwatch_log_group_skip_destroy = var.cloudwatch_log_group_skip_destroy
+ cloudwatch_log_group_class = var.cloudwatch_log_group_class
+ cloudwatch_log_group_tags = var.cloudwatch_log_group_tags
+
+ timeouts = var.timeouts
+
+ deletion_protection = var.deletion_protection
+ delete_automated_backups = var.delete_automated_backups
+
+ restore_to_point_in_time = var.restore_to_point_in_time
+ s3_import = var.s3_import
+
+ db_instance_tags = var.db_instance_tags
+ tags = var.tags
+}
+
+module "db_instance_role_association" {
+ source = "./modules/db_instance_role_association"
+
+ for_each = { for k, v in var.db_instance_role_associations : k => v if var.create_db_instance }
+
+ feature_name = each.key
+ role_arn = each.value
+ db_instance_identifier = module.db_instance.db_instance_identifier
+}
diff --git a/templates/terraform/aws/rds/modules/db_instance/README.md b/templates/terraform/aws/rds/modules/db_instance/README.md
new file mode 100644
index 00000000..3746718e
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_instance/README.md
@@ -0,0 +1,156 @@
+# aws_db_instance
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [aws](#requirement\_aws) | >= 5.62 |
+| [random](#requirement\_random) | >= 3.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.62 |
+| [random](#provider\_random) | >= 3.1 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_db_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance) | resource |
+| [aws_iam_role.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_secretsmanager_secret_rotation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation) | resource |
+| [random_id.snapshot_identifier](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_iam_policy_document.enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [allocated\_storage](#input\_allocated\_storage) | The allocated storage in gigabytes | `number` | `null` | no |
+| [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Indicates that major version upgrades are allowed. Changing this parameter does not result in an outage and the change is asynchronously applied as soon as possible | `bool` | `false` | no |
+| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any database modifications are applied immediately, or during the next maintenance window | `bool` | `false` | no |
+| [auto\_minor\_version\_upgrade](#input\_auto\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window | `bool` | `true` | no |
+| [availability\_zone](#input\_availability\_zone) | The Availability Zone of the RDS instance | `string` | `null` | no |
+| [backup\_retention\_period](#input\_backup\_retention\_period) | The days to retain backups for | `number` | `null` | no |
+| [backup\_window](#input\_backup\_window) | The daily time range (in UTC) during which automated backups are created if they are enabled. Example: '09:46-10:16'. Must not overlap with maintenance\_window | `string` | `null` | no |
+| [blue\_green\_update](#input\_blue\_green\_update) | Enables low-downtime updates using RDS Blue/Green deployments. | `map(string)` | `{}` | no |
+| [ca\_cert\_identifier](#input\_ca\_cert\_identifier) | Specifies the identifier of the CA certificate for the DB instance | `string` | `null` | no |
+| [character\_set\_name](#input\_character\_set\_name) | The character set name to use for DB encoding in Oracle instances. This can't be changed. See Oracle Character Sets Supported in Amazon RDS and Collations and Character Sets for Microsoft SQL Server for more information. This can only be set on creation. | `string` | `null` | no |
+| [cloudwatch\_log\_group\_class](#input\_cloudwatch\_log\_group\_class) | Specified the log class of the log group. Possible values are: STANDARD or INFREQUENT\_ACCESS | `string` | `null` | no |
+| [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
+| [cloudwatch\_log\_group\_retention\_in\_days](#input\_cloudwatch\_log\_group\_retention\_in\_days) | The number of days to retain CloudWatch logs for the DB instance | `number` | `7` | no |
+| [cloudwatch\_log\_group\_skip\_destroy](#input\_cloudwatch\_log\_group\_skip\_destroy) | Set to true if you do not wish the log group (and any logs it may contain) to be deleted at destroy time, and instead just remove the log group from the Terraform state | `bool` | `null` | no |
+| [cloudwatch\_log\_group\_tags](#input\_cloudwatch\_log\_group\_tags) | Additional tags for the CloudWatch log group(s) | `map(string)` | `{}` | no |
+| [copy\_tags\_to\_snapshot](#input\_copy\_tags\_to\_snapshot) | On delete, copy all Instance tags to the final snapshot | `bool` | `false` | no |
+| [create](#input\_create) | Whether to create this resource or not? | `bool` | `true` | no |
+| [create\_cloudwatch\_log\_group](#input\_create\_cloudwatch\_log\_group) | Determines whether a CloudWatch log group is created for each `enabled_cloudwatch_logs_exports` | `bool` | `false` | no |
+| [create\_monitoring\_role](#input\_create\_monitoring\_role) | Create IAM role with a defined name that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. | `bool` | `false` | no |
+| [custom\_iam\_instance\_profile](#input\_custom\_iam\_instance\_profile) | RDS custom iam instance profile | `string` | `null` | no |
+| [db\_instance\_tags](#input\_db\_instance\_tags) | A map of additional tags for the DB instance | `map(string)` | `{}` | no |
+| [db\_name](#input\_db\_name) | The DB name to create. If omitted, no database is created initially | `string` | `null` | no |
+| [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC | `string` | `null` | no |
+| [dedicated\_log\_volume](#input\_dedicated\_log\_volume) | Use a dedicated log volume (DLV) for the DB instance. Requires Provisioned IOPS. | `bool` | `false` | no |
+| [delete\_automated\_backups](#input\_delete\_automated\_backups) | Specifies whether to remove automated backups immediately after the DB instance is deleted | `bool` | `true` | no |
+| [deletion\_protection](#input\_deletion\_protection) | The database can't be deleted when this value is set to true. | `bool` | `false` | no |
+| [domain](#input\_domain) | The ID of the Directory Service Active Directory domain to create the instance in | `string` | `null` | no |
+| [domain\_auth\_secret\_arn](#input\_domain\_auth\_secret\_arn) | (Optional, but required if domain\_fqdn is provided) The ARN for the Secrets Manager secret with the self managed Active Directory credentials for the user joining the domain. Conflicts with domain and domain\_iam\_role\_name. | `string` | `null` | no |
+| [domain\_dns\_ips](#input\_domain\_dns\_ips) | (Optional, but required if domain\_fqdn is provided) The IPv4 DNS IP addresses of your primary and secondary self managed Active Directory domain controllers. Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list. Conflicts with domain and domain\_iam\_role\_name. | `list(string)` | `null` | no |
+| [domain\_fqdn](#input\_domain\_fqdn) | The fully qualified domain name (FQDN) of the self managed Active Directory domain. Conflicts with domain and domain\_iam\_role\_name. | `string` | `null` | no |
+| [domain\_iam\_role\_name](#input\_domain\_iam\_role\_name) | (Required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service | `string` | `null` | no |
+| [domain\_ou](#input\_domain\_ou) | (Optional, but required if domain\_fqdn is provided) The self managed Active Directory organizational unit for your DB instance to join. Conflicts with domain and domain\_iam\_role\_name. | `string` | `null` | no |
+| [enabled\_cloudwatch\_logs\_exports](#input\_enabled\_cloudwatch\_logs\_exports) | List of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine): alert, audit, error, general, listener, slowquery, trace, postgresql (PostgreSQL), upgrade (PostgreSQL). | `list(string)` | `[]` | no |
+| [engine](#input\_engine) | The database engine to use | `string` | `null` | no |
+| [engine\_lifecycle\_support](#input\_engine\_lifecycle\_support) | The life cycle type for this DB instance. This setting applies only to RDS for MySQL and RDS for PostgreSQL. Valid values are `open-source-rds-extended-support`, `open-source-rds-extended-support-disabled`. Default value is `open-source-rds-extended-support`. | `string` | `null` | no |
+| [engine\_version](#input\_engine\_version) | The engine version to use | `string` | `null` | no |
+| [final\_snapshot\_identifier\_prefix](#input\_final\_snapshot\_identifier\_prefix) | The name which is prefixed to the final snapshot on cluster destroy | `string` | `"final"` | no |
+| [iam\_database\_authentication\_enabled](#input\_iam\_database\_authentication\_enabled) | Specifies whether or mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled | `bool` | `false` | no |
+| [identifier](#input\_identifier) | The name of the RDS instance | `string` | n/a | yes |
+| [instance\_class](#input\_instance\_class) | The instance type of the RDS instance | `string` | `null` | no |
+| [iops](#input\_iops) | The amount of provisioned IOPS. Setting this implies a storage\_type of 'io1' or `gp3`. See `notes` for limitations regarding this variable for `gp3` | `number` | `null` | no |
+| [kms\_key\_id](#input\_kms\_key\_id) | The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage\_encrypted is set to true and kms\_key\_id is not specified the default KMS key created in your account will be used | `string` | `null` | no |
+| [license\_model](#input\_license\_model) | License model information for this DB instance. Optional, but required for some DB engines, i.e. Oracle SE1 | `string` | `null` | no |
+| [maintenance\_window](#input\_maintenance\_window) | The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00' | `string` | `null` | no |
+| [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if password is provided | `bool` | `true` | no |
+| [manage\_master\_user\_password\_rotation](#input\_manage\_master\_user\_password\_rotation) | Whether to manage the master user password rotation. By default, false on creation, rotation is managed by RDS. There is not currently a way to disable this on initial creation even when set to false. Setting this value to false after previously having been set to true will disable automatic rotation. | `bool` | `false` | no |
+| [master\_user\_password\_rotate\_immediately](#input\_master\_user\_password\_rotate\_immediately) | Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. | `bool` | `null` | no |
+| [master\_user\_password\_rotation\_automatically\_after\_days](#input\_master\_user\_password\_rotation\_automatically\_after\_days) | Specifies the number of days between automatic scheduled rotations of the secret. Either automatically\_after\_days or schedule\_expression must be specified. | `number` | `null` | no |
+| [master\_user\_password\_rotation\_duration](#input\_master\_user\_password\_rotation\_duration) | The length of the rotation window in hours. For example, 3h for a three hour window. | `string` | `null` | no |
+| [master\_user\_password\_rotation\_schedule\_expression](#input\_master\_user\_password\_rotation\_schedule\_expression) | A cron() or rate() expression that defines the schedule for rotating your secret. Either automatically\_after\_days or schedule\_expression must be specified. | `string` | `null` | no |
+| [master\_user\_secret\_kms\_key\_id](#input\_master\_user\_secret\_kms\_key\_id) | The key ARN, key ID, alias ARN or alias name for the KMS key to encrypt the master user password secret in Secrets Manager.
If not specified, the default KMS key for your Amazon Web Services account is used. | `string` | `null` | no |
+| [max\_allocated\_storage](#input\_max\_allocated\_storage) | Specifies the value for Storage Autoscaling | `number` | `0` | no |
+| [monitoring\_interval](#input\_monitoring\_interval) | The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60. | `number` | `0` | no |
+| [monitoring\_role\_arn](#input\_monitoring\_role\_arn) | The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Must be specified if monitoring\_interval is non-zero. | `string` | `null` | no |
+| [monitoring\_role\_description](#input\_monitoring\_role\_description) | Description of the monitoring IAM role | `string` | `null` | no |
+| [monitoring\_role\_name](#input\_monitoring\_role\_name) | Name of the IAM role which will be created when create\_monitoring\_role is enabled. | `string` | `"rds-monitoring-role"` | no |
+| [monitoring\_role\_permissions\_boundary](#input\_monitoring\_role\_permissions\_boundary) | ARN of the policy that is used to set the permissions boundary for the monitoring IAM role | `string` | `null` | no |
+| [monitoring\_role\_use\_name\_prefix](#input\_monitoring\_role\_use\_name\_prefix) | Determines whether to use `monitoring_role_name` as is or create a unique identifier beginning with `monitoring_role_name` as the specified prefix | `bool` | `false` | no |
+| [multi\_az](#input\_multi\_az) | Specifies if the RDS instance is multi-AZ | `bool` | `false` | no |
+| [nchar\_character\_set\_name](#input\_nchar\_character\_set\_name) | The national character set is used in the NCHAR, NVARCHAR2, and NCLOB data types for Oracle instances. This can't be changed. | `string` | `null` | no |
+| [network\_type](#input\_network\_type) | The type of network stack | `string` | `null` | no |
+| [option\_group\_name](#input\_option\_group\_name) | Name of the DB option group to associate. | `string` | `null` | no |
+| [parameter\_group\_name](#input\_parameter\_group\_name) | Name of the DB parameter group to associate | `string` | `null` | no |
+| [password](#input\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file | `string` | `null` | no |
+| [performance\_insights\_enabled](#input\_performance\_insights\_enabled) | Specifies whether Performance Insights are enabled | `bool` | `false` | no |
+| [performance\_insights\_kms\_key\_id](#input\_performance\_insights\_kms\_key\_id) | The ARN for the KMS key to encrypt Performance Insights data. | `string` | `null` | no |
+| [performance\_insights\_retention\_period](#input\_performance\_insights\_retention\_period) | The amount of time in days to retain Performance Insights data. Either 7 (7 days) or 731 (2 years). | `number` | `7` | no |
+| [port](#input\_port) | The port on which the DB accepts connections | `string` | `null` | no |
+| [publicly\_accessible](#input\_publicly\_accessible) | Bool to control if instance is publicly accessible | `bool` | `false` | no |
+| [replica\_mode](#input\_replica\_mode) | Specifies whether the replica is in either mounted or open-read-only mode. This attribute is only supported by Oracle instances. Oracle replicas operate in open-read-only mode unless otherwise specified | `string` | `null` | no |
+| [replicate\_source\_db](#input\_replicate\_source\_db) | Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate. | `string` | `null` | no |
+| [restore\_to\_point\_in\_time](#input\_restore\_to\_point\_in\_time) | Restore to a point in time (MySQL is NOT supported) | `map(string)` | `null` | no |
+| [s3\_import](#input\_s3\_import) | Restore from a Percona Xtrabackup in S3 (only MySQL is supported) | `map(string)` | `null` | no |
+| [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted | `bool` | `false` | no |
+| [snapshot\_identifier](#input\_snapshot\_identifier) | Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05. | `string` | `null` | no |
+| [storage\_encrypted](#input\_storage\_encrypted) | Specifies whether the DB instance is encrypted | `bool` | `true` | no |
+| [storage\_throughput](#input\_storage\_throughput) | Storage throughput value for the DB instance. This setting applies only to the `gp3` storage type. See `notes` for limitations regarding this variable for `gp3` | `number` | `null` | no |
+| [storage\_type](#input\_storage\_type) | One of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (new generation of general purpose SSD), or 'io1' (provisioned IOPS SSD). The default is 'io1' if iops is specified, 'gp2' if not. If you specify 'io1' or 'gp3' , you must also include a value for the 'iops' parameter | `string` | `null` | no |
+| [tags](#input\_tags) | A mapping of tags to assign to all resources | `map(string)` | `{}` | no |
+| [timeouts](#input\_timeouts) | Updated Terraform resource management timeouts. Applies to `aws_db_instance` in particular to permit resource management times | `map(string)` | `{}` | no |
+| [timezone](#input\_timezone) | Time zone of the DB instance. timezone is currently only supported by Microsoft SQL Server. The timezone can only be set on creation. See MSSQL User Guide for more information. | `string` | `null` | no |
+| [upgrade\_storage\_config](#input\_upgrade\_storage\_config) | Whether to upgrade the storage file system configuration on the read replica. Can only be set with replicate\_source\_db. | `bool` | `null` | no |
+| [use\_identifier\_prefix](#input\_use\_identifier\_prefix) | Determines whether to use `identifier` as is or create a unique identifier beginning with `identifier` as the specified prefix | `bool` | `false` | no |
+| [username](#input\_username) | Username for the master DB user | `string` | `null` | no |
+| [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | List of VPC security groups to associate | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [db\_instance\_address](#output\_db\_instance\_address) | The address of the RDS instance |
+| [db\_instance\_arn](#output\_db\_instance\_arn) | The ARN of the RDS instance |
+| [db\_instance\_availability\_zone](#output\_db\_instance\_availability\_zone) | The availability zone of the RDS instance |
+| [db\_instance\_ca\_cert\_identifier](#output\_db\_instance\_ca\_cert\_identifier) | Specifies the identifier of the CA certificate for the DB instance |
+| [db\_instance\_cloudwatch\_log\_groups](#output\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes |
+| [db\_instance\_domain](#output\_db\_instance\_domain) | The ID of the Directory Service Active Directory domain the instance is joined to |
+| [db\_instance\_domain\_auth\_secret\_arn](#output\_db\_instance\_domain\_auth\_secret\_arn) | The ARN for the Secrets Manager secret with the self managed Active Directory credentials for the user joining the domain |
+| [db\_instance\_domain\_dns\_ips](#output\_db\_instance\_domain\_dns\_ips) | The IPv4 DNS IP addresses of your primary and secondary self managed Active Directory domain controllers |
+| [db\_instance\_domain\_fqdn](#output\_db\_instance\_domain\_fqdn) | The fully qualified domain name (FQDN) of an self managed Active Directory domain |
+| [db\_instance\_domain\_iam\_role\_name](#output\_db\_instance\_domain\_iam\_role\_name) | The name of the IAM role to be used when making API calls to the Directory Service |
+| [db\_instance\_domain\_ou](#output\_db\_instance\_domain\_ou) | The self managed Active Directory organizational unit for your DB instance to join |
+| [db\_instance\_endpoint](#output\_db\_instance\_endpoint) | The connection endpoint |
+| [db\_instance\_engine](#output\_db\_instance\_engine) | The database engine |
+| [db\_instance\_engine\_version\_actual](#output\_db\_instance\_engine\_version\_actual) | The running version of the database |
+| [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
+| [db\_instance\_identifier](#output\_db\_instance\_identifier) | The RDS instance identifier |
+| [db\_instance\_master\_user\_secret\_arn](#output\_db\_instance\_master\_user\_secret\_arn) | The ARN of the master user secret (Only available when manage\_master\_user\_password is set to true) |
+| [db\_instance\_name](#output\_db\_instance\_name) | The database name |
+| [db\_instance\_port](#output\_db\_instance\_port) | The database port |
+| [db\_instance\_resource\_id](#output\_db\_instance\_resource\_id) | The RDS Resource ID of this instance |
+| [db\_instance\_secretsmanager\_secret\_rotation\_enabled](#output\_db\_instance\_secretsmanager\_secret\_rotation\_enabled) | Specifies whether automatic rotation is enabled for the secret |
+| [db\_instance\_status](#output\_db\_instance\_status) | The RDS instance status |
+| [db\_instance\_username](#output\_db\_instance\_username) | The master username for the database |
+| [db\_listener\_endpoint](#output\_db\_listener\_endpoint) | Specifies the listener connection endpoint for SQL Server Always On |
+| [enhanced\_monitoring\_iam\_role\_arn](#output\_enhanced\_monitoring\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the monitoring role |
+| [enhanced\_monitoring\_iam\_role\_name](#output\_enhanced\_monitoring\_iam\_role\_name) | The name of the monitoring role |
+
diff --git a/templates/terraform/aws/rds/modules/db_instance/main.tf b/templates/terraform/aws/rds/modules/db_instance/main.tf
new file mode 100644
index 00000000..ce9b4c43
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_instance/main.tf
@@ -0,0 +1,230 @@
+locals {
+ monitoring_role_arn = var.create_monitoring_role ? aws_iam_role.enhanced_monitoring[0].arn : var.monitoring_role_arn
+
+ final_snapshot_identifier = var.skip_final_snapshot ? null : "${var.final_snapshot_identifier_prefix}-${var.identifier}-${try(random_id.snapshot_identifier[0].hex, "")}"
+
+ identifier = var.use_identifier_prefix ? null : var.identifier
+ identifier_prefix = var.use_identifier_prefix ? "${var.identifier}-" : null
+
+ monitoring_role_name = var.monitoring_role_use_name_prefix ? null : var.monitoring_role_name
+ monitoring_role_name_prefix = var.monitoring_role_use_name_prefix ? "${var.monitoring_role_name}-" : null
+
+ # Replicas will use source metadata
+ is_replica = var.replicate_source_db != null
+}
+
+# Ref. https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces
+data "aws_partition" "current" {}
+
+resource "random_id" "snapshot_identifier" {
+ count = var.create && !var.skip_final_snapshot ? 1 : 0
+
+ keepers = {
+ id = var.identifier
+ }
+
+ byte_length = 4
+}
+
+resource "aws_db_instance" "this" {
+ count = var.create ? 1 : 0
+
+ identifier = local.identifier
+ identifier_prefix = local.identifier_prefix
+
+ engine = local.is_replica ? null : var.engine
+ engine_version = var.engine_version
+ engine_lifecycle_support = var.engine_lifecycle_support
+ instance_class = var.instance_class
+ allocated_storage = var.allocated_storage
+ storage_type = var.storage_type
+ storage_encrypted = var.storage_encrypted
+ kms_key_id = var.kms_key_id
+ license_model = var.license_model
+
+ db_name = var.db_name
+ username = !local.is_replica ? var.username : null
+ password = !local.is_replica && var.manage_master_user_password ? null : var.password
+ port = var.port
+ domain = var.domain
+ domain_auth_secret_arn = var.domain_auth_secret_arn
+ domain_dns_ips = var.domain_dns_ips
+ domain_fqdn = var.domain_fqdn
+ domain_iam_role_name = var.domain_iam_role_name
+ domain_ou = var.domain_ou
+ iam_database_authentication_enabled = var.iam_database_authentication_enabled
+ custom_iam_instance_profile = var.custom_iam_instance_profile
+ manage_master_user_password = !local.is_replica && var.manage_master_user_password ? var.manage_master_user_password : null
+ master_user_secret_kms_key_id = !local.is_replica && var.manage_master_user_password ? var.master_user_secret_kms_key_id : null
+
+ vpc_security_group_ids = var.vpc_security_group_ids
+ db_subnet_group_name = var.db_subnet_group_name
+ parameter_group_name = var.parameter_group_name
+ option_group_name = var.option_group_name
+ network_type = var.network_type
+
+ availability_zone = var.availability_zone
+ multi_az = var.multi_az
+ iops = var.iops
+ storage_throughput = var.storage_throughput
+ publicly_accessible = var.publicly_accessible
+ ca_cert_identifier = var.ca_cert_identifier
+ dedicated_log_volume = var.dedicated_log_volume
+ upgrade_storage_config = var.upgrade_storage_config
+
+ allow_major_version_upgrade = var.allow_major_version_upgrade
+ auto_minor_version_upgrade = var.auto_minor_version_upgrade
+ apply_immediately = var.apply_immediately
+ maintenance_window = var.maintenance_window
+
+ # https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/blue-green-deployments.html
+ dynamic "blue_green_update" {
+ for_each = length(var.blue_green_update) > 0 ? [var.blue_green_update] : []
+
+ content {
+ enabled = try(blue_green_update.value.enabled, null)
+ }
+ }
+
+ snapshot_identifier = var.snapshot_identifier
+ copy_tags_to_snapshot = var.copy_tags_to_snapshot
+ skip_final_snapshot = var.skip_final_snapshot
+ final_snapshot_identifier = local.final_snapshot_identifier
+
+ performance_insights_enabled = var.performance_insights_enabled
+ performance_insights_retention_period = var.performance_insights_enabled ? var.performance_insights_retention_period : null
+ performance_insights_kms_key_id = var.performance_insights_enabled ? var.performance_insights_kms_key_id : null
+
+ replicate_source_db = var.replicate_source_db
+ replica_mode = var.replica_mode
+ backup_retention_period = length(var.blue_green_update) > 0 ? coalesce(var.backup_retention_period, 1) : var.backup_retention_period
+ backup_window = var.backup_window
+ max_allocated_storage = var.max_allocated_storage
+ monitoring_interval = var.monitoring_interval
+ monitoring_role_arn = var.monitoring_interval > 0 ? local.monitoring_role_arn : null
+
+ character_set_name = var.character_set_name
+ nchar_character_set_name = var.nchar_character_set_name
+ timezone = var.timezone
+ enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
+
+ deletion_protection = var.deletion_protection
+ delete_automated_backups = var.delete_automated_backups
+
+ dynamic "restore_to_point_in_time" {
+ for_each = var.restore_to_point_in_time != null ? [var.restore_to_point_in_time] : []
+
+ content {
+ restore_time = lookup(restore_to_point_in_time.value, "restore_time", null)
+ source_db_instance_automated_backups_arn = lookup(restore_to_point_in_time.value, "source_db_instance_automated_backups_arn", null)
+ source_db_instance_identifier = lookup(restore_to_point_in_time.value, "source_db_instance_identifier", null)
+ source_dbi_resource_id = lookup(restore_to_point_in_time.value, "source_dbi_resource_id", null)
+ use_latest_restorable_time = lookup(restore_to_point_in_time.value, "use_latest_restorable_time", null)
+ }
+ }
+
+ dynamic "s3_import" {
+ for_each = var.s3_import != null ? [var.s3_import] : []
+
+ content {
+ source_engine = "mysql"
+ source_engine_version = s3_import.value.source_engine_version
+ bucket_name = s3_import.value.bucket_name
+ bucket_prefix = lookup(s3_import.value, "bucket_prefix", null)
+ ingestion_role = s3_import.value.ingestion_role
+ }
+ }
+
+ tags = merge(var.tags, var.db_instance_tags)
+
+ depends_on = [aws_cloudwatch_log_group.this]
+
+ timeouts {
+ create = lookup(var.timeouts, "create", null)
+ delete = lookup(var.timeouts, "delete", null)
+ update = lookup(var.timeouts, "update", null)
+ }
+
+ # Note: do not add `latest_restorable_time` to `ignore_changes`
+ # https://github.com/terraform-aws-modules/terraform-aws-rds/issues/478
+}
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+# Log groups will not be created if using an identifier prefix
+resource "aws_cloudwatch_log_group" "this" {
+ for_each = toset([for log in var.enabled_cloudwatch_logs_exports : log if var.create && var.create_cloudwatch_log_group && !var.use_identifier_prefix])
+
+ name = "/aws/rds/instance/${var.identifier}/${each.value}"
+ retention_in_days = var.cloudwatch_log_group_retention_in_days
+ kms_key_id = var.cloudwatch_log_group_kms_key_id
+ skip_destroy = var.cloudwatch_log_group_skip_destroy
+ log_group_class = var.cloudwatch_log_group_class
+
+ tags = merge(var.tags, var.cloudwatch_log_group_tags)
+}
+
+################################################################################
+# Enhanced monitoring
+################################################################################
+
+data "aws_iam_policy_document" "enhanced_monitoring" {
+ statement {
+ actions = [
+ "sts:AssumeRole",
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = ["monitoring.rds.amazonaws.com"]
+ }
+ }
+}
+
+resource "aws_iam_role" "enhanced_monitoring" {
+ count = var.create_monitoring_role ? 1 : 0
+
+ name = local.monitoring_role_name
+ name_prefix = local.monitoring_role_name_prefix
+ assume_role_policy = data.aws_iam_policy_document.enhanced_monitoring.json
+ description = var.monitoring_role_description
+ permissions_boundary = var.monitoring_role_permissions_boundary
+
+ tags = merge(
+ {
+ "Name" = format("%s", var.monitoring_role_name)
+ },
+ var.tags,
+ )
+}
+
+resource "aws_iam_role_policy_attachment" "enhanced_monitoring" {
+ count = var.create_monitoring_role ? 1 : 0
+
+ role = aws_iam_role.enhanced_monitoring[0].name
+ policy_arn = "arn:${data.aws_partition.current.partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+}
+
+################################################################################
+# Managed Secret Rotation
+################################################################################
+
+# There is not currently a way to disable secret rotation on an initial apply.
+# In order to use master password secrets management without a rotation, the following workaround can be used:
+# `manage_master_user_password_rotation` must be set to true first and applied followed by setting it to false and another apply.
+# Note: when setting `manage_master_user_password_rotation` to true, a schedule must also be set using `master_user_password_rotation_schedule_expression` or `master_user_password_rotation_automatically_after_days`.
+# See: https://github.com/hashicorp/terraform-provider-aws/issues/37779
+resource "aws_secretsmanager_secret_rotation" "this" {
+ count = var.create && var.manage_master_user_password && var.manage_master_user_password_rotation ? 1 : 0
+
+ secret_id = aws_db_instance.this[0].master_user_secret[0].secret_arn
+ rotate_immediately = var.master_user_password_rotate_immediately
+
+ rotation_rules {
+ automatically_after_days = var.master_user_password_rotation_automatically_after_days
+ duration = var.master_user_password_rotation_duration
+ schedule_expression = var.master_user_password_rotation_schedule_expression
+ }
+}
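Review bot: The enhanced-monitoring trust policy in `data.aws_iam_policy_document.enhanced_monitoring` grants `sts:AssumeRole` to `monitoring.rds.amazonaws.com` with no `aws:SourceAccount` or `aws:SourceArn` condition, so the service can be made to assume this role on behalf of RDS resources outside the deploying account (the cross-service confused-deputy case AWS documents for this role). Scoping the statement to the current account needs a `condition` block plus a caller-identity data source in this module — HEAD declares `aws_caller_identity` only in `auto-drive/db.tf`, not here; the rewritten statement is below. Separately, the `count` on `aws_secretsmanager_secret_rotation.this` is gated on `var.manage_master_user_password` but not on `local.is_replica`, while `aws_db_instance.this` nulls `manage_master_user_password` for replicas, so a replica with rotation enabled would presumably fail to resolve `master_user_secret[0]`; appending `&& !local.is_replica` to that `count` expression closes the gap.
```hcl
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "enhanced_monitoring" {
  statement {
    # … unchanged: actions and principals …

    # Confused-deputy guard: RDS may assume this role only for resources in this account
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```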
diff --git a/templates/terraform/aws/rds/modules/db_instance/outputs.tf b/templates/terraform/aws/rds/modules/db_instance/outputs.tf
new file mode 100644
index 00000000..26c4cdb7
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_instance/outputs.tf
@@ -0,0 +1,138 @@
+output "enhanced_monitoring_iam_role_name" {
+ description = "The name of the monitoring role"
+ value = try(aws_iam_role.enhanced_monitoring[0].name, null)
+}
+
+output "enhanced_monitoring_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the monitoring role"
+ value = try(aws_iam_role.enhanced_monitoring[0].arn, null)
+}
+
+output "db_instance_address" {
+ description = "The address of the RDS instance"
+ value = try(aws_db_instance.this[0].address, null)
+}
+
+output "db_instance_arn" {
+ description = "The ARN of the RDS instance"
+ value = try(aws_db_instance.this[0].arn, null)
+}
+
+output "db_instance_availability_zone" {
+ description = "The availability zone of the RDS instance"
+ value = try(aws_db_instance.this[0].availability_zone, null)
+}
+
+output "db_instance_endpoint" {
+ description = "The connection endpoint"
+ value = try(aws_db_instance.this[0].endpoint, null)
+}
+
+output "db_listener_endpoint" {
+ description = "Specifies the listener connection endpoint for SQL Server Always On"
+ value = try(aws_db_instance.this[0].listener_endpoint, null)
+}
+
+output "db_instance_engine" {
+ description = "The database engine"
+ value = try(aws_db_instance.this[0].engine, null)
+}
+
+output "db_instance_engine_version_actual" {
+ description = "The running version of the database"
+ value = try(aws_db_instance.this[0].engine_version_actual, null)
+}
+
+output "db_instance_hosted_zone_id" {
+ description = "The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record)"
+ value = try(aws_db_instance.this[0].hosted_zone_id, null)
+}
+
+output "db_instance_identifier" {
+ description = "The RDS instance identifier"
+ value = try(aws_db_instance.this[0].identifier, null)
+}
+
+output "db_instance_resource_id" {
+ description = "The RDS Resource ID of this instance"
+ value = try(aws_db_instance.this[0].resource_id, null)
+}
+
+output "db_instance_status" {
+ description = "The RDS instance status"
+ value = try(aws_db_instance.this[0].status, null)
+}
+
+output "db_instance_name" {
+ description = "The database name"
+ value = try(aws_db_instance.this[0].db_name, null)
+}
+
+output "db_instance_username" {
+ description = "The master username for the database"
+ value = try(aws_db_instance.this[0].username, null)
+ sensitive = true
+}
+
+output "db_instance_port" {
+ description = "The database port"
+ value = try(aws_db_instance.this[0].port, null)
+}
+
+output "db_instance_ca_cert_identifier" {
+ description = "Specifies the identifier of the CA certificate for the DB instance"
+ value = try(aws_db_instance.this[0].ca_cert_identifier, null)
+}
+
+output "db_instance_domain" {
+ description = "The ID of the Directory Service Active Directory domain the instance is joined to"
+ value = try(aws_db_instance.this[0].domain, null)
+}
+
+output "db_instance_domain_auth_secret_arn" {
+ description = "The ARN for the Secrets Manager secret with the self managed Active Directory credentials for the user joining the domain"
+ value = try(aws_db_instance.this[0].domain_auth_secret_arn, null)
+}
+
+output "db_instance_domain_dns_ips" {
+ description = "The IPv4 DNS IP addresses of your primary and secondary self managed Active Directory domain controllers"
+ value = try(aws_db_instance.this[0].domain_dns_ips, null)
+}
+
+output "db_instance_domain_fqdn" {
+ description = "The fully qualified domain name (FQDN) of an self managed Active Directory domain"
+ value = try(aws_db_instance.this[0].domain_fqdn, null)
+}
+
+output "db_instance_domain_iam_role_name" {
+ description = "The name of the IAM role to be used when making API calls to the Directory Service"
+ value = try(aws_db_instance.this[0].domain_iam_role_name, null)
+}
+
+output "db_instance_domain_ou" {
+ description = "The self managed Active Directory organizational unit for your DB instance to join"
+ value = try(aws_db_instance.this[0].domain_ou, null)
+}
+
+output "db_instance_master_user_secret_arn" {
+ description = "The ARN of the master user secret (Only available when manage_master_user_password is set to true)"
+ value = try(aws_db_instance.this[0].master_user_secret[0].secret_arn, null)
+}
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+output "db_instance_cloudwatch_log_groups" {
+ description = "Map of CloudWatch log groups created and their attributes"
+ value = aws_cloudwatch_log_group.this
+}
+
+################################################################################
+# Managed Secret Rotation
+################################################################################
+
+output "db_instance_secretsmanager_secret_rotation_enabled" {
+ description = "Specifies whether automatic rotation is enabled for the secret"
+ value = try(aws_secretsmanager_secret_rotation.this[0].rotation_enabled, null)
+}
diff --git a/templates/terraform/aws/rds/modules/db_instance/variables.tf b/templates/terraform/aws/rds/modules/db_instance/variables.tf
new file mode 100644
index 00000000..acb17305
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_instance/variables.tf
@@ -0,0 +1,519 @@
+variable "create" {
+ description = "Whether to create this resource or not?"
+ type = bool
+ default = true
+}
+
+variable "identifier" {
+ description = "The name of the RDS instance"
+ type = string
+}
+variable "custom_iam_instance_profile" {
+ description = "RDS custom iam instance profile"
+ type = string
+ default = null
+}
+
+variable "use_identifier_prefix" {
+ description = "Determines whether to use `identifier` as is or create a unique identifier beginning with `identifier` as the specified prefix"
+ type = bool
+ default = false
+}
+
+variable "allocated_storage" {
+ description = "The allocated storage in gigabytes"
+ type = number
+ default = null
+}
+
+variable "storage_type" {
+ description = "One of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (new generation of general purpose SSD), or 'io1' (provisioned IOPS SSD). The default is 'io1' if iops is specified, 'gp2' if not. If you specify 'io1' or 'gp3' , you must also include a value for the 'iops' parameter"
+ type = string
+ default = null
+}
+
+variable "storage_throughput" {
+ description = "Storage throughput value for the DB instance. This setting applies only to the `gp3` storage type. See `notes` for limitations regarding this variable for `gp3`"
+ type = number
+ default = null
+}
+
+variable "storage_encrypted" {
+ description = "Specifies whether the DB instance is encrypted"
+ type = bool
+ default = true
+}
+
+variable "kms_key_id" {
+ description = "The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage_encrypted is set to true and kms_key_id is not specified the default KMS key created in your account will be used"
+ type = string
+ default = null
+}
+
+variable "replicate_source_db" {
+ description = "Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate."
+ type = string
+ default = null
+}
+
+variable "license_model" {
+ description = "License model information for this DB instance. Optional, but required for some DB engines, i.e. Oracle SE1"
+ type = string
+ default = null
+}
+
+variable "replica_mode" {
+ description = "Specifies whether the replica is in either mounted or open-read-only mode. This attribute is only supported by Oracle instances. Oracle replicas operate in open-read-only mode unless otherwise specified"
+ type = string
+ default = null
+}
+
+variable "iam_database_authentication_enabled" {
+ description = "Specifies whether or mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled"
+ type = bool
+ default = false
+}
+
+variable "domain" {
+ description = "The ID of the Directory Service Active Directory domain to create the instance in"
+ type = string
+ default = null
+}
+
+variable "domain_auth_secret_arn" {
+ description = "(Optional, but required if domain_fqdn is provided) The ARN for the Secrets Manager secret with the self managed Active Directory credentials for the user joining the domain. Conflicts with domain and domain_iam_role_name."
+ type = string
+ default = null
+}
+
+variable "domain_dns_ips" {
+ description = "(Optional, but required if domain_fqdn is provided) The IPv4 DNS IP addresses of your primary and secondary self managed Active Directory domain controllers. Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list. Conflicts with domain and domain_iam_role_name."
+ type = list(string)
+ default = null
+}
+
+variable "domain_fqdn" {
+ description = "The fully qualified domain name (FQDN) of the self managed Active Directory domain. Conflicts with domain and domain_iam_role_name."
+ type = string
+ default = null
+}
+
+variable "domain_iam_role_name" {
+ description = "(Required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service"
+ type = string
+ default = null
+}
+
+variable "domain_ou" {
+ description = "(Optional, but required if domain_fqdn is provided) The self managed Active Directory organizational unit for your DB instance to join. Conflicts with domain and domain_iam_role_name."
+ type = string
+ default = null
+}
+
+variable "engine" {
+ description = "The database engine to use"
+ type = string
+ default = null
+}
+
+variable "engine_version" {
+ description = "The engine version to use"
+ type = string
+ default = null
+}
+
+variable "engine_lifecycle_support" {
+ description = "The life cycle type for this DB instance. This setting applies only to RDS for MySQL and RDS for PostgreSQL. Valid values are `open-source-rds-extended-support`, `open-source-rds-extended-support-disabled`. Default value is `open-source-rds-extended-support`."
+ type = string
+ default = null
+}
+
+variable "instance_class" {
+ description = "The instance type of the RDS instance"
+ type = string
+ default = null
+}
+
+variable "db_name" {
+ description = "The DB name to create. If omitted, no database is created initially"
+ type = string
+ default = null
+}
+
+variable "username" {
+ description = "Username for the master DB user"
+ type = string
+ default = null
+}
+
+variable "password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file"
+ type = string
+ default = null
+}
+
+variable "manage_master_user_password" {
+ description = "Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if password is provided"
+ type = bool
+ default = true
+}
+
+variable "master_user_secret_kms_key_id" {
+ description = <
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [aws](#requirement\_aws) | >= 5.62 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.62 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_db_instance_role_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance_role_association) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [create](#input\_create) | Determines whether to create a DB instance role association | `bool` | `true` | no |
+| [db\_instance\_identifier](#input\_db\_instance\_identifier) | The database instance identifier to associate the role | `string` | `null` | no |
+| [feature\_name](#input\_feature\_name) | Name of the feature for association | `string` | `null` | no |
+| [role\_arn](#input\_role\_arn) | Amazon Resource Name (ARN) of the IAM Role to associate with the DB Instance | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [db\_instance\_role\_association\_id](#output\_db\_instance\_role\_association\_id) | DB Instance Identifier and IAM Role ARN separated by a comma |
+
diff --git a/templates/terraform/aws/rds/modules/db_instance_role_association/main.tf b/templates/terraform/aws/rds/modules/db_instance_role_association/main.tf
new file mode 100644
index 00000000..0a11a4c2
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_instance_role_association/main.tf
@@ -0,0 +1,7 @@
+resource "aws_db_instance_role_association" "this" {
+ count = var.create ? 1 : 0
+
+ db_instance_identifier = var.db_instance_identifier
+ feature_name = var.feature_name
+ role_arn = var.role_arn
+}
diff --git a/templates/terraform/aws/rds/modules/db_instance_role_association/outputs.tf b/templates/terraform/aws/rds/modules/db_instance_role_association/outputs.tf
new file mode 100644
index 00000000..9152a0c0
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_instance_role_association/outputs.tf
@@ -0,0 +1,4 @@
+output "db_instance_role_association_id" {
+ description = "DB Instance Identifier and IAM Role ARN separated by a comma"
+ value = try(aws_db_instance_role_association.this[0].id, "")
+}
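Review bot: The `try(...)` fallback on the `value` line returns `""` when the association is not created, whereas every other module's outputs in this change (`db_option_group_id`, `db_parameter_group_id`, `db_subnet_group_id`) fall back to `null`. A caller that tests the output with `!= null` will treat the empty string as a real association id, so the two conventions are not interchangeable. For consistency with the sibling modules, `value = try(aws_db_instance_role_association.this[0].id, null)`.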
diff --git a/templates/terraform/aws/rds/modules/db_instance_role_association/variables.tf b/templates/terraform/aws/rds/modules/db_instance_role_association/variables.tf
new file mode 100644
index 00000000..d548d7fd
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_instance_role_association/variables.tf
@@ -0,0 +1,23 @@
+variable "create" {
+ description = "Determines whether to create a DB instance role association"
+ type = bool
+ default = true
+}
+
+variable "feature_name" {
+ description = "Name of the feature for association"
+ type = string
+ default = null
+}
+
+variable "role_arn" {
+ description = "Amazon Resource Name (ARN) of the IAM Role to associate with the DB Instance"
+ type = string
+ default = null
+}
+
+variable "db_instance_identifier" {
+ description = "The database instance identifier to associate the role"
+ type = string
+ default = null
+}
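Review bot: `feature_name`, `role_arn` and `db_instance_identifier` all default to `null`, but main.tf passes each straight into `aws_db_instance_role_association`, where they are required provider arguments; with the default `create = true` a caller that omits one gets an opaque provider error at plan time rather than a clear input error. A cross-variable `validation` referencing `var.create` needs Terraform 1.9+, above the `>= 1.0` floor in versions.tf, so the low-cost fix is to state the contract in the descriptions, e.g. `description = "(Required when create = true) Amazon Resource Name (ARN) of the IAM Role to associate with the DB Instance"`, and likewise for `feature_name` and `db_instance_identifier`. Alternatively drop the `default = null` lines so Terraform itself demands the values.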
diff --git a/templates/terraform/aws/rds/modules/db_instance_role_association/versions.tf b/templates/terraform/aws/rds/modules/db_instance_role_association/versions.tf
new file mode 100644
index 00000000..53040bf6
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_instance_role_association/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.62"
+ }
+ }
+}
diff --git a/templates/terraform/aws/rds/modules/db_option_group/README.md b/templates/terraform/aws/rds/modules/db_option_group/README.md
new file mode 100644
index 00000000..163b0059
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_option_group/README.md
@@ -0,0 +1,48 @@
+# aws_db_option_group
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [aws](#requirement\_aws) | >= 5.62 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.62 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_db_option_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_option_group) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [create](#input\_create) | Whether to create this resource or not? | `bool` | `true` | no |
+| [engine\_name](#input\_engine\_name) | Specifies the name of the engine that this option group should be associated with | `string` | `null` | no |
+| [major\_engine\_version](#input\_major\_engine\_version) | Specifies the major version of the engine that this option group should be associated with | `string` | `null` | no |
+| [name](#input\_name) | The name of the option group | `string` | `""` | no |
+| [option\_group\_description](#input\_option\_group\_description) | The description of the option group | `string` | `null` | no |
+| [options](#input\_options) | A list of Options to apply | `any` | `[]` | no |
+| [skip\_destroy](#input\_skip\_destroy) | Set to true if you do not wish the option group to be deleted at destroy time, and instead just remove the option group from the Terraform state | `bool` | `null` | no |
+| [tags](#input\_tags) | A mapping of tags to assign to the resource | `map(string)` | `{}` | no |
+| [timeouts](#input\_timeouts) | Define maximum timeout for deletion of `aws_db_option_group` resource | `map(string)` | `{}` | no |
+| [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether to use `name` as is or create a unique name beginning with `name` as the specified prefix | `bool` | `true` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [db\_option\_group\_arn](#output\_db\_option\_group\_arn) | The ARN of the db option group |
+| [db\_option\_group\_id](#output\_db\_option\_group\_id) | The db option group id |
+
diff --git a/templates/terraform/aws/rds/modules/db_option_group/main.tf b/templates/terraform/aws/rds/modules/db_option_group/main.tf
new file mode 100644
index 00000000..88fa554b
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_option_group/main.tf
@@ -0,0 +1,52 @@
+locals {
+ name = var.use_name_prefix ? null : var.name
+ name_prefix = var.use_name_prefix ? "${var.name}-" : null
+
+ description = coalesce(var.option_group_description, format("%s option group", var.name))
+}
+
+resource "aws_db_option_group" "this" {
+ count = var.create ? 1 : 0
+
+ name = local.name
+ name_prefix = local.name_prefix
+ option_group_description = local.description
+ engine_name = var.engine_name
+ major_engine_version = var.major_engine_version
+
+ dynamic "option" {
+ for_each = var.options
+ content {
+ option_name = option.value.option_name
+ port = lookup(option.value, "port", null)
+ version = lookup(option.value, "version", null)
+ db_security_group_memberships = lookup(option.value, "db_security_group_memberships", null)
+ vpc_security_group_memberships = lookup(option.value, "vpc_security_group_memberships", null)
+
+ dynamic "option_settings" {
+ for_each = lookup(option.value, "option_settings", [])
+ content {
+ name = lookup(option_settings.value, "name", null)
+ value = lookup(option_settings.value, "value", null)
+ }
+ }
+ }
+ }
+
+ skip_destroy = var.skip_destroy
+
+ tags = merge(
+ var.tags,
+ {
+ "Name" = var.name
+ },
+ )
+
+ timeouts {
+ delete = lookup(var.timeouts, "delete", null)
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
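Review bot: `option.value.option_name` on the line after `content {` is read directly while every other attribute of the same object goes through `lookup(..., null)`; because `var.options` is typed `any`, an entry missing `option_name` fails with an attribute-lookup error deep inside the `dynamic` block instead of a message at the module boundary. The direct access is presumably deliberate since `option_name` is the one required attribute of the provider's `option` block, so say so above the `dynamic "option"` line, `# option_name is required by aws_db_option_group; all other keys are optional`. If the module is meant to be reused widely, tightening `var.options` in variables.tf to a `list(object({...}))` type would validate the shape before plan.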
diff --git a/templates/terraform/aws/rds/modules/db_option_group/outputs.tf b/templates/terraform/aws/rds/modules/db_option_group/outputs.tf
new file mode 100644
index 00000000..377e169a
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_option_group/outputs.tf
@@ -0,0 +1,9 @@
+output "db_option_group_id" {
+ description = "The db option group id"
+ value = try(aws_db_option_group.this[0].id, null)
+}
+
+output "db_option_group_arn" {
+ description = "The ARN of the db option group"
+ value = try(aws_db_option_group.this[0].arn, null)
+}
diff --git a/templates/terraform/aws/rds/modules/db_option_group/variables.tf b/templates/terraform/aws/rds/modules/db_option_group/variables.tf
new file mode 100644
index 00000000..e990529b
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_option_group/variables.tf
@@ -0,0 +1,59 @@
+variable "create" {
+ description = "Whether to create this resource or not?"
+ type = bool
+ default = true
+}
+
+variable "name" {
+ description = "The name of the option group"
+ type = string
+ default = ""
+}
+
+variable "use_name_prefix" {
+ description = "Determines whether to use `name` as is or create a unique name beginning with `name` as the specified prefix"
+ type = bool
+ default = true
+}
+
+variable "option_group_description" {
+ description = "The description of the option group"
+ type = string
+ default = null
+}
+
+variable "engine_name" {
+ description = "Specifies the name of the engine that this option group should be associated with"
+ type = string
+ default = null
+}
+
+variable "major_engine_version" {
+ description = "Specifies the major version of the engine that this option group should be associated with"
+ type = string
+ default = null
+}
+
+variable "options" {
+ description = "A list of Options to apply"
+ type = any
+ default = []
+}
+
+variable "skip_destroy" {
+ description = "Set to true if you do not wish the option group to be deleted at destroy time, and instead just remove the option group from the Terraform state"
+ type = bool
+ default = null
+}
+
+variable "timeouts" {
+ description = "Define maximum timeout for deletion of `aws_db_option_group` resource"
+ type = map(string)
+ default = {}
+}
+
+variable "tags" {
+ description = "A mapping of tags to assign to the resource"
+ type = map(string)
+ default = {}
+}
diff --git a/templates/terraform/aws/rds/modules/db_option_group/versions.tf b/templates/terraform/aws/rds/modules/db_option_group/versions.tf
new file mode 100644
index 00000000..53040bf6
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_option_group/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.62"
+ }
+ }
+}
diff --git a/templates/terraform/aws/rds/modules/db_parameter_group/README.md b/templates/terraform/aws/rds/modules/db_parameter_group/README.md
new file mode 100644
index 00000000..6c923c60
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_parameter_group/README.md
@@ -0,0 +1,46 @@
+# aws_db_parameter_group
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [aws](#requirement\_aws) | >= 5.62 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.62 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_db_parameter_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [create](#input\_create) | Whether to create this resource or not? | `bool` | `true` | no |
+| [description](#input\_description) | The description of the DB parameter group | `string` | `null` | no |
+| [family](#input\_family) | The family of the DB parameter group | `string` | `null` | no |
+| [name](#input\_name) | The name of the DB parameter group | `string` | `""` | no |
+| [parameters](#input\_parameters) | A list of DB parameter maps to apply | `list(map(string))` | `[]` | no |
+| [skip\_destroy](#input\_skip\_destroy) | Set to true if you do not wish the parameter group to be deleted at destroy time, and instead just remove the parameter group from the Terraform state | `bool` | `null` | no |
+| [tags](#input\_tags) | A mapping of tags to assign to the resource | `map(string)` | `{}` | no |
+| [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether to use `name` as is or create a unique name beginning with `name` as the specified prefix | `bool` | `true` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [db\_parameter\_group\_arn](#output\_db\_parameter\_group\_arn) | The ARN of the db parameter group |
+| [db\_parameter\_group\_id](#output\_db\_parameter\_group\_id) | The db parameter group id |
+
diff --git a/templates/terraform/aws/rds/modules/db_parameter_group/main.tf b/templates/terraform/aws/rds/modules/db_parameter_group/main.tf
new file mode 100644
index 00000000..19ce380c
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_parameter_group/main.tf
@@ -0,0 +1,37 @@
+locals {
+ name = var.use_name_prefix ? null : var.name
+ name_prefix = var.use_name_prefix ? "${var.name}-" : null
+
+ description = coalesce(var.description, format("%s parameter group", var.name))
+}
+
+resource "aws_db_parameter_group" "this" {
+ count = var.create ? 1 : 0
+
+ name = local.name
+ name_prefix = local.name_prefix
+ description = local.description
+ family = var.family
+
+ dynamic "parameter" {
+ for_each = var.parameters
+ content {
+ name = parameter.value.name
+ value = parameter.value.value
+ apply_method = lookup(parameter.value, "apply_method", null)
+ }
+ }
+
+ skip_destroy = var.skip_destroy
+
+ tags = merge(
+ var.tags,
+ {
+ "Name" = var.name
+ },
+ )
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
diff --git a/templates/terraform/aws/rds/modules/db_parameter_group/outputs.tf b/templates/terraform/aws/rds/modules/db_parameter_group/outputs.tf
new file mode 100644
index 00000000..0ea46412
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_parameter_group/outputs.tf
@@ -0,0 +1,9 @@
+output "db_parameter_group_id" {
+ description = "The db parameter group id"
+ value = try(aws_db_parameter_group.this[0].id, null)
+}
+
+output "db_parameter_group_arn" {
+ description = "The ARN of the db parameter group"
+ value = try(aws_db_parameter_group.this[0].arn, null)
+}
diff --git a/templates/terraform/aws/rds/modules/db_parameter_group/variables.tf b/templates/terraform/aws/rds/modules/db_parameter_group/variables.tf
new file mode 100644
index 00000000..702a11f9
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_parameter_group/variables.tf
@@ -0,0 +1,47 @@
+variable "create" {
+ description = "Whether to create this resource or not?"
+ type = bool
+ default = true
+}
+
+variable "name" {
+ description = "The name of the DB parameter group"
+ type = string
+ default = ""
+}
+
+variable "use_name_prefix" {
+ description = "Determines whether to use `name` as is or create a unique name beginning with `name` as the specified prefix"
+ type = bool
+ default = true
+}
+
+variable "description" {
+ description = "The description of the DB parameter group"
+ type = string
+ default = null
+}
+
+variable "family" {
+ description = "The family of the DB parameter group"
+ type = string
+ default = null
+}
+
+variable "parameters" {
+ description = "A list of DB parameter maps to apply"
+ type = list(map(string))
+ default = []
+}
+
+variable "skip_destroy" {
+ description = "Set to true if you do not wish the parameter group to be deleted at destroy time, and instead just remove the parameter group from the Terraform state"
+ type = bool
+ default = null
+}
+
+variable "tags" {
+ description = "A mapping of tags to assign to the resource"
+ type = map(string)
+ default = {}
+}
diff --git a/templates/terraform/aws/rds/modules/db_parameter_group/versions.tf b/templates/terraform/aws/rds/modules/db_parameter_group/versions.tf
new file mode 100644
index 00000000..53040bf6
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_parameter_group/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.62"
+ }
+ }
+}
diff --git a/templates/terraform/aws/rds/modules/db_subnet_group/README.md b/templates/terraform/aws/rds/modules/db_subnet_group/README.md
new file mode 100644
index 00000000..98fbed54
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_subnet_group/README.md
@@ -0,0 +1,44 @@
+# aws_db_subnet_group
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0 |
+| [aws](#requirement\_aws) | >= 5.59 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 5.59 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_db_subnet_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [create](#input\_create) | Whether to create this resource or not? | `bool` | `true` | no |
+| [description](#input\_description) | The description of the DB subnet group | `string` | `null` | no |
+| [name](#input\_name) | The name of the DB subnet group | `string` | `""` | no |
+| [subnet\_ids](#input\_subnet\_ids) | A list of VPC subnet IDs | `list(string)` | `[]` | no |
+| [tags](#input\_tags) | A mapping of tags to assign to the resource | `map(string)` | `{}` | no |
+| [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether to use `name` as is or create a unique name beginning with `name` as the specified prefix | `bool` | `true` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [db\_subnet\_group\_arn](#output\_db\_subnet\_group\_arn) | The ARN of the db subnet group |
+| [db\_subnet\_group\_id](#output\_db\_subnet\_group\_id) | The db subnet group name |
+
diff --git a/templates/terraform/aws/rds/modules/db_subnet_group/main.tf b/templates/terraform/aws/rds/modules/db_subnet_group/main.tf
new file mode 100644
index 00000000..6eecd88a
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_subnet_group/main.tf
@@ -0,0 +1,22 @@
+locals {
+ name = var.use_name_prefix ? null : var.name
+ name_prefix = var.use_name_prefix ? "${var.name}-" : null
+
+ description = coalesce(var.description, format("%s subnet group", var.name))
+}
+
+resource "aws_db_subnet_group" "this" {
+ count = var.create ? 1 : 0
+
+ name = local.name
+ name_prefix = local.name_prefix
+ description = local.description
+ subnet_ids = var.subnet_ids
+
+ tags = merge(
+ var.tags,
+ {
+ "Name" = var.name
+ },
+ )
+}
diff --git a/templates/terraform/aws/rds/modules/db_subnet_group/outputs.tf b/templates/terraform/aws/rds/modules/db_subnet_group/outputs.tf
new file mode 100644
index 00000000..dd92fe8b
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_subnet_group/outputs.tf
@@ -0,0 +1,9 @@
+output "db_subnet_group_id" {
+ description = "The db subnet group name"
+ value = try(aws_db_subnet_group.this[0].id, null)
+}
+
+output "db_subnet_group_arn" {
+ description = "The ARN of the db subnet group"
+ value = try(aws_db_subnet_group.this[0].arn, null)
+}
diff --git a/templates/terraform/aws/rds/modules/db_subnet_group/variables.tf b/templates/terraform/aws/rds/modules/db_subnet_group/variables.tf
new file mode 100644
index 00000000..48185ab4
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_subnet_group/variables.tf
@@ -0,0 +1,35 @@
+variable "create" {
+ description = "Whether to create this resource or not?"
+ type = bool
+ default = true
+}
+
+variable "name" {
+ description = "The name of the DB subnet group"
+ type = string
+ default = ""
+}
+
+variable "use_name_prefix" {
+ description = "Determines whether to use `name` as is or create a unique name beginning with `name` as the specified prefix"
+ type = bool
+ default = true
+}
+
+variable "description" {
+ description = "The description of the DB subnet group"
+ type = string
+ default = null
+}
+
+variable "subnet_ids" {
+ description = "A list of VPC subnet IDs"
+ type = list(string)
+ default = []
+}
+
+variable "tags" {
+ description = "A mapping of tags to assign to the resource"
+ type = map(string)
+ default = {}
+}
diff --git a/templates/terraform/aws/rds/modules/db_subnet_group/versions.tf b/templates/terraform/aws/rds/modules/db_subnet_group/versions.tf
new file mode 100644
index 00000000..7ea01589
--- /dev/null
+++ b/templates/terraform/aws/rds/modules/db_subnet_group/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.59"
+ }
+ }
+}
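Review bot: The `version = ">= 5.59"` constraint on this line is lower than the `>= 5.62` used by the sibling `db_instance_role_association`, `db_option_group` and `db_parameter_group` modules added in the same change. These are lower bounds only, so the root module resolves to the strictest of them and nothing breaks, but the mismatch suggests this module was validated against a different provider range than the rest. Suggested: `version = ">= 5.62"`, with the two `>= 5.59` cells in this module's README table updated to match.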
diff --git a/templates/terraform/aws/rds/outputs.tf b/templates/terraform/aws/rds/outputs.tf
new file mode 100644
index 00000000..b0fb26b5
--- /dev/null
+++ b/templates/terraform/aws/rds/outputs.tf
@@ -0,0 +1,178 @@
+output "enhanced_monitoring_iam_role_name" {
+ description = "The name of the monitoring role"
+ value = module.db_instance.enhanced_monitoring_iam_role_name
+}
+
+output "enhanced_monitoring_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the monitoring role"
+ value = module.db_instance.enhanced_monitoring_iam_role_arn
+}
+
+output "db_instance_address" {
+ description = "The address of the RDS instance"
+ value = module.db_instance.db_instance_address
+}
+
+output "db_instance_arn" {
+ description = "The ARN of the RDS instance"
+ value = module.db_instance.db_instance_arn
+}
+
+output "db_instance_availability_zone" {
+ description = "The availability zone of the RDS instance"
+ value = module.db_instance.db_instance_availability_zone
+}
+
+output "db_instance_endpoint" {
+ description = "The connection endpoint"
+ value = module.db_instance.db_instance_endpoint
+}
+
+output "db_listener_endpoint" {
+ description = "Specifies the listener connection endpoint for SQL Server Always On"
+ value = module.db_instance.db_listener_endpoint
+}
+
+output "db_instance_engine" {
+ description = "The database engine"
+ value = module.db_instance.db_instance_engine
+}
+
+output "db_instance_engine_version_actual" {
+ description = "The running version of the database"
+ value = module.db_instance.db_instance_engine_version_actual
+}
+
+output "db_instance_hosted_zone_id" {
+ description = "The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record)"
+ value = module.db_instance.db_instance_hosted_zone_id
+}
+
+output "db_instance_identifier" {
+ description = "The RDS instance identifier"
+ value = module.db_instance.db_instance_identifier
+}
+
+output "db_instance_resource_id" {
+ description = "The RDS Resource ID of this instance"
+ value = module.db_instance.db_instance_resource_id
+}
+
+output "db_instance_status" {
+ description = "The RDS instance status"
+ value = module.db_instance.db_instance_status
+}
+
+output "db_instance_name" {
+ description = "The database name"
+ value = module.db_instance.db_instance_name
+}
+
+output "db_instance_username" {
+ description = "The master username for the database"
+ value = module.db_instance.db_instance_username
+ sensitive = true
+}
+
+output "db_instance_domain" {
+ description = "The ID of the Directory Service Active Directory domain the instance is joined to"
+ value = module.db_instance.db_instance_domain
+}
+
+output "db_instance_domain_auth_secret_arn" {
+ description = "The ARN for the Secrets Manager secret with the self managed Active Directory credentials for the user joining the domain"
+ value = module.db_instance.db_instance_domain_auth_secret_arn
+}
+
+output "db_instance_domain_dns_ips" {
+ description = "The IPv4 DNS IP addresses of your primary and secondary self managed Active Directory domain controllers"
+ value = module.db_instance.db_instance_domain_dns_ips
+}
+
+output "db_instance_domain_fqdn" {
+ description = "The fully qualified domain name (FQDN) of an self managed Active Directory domain"
+ value = module.db_instance.db_instance_domain_fqdn
+}
+
+output "db_instance_domain_iam_role_name" {
+ description = "The name of the IAM role to be used when making API calls to the Directory Service"
+ value = module.db_instance.db_instance_domain_iam_role_name
+}
+
+output "db_instance_domain_ou" {
+ description = "The self managed Active Directory organizational unit for your DB instance to join"
+ value = module.db_instance.db_instance_domain_ou
+}
+
+output "db_instance_port" {
+ description = "The database port"
+ value = module.db_instance.db_instance_port
+}
+
+output "db_instance_ca_cert_identifier" {
+ description = "Specifies the identifier of the CA certificate for the DB instance"
+ value = module.db_instance.db_instance_ca_cert_identifier
+}
+
+output "db_instance_master_user_secret_arn" {
+ description = "The ARN of the master user secret (Only available when manage_master_user_password is set to true)"
+ value = module.db_instance.db_instance_master_user_secret_arn
+}
+
+output "db_subnet_group_id" {
+ description = "The db subnet group name"
+ value = module.db_subnet_group.db_subnet_group_id
+}
+
+output "db_subnet_group_arn" {
+ description = "The ARN of the db subnet group"
+ value = module.db_subnet_group.db_subnet_group_arn
+}
+
+output "db_parameter_group_id" {
+ description = "The db parameter group id"
+ value = module.db_parameter_group.db_parameter_group_id
+}
+
+output "db_parameter_group_arn" {
+ description = "The ARN of the db parameter group"
+ value = module.db_parameter_group.db_parameter_group_arn
+}
+
+# DB option group
+output "db_option_group_id" {
+ description = "The db option group id"
+ value = module.db_option_group.db_option_group_id
+}
+
+output "db_option_group_arn" {
+ description = "The ARN of the db option group"
+ value = module.db_option_group.db_option_group_arn
+}
+
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
+output "db_instance_cloudwatch_log_groups" {
+ description = "Map of CloudWatch log groups created and their attributes"
+ value = module.db_instance.db_instance_cloudwatch_log_groups
+}
+
+################################################################################
+# DB Instance Role Association
+################################################################################
+
+output "db_instance_role_associations" {
+ description = "A map of DB Instance Identifiers and IAM Role ARNs separated by a comma"
+ value = module.db_instance_role_association
+}
+
+################################################################################
+# Managed Secret Rotation
+################################################################################
+
+output "db_instance_secretsmanager_secret_rotation_enabled" {
+ description = "Specifies whether automatic rotation is enabled for the secret"
+ value = module.db_instance.db_instance_secretsmanager_secret_rotation_enabled
+}
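Review bot: `db_instance_role_associations` is the only output in this file that exports a whole module value, `module.db_instance_role_association`, rather than a named attribute of it, and the description "A map of DB Instance Identifiers and IAM Role ARNs separated by a comma" does not tell a consumer what they actually receive: if that module is instantiated with `for_each` (not visible in this hunk), the value is a map from association key to an object carrying every output of the child module. Either narrow the value to the specific attribute the description refers to, or rewrite the description to state that the output is the full per-association object map. As a smaller style point, the subnet-group and parameter-group outputs carry no section header, the option-group block gets a bare `# DB option group`, and the later blocks use the full `####` banner; one header form throughout would keep the file consistent with the banner style used in `db.tf`.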
diff --git a/templates/terraform/aws/rds/variables.tf b/templates/terraform/aws/rds/variables.tf
new file mode 100644
index 00000000..cf3e5008
--- /dev/null
+++ b/templates/terraform/aws/rds/variables.tf
@@ -0,0 +1,662 @@
+variable "identifier" {
+ description = "The name of the RDS instance"
+ type = string
+}
+
+variable "instance_use_identifier_prefix" {
+ description = "Determines whether to use `identifier` as is or create a unique identifier beginning with `identifier` as the specified prefix"
+ type = bool
+ default = false
+}
+
+variable "custom_iam_instance_profile" {
+ description = "RDS custom iam instance profile"
+ type = string
+ default = null
+}
+
+variable "allocated_storage" {
+ description = "The allocated storage in gigabytes"
+ type = number
+ default = null
+}
+
+variable "storage_type" {
+ description = "One of 'standard' (magnetic), 'gp2' (general purpose SSD), 'gp3' (new generation of general purpose SSD), or 'io1' (provisioned IOPS SSD). The default is 'io1' if iops is specified, 'gp2' if not. If you specify 'io1' or 'gp3' , you must also include a value for the 'iops' parameter"
+ type = string
+ default = null
+}
+
+variable "storage_throughput" {
+ description = "Storage throughput value for the DB instance. See `notes` for limitations regarding this variable for `gp3`"
+ type = number
+ default = null
+}
+
+variable "storage_encrypted" {
+ description = "Specifies whether the DB instance is encrypted"
+ type = bool
+ default = true
+}
+
+variable "kms_key_id" {
+ description = "The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage_encrypted is set to true and kms_key_id is not specified the default KMS key created in your account will be used. Be sure to use the full ARN, not a key alias."
+ type = string
+ default = null
+}
+
+variable "replicate_source_db" {
+ description = "Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate"
+ type = string
+ default = null
+}
+
+variable "license_model" {
+ description = "License model information for this DB instance. Optional, but required for some DB engines, i.e. Oracle SE1"
+ type = string
+ default = null
+}
+
+variable "replica_mode" {
+ description = "Specifies whether the replica is in either mounted or open-read-only mode. This attribute is only supported by Oracle instances. Oracle replicas operate in open-read-only mode unless otherwise specified"
+ type = string
+ default = null
+}
+
+variable "iam_database_authentication_enabled" {
+ description = "Specifies whether or not the mappings of AWS Identity and Access Management (IAM) accounts to database accounts are enabled"
+ type = bool
+ default = false
+}
+
+variable "domain" {
+ description = "The ID of the Directory Service Active Directory domain to create the instance in"
+ type = string
+ default = null
+}
+
+variable "domain_auth_secret_arn" {
+ description = "(Optional, but required if domain_fqdn is provided) The ARN for the Secrets Manager secret with the self managed Active Directory credentials for the user joining the domain. Conflicts with domain and domain_iam_role_name."
+ type = string
+ default = null
+}
+
+variable "domain_dns_ips" {
+ description = "(Optional, but required if domain_fqdn is provided) The IPv4 DNS IP addresses of your primary and secondary self managed Active Directory domain controllers. Two IP addresses must be provided. If there isn't a secondary domain controller, use the IP address of the primary domain controller for both entries in the list. Conflicts with domain and domain_iam_role_name."
+ type = list(string)
+ default = null
+}
+
+variable "domain_fqdn" {
+ description = "The fully qualified domain name (FQDN) of the self managed Active Directory domain. Conflicts with domain and domain_iam_role_name."
+ type = string
+ default = null
+}
+
+variable "domain_iam_role_name" {
+ description = "(Required if domain is provided) The name of the IAM role to be used when making API calls to the Directory Service"
+ type = string
+ default = null
+}
+
+variable "domain_ou" {
+ description = "(Optional, but required if domain_fqdn is provided) The self managed Active Directory organizational unit for your DB instance to join. Conflicts with domain and domain_iam_role_name."
+ type = string
+ default = null
+}
+
+variable "engine" {
+ description = "The database engine to use"
+ type = string
+ default = null
+}
+
+variable "engine_version" {
+ description = "The engine version to use"
+ type = string
+ default = null
+}
+
+variable "engine_lifecycle_support" {
+ description = "The life cycle type for this DB instance. This setting applies only to RDS for MySQL and RDS for PostgreSQL. Valid values are `open-source-rds-extended-support`, `open-source-rds-extended-support-disabled`. Default value is `open-source-rds-extended-support`."
+ type = string
+ default = null
+}
+
+variable "skip_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted"
+ type = bool
+ default = false
+}
+
+variable "snapshot_identifier" {
+ description = "Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05"
+ type = string
+ default = null
+}
+
+variable "copy_tags_to_snapshot" {
+ description = "On delete, copy all Instance tags to the final snapshot"
+ type = bool
+ default = false
+}
+
+variable "final_snapshot_identifier_prefix" {
+ description = "The name which is prefixed to the final snapshot on cluster destroy"
+ type = string
+ default = "final"
+}
+
+variable "instance_class" {
+ description = "The instance type of the RDS instance"
+ type = string
+ default = null
+}
+
+variable "db_name" {
+ description = "The DB name to create. If omitted, no database is created initially"
+ type = string
+ default = null
+}
+
+variable "username" {
+ description = "Username for the master DB user"
+ type = string
+ default = null
+}
+
+variable "password" {
+ description = <