Add PostgreSQL support

Using PostgreSQL with this module was always possible but required
overriding defaults as this module was geared towards MySQL as a
default.

Noticeable changes:

* `var.engine` is now required and only allows `mysql` or `postgresql`
  as these are the only two Aurora types
* Other variables that defaulted to MySQL values have been removed and
  replaced with a default per engine and allow overriding using the user
  facing variable (e.g. `master_username` defaults to an engine specific
  value whilst still letting the user set their own if they so desire)
* Added more variable validation

Signed-off-by: Stephen Hoekstra <[email protected]>

examples/basic/main.tf

@@ -30,6 +30,7 @@ module "aurora" {
   source = "../.."
 
   name                          = "example"
+  engine                        = "mysql"
   instance_class                = "db.r6g.large"
   kms_key_id                    = module.kms.arn
   master_user_secret_kms_key_id = module.kms.arn

examples/custom-password/main.tf

@@ -35,6 +35,7 @@ module "aurora" {
   source = "../.."
 
   name                          = "example"
+  engine                        = "mysql"
   instance_class                = "db.r6g.large"
   kms_key_id                    = module.kms.arn
   manage_master_user            = false

examples/endpoints-and-instance-config/main.tf

@@ -30,6 +30,7 @@ module "aurora" {
   source = "../.."
 
   name                          = "example"
+  engine                        = "mysql"
   instance_class                = "db.r6g.large"
   instance_count                = 3
   kms_key_id                    = module.kms.arn

examples/multi-az/main.tf

@@ -34,6 +34,7 @@ module "aurora" {
   name                          = "example"
   allocated_storage             = 100
   db_cluster_instance_class     = "db.r6gd.xlarge"
+  engine                        = "mysql"
   instance_count                = 3
   iops                          = 1000
   kms_key_id                    = module.kms.arn

examples/security-group-ingress-rules/main.tf

@@ -30,6 +30,7 @@ module "aurora" {
   source = "../.."
 
   name                          = "example"
+  engine                        = "mysql"
   instance_class                = "db.r6g.large"
   kms_key_id                    = module.kms.arn
   master_user_secret_kms_key_id = module.kms.arn

main.tf

@@ -1,7 +1,30 @@
 locals {
-  backtrack_window    = (var.engine == "aurora" || var.engine == "aurora-mysql") && (var.engine_mode != "serverless" || var.engine_mode != "serverlessv2") ? var.backtrack_window : null
   instance_class      = var.engine_mode == "serverlessv2" ? "db.serverless" : var.instance_class
   skip_final_snapshot = var.final_snapshot_identifier == null
+
+  // Backtrack is only supported for MySQL clusters
+  backtrack_window = {
+    "mysql"      = var.backtrack_window
+    "postgresql" = null
+  }[var.engine]
+
+  // Default cluster family to use unless otherwise specified
+  cluster_family = var.cluster_family != null ? var.cluster_family : {
+    "mysql"      = "aurora-mysql8.0"
+    "postgresql" = "aurora-postgresql15"
+  }[var.engine]
+
+  // Default set of logs to export to CloudWatch unless otherwise specified
+  enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports != null ? var.enabled_cloudwatch_logs_exports : {
+    "mysql"      = ["audit", "error", "general", "slowquery"]
+    "postgresql" = ["postgresql"]
+  }[var.engine]
+
+  // Default master username to use unless otherwise specified
+  master_username = var.master_username != null ? var.master_username : {
+    "mysql"      = "root"
+    "postgresql" = "postgres"
+  }[var.engine]
 }
 
 data "aws_subnet" "selected" {
@@ -27,8 +50,8 @@ resource "aws_rds_cluster" "default" {
   db_cluster_instance_class           = var.db_cluster_instance_class
   deletion_protection                 = var.deletion_protection
   enable_http_endpoint                = var.enable_http_endpoint
-  enabled_cloudwatch_logs_exports     = var.enabled_cloudwatch_logs_exports
-  engine                              = var.engine
+  enabled_cloudwatch_logs_exports     = var.enable_cloudwatch_logs_exports ? local.enabled_cloudwatch_logs_exports : null
+  engine                              = "aurora-${var.engine}"
   engine_mode                         = var.engine_mode == "serverlessv2" ? "provisioned" : var.engine_mode
   engine_version                      = var.engine_version
   final_snapshot_identifier           = var.final_snapshot_identifier
@@ -39,15 +62,15 @@ resource "aws_rds_cluster" "default" {
   manage_master_user_password         = var.manage_master_user ? var.manage_master_user : null
   master_password                     = var.master_password
   master_user_secret_kms_key_id       = var.master_user_secret_kms_key_id
-  master_username                     = var.master_username
+  master_username                     = local.master_username
   preferred_backup_window             = var.preferred_backup_window
   preferred_maintenance_window        = var.preferred_maintenance_window
   skip_final_snapshot                 = local.skip_final_snapshot
   snapshot_identifier                 = var.snapshot_identifier
   storage_encrypted                   = var.storage_encrypted #tfsec:ignore:AWS051
-  tags                                = var.tags
   vpc_security_group_ids              = [aws_security_group.default.id]
   storage_type                        = var.storage_type
+  tags                                = var.tags
 
   dynamic "scaling_configuration" {
     for_each = var.engine_mode == "serverless" ? { create : null } : {}
@@ -109,7 +132,7 @@ resource "aws_rds_cluster_instance" "first" {
   copy_tags_to_snapshot                 = true
   db_parameter_group_name               = try(aws_db_parameter_group.default[0].name, null)
   db_subnet_group_name                  = aws_db_subnet_group.default.name
-  engine                                = var.engine
+  engine                                = "aurora-${var.engine}"
   engine_version                        = var.engine_version
   identifier                            = "${var.name}-${count.index + 1}"
   instance_class                        = try(var.instance_config[count.index + 1]["instance_class"], null) != null ? var.instance_config[count.index + 1]["instance_class"] : local.instance_class
@@ -133,7 +156,7 @@ resource "aws_rds_cluster_instance" "rest" {
   copy_tags_to_snapshot                 = true
   db_parameter_group_name               = try(aws_db_parameter_group.default[0].name, null)
   db_subnet_group_name                  = aws_db_subnet_group.default.name
-  engine                                = var.engine
+  engine                                = "aurora-${var.engine}"
   engine_version                        = var.engine_version
   identifier                            = "${var.name}-${count.index + 2}"
   instance_class                        = try(var.instance_config[count.index + 2]["instance_class"], null) != null ? var.instance_config[count.index + 2]["instance_class"] : local.instance_class
@@ -187,7 +210,7 @@ resource "aws_rds_cluster_parameter_group" "default" {
 
   name        = coalesce(var.parameter_group_name, var.name)
   description = "RDS default cluster parameter group"
-  family      = var.cluster_family
+  family      = local.cluster_family
   tags        = var.tags
 
   dynamic "parameter" {
@@ -214,7 +237,7 @@ resource "aws_db_parameter_group" "default" {
 
   name        = coalesce(var.parameter_group_name, "${var.name}-aurora")
   description = "RDS default database parameter group"
-  family      = var.cluster_family
+  family      = local.cluster_family
   tags        = var.tags
 
   dynamic "parameter" {

variables.tf

@@ -30,14 +30,19 @@ variable "auto_pause" {
 
 variable "backtrack_window" {
   type        = number
-  default     = null
-  description = "The target backtrack window, in seconds. Only available for `aurora` and `aurora-mysql` engines. To disable backtracking, set this value to 0. Must be between 0 and 259200 (72 hours)"
+  default     = 0
+  description = "The target backtrack window, in seconds. Only available for `mysql` engines. Must be between 0 (disabled) and 259200 (72 hours)"
+
+  validation {
+    condition     = var.backtrack_window >= 0 && var.backtrack_window <= 259200
+    error_message = "Value must be between \"0\" and \"259200\" (72 hours)"
+  }
 }
 
 variable "backup_retention_period" {
   type        = number
   default     = 7
-  description = "The days to retain backups for"
+  description = "Number of days to retain backups for"
 }
 
 variable "ca_cert_identifier" {
@@ -54,7 +59,7 @@ variable "ca_cert_identifier" {
 
 variable "cluster_family" {
   type        = string
-  default     = "aurora-mysql8.0"
+  default     = null
   description = "The family of the DB cluster parameter group"
 }
 
@@ -108,10 +113,16 @@ variable "deletion_protection" {
   description = "A boolean indicating if the DB instance should have deletion protection enable"
 }
 
+variable "enable_cloudwatch_logs_exports" {
+  type        = bool
+  default     = true
+  description = "Set to false to disable logging to cloudwatch"
+}
+
 variable "enabled_cloudwatch_logs_exports" {
   type        = list(string)
-  default     = ["audit"]
-  description = "List of log types to export to cloudwatch"
+  default     = null
+  description = "List of log types to export to cloudwatch, by default all supported types are exported"
 }
 
 variable "enable_http_endpoint" {
@@ -132,12 +143,11 @@ variable "endpoints" {
 
 variable "engine" {
   type        = string
-  default     = "aurora-mysql"
   description = "The engine type of the Aurora cluster"
 
   validation {
-    condition     = contains(["aurora", "aurora-mysql", "aurora-postgresql"], var.engine)
-    error_message = "Allowed values for engine are \"aurora\", \"aurora-mysql\", \"aurora-postgresql\""
+    condition     = contains(["mysql", "postgresql"], var.engine)
+    error_message = "Allowed values for engine are \"mysql\", \"postgresql\""
   }
 }
 
@@ -154,7 +164,7 @@ variable "engine_mode" {
 
 variable "engine_version" {
   type        = string
-  default     = "8.0.mysql_aurora.3.02.2"
+  default     = null
   description = "The engine version of the Aurora cluster"
 }
 
@@ -229,7 +239,7 @@ variable "master_user_secret_kms_key_id" {
 
 variable "master_username" {
   type        = string
-  default     = "root"
+  default     = null
   description = "Username for the master DB user"
 }
 
@@ -271,7 +281,12 @@ variable "performance_insights" {
 variable "performance_insights_retention_period" {
   type        = number
   default     = 7
-  description = "Amount of time in days to retain Performance Insights data. Valida values are 7, 731 (2 years) or a multiple of 31. When specifying performance_insights_retention_period, performance_insights needs to be set to true"
+  description = "Amount of time in days to retain Performance Insights data, must be `7`, `731` (2 years) or a multiple of `31`"
+
+  validation {
+    condition     = var.performance_insights_retention_period == 7 || var.performance_insights_retention_period == 731 || var.performance_insights_retention_period % 31 == 0
+    error_message = "Value must be \"7\", \"731\" (2 years) or a multiple of \"31\""
+  }
 }
 
 variable "permissions_boundary" {
@@ -311,7 +326,7 @@ variable "security_group_ingress_rules" {
 
   validation {
     condition     = alltrue([for o in var.security_group_ingress_rules : (o.cidr_ipv4 != null || o.cidr_ipv6 != null || o.prefix_list_id != null || o.referenced_security_group_id != null)])
-    error_message = "Although \"cidr_ipv4\", \"cidr_ipv6\", \"prefix_list_id\", and \"referenced_security_group_id\" are all marked as optional, you must provide one of them in order to configure the destination of the traffic."
+    error_message = "One of \"cidr_ipv4\", \"cidr_ipv6\", \"prefix_list_id\", or \"referenced_security_group_id\" must be provided in order to allow ingress connectivity"
   }
 }
 
@@ -353,4 +368,9 @@ variable "timeout_action" {
   type        = string
   default     = "RollbackCapacityChange"
   description = "The action to take when the timeout is reached"
+
+  validation {
+    condition     = contains(["ForceApplyCapacityChange", "RollbackCapacityChange"], var.timeout_action)
+    error_message = "Allowed values for timeout_action are \"ForceApplyCapacityChange\", \"RollbackCapacityChange\"."
+  }
 }