How to create/access a DB in AWS following best practices?

0

I am creating a relational database in AWS via Terraform, see the sample code below. I want to ensure I'm following best practices here. While I create or provision a DB, can I configure it such that a random password is generated and stored in Secrets Manager? Also, if I set publicly_accessible to false, I am assuming I have to provide private subnet groups in my VPC? And I should be able to access it from my VPC only?

Being new to this, once I create this DB instance, how do I connect to it via the AWS CLI? I assume it will generate a private URL, and I can simply use the username/password I set to connect? I'm new to this, so some basic examples would be helpful.

```hcl
resource "aws_db_instance" "db_instance" {
  allocated_storage    = 10
  engine               = "postgres"
  engine_version       = "12.5"
  instance_class       = "db.t2.micro"
  identifier           = var.my_identifier
  # Variable is named "mysql_*" but the engine is Postgres; the value is what matters.
  username             = var.mysql_username
  #password             = var.mysql_password
  # RDS default parameter groups are named "default.<family>"; a bare "default" does not exist.
  parameter_group_name = "default.postgres12"

  # Subnet group built from private subnets only; security group controls who may reach port 5432.
  db_subnet_group_name   = aws_db_subnet_group.db_subnet_group.name
  vpc_security_group_ids = [aws_security_group.vpc_sg.id]

  publicly_accessible = false
  skip_final_snapshot = true
}

resource "aws_db_subnet_group" "db_subnet_group" {
  name       = "${var.project_name}-db-subnet-group"
  subnet_ids = module.vpc.private_subnets
}
```
2 Answers
0

Hello.

> While I create or provision a DB, can I configure it such that a random password is generated and stored in Secrets Manager?

If `manage_master_user_password` is set to true, a random password will be saved in Secrets Manager.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance

> Also, if I set publicly_accessible to false, I am assuming I have to provide private subnet groups in my VPC? And I should be able to access it from my VPC only?

If `publicly_accessible` is set to false, RDS will be assigned a private IP address even if it is started in a public subnet.
As you know, you can only connect from the same VPC as RDS.
Therefore, I think it is better to use a connection method that uses EC2 etc. as a stepping stone, as introduced in the AWS document below.
https://aws.amazon.com/jp/blogs/mt/use-port-forwarding-in-aws-systems-manager-session-manager-to-connect-to-remote-hosts/

answered 9 days ago
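The configuration the answer describes, worked through end to end: the instance from the question with `manage_master_user_password` applied, a subnet group built from private subnets only, and a security group that admits Postgres traffic solely from the jump host used for the SSM port-forwarding flow. This is an added example, not the asker's or the answerer's code; it assumes the VPC module exposes `module.vpc.vpc_id` and `module.vpc.private_subnets`, and that `aws_security_group.bastion_sg` (the SSM-reachable EC2 host's group) already exists.

```hcl
# Added example (not from the original post). Assumes module.vpc outputs
# vpc_id / private_subnets and that aws_security_group.bastion_sg exists.
resource "aws_db_subnet_group" "db_subnet_group" {
  name       = "${var.project_name}-db-subnet-group"
  subnet_ids = module.vpc.private_subnets # private subnets only, no route to an IGW
}

# Only the bastion's security group may reach Postgres; no CIDR-based ingress.
resource "aws_security_group" "db_sg" {
  name   = "${var.project_name}-db-sg"
  vpc_id = module.vpc.vpc_id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion_sg.id]
  }
}

resource "aws_db_instance" "db_instance" {
  identifier        = var.my_identifier
  engine            = "postgres"
  engine_version    = "12.5"
  instance_class    = "db.t2.micro"
  allocated_storage = 10
  username          = var.mysql_username

  # No "password" attribute: RDS generates one and stores it in Secrets Manager.
  # "password" and "manage_master_user_password" are mutually exclusive.
  manage_master_user_password = true

  db_subnet_group_name   = aws_db_subnet_group.db_subnet_group.name
  vpc_security_group_ids = [aws_security_group.db_sg.id]
  publicly_accessible    = false

  storage_encrypted         = true
  backup_retention_period   = 7
  deletion_protection       = true
  skip_final_snapshot       = false
  final_snapshot_identifier = "${var.my_identifier}-final"
}

# ARN of the generated secret; the secret value is JSON with "username" and "password".
output "db_master_secret_arn" {
  value = aws_db_instance.db_instance.master_user_secret[0].secret_arn
}

output "db_endpoint" {
  value = aws_db_instance.db_instance.address
}
```

To connect from a workstation, read the secret with `aws secretsmanager get-secret-value --secret-id <db_master_secret_arn>`, then open `aws ssm start-session --target <bastion-instance-id> --document-name AWS-StartPortForwardingSessionToRemoteHost` with the `db_endpoint` output as the remote host and port 5432, and point `psql` at the chosen local port.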