AWS Aurora Database Platform (Terraform)
Production-ready Terraform project that provisions a secure, encrypted, multi-AZ Amazon Aurora PostgreSQL platform, following real-world platform engineering best practices.
This repository demonstrates how to design reusable Terraform modules, enforce environment separation, and apply security guardrails suitable for production workloads.
⸻
What this project demonstrates

- Modular Terraform design (modules/)
- Environment isolation (envs/dev, envs/prod)
- Aurora PostgreSQL with:
  - Writer + optional reader replicas
  - SSL enforcement
  - Automated backups & retention
  - Deletion protection in prod
- Secure networking:
  - Private subnets only
  - DB access restricted via Security Group to Security Group rules
  - Optional CIDR fallback for admin/VPN access
- Secrets management:
  - Passwords generated at deploy time
  - Stored securely in AWS Secrets Manager
  - Encrypted with customer-managed KMS keys
- Production safety:
  - Final snapshot enforcement
  - Guardrails via Terraform preconditions
Structure

```
├── modules/
│   ├── aurora/            # Reusable Aurora PostgreSQL module
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── outputs.tf
│   │
│   └── vpc/               # VPC baseline for database workloads
│       ├── main.tf
│       ├── variables.tf
│       └── outputs.tf
│
├── envs/
│   ├── dev/               # Development environment
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   ├── providers.tf
│   │   ├── outputs.tf
│   │   └── backend.tf.example
│   │
│   └── prod/              # Production environment
│       ├── main.tf
│       ├── variables.tf
│       ├── providers.tf
│       ├── outputs.tf
│       └── backend.tf.example
│
├── .gitignore
└── README.md
```
Design principles
- Module-first architecture
Infrastructure logic lives in reusable modules:
  - vpc → networking baseline
  - aurora → database platform
Environment folders only wire modules together and define environment-specific behavior.
⸻
- Environment isolation
Each environment:
  - Has its own state
  - Is applied independently
  - Can evolve safely without affecting others

Terraform is always executed from inside an environment directory, never from the repo root.
⸻
- Secure-by-default networking
  - Databases run in private subnets
  - No public access
  - DB access is restricted using Security Group → Security Group rules
  - CIDR rules are supported only as a controlled fallback (e.g. VPN/admin)
⸻
- Secrets are never hardcoded
  - Database passwords are generated via random_password
  - Stored in AWS Secrets Manager
  - Encrypted with a customer-managed KMS key
  - Never committed to Git
⸻
- Production guardrails
Production enforces:
  - deletion_protection = true
  - Long backup retention
  - Mandatory final snapshots
  - SSL-only database connections
  - Terraform preconditions to prevent unsafe configs
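How the secrets handling and the production guardrails fit together in one module, as an added example that is not the repository's own module code (the var.* inputs, resource names and the aurora-postgresql15 parameter-group family are assumptions):

```hcl
# Added example; not the repository's own module code. var.* names are assumed inputs.

resource "random_password" "master" {
  length           = 32
  override_special = "!#$%&*()-_=+[]{}<>:?" # RDS forbids '/', '@', '"' and spaces
}

resource "aws_secretsmanager_secret" "master" {
  name       = "${var.environment}/aurora/master"
  kms_key_id = var.kms_key_arn # customer-managed key, independent of storage encryption
}

resource "aws_secretsmanager_secret_version" "master" {
  secret_id     = aws_secretsmanager_secret.master.id
  secret_string = jsonencode({ username = "dbadmin", password = random_password.master.result })
}

# rds.force_ssl = 1 makes the engine refuse non-TLS client sessions.
resource "aws_rds_cluster_parameter_group" "ssl" {
  name   = "${var.environment}-aurora-pg-ssl"
  family = "aurora-postgresql15"
  parameter {
    name  = "rds.force_ssl"
    value = "1"
  }
}

resource "aws_rds_cluster" "this" {
  cluster_identifier              = "${var.environment}-aurora"
  engine                          = "aurora-postgresql"
  master_username                 = "dbadmin"
  master_password                 = random_password.master.result
  storage_encrypted               = true
  kms_key_id                      = var.kms_key_arn
  db_subnet_group_name            = var.db_subnet_group_name   # private subnets only
  vpc_security_group_ids          = [var.db_security_group_id] # SG-to-SG ingress rules
  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.ssl.name
  backup_retention_period         = var.backup_retention_period
  deletion_protection             = var.deletion_protection
  skip_final_snapshot             = var.skip_final_snapshot
  final_snapshot_identifier       = var.skip_final_snapshot ? null : "${var.environment}-aurora-final"

  lifecycle {
    # Guardrail: a plan run from envs/prod fails if anyone relaxes these settings.
    precondition {
      condition     = var.environment != "prod" || (var.deletion_protection && !var.skip_final_snapshot && var.backup_retention_period >= 7)
      error_message = "prod requires deletion_protection, a final snapshot and >= 7 days of backup retention."
    }
  }
}
```

The precondition is evaluated during plan, so an unsafe prod change is rejected before any API call is made.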
How to use
1. Clone the repo
2. Configure the backend

   Rename backend.tf.example to backend.tf and update:
   - S3 bucket name
   - State key
   - Region
   - DynamoDB table

   This enables remote state with locking.
3. Run Terraform in each env (init, plan, apply)
Security

- All data at rest encrypted with AWS KMS
- Secrets encrypted independently from storage
- SSL enforced at the database layer
- No inbound DB access except from explicitly allowed identities
Outputs
The Aurora module exposes:
- Writer endpoint
- Reader endpoint
- Cluster ID & ARN
- DB name, port, engine info
- Security Group ID
- Writer & reader instance IDs

This makes the module easy to consume by:
- Application stacks
- CI/CD pipelines
- Observability tooling