Skip to content

BCSS-23564 - feat(rds): add rds module#56

Open
uzairharoon20 wants to merge 28 commits into
mainfrom
feature/BCSS-23564-rds-tf-module
Open

BCSS-23564 - feat(rds): add rds module#56
uzairharoon20 wants to merge 28 commits into
mainfrom
feature/BCSS-23564-rds-tf-module

Conversation

@uzairharoon20

Copy link
Copy Markdown
Contributor

Description

Context

Type of changes

  • Refactoring (non-breaking change)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would change existing functionality)
  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I am familiar with the contributing guidelines
  • I have followed the code style of the project
  • I have added tests to cover my changes
  • I have updated the documentation accordingly
  • This PR is a result of pair or mob programming

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

  • I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

@nhs-oliverslater nhs-oliverslater added enhancement New feature or request terraform Pull request that updates terraform code / modules labels Jun 16, 2026
Comment thread infrastructure/modules/rds/main.tf Outdated
uzairharoon20 and others added 3 commits June 19, 2026 14:27
- Added support for a new RDS module path in dependabot.yaml.
- Created .terraform.lock.hcl for the new RDS module.
- Updated README.md to include usage examples for PostgreSQL and Oracle RDS instances, along with security group and secrets manager integration.
- Modified context.tf to enable module creation based on the 'enabled' variable.
- Introduced locals.tf to define rds_identifier based on provided names.
- Updated main.tf to conditionally create RDS resources based on the 'enabled' variable.
- Enhanced variables.tf to include custom_name variable for explicit RDS instance naming.
- Updated versions.tf to require Terraform version >= 1.13 and AWS provider version >= 6.42.
@nhs-oliverslater nhs-oliverslater force-pushed the feature/BCSS-23564-rds-tf-module branch from 4ee8a5a to 07288ef Compare June 19, 2026 14:14
@nhs-oliverslater nhs-oliverslater changed the title Created inital RDS module feat(rds): add rds module Jun 22, 2026
@nhs-oliverslater nhs-oliverslater changed the title feat(rds): add rds module BCSS-23564 - feat(rds): add rds module Jun 23, 2026
nhs-oliverslater and others added 10 commits June 23, 2026 17:27
* Bump requests in /docs/adr/assets/ADR-003/examples/python

Bumps [requests](https://github.com/psf/requests) from 2.32.0 to 2.33.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md)
- [Commits](psf/requests@v2.32.0...v2.33.0)

---
updated-dependencies:
- dependency-name: requests
  dependency-version: 2.33.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): bump pyjwt in /docs/adr/assets/ADR-003/examples/python

Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.8.0 to 2.13.0.
- [Release notes](https://github.com/jpadilla/pyjwt/releases)
- [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst)
- [Commits](jpadilla/pyjwt@2.8.0...2.13.0)

---
updated-dependencies:
- dependency-name: pyjwt
  dependency-version: 2.13.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* build(deps): bump golang.org/x/net

Bumps [golang.org/x/net](https://github.com/golang/net) from 0.23.0 to 0.38.0.
- [Commits](golang/net@v0.23.0...v0.38.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.38.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix(dependabot.yaml): align Terraform module paths in dependabot configuration

* docs(context.tf): align context.tf files across all new modules

* build: update module file structure guidelines and conditional requirements

* style: standardize IAM capitalization across documentation and prompts

* style(acm/main.tf): correct wording in comments to clarify module controls

* docs(guardduty/README.md): enhance module documentation with detailed usage examples and conventions

* refactor(iam/locals.tf): move locals configuration for IAM path and role policies to locals.tf

* docs(iam/README.md): add enforcement details for IAM module controls and usage

* docs(inspector/README.md): enhance module documentation with detailed usage examples and conventions

* docs(kms/README.md): enhance documentation with detailed usage examples and conventions for KMS module

* docs(README.md): ensure usage blocks use <tag> reference in examples

* docs(lambda/README.md): enhance documentation with detailed usage examples and conventions for Lambda module

* docs(license-manager/README.md): enhance documentation with detailed usage examples, conventions, and additional configuration options for License Manager module

* refactor(license-manager/locals.tf): move locals configuration for IAM path and role policies to locals.tf

* docs(license-manager/README.md): update module source references to use <ref> placeholder

* docs(secrets-manager/README.md): update module source references to use full GitHub URL and enhance documentation with module limitations and conventions

* docs(s3-bucket/README.md): update module source references to use <ref> placeholder

* docs(security-hub/README.md): add conventions section detailing module defaults and configurations

* docs(README.md): ensure usage blocks use <tag> reference in examples

* docs(sns/README.md): enhance usage examples and conventions for SNS module

* style: standardize IAM capitalization across documentation and prompts

* docs(security-hub/README.md): update conventions section for clarity and formatting

* docs(README.md): update module descriptions for clarity and consistency
- Added support for a new RDS module path in dependabot.yaml.
- Created .terraform.lock.hcl for the new RDS module.
- Updated README.md to include usage examples for PostgreSQL and Oracle RDS instances, along with security group and secrets manager integration.
- Modified context.tf to enable module creation based on the 'enabled' variable.
- Introduced locals.tf to define rds_identifier based on provided names.
- Updated main.tf to conditionally create RDS resources based on the 'enabled' variable.
- Enhanced variables.tf to include custom_name variable for explicit RDS instance naming.
- Updated versions.tf to require Terraform version >= 1.13 and AWS provider version >= 6.42.
@nhs-oliverslater nhs-oliverslater force-pushed the feature/BCSS-23564-rds-tf-module branch from 7b40422 to d1fba95 Compare June 24, 2026 10:43
@uzairharoon20 uzairharoon20 marked this pull request as ready for review June 29, 2026 15:02
@uzairharoon20 uzairharoon20 requested review from a team and saliceti as code owners June 29, 2026 15:02
Comment thread infrastructure/modules/rds/variables.tf
Comment thread infrastructure/modules/rds/variables.tf
Comment thread infrastructure/modules/rds/variables.tf
Comment thread infrastructure/modules/rds/variables.tf
Comment thread infrastructure/modules/rds/variables.tf Outdated
Comment on lines +236 to +237
variable "performance_insights_retention_period" {
description = "Retention period for Performance Insights data in days. Valid values: 7, 731, or a multiple of 31"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure that 731 is a valid value (and not a typo of 7-31 i.e. any value between 7 and 31)?

Once you've clarified that, add a validation block to enforce it?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

731 is correct, the AWS docs explicitly list it as its own valid value meaning "2 years". Can be found here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_retention_period-1

Added a validation block that checks for exactly 7, exactly 731, or any multiple of 31 greater than or equal to 31.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe include (2 years) next to the 731 in the error message and description, just to make it clear to everyone else?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Both the description and the error message now read 7, 731 (2 years), or a multiple of 31.

Comment thread infrastructure/modules/rds/variables.tf Outdated
Comment on lines +242 to +243
variable "performance_insights_kms_key_id" {
description = "ARN of the KMS key used to encrypt Performance Insights data. If omitted, the default KMS key is used"

@dave4420 dave4420 Jul 1, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to insist that a KMS key is provided here, if Performance Insights is enabled? (Check with @Pira-nhs or @nhs-oliverslater.)

If so, add a validation block to enforce it?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed with Oliver, added a precondition that requires performance_insights_kms_key_id to be set whenever performance_insights_enabled is true.

On the deprecation: this is a console-only change. The Performance Insights UI redirects to CloudWatch Database Insights on 31 July 2026, but AWS has explicitly confirmed all Terraform parameters (performance_insights_enabled, performance_insights_retention_period, performance_insights_kms_key_id) are fully preserved with no changes required. Existing configs continue to work as-is. Added a comment in variables.tf to document this for future readers.

Keeping performance insights variables with comment of depreciation.

Comment thread infrastructure/modules/rds/variables.tf
Comment thread infrastructure/modules/rds/main.tf Outdated
Comment on lines +74 to +78
variable "kms_key_id" {
description = "ARN of the KMS key for storage encryption. If omitted, the default account KMS key is used"
type = string
default = null
}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I missed this one! We shouldn't allow this to use the default KMS key either.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a validation block for kms_key_id must always be set since storage_encrypted = true is hardcoded. Also updated the description to remove the misleading "if omitted, default key is used" wording.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request terraform Pull request that updates terraform code / modules

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants