The module creates an AWS security group for your Aurora cluster by default and attaches it automatically. You can control every aspect of the security group — from ingress and egress rules to whether the group is created at all.

Automatic security group creation

By default, the module creates one security group and associates it with the cluster:
# main.tf (simplified)
resource "aws_security_group" "this" {
  count = local.create_security_group ? 1 : 0

  name        = var.security_group_use_name_prefix ? null : local.security_group_name
  name_prefix = var.security_group_use_name_prefix ? "${local.security_group_name}-" : null
  vpc_id      = var.vpc_id
  description = coalesce(var.security_group_description, "Control traffic to/from RDS Aurora ${local.security_group_name}")
}
To disable automatic security group creation, set:
module "aurora" {
  source = "terraform-aws-modules/rds-aurora/aws"

  # ...
  create_security_group = false
  vpc_security_group_ids = ["sg-0abc1234def56789"] # provide your own SG
}

Core variables

create_security_group (bool, default: true)
  Determines whether to create a security group for the RDS cluster.

vpc_id (string, required)
  ID of the VPC where the security group will be created. Required when create_security_group is true.

security_group_name (string, default: var.name)
  Name for the security group. Defaults to the module name variable.

security_group_use_name_prefix (bool, default: true)
  When true, the value of security_group_name is used as a name prefix, resulting in a unique name. When false, the exact name is used.

vpc_security_group_ids (list(string), default: [])
  Additional existing security groups to associate with the cluster, alongside any created by the module.

Ingress and egress rules

Use security_group_ingress_rules and security_group_egress_rules to define traffic rules. Each is a map of rule objects keyed by an arbitrary name.

Ingress rule attributes

cidr_ipv4 (string)
  IPv4 CIDR block to allow traffic from.

cidr_ipv6 (string)
  IPv6 CIDR block to allow traffic from.

description (string)
  Human-readable description for the rule.

from_port (number)
  Start of the port range. Defaults to the cluster port when omitted (5432 for PostgreSQL, 3306 for MySQL).

to_port (number)
  End of the port range. Defaults to from_port or the cluster port when omitted.

ip_protocol (string, default: tcp)
  IP protocol. Defaults to tcp.

prefix_list_id (string)
  ID of a managed prefix list to allow traffic from.

referenced_security_group_id (string)
  ID of another security group to allow traffic from. Use the special value "self" to reference the security group created by this module.

When from_port and to_port are omitted, the module automatically resolves the correct database port: 5432 for aurora-postgresql/postgres engines, and 3306 for all other engines.
The egress rule attributes are identical in structure.

Examples

Allow traffic from each private subnet CIDR in your VPC — the pattern used in the autoscaling and postgresql examples:
module "aurora" {
  source = "terraform-aws-modules/rds-aurora/aws"

  name   = "my-aurora-pg"
  engine = "aurora-postgresql"

  vpc_id               = module.vpc.vpc_id
  db_subnet_group_name = module.vpc.database_subnet_group_name

  security_group_ingress_rules = {
    private-az1 = {
      cidr_ipv4   = element(module.vpc.private_subnets_cidr_blocks, 0)
      description = "Access from private subnet AZ1"
    }
    private-az2 = {
      cidr_ipv4   = element(module.vpc.private_subnets_cidr_blocks, 1)
      description = "Access from private subnet AZ2"
    }
    private-az3 = {
      cidr_ipv4   = element(module.vpc.private_subnets_cidr_blocks, 2)
      description = "Access from private subnet AZ3"
    }
  }
}
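Added example (not part of the module or of this page's own code): a small Python pre-apply lint that mirrors the ingress attribute names and the port-resolution rule described above, so a rule that is open to 0.0.0.0/0, spans every port, or names no traffic source is caught before terraform apply. The rule map and the sg-... id in it are constructed placeholders.

```python
"""Pre-apply lint for a security_group_ingress_rules map (added example, not
the module's code). Ports default to 5432 for aurora-postgresql/postgres
engines and 3306 otherwise, as documented above."""

OPEN_SOURCES = {"0.0.0.0/0", "::/0"}
SOURCE_KEYS = ("cidr_ipv4", "cidr_ipv6", "prefix_list_id", "referenced_security_group_id")


def cluster_port(engine: str) -> int:
    """Port the module substitutes when from_port/to_port are omitted."""
    return 5432 if engine in ("aurora-postgresql", "postgres") else 3306


def resolve_rule(rule: dict, engine: str) -> dict:
    """Return the rule with ports and protocol filled in as the module would."""
    from_port = rule.get("from_port", cluster_port(engine))
    to_port = rule.get("to_port", from_port)
    return {**rule, "from_port": from_port, "to_port": to_port,
            "ip_protocol": rule.get("ip_protocol", "tcp")}


def lint_ingress_rules(rules: dict, engine: str) -> list[str]:
    """Findings for rules that are malformed or wider than a DB tier needs."""
    findings = []
    for name, raw in rules.items():
        rule = resolve_rule(raw, engine)
        sources = [k for k in SOURCE_KEYS if k in rule]
        if len(sources) != 1:  # exactly one traffic source per rule
            findings.append(f"{name}: expected one source, got {sources}")
        if rule.get("cidr_ipv4") in OPEN_SOURCES or rule.get("cidr_ipv6") in OPEN_SOURCES:
            findings.append(f"{name}: ingress open to the whole internet")
        if rule["ip_protocol"] == "-1" or rule["from_port"] != rule["to_port"]:
            findings.append(f"{name}: wider than the DB port {cluster_port(engine)}")
        if not rule.get("description"):
            findings.append(f"{name}: missing description")
    return findings


# Constructed sample mirroring an HCL map; the sg id is a placeholder.
SAMPLE_RULES = {
    "app": {"referenced_security_group_id": "sg-0abc1234def56789",
            "description": "Access from the application tier"},
    "world": {"cidr_ipv4": "0.0.0.0/0", "description": "temporary debug"},
    "broad": {"cidr_ipv4": "10.0.0.0/16", "from_port": 0, "to_port": 65535},
}

if __name__ == "__main__":
    for finding in lint_ingress_rules(SAMPLE_RULES, "aurora-postgresql"):
        print(finding)
```

Feed it the same map you put in security_group_ingress_rules (for example via terraform show -json) and fail the pipeline on any finding.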

Network type

network_type (string)
  The network stack for the cluster. Valid values:
  • IPV4 — IPv4 only (default behavior)
  • DUAL — dual-stack (IPv4 and IPv6)

module "aurora" {
  source = "terraform-aws-modules/rds-aurora/aws"

  # ...
  network_type = "DUAL"
}

IAM database authentication

iam_database_authentication_enabled (bool, default: null)
  Enables IAM-based authentication to the database. When enabled, AWS IAM users and roles can authenticate to the database using an IAM token instead of a password.

module "aurora" {
  source = "terraform-aws-modules/rds-aurora/aws"

  # ...
  iam_database_authentication_enabled = true
}

Storage encryption

Storage encryption is enabled by default.
storage_encrypted (bool, default: true)
  Whether the DB cluster storage is encrypted. The default is true.

kms_key_id (string)
  The ARN of a KMS key to use for storage encryption. When specified, storage_encrypted must be true. If omitted, the default RDS KMS key (aws/rds) is used.

module "aurora" {
  source = "terraform-aws-modules/rds-aurora/aws"

  # ...
  storage_encrypted = true
  kms_key_id        = "arn:aws:kms:us-east-1:123456789012:key/mrk-1234abcd..."
}
