Aurora MySQL is a MySQL-compatible relational database engine built for the cloud. It uses the engine identifier aurora-mysql and is fully compatible with MySQL 8.0.
Engine versions
Set engine = "aurora-mysql" and specify an engine_version. The example below uses 8.0, which maps to the latest Aurora MySQL 3.x release in your region.
The aurora engine (MySQL 5.6-compatible) is legacy. Use aurora-mysql for all new clusters.
Complete example
The following is the full working example from examples/mysql/. It creates a heterogeneous three-instance cluster with a custom cluster parameter group, DB parameter group, CloudWatch log exports, a KMS-encrypted activity stream, and automatic master password rotation.
```hcl
provider "aws" {
  region = local.region
}

data "aws_availability_zones" "available" {
  # Exclude local zones
  filter {
    name   = "opt-in-status"
    values = ["opt-in-not-required"]
  }
}

locals {
  name   = "ex-${basename(path.cwd)}"
  region = "eu-west-1"

  vpc_cidr = "10.0.0.0/16"
  azs      = slice(data.aws_availability_zones.available.names, 0, 3)

  tags = {
    Example    = local.name
    GithubRepo = "terraform-aws-rds-aurora"
    GithubOrg  = "terraform-aws-modules"
  }
}

module "aurora" {
  source = "terraform-aws-modules/rds-aurora/aws"

  name            = local.name
  engine          = "aurora-mysql"
  engine_version  = "8.0"
  master_username = "root"

  instances = {
    1 = {
      instance_class      = "db.r8g.large"
      publicly_accessible = true
    }
    2 = {
      identifier     = "mysql-static-1"
      instance_class = "db.r8g.2xlarge"
    }
    3 = {
      identifier     = "mysql-excluded-1"
      instance_class = "db.r8g.xlarge"
      promotion_tier = 15
    }
  }

  vpc_id               = module.vpc.vpc_id
  db_subnet_group_name = module.vpc.database_subnet_group_name

  security_group_ingress_rules = {
    private-az1 = {
      cidr_ipv4 = element(module.vpc.private_subnets_cidr_blocks, 0)
    }
    private-az2 = {
      cidr_ipv4 = element(module.vpc.private_subnets_cidr_blocks, 1)
    }
    private-az3 = {
      cidr_ipv4 = element(module.vpc.private_subnets_cidr_blocks, 2)
    }
  }

  security_group_egress_rules = {
    kms-vpc-endpoint = {
      to_port                      = 443
      referenced_security_group_id = module.vpc_endpoints.security_group_id
    }
  }

  apply_immediately   = true
  skip_final_snapshot = true

  cluster_parameter_group = {
    name        = local.name
    family      = "aurora-mysql8.0"
    description = "${local.name} example cluster parameter group"
    parameters = [
      {
        name         = "connect_timeout"
        value        = 120
        apply_method = "immediate"
      },
      {
        name         = "innodb_lock_wait_timeout"
        value        = 300
        apply_method = "immediate"
      },
      {
        name         = "log_output"
        value        = "FILE"
        apply_method = "pending-reboot"
      },
      {
        name         = "max_allowed_packet"
        value        = "67108864"
        apply_method = "immediate"
      },
      {
        name         = "aurora_parallel_query"
        value        = 0
        apply_method = "pending-reboot"
      },
      {
        name         = "binlog_format"
        value        = "ROW"
        apply_method = "pending-reboot"
      },
      {
        name         = "log_bin_trust_function_creators"
        value        = 1
        apply_method = "immediate"
      },
      {
        name         = "require_secure_transport"
        value        = "ON"
        apply_method = "immediate"
      },
      {
        name         = "tls_version"
        value        = "TLSv1.2"
        apply_method = "pending-reboot"
      }
    ]
  }

  db_parameter_group = {
    name        = local.name
    family      = "aurora-mysql8.0"
    description = "${local.name} example DB parameter group"
    parameters = [
      {
        name         = "connect_timeout"
        value        = 60
        apply_method = "immediate"
      },
      {
        name         = "general_log"
        value        = 0
        apply_method = "immediate"
      },
      {
        name         = "innodb_lock_wait_timeout"
        value        = 300
        apply_method = "immediate"
      },
      {
        name         = "log_output"
        value        = "FILE"
        apply_method = "pending-reboot"
      },
      {
        name         = "long_query_time"
        value        = 5
        apply_method = "immediate"
      },
      {
        name         = "max_connections"
        value        = 2000
        apply_method = "immediate"
      },
      {
        name         = "slow_query_log"
        value        = 1
        apply_method = "immediate"
      },
      {
        name         = "log_bin_trust_function_creators"
        value        = 1
        apply_method = "immediate"
      }
    ]
  }

  enabled_cloudwatch_logs_exports = ["audit", "error", "general", "slowquery"]

  cluster_activity_stream = {
    kms_key_id = module.kms.key_id
    mode       = "async"
  }

  manage_master_user_password_rotation              = true
  master_user_password_rotation_schedule_expression = "rate(15 days)"

  tags = local.tags
}
```
Instance configuration
The instances map controls how many DB instances are created and allows per-instance overrides. The cluster_instance_class variable sets a default class for all instances; any entry in instances can override it.
Homogeneous
All instances share the same class. The writer is instance one; the remaining instances are readers.
```hcl
cluster_instance_class = "db.r8g.large"

instances = {
  one   = {}
  two   = {}
  three = {}
}
```
Heterogeneous
Individual instances can override the class, identifier, availability zone, promotion tier, and other attributes. This is useful for mixed-use workloads where some readers handle heavier analytical queries.
```hcl
cluster_instance_class = "db.r8g.large"

instances = {
  1 = {
    instance_class      = "db.r8g.large"
    publicly_accessible = true
  }
  2 = {
    identifier     = "mysql-static-1"
    instance_class = "db.r8g.2xlarge"
  }
  3 = {
    identifier     = "mysql-excluded-1"
    instance_class = "db.r8g.xlarge"
    promotion_tier = 15
  }
}
```
Autoscaling
Define a minimum set of instances and let Application Auto Scaling add readers when load increases.
```hcl
cluster_instance_class = "db.r8g.large"

instances = {
  one = {}
}

autoscaling_enabled      = true
autoscaling_min_capacity = 1
autoscaling_max_capacity = 5
```
MySQL-specific variables
| Variable | Type | Description |
|---|---|---|
| engine | string | Must be "aurora-mysql" |
| engine_version | string | MySQL-compatible version, e.g. "8.0" |
| backtrack_window | number | Backtrack window in seconds (0–259200). See below. |
| enabled_cloudwatch_logs_exports | list(string) | Supported values: audit, error, general, slowquery |
| cluster_parameter_group | object | Inline cluster parameter group. Use family aurora-mysql8.0. |
| db_parameter_group | object | Inline DB instance parameter group. Use family aurora-mysql8.0. |
Backtrack
Aurora MySQL supports backtracking: rewinding the cluster to a previous point in time without restoring from a snapshot. Set backtrack_window to a value between 1 and 259200 (72 hours). Setting it to 0 disables backtracking.
```hcl
module "aurora" {
  source = "terraform-aws-modules/rds-aurora/aws"

  engine           = "aurora-mysql"
  engine_version   = "8.0"
  backtrack_window = 259200 # 72 hours

  # ... other required variables
}
```
Backtracking is only available on Aurora MySQL clusters. It cannot be enabled on Aurora PostgreSQL clusters. Enabling or disabling backtracking after cluster creation forces a cluster replacement.
CloudWatch log exports
The following log types are supported for Aurora MySQL:
audit — Database audit log (requires the ADVANCED AUDITING feature)
error — MySQL error log
general — General query log
slowquery — Slow query log
```hcl
enabled_cloudwatch_logs_exports = ["audit", "error", "general", "slowquery"]
```
Deployment workflow
Prepare networking
Create or identify the VPC, private subnets, and a DB subnet group. The module can use an existing db_subnet_group_name or provision one when create_db_subnet_group = true with subnets specified.
```hcl
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 6.0"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs              = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
  private_subnets  = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
  database_subnets = ["10.0.6.0/24", "10.0.7.0/24", "10.0.8.0/24"]
}
```
Configure the module
Set the required variables: name, engine, engine_version, master_username, vpc_id, db_subnet_group_name, and at least one entry in instances.
Use cluster_parameter_group and db_parameter_group to apply MySQL engine parameters inline rather than managing separate parameter group resources.
Enable log exports
Add enabled_cloudwatch_logs_exports with the log types you want to capture. Set create_cloudwatch_log_group = true to let the module manage the log group lifecycle.
Configure password rotation
By default, manage_master_user_password = true stores the master password in AWS Secrets Manager. Enable rotation with a schedule expression:
```hcl
manage_master_user_password_rotation              = true
master_user_password_rotation_schedule_expression = "rate(15 days)"
```
Apply
```bash
terraform init
terraform plan
terraform apply
```
The cluster endpoint is available in the cluster_endpoint output. The reader endpoint is in cluster_reader_endpoint.
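An added example (not part of the module or its examples/ directory): a pre-apply gate that reads `terraform show -json` plan output and flags settings from this page's example that deserve review before reuse outside a demo, such as publicly_accessible = true and skip_final_snapshot = true, and checks that the TLS parameters are still enforced. The plan document and resource addresses below are constructed; the attribute names are those of the AWS provider's aws_rds_cluster, aws_rds_cluster_instance and aws_rds_cluster_parameter_group resources.

```python
import json

# Constructed sample: a trimmed `terraform show -json tfplan` document. Resource
# addresses and values are illustrative; only the fields the checks read are kept.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "module.aurora.aws_rds_cluster.this[0]", "type": "aws_rds_cluster",
     "change": {"after": {"skip_final_snapshot": True,
                          "enabled_cloudwatch_logs_exports": ["audit", "error"]}}},
    {"address": 'module.aurora.aws_rds_cluster_instance.this["1"]',
     "type": "aws_rds_cluster_instance",
     "change": {"after": {"publicly_accessible": True}}},
    {"address": 'module.aurora.aws_rds_cluster_instance.this["2"]',
     "type": "aws_rds_cluster_instance",
     "change": {"after": {"publicly_accessible": False}}},
    {"address": "module.aurora.aws_rds_cluster_parameter_group.this[0]",
     "type": "aws_rds_cluster_parameter_group",
     "change": {"after": {"parameter": [
         {"name": "require_secure_transport", "value": "ON"},
         {"name": "tls_version", "value": "TLSv1.2"}]}}},
]})

LEGACY_TLS = {"TLSv1", "TLSv1.1"}

def review_plan(plan_json):
    """Return sorted (address, finding) pairs for settings to review before apply."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if not after:  # null when the resource is being destroyed
            continue
        addr, rtype = rc.get("address", "?"), rc.get("type")
        if rtype == "aws_rds_cluster_instance":
            if after.get("publicly_accessible"):
                findings.append((addr, "publicly_accessible = true"))
        elif rtype == "aws_rds_cluster":
            if after.get("skip_final_snapshot"):
                findings.append((addr, "skip_final_snapshot = true"))
            if "audit" not in (after.get("enabled_cloudwatch_logs_exports") or []):
                findings.append((addr, "audit log not exported to CloudWatch"))
        elif rtype == "aws_rds_cluster_parameter_group":
            params = {p["name"]: str(p.get("value", "")) for p in after.get("parameter") or []}
            if params.get("require_secure_transport", "").upper() not in ("ON", "1"):
                findings.append((addr, "require_secure_transport is not ON"))
            versions = {v.strip() for v in params.get("tls_version", "").split(",")}
            if versions & LEGACY_TLS:
                findings.append((addr, "tls_version allows TLS 1.0/1.1"))
    return sorted(findings)

if __name__ == "__main__":
    for address, finding in review_plan(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```

Run it between `terraform plan -out tfplan` and `terraform apply`, passing in the output of `terraform show -json tfplan`, and fail the pipeline when the returned list is not empty.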