fix: set snapshot identifier and backup retention period to null to default to...

fix: set snapshot identifier and backup retention period to null to default to AWS provider settings (#314)

.pre-commit-config.yaml

 repos:
   - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.47.0
+    rev: v1.48.0
     hooks:
       - id: terraform_fmt
       - id: terraform_validate

README.md

@@ -62,9 +62,6 @@ module "db" {
   # DB option group
   major_engine_version = "5.7"
 
-  # Snapshot name upon DB deletion
-  final_snapshot_identifier = "demodb"
-
   # Database Deletion Protection
   deletion_protection = true
 
@@ -218,6 +215,7 @@ Users have the ability to:
 |------|---------|
 | terraform | >= 0.12.26 |
 | aws | >= 2.49 |
+| random | >= 2.2 |
 
 ## Providers
 
@@ -245,7 +243,7 @@ No resources.
 | apply\_immediately | Specifies whether any database modifications are applied immediately, or during the next maintenance window | `bool` | `false` | no |
 | auto\_minor\_version\_upgrade | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window | `bool` | `true` | no |
 | availability\_zone | The Availability Zone of the RDS instance | `string` | `""` | no |
-| backup\_retention\_period | The days to retain backups for | `number` | `1` | no |
+| backup\_retention\_period | The days to retain backups for | `number` | `null` | no |
 | backup\_window | The daily time range (in UTC) during which automated backups are created if they are enabled. Example: '09:46-10:16'. Must not overlap with maintenance\_window | `string` | n/a | yes |
 | ca\_cert\_identifier | Specifies the identifier of the CA certificate for the DB instance | `string` | `"rds-ca-2019"` | no |
 | character\_set\_name | (Optional) The character set name to use for DB encoding in Oracle instances. This can't be changed. See Oracle Character Sets Supported in Amazon RDS and Collations and Character Sets for Microsoft SQL Server for more information. This can only be set on creation. | `string` | `""` | no |
@@ -267,6 +265,7 @@ No resources.
 | engine\_version | The engine version to use | `string` | n/a | yes |
 | family | The family of the DB parameter group | `string` | `""` | no |
 | final\_snapshot\_identifier | The name of your final DB snapshot when this DB instance is deleted. | `string` | `null` | no |
+| final\_snapshot\_identifier\_prefix | The name which is prefixed to the final snapshot on cluster destroy | `string` | `"final"` | no |
 | iam\_database\_authentication\_enabled | Specifies whether or not the mappings of AWS Identity and Access Management (IAM) accounts to database accounts are enabled | `bool` | `false` | no |
 | identifier | The name of the RDS instance, if omitted, Terraform will assign a random, unique identifier | `string` | n/a | yes |
 | instance\_class | The instance type of the RDS instance | `string` | n/a | yes |
@@ -298,7 +297,7 @@ No resources.
 | publicly\_accessible | Bool to control if instance is publicly accessible | `bool` | `false` | no |
 | replicate\_source\_db | Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate. | `string` | `null` | no |
 | s3\_import | Restore from a Percona Xtrabackup in S3 (only MySQL is supported) | `map(string)` | `null` | no |
-| skip\_final\_snapshot | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final\_snapshot\_identifier | `bool` | `true` | no |
+| skip\_final\_snapshot | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final\_snapshot\_identifier | `bool` | `false` | no |
 | snapshot\_identifier | Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05. | `string` | `null` | no |
 | storage\_encrypted | Specifies whether the DB instance is encrypted | `bool` | `false` | no |
 | storage\_type | One of 'standard' (magnetic), 'gp2' (general purpose SSD), or 'io1' (provisioned IOPS SSD). The default is 'io1' if iops is specified, 'gp2' if not. | `string` | `"gp2"` | no |

examples/complete-mssql/main.tf

@@ -141,9 +141,9 @@ module "db" {
   backup_window                   = "03:00-06:00"
   enabled_cloudwatch_logs_exports = ["error"]
 
-  backup_retention_period   = 0
-  final_snapshot_identifier = local.name
-  deletion_protection       = false
+  backup_retention_period = 0
+  skip_final_snapshot     = true
+  deletion_protection     = false
 
   performance_insights_enabled          = true
   performance_insights_retention_period = 7

examples/complete-mysql/main.tf

@@ -87,9 +87,9 @@ module "db" {
   backup_window                   = "03:00-06:00"
   enabled_cloudwatch_logs_exports = ["general"]
 
-  backup_retention_period   = 0
-  final_snapshot_identifier = local.name
-  deletion_protection       = false
+  backup_retention_period = 0
+  skip_final_snapshot     = true
+  deletion_protection     = false
 
   performance_insights_enabled          = true
   performance_insights_retention_period = 7

examples/complete-oracle/main.tf

@@ -88,9 +88,9 @@ module "db" {
   backup_window                   = "03:00-06:00"
   enabled_cloudwatch_logs_exports = ["alert", "audit"]
 
-  backup_retention_period   = 0
-  final_snapshot_identifier = local.name
-  deletion_protection       = false
+  backup_retention_period = 0
+  skip_final_snapshot     = true
+  deletion_protection     = false
 
   performance_insights_enabled          = true
   performance_insights_retention_period = 7

examples/complete-postgres/main.tf

@@ -90,9 +90,9 @@ module "db" {
   backup_window                   = "03:00-06:00"
   enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
 
-  backup_retention_period   = 0
-  final_snapshot_identifier = local.name
-  deletion_protection       = false
+  backup_retention_period = 0
+  skip_final_snapshot     = true
+  deletion_protection     = false
 
   performance_insights_enabled          = true
   performance_insights_retention_period = 7
@@ -101,7 +101,7 @@ module "db" {
   parameters = [
     {
       name  = "autovacuum"
-      value = true
+      value = 1
     },
     {
       name  = "client_encoding"

examples/enhanced-monitoring/main.tf

@@ -116,9 +116,9 @@ module "db" {
   backup_window                   = "03:00-06:00"
   enabled_cloudwatch_logs_exports = ["audit", "general"]
 
-  backup_retention_period   = 0
-  final_snapshot_identifier = local.name
-  deletion_protection       = false
+  backup_retention_period = 0
+  skip_final_snapshot     = true
+  deletion_protection     = false
 
   # Enhanced monitoring
   monitoring_interval = 30

examples/replica-mysql/main.tf

@@ -97,9 +97,9 @@ module "master" {
   enabled_cloudwatch_logs_exports = ["general"]
 
   # Backups are required in order to create a replica
-  backup_retention_period   = 1
-  final_snapshot_identifier = local.name
-  deletion_protection       = false
+  backup_retention_period = 1
+  skip_final_snapshot     = true
+  deletion_protection     = false
 
   create_db_option_group    = false
   create_db_parameter_group = false

examples/replica-postgres/main.tf

@@ -97,9 +97,9 @@ module "master" {
   enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
 
   # Backups are required in order to create a replica
-  backup_retention_period   = 1
-  final_snapshot_identifier = local.name
-  deletion_protection       = false
+  backup_retention_period = 1
+  skip_final_snapshot     = true
+  deletion_protection     = false
 
   tags = local.tags
 }
@@ -139,9 +139,9 @@ module "replica" {
   backup_window                   = "03:00-06:00"
   enabled_cloudwatch_logs_exports = ["postgresql", "upgrade"]
 
-  backup_retention_period   = 0
-  final_snapshot_identifier = local.name
-  deletion_protection       = false
+  backup_retention_period = 0
+  skip_final_snapshot     = true
+  deletion_protection     = false
 
   # Not allowed to specify a subnet group for replicas in the same region
   create_db_subnet_group = false

examples/s3-import-mysql/main.tf

@@ -190,9 +190,9 @@ module "db" {
   backup_window                   = "03:00-06:00"
   enabled_cloudwatch_logs_exports = ["audit", "general"]
 
-  backup_retention_period   = 0
-  final_snapshot_identifier = local.name
-  deletion_protection       = false
+  backup_retention_period = 0
+  skip_final_snapshot     = true
+  deletion_protection     = false
 
   tags = local.tags
 }

main.tf

@@ -56,8 +56,9 @@ module "db_option_group" {
 module "db_instance" {
   source = "./modules/db_instance"
 
-  create            = var.create_db_instance
-  identifier        = var.identifier
+  create     = var.create_db_instance
+  identifier = var.identifier
+
   engine            = var.engine
   engine_version    = var.engine_version
   instance_class    = var.instance_class
@@ -75,10 +76,6 @@ module "db_instance" {
   domain_iam_role_name                = var.domain_iam_role_name
   iam_database_authentication_enabled = var.iam_database_authentication_enabled
 
-  replicate_source_db = var.replicate_source_db
-
-  snapshot_identifier = var.snapshot_identifier
-
   vpc_security_group_ids = var.vpc_security_group_ids
   db_subnet_group_name   = local.db_subnet_group_name
   parameter_group_name   = local.parameter_group_name_id
@@ -88,21 +85,24 @@ module "db_instance" {
   multi_az            = var.multi_az
   iops                = var.iops
   publicly_accessible = var.publicly_accessible
-
-  ca_cert_identifier = var.ca_cert_identifier
+  ca_cert_identifier  = var.ca_cert_identifier
 
   allow_major_version_upgrade = var.allow_major_version_upgrade
   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
   apply_immediately           = var.apply_immediately
   maintenance_window          = var.maintenance_window
-  skip_final_snapshot         = var.skip_final_snapshot
-  copy_tags_to_snapshot       = var.copy_tags_to_snapshot
-  final_snapshot_identifier   = var.final_snapshot_identifier
+
+  snapshot_identifier              = var.snapshot_identifier
+  copy_tags_to_snapshot            = var.copy_tags_to_snapshot
+  skip_final_snapshot              = var.skip_final_snapshot
+  final_snapshot_identifier        = var.final_snapshot_identifier
+  final_snapshot_identifier_prefix = var.final_snapshot_identifier_prefix
 
   performance_insights_enabled          = var.performance_insights_enabled
   performance_insights_retention_period = var.performance_insights_retention_period
-  performance_insights_kms_key_id       = var.performance_insights_enabled == true ? var.performance_insights_kms_key_id : null
+  performance_insights_kms_key_id       = var.performance_insights_enabled ? var.performance_insights_kms_key_id : null
 
+  replicate_source_db     = var.replicate_source_db
   backup_retention_period = var.backup_retention_period
   backup_window           = var.backup_window
   max_allocated_storage   = var.max_allocated_storage
@@ -111,8 +111,8 @@ module "db_instance" {
   monitoring_role_name    = var.monitoring_role_name
   create_monitoring_role  = var.create_monitoring_role
 
-  timezone                        = var.timezone
   character_set_name              = var.character_set_name
+  timezone                        = var.timezone
   enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
 
   timeouts = var.timeouts

modules/db_instance/README.md

@@ -7,12 +7,14 @@
 |------|---------|
 | terraform | >= 0.12.26 |
 | aws | >= 2.49 |
+| random | >= 2.2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | aws | >= 2.49 |
+| random | >= 2.2 |
 
 ## Modules
 
@@ -26,6 +28,7 @@ No Modules.
 | [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
 | [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) |
 | [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) |
+| [random_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) |
 
 ## Inputs
 
@@ -36,7 +39,7 @@ No Modules.
 | apply\_immediately | Specifies whether any database modifications are applied immediately, or during the next maintenance window | `bool` | `false` | no |
 | auto\_minor\_version\_upgrade | Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window | `bool` | `true` | no |
 | availability\_zone | The Availability Zone of the RDS instance | `string` | `""` | no |
-| backup\_retention\_period | The days to retain backups for | `number` | `1` | no |
+| backup\_retention\_period | The days to retain backups for | `number` | `null` | no |
 | backup\_window | The daily time range (in UTC) during which automated backups are created if they are enabled. Example: '09:46-10:16'. Must not overlap with maintenance\_window | `string` | n/a | yes |
 | ca\_cert\_identifier | Specifies the identifier of the CA certificate for the DB instance | `string` | `"rds-ca-2019"` | no |
 | character\_set\_name | (Optional) The character set name to use for DB encoding in Oracle instances. This can't be changed. See Oracle Character Sets Supported in Amazon RDS and Collations and Character Sets for Microsoft SQL Server for more information. This can only be set on creation. | `string` | `""` | no |
@@ -52,6 +55,7 @@ No Modules.
 | engine | The database engine to use | `string` | n/a | yes |
 | engine\_version | The engine version to use | `string` | n/a | yes |
 | final\_snapshot\_identifier | The name of your final DB snapshot when this DB instance is deleted. | `string` | `null` | no |
+| final\_snapshot\_identifier\_prefix | The name which is prefixed to the final snapshot on cluster destroy | `string` | `"final"` | no |
 | iam\_database\_authentication\_enabled | Specifies whether or mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled | `bool` | `false` | no |
 | iam\_partition | IAM Partition to use when generating ARN's. For most regions this can be left at default. China/Govcloud use different partitions | `string` | `"aws"` | no |
 | identifier | The name of the RDS instance, if omitted, Terraform will assign a random, unique identifier | `string` | n/a | yes |
@@ -76,7 +80,7 @@ No Modules.
 | publicly\_accessible | Bool to control if instance is publicly accessible | `bool` | `false` | no |
 | replicate\_source\_db | Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate. | `string` | `null` | no |
 | s3\_import | Restore from a Percona Xtrabackup in S3 (only MySQL is supported) | `map(string)` | `null` | no |
-| skip\_final\_snapshot | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final\_snapshot\_identifier | `bool` | `true` | no |
+| skip\_final\_snapshot | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final\_snapshot\_identifier | `bool` | `false` | no |
 | snapshot\_identifier | Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05. | `string` | `null` | no |
 | storage\_encrypted | Specifies whether the DB instance is encrypted | `bool` | `false` | no |
 | storage\_type | One of 'standard' (magnetic), 'gp2' (general purpose SSD), or 'io1' (provisioned IOPS SSD). The default is 'io1' if iops is specified, 'standard' if not. Note that this behaviour is different from the AWS web console, where the default is 'gp2'. | `string` | `"gp2"` | no |

modules/db_instance/main.tf

@@ -2,38 +2,14 @@ locals {
   is_mssql = element(split("-", var.engine), 0) == "sqlserver"
 }
 
-data "aws_iam_policy_document" "enhanced_monitoring" {
-  statement {
-    actions = [
-      "sts:AssumeRole",
-    ]
+resource "random_id" "snapshot_identifier" {
+  count = var.create && !var.skip_final_snapshot ? 1 : 0
 
-    principals {
-      type        = "Service"
-      identifiers = ["monitoring.rds.amazonaws.com"]
-    }
+  keepers = {
+    id = var.identifier
   }
-}
-
-resource "aws_iam_role" "enhanced_monitoring" {
-  count = var.create_monitoring_role ? 1 : 0
-
-  name               = var.monitoring_role_name
-  assume_role_policy = data.aws_iam_policy_document.enhanced_monitoring.json
-
-  tags = merge(
-    {
-      "Name" = format("%s", var.monitoring_role_name)
-    },
-    var.tags,
-  )
-}
 
-resource "aws_iam_role_policy_attachment" "enhanced_monitoring" {
-  count = var.create_monitoring_role ? 1 : 0
-
-  role       = aws_iam_role.enhanced_monitoring[0].name
-  policy_arn = "arn:${var.iam_partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+  byte_length = 4
 }
 
 resource "aws_db_instance" "this" {
@@ -58,10 +34,6 @@ resource "aws_db_instance" "this" {
   domain_iam_role_name                = var.domain_iam_role_name
   iam_database_authentication_enabled = var.iam_database_authentication_enabled
 
-  replicate_source_db = var.replicate_source_db
-
-  snapshot_identifier = var.snapshot_identifier
-
   vpc_security_group_ids = var.vpc_security_group_ids
   db_subnet_group_name   = var.db_subnet_group_name
   parameter_group_name   = var.parameter_group_name
@@ -71,29 +43,31 @@ resource "aws_db_instance" "this" {
   multi_az            = var.multi_az
   iops                = var.iops
   publicly_accessible = var.publicly_accessible
-  monitoring_interval = var.monitoring_interval
-  monitoring_role_arn = var.monitoring_interval > 0 ? coalesce(var.monitoring_role_arn, join(", ", aws_iam_role.enhanced_monitoring.*.arn), null) : null
+  ca_cert_identifier  = var.ca_cert_identifier
 
   allow_major_version_upgrade = var.allow_major_version_upgrade
   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
   apply_immediately           = var.apply_immediately
   maintenance_window          = var.maintenance_window
-  skip_final_snapshot         = var.skip_final_snapshot
-  copy_tags_to_snapshot       = var.copy_tags_to_snapshot
-  final_snapshot_identifier   = var.final_snapshot_identifier
-  max_allocated_storage       = var.max_allocated_storage
+
+  snapshot_identifier   = var.snapshot_identifier
+  copy_tags_to_snapshot = var.copy_tags_to_snapshot
+  skip_final_snapshot   = var.skip_final_snapshot
+  # TODO - remove coalesce() at next breaking change - adding existing name as fallback to maintain backwards compatibility
+  final_snapshot_identifier = var.skip_final_snapshot ? null : coalesce(var.final_snapshot_identifier, "${var.final_snapshot_identifier_prefix}-${var.identifier}-${random_id.snapshot_identifier[0].hex}")
 
   performance_insights_enabled          = var.performance_insights_enabled
   performance_insights_retention_period = var.performance_insights_enabled == true ? var.performance_insights_retention_period : null
   performance_insights_kms_key_id       = var.performance_insights_enabled == true ? var.performance_insights_kms_key_id : null
 
+  replicate_source_db     = var.replicate_source_db
   backup_retention_period = var.backup_retention_period
   backup_window           = var.backup_window
+  max_allocated_storage   = var.max_allocated_storage
+  monitoring_interval     = var.monitoring_interval
+  monitoring_role_arn     = var.monitoring_interval > 0 ? coalesce(var.monitoring_role_arn, join(", ", aws_iam_role.enhanced_monitoring.*.arn), null) : null
 
-  character_set_name = var.character_set_name
-
-  ca_cert_identifier = var.ca_cert_identifier
-
+  character_set_name              = var.character_set_name
   enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
 
   deletion_protection      = var.deletion_protection
@@ -146,10 +120,6 @@ resource "aws_db_instance" "this_mssql" {
   domain_iam_role_name                = var.domain_iam_role_name
   iam_database_authentication_enabled = var.iam_database_authentication_enabled
 
-  replicate_source_db = var.replicate_source_db
-
-  snapshot_identifier = var.snapshot_identifier
-
   vpc_security_group_ids = var.vpc_security_group_ids
   db_subnet_group_name   = var.db_subnet_group_name
   parameter_group_name   = var.parameter_group_name
@@ -159,30 +129,36 @@ resource "aws_db_instance" "this_mssql" {
   multi_az            = var.multi_az
   iops                = var.iops
   publicly_accessible = var.publicly_accessible
-  monitoring_interval = var.monitoring_interval
-  monitoring_role_arn = var.monitoring_interval > 0 ? coalesce(var.monitoring_role_arn, aws_iam_role.enhanced_monitoring.*.arn, null) : null
+  ca_cert_identifier  = var.ca_cert_identifier
 
   allow_major_version_upgrade = var.allow_major_version_upgrade
   auto_minor_version_upgrade  = var.auto_minor_version_upgrade
   apply_immediately           = var.apply_immediately
   maintenance_window          = var.maintenance_window
-  skip_final_snapshot         = var.skip_final_snapshot
-  copy_tags_to_snapshot       = var.copy_tags_to_snapshot
-  final_snapshot_identifier   = var.final_snapshot_identifier
-  max_allocated_storage       = var.max_allocated_storage
+
+  snapshot_identifier   = var.snapshot_identifier
+  copy_tags_to_snapshot = var.copy_tags_to_snapshot
+  skip_final_snapshot   = var.skip_final_snapshot
+  # TODO - remove coalesce() at next breaking change - adding existing name as fallback to maintain backwards compatibility
+  final_snapshot_identifier = var.skip_final_snapshot ? null : coalesce(var.final_snapshot_identifier, "${var.final_snapshot_identifier_prefix}-${var.identifier}-${random_id.snapshot_identifier[0].hex}")
 
   performance_insights_enabled          = var.performance_insights_enabled
-  performance_insights_retention_period = var.performance_insights_enabled == true ? var.performance_insights_retention_period : null
+  performance_insights_retention_period = var.performance_insights_enabled ? var.performance_insights_retention_period : null
+  performance_insights_kms_key_id       = var.performance_insights_enabled ? var.performance_insights_kms_key_id : null
 
+  replicate_source_db     = var.replicate_source_db
   backup_retention_period = var.backup_retention_period
   backup_window           = var.backup_window
+  max_allocated_storage   = var.max_allocated_storage
+  monitoring_interval     = var.monitoring_interval
+  monitoring_role_arn     = var.monitoring_interval > 0 ? coalesce(var.monitoring_role_arn, aws_iam_role.enhanced_monitoring.*.arn, null) : null
 
-  character_set_name = var.character_set_name
-  timezone           = var.timezone
-
+  character_set_name              = var.character_set_name
+  timezone                        = var.timezone # MSSQL only
   enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
 
-  deletion_protection = var.deletion_protection
+  deletion_protection      = var.deletion_protection
+  delete_automated_backups = var.delete_automated_backups
 
   tags = merge(
     var.tags,
@@ -198,3 +174,40 @@ resource "aws_db_instance" "this_mssql" {
   }
 }
 
+################################################################################
+# Enhanced monitoring
+################################################################################
+
+data "aws_iam_policy_document" "enhanced_monitoring" {
+  statement {
+    actions = [
+      "sts:AssumeRole",
+    ]
+
+    principals {
+      type        = "Service"
+      identifiers = ["monitoring.rds.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "enhanced_monitoring" {
+  count = var.create_monitoring_role ? 1 : 0
+
+  name               = var.monitoring_role_name
+  assume_role_policy = data.aws_iam_policy_document.enhanced_monitoring.json
+
+  tags = merge(
+    {
+      "Name" = format("%s", var.monitoring_role_name)
+    },
+    var.tags,
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "enhanced_monitoring" {
+  count = var.create_monitoring_role ? 1 : 0
+
+  role       = aws_iam_role.enhanced_monitoring[0].name
+  policy_arn = "arn:${var.iam_partition}:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"
+}

modules/db_instance/variables.tf

@@ -38,12 +38,6 @@ variable "replicate_source_db" {
   default     = null
 }
 
-variable "snapshot_identifier" {
-  description = "Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05."
-  type        = string
-  default     = null
-}
-
 variable "license_model" {
   description = "License model information for this DB instance. Optional, but required for some DB engines, i.e. Oracle SE1"
   type        = string
@@ -104,12 +98,36 @@ variable "port" {
   type        = string
 }
 
+variable "skip_final_snapshot" {
+  description = "Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final_snapshot_identifier"
+  type        = bool
+  default     = false
+}
+
+variable "snapshot_identifier" {
+  description = "Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05."
+  type        = string
+  default     = null
+}
+
+variable "copy_tags_to_snapshot" {
+  description = "On delete, copy all Instance tags to the final snapshot (if final_snapshot_identifier is specified)"
+  type        = bool
+  default     = false
+}
+
 variable "final_snapshot_identifier" {
   description = "The name of your final DB snapshot when this DB instance is deleted."
   type        = string
   default     = null
 }
 
+variable "final_snapshot_identifier_prefix" {
+  description = "The name which is prefixed to the final snapshot on cluster destroy"
+  type        = string
+  default     = "final"
+}
+
 variable "vpc_security_group_ids" {
   description = "List of VPC security groups to associate"
   type        = list(string)
@@ -199,22 +217,10 @@ variable "maintenance_window" {
   type        = string
 }
 
-variable "skip_final_snapshot" {
-  description = "Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final_snapshot_identifier"
-  type        = bool
-  default     = true
-}
-
-variable "copy_tags_to_snapshot" {
-  description = "On delete, copy all Instance tags to the final snapshot (if final_snapshot_identifier is specified)"
-  type        = bool
-  default     = false
-}
-
 variable "backup_retention_period" {
   description = "The days to retain backups for"
   type        = number
-  default     = 1
+  default     = null
 }
 
 variable "backup_window" {

modules/db_instance/versions.tf

@@ -6,5 +6,10 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 2.49"
     }
+
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.2"
+    }
   }
 }

variables.tf

@@ -32,12 +32,6 @@ variable "replicate_source_db" {
   default     = null
 }
 
-variable "snapshot_identifier" {
-  description = "Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05."
-  type        = string
-  default     = null
-}
-
 variable "license_model" {
   description = "License model information for this DB instance. Optional, but required for some DB engines, i.e. Oracle SE1"
   type        = string
@@ -72,12 +66,36 @@ variable "engine_version" {
   type        = string
 }
 
+variable "skip_final_snapshot" {
+  description = "Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final_snapshot_identifier"
+  type        = bool
+  default     = false
+}
+
+variable "snapshot_identifier" {
+  description = "Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05."
+  type        = string
+  default     = null
+}
+
+variable "copy_tags_to_snapshot" {
+  description = "On delete, copy all Instance tags to the final snapshot (if final_snapshot_identifier is specified)"
+  type        = bool
+  default     = false
+}
+
 variable "final_snapshot_identifier" {
   description = "The name of your final DB snapshot when this DB instance is deleted."
   type        = string
   default     = null
 }
 
+variable "final_snapshot_identifier_prefix" {
+  description = "The name which is prefixed to the final snapshot on cluster destroy"
+  type        = string
+  default     = "final"
+}
+
 variable "instance_class" {
   description = "The instance type of the RDS instance"
   type        = string
@@ -181,22 +199,10 @@ variable "maintenance_window" {
   type        = string
 }
 
-variable "skip_final_snapshot" {
-  description = "Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final_snapshot_identifier"
-  type        = bool
-  default     = true
-}
-
-variable "copy_tags_to_snapshot" {
-  description = "On delete, copy all Instance tags to the final snapshot (if final_snapshot_identifier is specified)"
-  type        = bool
-  default     = false
-}
-
 variable "backup_retention_period" {
   description = "The days to retain backups for"
   type        = number
-  default     = 1
+  default     = null
 }
 
 variable "backup_window" {

versions.tf

@@ -6,5 +6,10 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 2.49"
     }
+
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.2"
+    }
   }
 }