Creating RDS instance using Terraform CDK

In the previous article, we created an AWS VPC using Terraform CDK.
In this article, we'll create an AWS RDS instance inside the VPC we created earlier.

What is RDS?

RDS stands for "Relational Database Service". Amazon Relational Database Service (Amazon RDS) is one of the services provided by Amazon. It is a collection of managed services that makes it simple to set up, operate, and scale relational databases in the cloud.

Create RDS instance using CDKTF

Before creating the RDS database instance, we first need to create the database subnet group for our database.

Database subnet group: a collection of subnets (typically private subnets) that you create in the VPC and then designate for your database instances. The RDS instance is placed in one of these subnets, so it is never exposed through a public subnet.

Create database subnet group:

Add the following lines at the start of the main.ts file to import the required provider classes (the Token helper from cdktf is needed later to pass one resource's attribute to another).

import { Token } from "cdktf";
// SecurityGroup lives in the vpc namespace of the generated AWS provider bindings used here
import { SecurityGroup } from "./.gen/providers/aws/vpc";
import {
  DbSubnetGroup,
  DbParameterGroup,
  DbOptionGroup,
  DbInstance
} from "./.gen/providers/aws/rds";

Now, create a database subnet group using the two private subnets that we have created earlier (in the previous article).

const dbSubnetGroup = new DbSubnetGroup(this, "db-subnet-group", {
      name: "db-subnet-group",
      // the two private subnets created in the previous article
      subnetIds: ["subnet-01fcXXXX", "subnet-01fcXXXX"]
});

NOTE: replace the subnet ids with your own subnet ids.

Create database parameter group:

  • Database parameters specify how the database is configured. For example, database parameters can specify the amount of resources, such as memory to allocate.
  • It contains engine configuration values that can be applied to one or more database instances of the same instance type.
const dbParameterGroup = new DbParameterGroup(this, "test-ghost-db-pg", {
      name: "test-ghost-db-pg",
      family: "mysql8.0", // must match the engine and major version of the instance
      description: "Parameter group for ghost db: managed by terraform"
});

Create database option group:

  • Some DB engines offer tools or optional features that simplify managing the databases and making the best use of data.
  • RDS makes such tools available through option groups, for example Oracle Application Express (APEX), SQL Server Transparent Data Encryption, and MySQL Memcached support.
const dbOptionGroup = new DbOptionGroup(this, "test-ghost-db-og", {
      name: "test-ghost-db-og",
      engineName: "mysql",
      majorEngineVersion: "8.0",
      optionGroupDescription: "Option group for ghost db: managed by terraform"
});

Here we are using the MySQL engine, version 8.0, so the parameter group family and option group engine version must both refer to MySQL 8.0.

Create DB specific security group instance:

  • Network access to database instances is turned off by default. To allow access, we need to add rules to a security group that permit traffic from an IP address range, on a port, or from another security group.
  • Once ingress (traffic routed to the db instance) rules are configured, the same rules apply to all DB instances that are associated with that security group.
  • You can specify up to 20 rules in a security group.
const rdsSecurityGroup = new SecurityGroup(this, "test-db-security-group", {
      name: "test-db-security-group",
      description: "Firewall for RDS instance",
      // Assumed: the group has to be created in the VPC from the previous article;
      // without vpcId it lands in the default VPC and cannot be attached to this instance.
      vpcId: "vpc-XXXX", // replace with your VPC id
      ingress: [{
          // MySQL listens on 3306; the original rule used port 22 (SSH), which
          // would never allow a client to reach the database.
          fromPort: 3306,
          toPort: 3306,
          cidrBlocks: [CIDR_PREFIX], // VPC CIDR defined in the previous article
          protocol: "tcp"
      }],
      egress: [{
          fromPort: 0,
          toPort: 0,
          protocol: "-1", // all protocols
          cidrBlocks: ["0.0.0.0/0"],
          ipv6CidrBlocks: ["::/0"]
      }]
});

Create database instance:

Finally, let's create the database instance.

new DbInstance(this, "tes-rds-db", {
      identifier: "tes-rds-db",
      engine: "mysql",
      engineVersion: "8.0",
      allocatedStorage: 10,
      instanceClass: "db.t3.micro",
      dbName: "test_db",
      username: "username",
      // demo value only: a literal here is written into the synthesized JSON and the
      // Terraform state, so use a sensitive variable or a secret reference in practice
      password: "password",
      availabilityZone: "us-east-1a", // must be an AZ of one of the subnet group's subnets
      dbSubnetGroupName: Token.asString(dbSubnetGroup.name),
      parameterGroupName: Token.asString(dbParameterGroup.name),
      optionGroupName: Token.asString(dbOptionGroup.name),
      vpcSecurityGroupIds: [Token.asString(rdsSecurityGroup.id)]
});
  • identifier: name of the RDS instance
  • engine: the database engine to use
  • engineVersion: engine version to use
  • username: database master user name
  • password: database master password
  • allocatedStorage: the amount of allocated storage
  • instanceClass: the RDS instance class
  • dbName: the database name
  • availabilityZone: availability zone of the instance
  • dbSubnetGroupName: name of the DB subnet group. The DB instance is created in the VPC associated with that subnet group. If unspecified, it is created in the default VPC, or in EC2 Classic, if available.
  • parameterGroupName: name of the DB parameter group to associate
  • optionGroupName: name of the DB option group to associate
  • vpcSecurityGroupIds: list of VPC security groups to associate

Deploy the changes:

Use the cdktf CLI to deploy the changes with the following command.

cdktf deploy

Don't forget to check the plan diff that appears in your terminal after running this command. If everything looks fine, proceed with "Approve".
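Reviewing the plan by eye is easy to skip, so here is an added example (not part of the article or the cdktf project) of a small check that can run over the JSON produced by `cdktf synth` before deploying; the file path, the resource names and the sample JSON are assumptions mirroring this article's stack.

```typescript
// Added example: a policy check over cdktf.out/stacks/<stack>/cdk.tf.json (written by `cdktf synth`).
// That file has the shape { resource: { <tf_type>: { <name>: { <attributes> } } } } and
// cross-resource references appear as Terraform strings such as "${aws_security_group.db.id}".
type Attrs = Record<string, unknown>;
interface TfJson { resource?: Record<string, Record<string, Attrs>> }
export interface Finding { resource: string; problem: string }

// Engine -> listener port; an ingress rule on another port cannot be database traffic.
const ENGINE_PORT: Record<string, number> = { mysql: 3306, mariadb: 3306, postgres: 5432 };
const SG_REF = /^\$\{aws_security_group\.([^.]+)\.id\}$/;

export function lintRdsStack(tf: TfJson): Finding[] {
  const out: Finding[] = [];
  const res = tf.resource ?? {};
  const sgs = res["aws_security_group"] ?? {};
  for (const [name, db] of Object.entries(res["aws_db_instance"] ?? {})) {
    const id = `aws_db_instance.${name}`;
    if (db["publicly_accessible"] === true) out.push({ resource: id, problem: "publicly_accessible is true" });
    if (db["storage_encrypted"] !== true) out.push({ resource: id, problem: "storage_encrypted is not true" });
    const pw = db["password"];
    if (typeof pw === "string" && !pw.startsWith("${")) {
      out.push({ resource: id, problem: "master password is a literal, not a variable or secret reference" });
    }
    const port = ENGINE_PORT[String(db["engine"])];
    // Only inspect the security groups this instance actually references.
    for (const ref of (db["vpc_security_group_ids"] as string[] | undefined) ?? []) {
      const m = SG_REF.exec(ref);
      if (!m || !sgs[m[1]]) continue;
      const sgId = `aws_security_group.${m[1]}`;
      for (const rule of (sgs[m[1]]["ingress"] as Attrs[] | undefined) ?? []) {
        const cidrs = (rule["cidr_blocks"] as string[] | undefined) ?? [];
        if (cidrs.includes("0.0.0.0/0")) out.push({ resource: sgId, problem: `ingress ${rule["from_port"]} open to 0.0.0.0/0` });
        if (port !== undefined && rule["from_port"] !== port) {
          out.push({ resource: sgId, problem: `ingress port ${rule["from_port"]} is not the ${db["engine"]} port ${port}` });
        }
      }
    }
  }
  return out;
}

// Constructed sample mirroring the article's stack after synth (hand-written, not real output).
export const SAMPLE: TfJson = {
  resource: {
    aws_security_group: { "test-db-security-group": {
      ingress: [{ from_port: 22, to_port: 22, protocol: "tcp", cidr_blocks: ["0.0.0.0/0"] }] } },
    aws_db_instance: { "tes-rds-db": { engine: "mysql", password: "password", publicly_accessible: false,
      vpc_security_group_ids: ["${aws_security_group.test-db-security-group.id}"] } },
  },
};
```

Run it against the real synthesized file with `lintRdsStack(JSON.parse(fs.readFileSync(path, "utf8")))` and refuse to approve the plan while it returns findings.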

This way, we can create an RDS database instance in an already created VPC.

Kiran Kamalakar

Design and development enthusiast.
Pune, India