Database Maintainer lambda
This module creates Lambda functions that run database maintenance tasks (creating databases, users, extensions and read-only schema access) from CI, so that CI never needs the root database credentials itself.
The supported databases are:
- Postgres
- MySQL
- DocumentDB
Password Storage
Database passwords can be stored in either AWS Systems Manager Parameter Store or AWS Secrets Manager, selected per user with the `secret_storage_type` event field:
- Parameter Store (default, `parameter_store`): the password is stored as a SecureString parameter under the `password_parameter_prefix` given in the event.
- Secrets Manager (`secrets_manager`): the credential is stored as a JSON secret holding both the username and the password. This is the format AWS RDS credential rotation and RDS-aware applications expect, so such secrets can be consumed by them directly.
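Consumers of these credentials have to handle the two layouts differently: a SecureString parameter is the bare password, an RDS-style secret is JSON carrying the username as well. The helper below is an added example (not part of this module) that builds the AWS CLI read command for either backend and normalises what comes back, cross-checking the username in a Secrets Manager secret against the user the application expects so that a misconfigured secret id fails closed. The exact parameter name or secret id the lambda derives from `password_parameter_prefix` is not stated on this page, so the caller supplies it; the sample values are constructed.

```python
from __future__ import annotations

import json
from dataclasses import dataclass

# The two secret_storage_type values this page documents.
PARAMETER_STORE = "parameter_store"
SECRETS_MANAGER = "secrets_manager"


@dataclass(frozen=True)
class DbCredentials:
    username: str
    password: str


def fetch_command(storage_type: str, name: str) -> list[str]:
    """argv for reading the stored value with the AWS CLI.

    Returned as a list, not a shell string, so `name` is never interpolated
    into a shell command. `name` is the full parameter name or secret id;
    how the lambda derives it from password_parameter_prefix is not stated
    on this page, so the caller supplies it (assumption).
    """
    if storage_type == PARAMETER_STORE:
        return ["aws", "ssm", "get-parameter", "--name", name, "--with-decryption",
                "--query", "Parameter.Value", "--output", "text"]
    if storage_type == SECRETS_MANAGER:
        return ["aws", "secretsmanager", "get-secret-value", "--secret-id", name,
                "--query", "SecretString", "--output", "text"]
    raise ValueError(f"unknown secret_storage_type {storage_type!r}")


def parse_credentials(storage_type: str, raw_value: str, expected_username: str) -> DbCredentials:
    """Normalise either backend's value into (username, password).

    A SecureString parameter holds only the password, so the username must
    come from the caller. An RDS-style secret is a JSON object carrying both;
    its username is cross-checked against the caller's expectation so an
    application pointed at the wrong secret fails instead of logging in as a
    different principal.
    """
    if storage_type == PARAMETER_STORE:
        if not raw_value:
            raise ValueError("empty SecureString parameter")
        return DbCredentials(expected_username, raw_value)
    if storage_type == SECRETS_MANAGER:
        try:
            doc = json.loads(raw_value)
        except json.JSONDecodeError as exc:
            raise ValueError("secret is not valid JSON") from exc
        if not isinstance(doc, dict) or not {"username", "password"}.issubset(doc):
            raise ValueError("RDS-style secret must be an object with 'username' and 'password'")
        if doc["username"] != expected_username:
            raise ValueError(f"secret is for {doc['username']!r}, expected {expected_username!r}")
        if not isinstance(doc["password"], str) or not doc["password"]:
            raise ValueError("password must be a non-empty string")
        return DbCredentials(doc["username"], doc["password"])
    raise ValueError(f"unknown secret_storage_type {storage_type!r}")


# Constructed sample values standing in for what the CLI commands above would
# return; not real credentials.
SAMPLE_PARAMETER_VALUE = "ex4mple-p4ssw0rd"
SAMPLE_SECRET_STRING = json.dumps({"username": "demo-test-user", "password": "ex4mple-p4ssw0rd"})

if __name__ == "__main__":
    print(parse_credentials(PARAMETER_STORE, SAMPLE_PARAMETER_VALUE, "demo-test-user"))
    print(parse_credentials(SECRETS_MANAGER, SAMPLE_SECRET_STRING, "demo-test-user"))
    print(" ".join(fetch_command(SECRETS_MANAGER, "example-secret-id")))
```

The `--with-decryption` flag is required to read a SecureString; without it `get-parameter` returns the ciphertext, which is an easy way to end up with a "wrong password" that is really an unread one.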
Postgres
Available Events
CreateDatabaseEvent
{
"event_type": {
"enum": [
"CREATE_DATABASE",
"CREATE_USER",
"CREATE_SCHEMA_ACCESS_FOR_READ_ONLY",
"CREATE_EXTENSIONS"
],
"title": "Event Type",
"type": "string"
},
"database_name": {
"title": "Database Name",
"type": "string"
},
"locale": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Locale"
}
}
CreateUserEvent
{
"event_type": {
"enum": [
"CREATE_DATABASE",
"CREATE_USER",
"CREATE_SCHEMA_ACCESS_FOR_READ_ONLY",
"CREATE_EXTENSIONS"
],
"title": "Event Type",
"type": "string"
},
"database_name": {
"title": "Database Name",
"type": "string"
},
"database_user_name": {
"title": "Database User Name",
"type": "string"
},
"password_parameter_prefix": {
"title": "Password Parameter Prefix",
"type": "string"
},
"secret_storage_type": {
"default": "parameter_store",
"enum": [
"parameter_store",
"secrets_manager"
],
"title": "Secret Storage Type",
"type": "string"
},
"is_owner": {
"default": false,
"title": "Is Owner",
"type": "boolean"
},
"is_read_only": {
"default": false,
"title": "Is Read Only",
"type": "boolean"
}
}
CreateExtensionsEvent
{
"event_type": {
"enum": [
"CREATE_DATABASE",
"CREATE_USER",
"CREATE_SCHEMA_ACCESS_FOR_READ_ONLY",
"CREATE_EXTENSIONS"
],
"title": "Event Type",
"type": "string"
},
"database_name": {
"title": "Database Name",
"type": "string"
},
"extensions": {
"items": {
"type": "string"
},
"title": "Extensions",
"type": "array"
}
}
CreateSchemaAccessForReadOnlyEvent
{
"event_type": {
"enum": [
"CREATE_DATABASE",
"CREATE_USER",
"CREATE_SCHEMA_ACCESS_FOR_READ_ONLY",
"CREATE_EXTENSIONS"
],
"title": "Event Type",
"type": "string"
},
"database_name": {
"title": "Database Name",
"type": "string"
},
"database_user_name": {
"title": "Database User Name",
"type": "string"
},
"schema_name": {
"title": "Schema Name",
"type": "string"
}
}
Example invocations
#!/bin/bash
aws lambda invoke \
--function-name postgres-database-maintainer \
--payload '{
"event_type": "CREATE_DATABASE",
"database_name": "demo-test"
}' \
--cli-binary-format raw-in-base64-out \
/dev/stdout
aws lambda invoke \
--function-name postgres-database-maintainer \
--payload '{
"event_type": "CREATE_DATABASE",
"database_name": "demo-test-2",
"locale": "is-IS"
}' \
--cli-binary-format raw-in-base64-out \
/dev/stdout
aws lambda invoke \
--function-name postgres-database-maintainer \
--payload '{
"event_type": "CREATE_EXTENSIONS",
"database_name": "demo-test",
"extensions": [
"postgis",
"postgis_topology"
]
}' \
--cli-binary-format raw-in-base64-out \
/dev/stdout
aws lambda invoke \
--function-name postgres-database-maintainer \
--payload '{
"event_type": "CREATE_USER",
"database_name": "demo-test",
"database_user_name": "demo-test-user",
"password_parameter_prefix": "/ecs/demo-test"
}' \
--cli-binary-format raw-in-base64-out \
/dev/stdout
aws lambda invoke \
--function-name postgres-database-maintainer \
--payload '{
"event_type": "CREATE_USER",
"database_name": "demo-test-2",
"database_user_name": "demo-2-owner",
"password_parameter_prefix": "/ecs/demo-2",
"is_owner": true
}' \
--cli-binary-format raw-in-base64-out \
/dev/stdout
aws lambda invoke \
--function-name postgres-database-maintainer \
--payload '{
"event_type": "CREATE_USER",
"database_name": "demo-test",
"database_user_name": "demo-3-readonly",
"password_parameter_prefix": "/ecs/demo-3",
"is_read_only": true
}' \
--cli-binary-format raw-in-base64-out \
/dev/stdout
aws lambda invoke \
--function-name postgres-database-maintainer \
--payload '{
"event_type": "CREATE_USER",
"database_name": "demo-test",
"database_user_name": "demo-4-secrets-manager",
"password_parameter_prefix": "/ecs/demo-4",
"secret_storage_type": "secrets_manager"
}' \
--cli-binary-format raw-in-base64-out \
/dev/stdout
MySQL
Available Events
CreateDatabaseEvent
{
"event_type": {
"enum": [
"CREATE_DATABASE",
"CREATE_USER"
],
"title": "Event Type",
"type": "string"
},
"database_name": {
"title": "Database Name",
"type": "string"
},
"locale": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Locale"
}
}
CreateUserEvent
{
"event_type": {
"enum": [
"CREATE_DATABASE",
"CREATE_USER"
],
"title": "Event Type",
"type": "string"
},
"database_name": {
"title": "Database Name",
"type": "string"
},
"database_user_name": {
"title": "Database User Name",
"type": "string"
},
"password_parameter_prefix": {
"title": "Password Parameter Prefix",
"type": "string"
},
"secret_storage_type": {
"default": "parameter_store",
"enum": [
"parameter_store",
"secrets_manager"
],
"title": "Secret Storage Type",
"type": "string"
}
}
Example invocations
#!/bin/bash
aws lambda invoke \
--function-name mysql-database-maintainer \
--payload '{
"event_type": "CREATE_DATABASE",
"database_name": "demo-test"
}' \
--cli-binary-format raw-in-base64-out \
/dev/stdout
aws lambda invoke \
--function-name mysql-database-maintainer \
--payload '{
"event_type": "CREATE_USER",
"database_name": "demo-test",
"database_user_name": "demo-test-user",
"password_parameter_prefix": "/ecs/demo-test"
}' \
--cli-binary-format raw-in-base64-out \
/dev/stdout
aws lambda invoke \
--function-name mysql-database-maintainer \
--payload '{
"event_type": "CREATE_USER",
"database_name": "demo-test",
"database_user_name": "demo-test-secrets-manager",
"password_parameter_prefix": "/ecs/demo-test-sm",
"secret_storage_type": "secrets_manager"
}' \
--cli-binary-format raw-in-base64-out \
/dev/stdout
DocumentDB
Available Events
CreateUserEvent
{
"event_type": {
"const": "CREATE_USER",
"title": "Event Type",
"type": "string"
},
"database_name": {
"title": "Database Name",
"type": "string"
},
"database_user_name": {
"title": "Database User Name",
"type": "string"
},
"password_parameter_prefix": {
"title": "Password Parameter Prefix",
"type": "string"
},
"secret_storage_type": {
"default": "parameter_store",
"enum": [
"parameter_store",
"secrets_manager"
],
"title": "Secret Storage Type",
"type": "string"
},
"is_read_only": {
"default": false,
"title": "Is Read Only",
"type": "boolean"
}
}
Example invocations
#!/bin/bash
aws lambda invoke \
--function-name documentdb-database-maintainer \
--payload '{
"event_type": "CREATE_USER",
"database_name": "demo-test",
"database_user_name": "demo-test-user",
"password_parameter_prefix": "/ecs/demo-test"
}' \
--cli-binary-format raw-in-base64-out \
/dev/stdout
aws lambda invoke \
--function-name documentdb-database-maintainer \
--payload '{
"event_type": "CREATE_USER",
"database_name": "demo-test",
"database_user_name": "demo-readonly-user",
"password_parameter_prefix": "/ecs/demo-readonly",
"is_read_only": true
}' \
--cli-binary-format raw-in-base64-out \
/dev/stdout
aws lambda invoke \
--function-name documentdb-database-maintainer \
--payload '{
"event_type": "CREATE_USER",
"database_name": "demo-test",
"database_user_name": "demo-secrets-manager-user",
"password_parameter_prefix": "/ecs/demo-sm",
"secret_storage_type": "secrets_manager"
}' \
--cli-binary-format raw-in-base64-out \
/dev/stdout
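The invocation scripts in the Postgres, MySQL and DocumentDB sections above pass hand-written JSON straight to `aws lambda invoke`. Two things bite in CI: a mistyped field (say `is_readonly`) is simply absent from the schema and a user that was meant to be read-only is created with default rights, and a `password_parameter_prefix` outside the module's `ssm_parameter_prefix` only fails inside the lambda when it is denied permission to write the secret. The wrapper below is an added example, not part of this module, that validates an event against the field tables transcribed from the schemas on this page before building the same CLI command the scripts use. The page's schema fragments carry no `required` list, so fields without a default are treated as required here; rejecting unknown keys and forbidding `is_owner` together with `is_read_only` are client-side choices of this example, not behaviour the page documents. Function names follow the page's `<database>-database-maintainer` convention.

```python
from __future__ import annotations

import fnmatch
import json
import shlex

# field -> (python type, required), transcribed from the schemas on this page.
# The page's fragments have no "required" list; fields without a default are
# treated as required (assumption).
_DB = {"database_name": (str, True)}
_USER = {
    **_DB,
    "database_user_name": (str, True),
    "password_parameter_prefix": (str, True),
    "secret_storage_type": (str, False),
}
SCHEMAS = {
    "postgres": {
        "CREATE_DATABASE": {**_DB, "locale": (str, False)},
        "CREATE_USER": {**_USER, "is_owner": (bool, False), "is_read_only": (bool, False)},
        "CREATE_EXTENSIONS": {**_DB, "extensions": (list, True)},
        "CREATE_SCHEMA_ACCESS_FOR_READ_ONLY": {
            **_DB, "database_user_name": (str, True), "schema_name": (str, True)},
    },
    "mysql": {
        "CREATE_DATABASE": {**_DB, "locale": (str, False)},
        "CREATE_USER": dict(_USER),
    },
    "documentdb": {
        "CREATE_USER": {**_USER, "is_read_only": (bool, False)},
    },
}
STORAGE_TYPES = {"parameter_store", "secrets_manager"}


def validate_event(database: str, event: dict, allowed_prefix: str = "/ecs/*") -> dict:
    """Return a validated copy of `event` or raise ValueError.

    `allowed_prefix` mirrors the module's ssm_parameter_prefix input (default
    "/ecs/*"), so a prefix the lambda could never write to is caught here.
    """
    if database not in SCHEMAS:
        raise ValueError(f"unsupported database {database!r}")
    event_type = event.get("event_type")
    fields = SCHEMAS[database].get(event_type)
    if fields is None:
        raise ValueError(f"{database}: unsupported event_type {event_type!r}")

    unknown = set(event) - set(fields) - {"event_type"}
    if unknown:
        # Client-side strictness (not stated on the page): a mistyped key must
        # not be silently dropped and leave a user with more rights than intended.
        raise ValueError(f"unknown field(s): {sorted(unknown)}")
    for name, (typ, required) in fields.items():
        if event.get(name) is None:
            if required:
                raise ValueError(f"missing required field {name!r}")
            continue
        if not isinstance(event[name], typ):
            raise ValueError(f"{name!r} must be of type {typ.__name__}")
    if "extensions" in event and not all(isinstance(x, str) for x in event["extensions"]):
        raise ValueError("extensions must be a list of strings")
    if event.get("secret_storage_type", "parameter_store") not in STORAGE_TYPES:
        raise ValueError(f"secret_storage_type must be one of {sorted(STORAGE_TYPES)}")
    prefix = event.get("password_parameter_prefix")
    if prefix is not None and not fnmatch.fnmatchcase(prefix, allowed_prefix):
        raise ValueError(f"{prefix!r} is outside the permitted prefix {allowed_prefix!r}")
    if event.get("is_owner") and event.get("is_read_only"):
        # Not forbidden by the page's schema; a client-side guard of this example.
        raise ValueError("is_owner and is_read_only are mutually exclusive")
    return dict(event)


def invoke_command(database: str, event: dict, out_file: str = "response.json") -> list[str]:
    """argv for the `aws lambda invoke` call the page's scripts use, with the
    function's return payload written to a file so the CLI's own JSON
    (StatusCode, FunctionError) can be inspected on its own."""
    payload = json.dumps(validate_event(database, event))
    return ["aws", "lambda", "invoke",
            "--function-name", f"{database}-database-maintainer",
            "--payload", payload,
            "--cli-binary-format", "raw-in-base64-out",
            out_file]


def assert_succeeded(cli_response: dict) -> None:
    """A function that raised is reported in the FunctionError field of the
    CLI's JSON response rather than as a non-zero exit status, so a CI script
    must check it explicitly."""
    if cli_response.get("StatusCode") != 200 or cli_response.get("FunctionError"):
        raise RuntimeError(f"lambda invocation failed: {cli_response}")


if __name__ == "__main__":
    event = {"event_type": "CREATE_USER", "database_name": "demo-test",
             "database_user_name": "demo-3-readonly",
             "password_parameter_prefix": "/ecs/demo-3", "is_read_only": True}
    print(shlex.join(invoke_command("postgres", event)))
```

Run the printed command with `subprocess.run(invoke_command(...), check=True, capture_output=True)` and pass `json.loads(result.stdout)` to `assert_succeeded` so that a failed `CREATE_USER` stops the pipeline instead of scrolling past in the log.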
Modules
| Name | Source | Version |
|---|---|---|
| documentdb_lambda | terraform-aws-modules/lambda/aws | 7.20.0 |
| mysql_lambda | terraform-aws-modules/lambda/aws | 7.20.0 |
| postgres_lambda | terraform-aws-modules/lambda/aws | 7.20.0 |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| architecture | The architecture of the lambda function | string | "arm64" | no |
| create | Whether to create the lambda function and associated resources | bool | true | no |
| database_types | Set of database types to create maintenance lambdas for. Valid values are 'postgres', 'mysql', 'documentdb' | set(string) | [] | no |
| documentdb_hostname | The hostname of the DocumentDB cluster. Required if 'documentdb' is in database_types. | string | null | no |
| documentdb_port | The port of the DocumentDB cluster | number | 27017 | no |
| documentdb_root_database | The name of the root database for the DocumentDB cluster | string | "admin" | no |
| documentdb_root_user_secret_arn | The ARN of the Secrets Manager secret containing the root user credentials for the DocumentDB cluster. Required if 'documentdb' is in database_types. | string | null | no |
| documentdb_security_group_id | The security group to allow the lambda function to connect to the DocumentDB cluster. Required if 'documentdb' is in database_types. | string | null | no |
| lambda_runtime | Runtime for the lambda function | string | "python3.13" | no |
| mysql_hostname | The hostname of the MySQL RDS instance. Required if 'mysql' is in database_types. | string | null | no |
| mysql_port | The port of the MySQL RDS instance | number | 3306 | no |
| mysql_rds_security_group_id | The security group to allow the lambda function to connect to the MySQL RDS instance. Required if 'mysql' is in database_types. | string | null | no |
| mysql_root_database | The name of the root database for the MySQL RDS instance | string | "mysql" | no |
| mysql_root_user_secret_arn | The ARN of the Secrets Manager secret containing the root user credentials for the MySQL RDS instance. Required if 'mysql' is in database_types. | string | null | no |
| postgres_hostname | The hostname of the postgres RDS instance. Required if 'postgres' is in database_types. | string | null | no |
| postgres_port | The port of the postgres RDS instance | number | 5432 | no |
| postgres_rds_security_group_id | The security group to allow the lambda function to connect to the postgres RDS instance. Required if 'postgres' is in database_types. | string | null | no |
| postgres_root_database | The name of the root database for the postgres RDS instance | string | "postgres" | no |
| postgres_root_user_secret_arn | The ARN of the Secrets Manager secret containing the root user credentials for the postgres RDS instance. Required if 'postgres' is in database_types. | string | null | no |
| powertools_layer_arn | The ARN of the Powertools Lambda Layer. Must match the deployment region, `architecture` and `lambda_runtime`; the default is the eu-west-1 / python3.13 / arm64 layer. | string | "arn:aws:lambda:eu-west-1:017000801446:layer:AWSLambdaPowertoolsPythonV3-python313-arm64:5" | no |
| region | The AWS region to deploy the lambda function in | string | null | no |
| ssm_parameter_prefix | The prefix under which the lambda's IAM role is permitted to create and update secrets in AWS Secrets Manager (formerly used for SSM parameters, now applies to secrets). Keep it as narrow as the `password_parameter_prefix` values passed in events. | string | "/ecs/*" | no |
| vpc_id | The VPC to deploy the lambda function in | string | n/a | yes |
| vpc_subnets_id | The subnets to deploy the lambda function in | list(string) | n/a | yes |
Outputs
| Name | Description |
|---|---|
| documentdb_lambda_cloudwatch_log_group_arn | The ARN of the DocumentDB Lambda CloudWatch Log Group |
| documentdb_lambda_cloudwatch_log_group_name | The name of the DocumentDB Lambda CloudWatch Log Group |
| documentdb_lambda_event_source_mapping_arn | The DocumentDB event source mapping ARN |
| documentdb_lambda_event_source_mapping_function_arn | The ARN of the DocumentDB Lambda function the event source mapping is sending events to |
| documentdb_lambda_event_source_mapping_state | The state of the DocumentDB event source mapping |
| documentdb_lambda_event_source_mapping_state_transition_reason | The reason the DocumentDB event source mapping is in its current state |
| documentdb_lambda_event_source_mapping_uuid | The UUID of the created DocumentDB event source mapping |
| documentdb_lambda_function_arn | The ARN of the DocumentDB Lambda Function |
| documentdb_lambda_function_arn_static | The static ARN of the DocumentDB Lambda Function. Use this to avoid cycle errors between resources. |
| documentdb_lambda_function_invoke_arn | The Invoke ARN of the DocumentDB Lambda Function |
| documentdb_lambda_function_kms_key_arn | The ARN for the KMS encryption key of DocumentDB Lambda Function |
| documentdb_lambda_function_last_modified | The date DocumentDB Lambda Function resource was last modified |
| documentdb_lambda_function_name | The name of the DocumentDB Lambda Function |
| documentdb_lambda_function_qualified_arn | The ARN identifying your DocumentDB Lambda Function Version |
| documentdb_lambda_function_qualified_invoke_arn | The Invoke ARN identifying your DocumentDB Lambda Function Version |
| documentdb_lambda_function_signing_job_arn | ARN of the DocumentDB Lambda signing job |
| documentdb_lambda_function_signing_profile_version_arn | ARN of the DocumentDB Lambda signing profile version |
| documentdb_lambda_function_source_code_hash | Base64-encoded representation of raw SHA-256 sum of the DocumentDB Lambda zip file |
| documentdb_lambda_function_source_code_size | The size in bytes of the DocumentDB Lambda .zip file |
| documentdb_lambda_function_url | The URL of the DocumentDB Lambda Function URL |
| documentdb_lambda_function_url_id | The DocumentDB Lambda Function URL generated id |
| documentdb_lambda_function_version | Latest published version of DocumentDB Lambda Function |
| documentdb_lambda_layer_arn | The ARN of the DocumentDB Lambda Layer with version |
| documentdb_lambda_layer_created_date | The date DocumentDB Lambda Layer resource was created |
| documentdb_lambda_layer_layer_arn | The ARN of the DocumentDB Lambda Layer without version |
| documentdb_lambda_layer_source_code_size | The size in bytes of the DocumentDB Lambda Layer .zip file |
| documentdb_lambda_layer_version | The DocumentDB Lambda Layer version |
| documentdb_lambda_local_filename | The filename of the DocumentDB Lambda zip archive deployed (if deployment was from local) |
| documentdb_lambda_role_arn | The ARN of the IAM role created for the DocumentDB Lambda Function |
| documentdb_lambda_role_name | The name of the IAM role created for the DocumentDB Lambda Function |
| documentdb_lambda_role_unique_id | The unique id of the IAM role created for the DocumentDB Lambda Function |
| documentdb_lambda_s3_object | The map with S3 object data of DocumentDB Lambda zip archive deployed (if deployment was from S3) |
| mysql_lambda_cloudwatch_log_group_arn | The ARN of the MySQL Lambda CloudWatch Log Group |
| mysql_lambda_cloudwatch_log_group_name | The name of the MySQL Lambda CloudWatch Log Group |
| mysql_lambda_event_source_mapping_arn | The MySQL event source mapping ARN |
| mysql_lambda_event_source_mapping_function_arn | The ARN of the MySQL Lambda function the event source mapping is sending events to |
| mysql_lambda_event_source_mapping_state | The state of the MySQL event source mapping |
| mysql_lambda_event_source_mapping_state_transition_reason | The reason the MySQL event source mapping is in its current state |
| mysql_lambda_event_source_mapping_uuid | The UUID of the created MySQL event source mapping |
| mysql_lambda_function_arn | The ARN of the MySQL Lambda Function |
| mysql_lambda_function_arn_static | The static ARN of the MySQL Lambda Function. Use this to avoid cycle errors between resources. |
| mysql_lambda_function_invoke_arn | The Invoke ARN of the MySQL Lambda Function |
| mysql_lambda_function_kms_key_arn | The ARN for the KMS encryption key of MySQL Lambda Function |
| mysql_lambda_function_last_modified | The date MySQL Lambda Function resource was last modified |
| mysql_lambda_function_name | The name of the MySQL Lambda Function |
| mysql_lambda_function_qualified_arn | The ARN identifying your MySQL Lambda Function Version |
| mysql_lambda_function_qualified_invoke_arn | The Invoke ARN identifying your MySQL Lambda Function Version |
| mysql_lambda_function_signing_job_arn | ARN of the MySQL Lambda signing job |
| mysql_lambda_function_signing_profile_version_arn | ARN of the MySQL Lambda signing profile version |
| mysql_lambda_function_source_code_hash | Base64-encoded representation of raw SHA-256 sum of the MySQL Lambda zip file |
| mysql_lambda_function_source_code_size | The size in bytes of the MySQL Lambda .zip file |
| mysql_lambda_function_url | The URL of the MySQL Lambda Function URL |
| mysql_lambda_function_url_id | The MySQL Lambda Function URL generated id |
| mysql_lambda_function_version | Latest published version of MySQL Lambda Function |
| mysql_lambda_layer_arn | The ARN of the MySQL Lambda Layer with version |
| mysql_lambda_layer_created_date | The date MySQL Lambda Layer resource was created |
| mysql_lambda_layer_layer_arn | The ARN of the MySQL Lambda Layer without version |
| mysql_lambda_layer_source_code_size | The size in bytes of the MySQL Lambda Layer .zip file |
| mysql_lambda_layer_version | The MySQL Lambda Layer version |
| mysql_lambda_local_filename | The filename of the MySQL Lambda zip archive deployed (if deployment was from local) |
| mysql_lambda_role_arn | The ARN of the IAM role created for the MySQL Lambda Function |
| mysql_lambda_role_name | The name of the IAM role created for the MySQL Lambda Function |
| mysql_lambda_role_unique_id | The unique id of the IAM role created for the MySQL Lambda Function |
| mysql_lambda_s3_object | The map with S3 object data of MySQL Lambda zip archive deployed (if deployment was from S3) |
| postgres_lambda_cloudwatch_log_group_arn | The ARN of the Cloudwatch Log Group |
| postgres_lambda_cloudwatch_log_group_name | The name of the Cloudwatch Log Group |
| postgres_lambda_event_source_mapping_arn | The event source mapping ARN |
| postgres_lambda_event_source_mapping_function_arn | The ARN of the Lambda function the event source mapping is sending events to |
| postgres_lambda_event_source_mapping_state | The state of the event source mapping |
| postgres_lambda_event_source_mapping_state_transition_reason | The reason the event source mapping is in its current state |
| postgres_lambda_event_source_mapping_uuid | The UUID of the created event source mapping |
| postgres_lambda_function_arn | The ARN of the Lambda Function |
| postgres_lambda_function_arn_static | The static ARN of the Lambda Function. Use this to avoid cycle errors between resources (e.g., Step Functions) |
| postgres_lambda_function_invoke_arn | The Invoke ARN of the Lambda Function |
| postgres_lambda_function_kms_key_arn | The ARN for the KMS encryption key of Lambda Function |
| postgres_lambda_function_last_modified | The date Lambda Function resource was last modified |
| postgres_lambda_function_name | The name of the Lambda Function |
| postgres_lambda_function_qualified_arn | The ARN identifying your Lambda Function Version |
| postgres_lambda_function_qualified_invoke_arn | The Invoke ARN identifying your Lambda Function Version |
| postgres_lambda_function_signing_job_arn | ARN of the signing job |
| postgres_lambda_function_signing_profile_version_arn | ARN of the signing profile version |
| postgres_lambda_function_source_code_hash | Base64-encoded representation of raw SHA-256 sum of the zip file |
| postgres_lambda_function_source_code_size | The size in bytes of the function .zip file |
| postgres_lambda_function_url | The URL of the Lambda Function URL |
| postgres_lambda_function_url_id | The Lambda Function URL generated id |
| postgres_lambda_function_version | Latest published version of Lambda Function |
| postgres_lambda_layer_arn | The ARN of the Lambda Layer with version |
| postgres_lambda_layer_created_date | The date Lambda Layer resource was created |
| postgres_lambda_layer_layer_arn | The ARN of the Lambda Layer without version |
| postgres_lambda_layer_source_code_size | The size in bytes of the Lambda Layer .zip file |
| postgres_lambda_layer_version | The Lambda Layer version |
| postgres_lambda_local_filename | The filename of zip archive deployed (if deployment was from local) |
| postgres_lambda_role_arn | The ARN of the IAM role created for the Lambda Function |
| postgres_lambda_role_name | The name of the IAM role created for the Lambda Function |
| postgres_lambda_role_unique_id | The unique id of the IAM role created for the Lambda Function |
| postgres_lambda_s3_object | The map with S3 object data of zip archive deployed (if deployment was from S3) |
| security_group_id | The ID of the security group used for the lambdas |