Merge pull request #138 from MaterializeInc/aws-rds-customer-managed-kms

jshiwamV · web-flow · commit 7a4569f1b02c · 2026-01-08T15:02:32.000Z
add customer managed kms encryption to rds and update readmes
diff --git a/aws/examples/simple/outputs.tf b/aws/examples/simple/outputs.tf
@@ -116,3 +116,13 @@ output "external_login_password_mz_system" {
   value       = random_password.external_login_password_mz_system.result
   sensitive   = true
 }
+
+output "rds_kms_key_alias" {
+  description = "KMS Key used to encrypt the RDS instance"
+  value       = module.database.kms_key_alias
+}
+
+output "rds_kms_key_arn" {
+  description = "KMS Key used to encrypt the RDS instance"
+  value       = module.database.kms_key_arn
+}
diff --git a/aws/modules/database/README.md b/aws/modules/database/README.md
@@ -21,6 +21,8 @@
 
 | Name | Type |
 |------|------|
+| [aws_kms_alias.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_security_group.database](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.allow_all_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
 | [aws_security_group_rule.eks_cluster_postgres_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
@@ -35,11 +37,15 @@
 | <a name="input_backup_window"></a> [backup\_window](#input\_backup\_window) | Preferred backup window | `string` | `"03:00-06:00"` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
 | <a name="input_cluster_security_group_id"></a> [cluster\_security\_group\_id](#input\_cluster\_security\_group\_id) | Security group ID of the EKS cluster | `string` | n/a | yes |
+| <a name="input_create_kms_key"></a> [create\_kms\_key](#input\_create\_kms\_key) | Whether to create a new KMS key for RDS encryption. If false and kms\_key\_id is not specified, the default AWS managed key will be used. | `bool` | `false` | no |
 | <a name="input_database_name"></a> [database\_name](#input\_database\_name) | Name of the database to create | `string` | n/a | yes |
 | <a name="input_database_password"></a> [database\_password](#input\_database\_password) | Password for the database | `string` | n/a | yes |
 | <a name="input_database_subnet_ids"></a> [database\_subnet\_ids](#input\_database\_subnet\_ids) | List of subnet IDs for the database | `list(string)` | n/a | yes |
 | <a name="input_database_username"></a> [database\_username](#input\_database\_username) | Username for the database | `string` | n/a | yes |
 | <a name="input_instance_class"></a> [instance\_class](#input\_instance\_class) | Instance class for the RDS instance | `string` | n/a | yes |
+| <a name="input_kms_key_deletion_window_in_days"></a> [kms\_key\_deletion\_window\_in\_days](#input\_kms\_key\_deletion\_window\_in\_days) | The waiting period, specified in number of days, after which AWS KMS deletes the KMS key. Valid values are 7-30 days. | `number` | `30` | no |
+| <a name="input_kms_key_enable_rotation"></a> [kms\_key\_enable\_rotation](#input\_kms\_key\_enable\_rotation) | Specifies whether key rotation is enabled for the KMS key. | `bool` | `true` | no |
+| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | The ARN for the KMS encryption key. If not specified and create\_kms\_key is false, the default AWS managed key will be used. | `string` | `null` | no |
 | <a name="input_maintenance_window"></a> [maintenance\_window](#input\_maintenance\_window) | Preferred maintenance window | `string` | `"Mon:00:00-Mon:03:00"` | no |
 | <a name="input_max_allocated_storage"></a> [max\_allocated\_storage](#input\_max\_allocated\_storage) | Maximum storage for autoscaling (in GB) | `number` | `100` | no |
 | <a name="input_multi_az"></a> [multi\_az](#input\_multi\_az) | Enable multi-AZ deployment | `bool` | `false` | no |
@@ -59,3 +65,6 @@
 | <a name="output_db_instance_port"></a> [db\_instance\_port](#output\_db\_instance\_port) | The database port |
 | <a name="output_db_instance_username"></a> [db\_instance\_username](#output\_db\_instance\_username) | The master username for the database |
 | <a name="output_db_security_group_id"></a> [db\_security\_group\_id](#output\_db\_security\_group\_id) | The security group ID of the database |
+| <a name="output_kms_key_alias"></a> [kms\_key\_alias](#output\_kms\_key\_alias) | The alias of the KMS key used for RDS encryption |
+| <a name="output_kms_key_arn"></a> [kms\_key\_arn](#output\_kms\_key\_arn) | The ARN of the KMS key used for RDS encryption |
+| <a name="output_kms_key_id"></a> [kms\_key\_id](#output\_kms\_key\_id) | The ID of the KMS key used for RDS encryption (only if created by this module) |
diff --git a/aws/modules/database/main.tf b/aws/modules/database/main.tf
@@ -1,3 +1,32 @@
+# KMS key for RDS encryption at rest
+# NOTE: Once an RDS instance is created with this KMS key, it cannot be changed.
+# Deleting this key while the database exists will make the database inaccessible.
+# The deletion_window_in_days provides a recovery period - use `aws kms cancel-key-deletion`
+# to recover if deleted accidentally. See: https://repost.aws/knowledge-center/update-encryption-key-rds
+resource "aws_kms_key" "rds" {
+  count = var.create_kms_key ? 1 : 0
+
+  description             = "KMS key for RDS encryption - ${var.name_prefix}"
+  deletion_window_in_days = var.kms_key_deletion_window_in_days
+  enable_key_rotation     = var.kms_key_enable_rotation
+
+  tags = merge(var.tags, {
+    Name = "${var.name_prefix}-rds-kms-key"
+  })
+}
+
+resource "aws_kms_alias" "rds" {
+  count = var.create_kms_key ? 1 : 0
+
+  name          = "alias/${var.name_prefix}-rds"
+  target_key_id = aws_kms_key.rds[0].key_id
+}
+
+locals {
+  # Use created KMS key if create_kms_key is true, otherwise use provided kms_key_id (or null for AWS-managed key)
+  kms_key_arn = var.create_kms_key ? aws_kms_key.rds[0].arn : var.kms_key_id
+}
+
 module "db" {
   source  = "terraform-aws-modules/rds/aws"
   version = "~> 6.0"
@@ -16,6 +45,7 @@ module "db" {
   allocated_storage     = var.allocated_storage
   max_allocated_storage = var.max_allocated_storage
   storage_encrypted     = true
+  kms_key_id            = local.kms_key_arn
 
   db_name  = var.database_name
   username = var.database_username
diff --git a/aws/modules/database/outputs.tf b/aws/modules/database/outputs.tf
@@ -28,3 +28,18 @@ output "db_security_group_id" {
   description = "The security group ID of the database"
   value       = aws_security_group.database.id
 }
+
+output "kms_key_arn" {
+  description = "The ARN of the KMS key used for RDS encryption"
+  value       = local.kms_key_arn
+}
+
+output "kms_key_id" {
+  description = "The ID of the KMS key used for RDS encryption (only if created by this module)"
+  value       = var.create_kms_key ? aws_kms_key.rds[0].key_id : null
+}
+
+output "kms_key_alias" {
+  description = "The alias of the KMS key used for RDS encryption"
+  value       = var.create_kms_key ? aws_kms_alias.rds[0].name : null
+}
diff --git a/aws/modules/database/variables.tf b/aws/modules/database/variables.tf
@@ -112,3 +112,27 @@ variable "tags" {
   type        = map(string)
   default     = {}
 }
+
+variable "kms_key_id" {
+  description = "The ARN for the KMS encryption key. If not specified and create_kms_key is false, the default AWS managed key will be used."
+  type        = string
+  default     = null
+}
+
+variable "create_kms_key" {
+  description = "Whether to create a new KMS key for RDS encryption. If false and kms_key_id is not specified, the default AWS managed key will be used."
+  type        = bool
+  default     = false
+}
+
+variable "kms_key_deletion_window_in_days" {
+  description = "The waiting period, specified in number of days, after which AWS KMS deletes the KMS key. Valid values are 7-30 days."
+  type        = number
+  default     = 30
+}
+
+variable "kms_key_enable_rotation" {
+  description = "Specifies whether key rotation is enabled for the KMS key."
+  type        = bool
+  default     = true
+}
diff --git a/kubernetes/modules/materialize-instance/README.md b/kubernetes/modules/materialize-instance/README.md
@@ -45,8 +45,8 @@ No modules.
 | <a name="input_instance_namespace"></a> [instance\_namespace](#input\_instance\_namespace) | Kubernetes namespace for the instance. | `string` | n/a | yes |
 | <a name="input_issuer_ref"></a> [issuer\_ref](#input\_issuer\_ref) | Reference to a cert-manager Issuer or ClusterIssuer. | <pre>object({<br/>    name = string<br/>    kind = string<br/>  })</pre> | `null` | no |
 | <a name="input_license_key"></a> [license\_key](#input\_license\_key) | Materialize license key | `string` | `null` | no |
-| <a name="input_memory_limit"></a> [memory\_limit](#input\_memory\_limit) | Memory limit for environmentd | `string` | `"1Gi"` | no |
-| <a name="input_memory_request"></a> [memory\_request](#input\_memory\_request) | Memory request for environmentd | `string` | `"1Gi"` | no |
+| <a name="input_memory_limit"></a> [memory\_limit](#input\_memory\_limit) | Memory limit for environmentd | `string` | `"4Gi"` | no |
+| <a name="input_memory_request"></a> [memory\_request](#input\_memory\_request) | Memory request for environmentd | `string` | `"4095Mi"` | no |
 | <a name="input_metadata_backend_url"></a> [metadata\_backend\_url](#input\_metadata\_backend\_url) | PostgreSQL connection URL for metadata backend | `string` | n/a | yes |
 | <a name="input_persist_backend_url"></a> [persist\_backend\_url](#input\_persist\_backend\_url) | S3 connection URL for persist backend | `string` | n/a | yes |
 | <a name="input_pod_labels"></a> [pod\_labels](#input\_pod\_labels) | Labels for the materialize instance pod | `map(string)` | `{}` | no |
