Migrate RDS

RDS database instance module with compliance controls for encryption at rest, backup retention, deletion protection, IAM authentication, CloudWatch logging, and public access restrictions. Encryption at rest may require a snapshot-restore cycle if not already enabled.

Minor Fixes · 15-30 minutes per instance

Before and After

The migration is a source URL change. Your arguments, outputs, and Terraform state remain the same.

PCI DSS v4.0

Before (terraform-aws-modules):

module "rds" {
  source  = "terraform-aws-modules/rds/aws"
  version = "~> 7.0"

  identifier = "my-app-db"

  engine         = "mysql"
  engine_version = "8.0"
  instance_class = "db.t3.micro"

  allocated_storage = 20
  db_name           = "myapp"
  username          = "dbadmin"

  tags = {
    Environment = "production"
  }
}

After (compliance.tf / PCI DSS v4.0):

module "rds" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/rds/aws"
  version = "~> 7.0"

  identifier = "my-app-db"

  engine         = "mysql"
  engine_version = "8.0"
  instance_class = "db.t3.micro"

  allocated_storage = 20
  db_name           = "myapp"
  username          = "dbadmin"

  tags = {
    Environment = "production"
  }
}

SOC 2

Before (terraform-aws-modules):

module "rds" {
  source  = "terraform-aws-modules/rds/aws"
  version = "~> 7.0"

  identifier = "my-app-db"

  engine         = "mysql"
  engine_version = "8.0"
  instance_class = "db.t3.micro"

  allocated_storage = 20
  db_name           = "myapp"
  username          = "dbadmin"

  tags = {
    Environment = "production"
  }
}

After (compliance.tf / SOC 2):

module "rds" {
  source  = "soc2.compliance.tf/terraform-aws-modules/rds/aws"
  version = "~> 7.0"

  identifier = "my-app-db"

  engine         = "mysql"
  engine_version = "8.0"
  instance_class = "db.t3.micro"

  allocated_storage = 20
  db_name           = "myapp"
  username          = "dbadmin"

  tags = {
    Environment = "production"
  }
}

What Changes

Source URL points to compliance.tf registry
Compliance controls are enforced via validation rules
terraform plan will fail if required controls are not satisfied

What Stays the Same

All input variables (same interface as upstream terraform-aws-modules)
All output values
Resource addresses in Terraform state
Provider configuration
Version constraints

Step-by-Step Migration

Change the source URL in your module block to your framework subdomain
Run terraform init -upgrade to download the compliance.tf module
Run terraform plan to review changes. Expect a clean plan or validation errors for missing values
Fix validation errors if any (see Common Issues below)
Run terraform apply
Verify by checking .compliancetf-manifest.json in .terraform/modules/

Common Issues and Fixes

Version Compatibility

Upstream Version	compliance.tf Version	Status	Notes
v7.x	v7.x	Supported	Direct swap. Adapter version constraint: >=7.0.0

State Impact

No terraform state mv needed in typical cases. Resource addresses are unchanged because compliance.tf modules use the same internal resource structure as upstream. If a compliance control adds a new resource (rare), terraform plan will show the addition.

Change source back to "terraform-aws-modules/rds/aws"
Run terraform init -upgrade
Run terraform plan to confirm no resource changes
Compliance controls are no longer enforced, but existing configurations remain in place

Migration Guide · Compatibility · RDS Module

Migrate RDS

Before and After

PCI DSS v4.0

SOC 2

What Changes

What Stays the Same

Step-by-Step Migration

Common Issues and Fixes

Version Compatibility

State Impact

Controls Enforced

PCI DSS v4.0

SOC 2

Rollback

On this page

Storage encryption requires snapshot-restore cycle

Missing backup retention period

Missing CloudWatch log exports

Deletion protection not enabled

Auto minor version upgrade not enabled (PCI DSS only)

On this page