RDS Encryption

# Customer-managed KMS key that the RDS instance below uses for encryption at
# rest. The module is pinned to an exact version, so a registry update cannot
# silently change the key configuration.
# NOTE(review): the key policy and rotation settings are defined inside the
# module and are not visible here. Confirm that rotation is enabled and that
# the policy grants key usage only to the principals that need it.
module "rds_encryption_key" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/kms-key/aws"
  version = "1.0.0"

  description = "Encryption key for RDS database instances"
  alias       = "alias/rds-encryption"
}

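# PostgreSQL RDS instance whose storage is encrypted at rest with the
# customer-managed KMS key created by module.rds_encryption_key.
resource "aws_db_instance" "encrypted" {
  identifier     = "encrypted-database"
  engine         = "postgres"
  engine_version = "15.4"
  instance_class = "db.t3.micro"

  allocated_storage = 20
  storage_type      = "gp3"

  # Encryption at rest is fixed when the instance is created; changing
  # storage_encrypted later forces a replacement of the instance.
  # The instance is unusable if the key is disabled or deleted, so the key's
  # lifecycle has to be managed together with the database.
  storage_encrypted = true
  kms_key_id        = module.rds_encryption_key.key_arn

  db_name = "appdb"

  # "admin" is a reserved word for the PostgreSQL engine and RDS rejects it as
  # a master username, so a non-reserved name is used here.
  username = "dbadmin"

  # The password is written to the Terraform state in plaintext. The variable
  # is declared outside this listing: confirm it is marked sensitive = true and
  # that the state backend is encrypted and access-controlled.
  password = var.db_password

  # Example setting only: destroying the instance deletes the data without a
  # final snapshot. For real workloads set this to false and provide a
  # final_snapshot_identifier.
  skip_final_snapshot = true
}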

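# Values exposed to callers of this configuration. Neither is a secret, but
# both identify infrastructure and appear in plan/apply output and in state.
output "db_endpoint" {
  description = "Connection endpoint of the encrypted RDS instance"
  value       = aws_db_instance.encrypted.endpoint
}

output "encryption_key_arn" {
  description = "ARN of the KMS key that encrypts the RDS instance storage"
  value       = module.rds_encryption_key.key_arn
}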