Option groups provide additional features for an Amazon RDS DB instance. Each option is a named feature, such as MARIADB_AUDIT_PLUGIN for MySQL or Oracle’s OEM_AGENT. Not every engine supports option groups.
Option groups are not supported for PostgreSQL. When engine = "postgres", the module automatically skips option group creation regardless of the create_db_option_group setting. Any value set for option_group_name is ignored.

Supported engines

| Engine | Option groups supported |
| --- | --- |
| MySQL | Yes |
| MariaDB | Yes |
| Oracle | Yes |
| SQL Server | Yes |
| PostgreSQL | No |

Variables

| Variable | Default | Description |
| --- | --- | --- |
| create_db_option_group | true | Whether to create an option group. Set to false to reference an existing one or use the AWS default. |
| option_group_name | null | Name of the option group to create or reference. Defaults to the instance identifier. |
| option_group_use_name_prefix | true | When true, appends a unique suffix. Set to false to use the exact name. |
| major_engine_version | null | The major engine version the option group is associated with (e.g., "8.0", "19"). Required when creating. |
| options | null | List of option objects to configure. |
| option_group_description | null | Description for the option group. |
| option_group_skip_destroy | null | When true, removes the option group from state on destroy without deleting it from AWS. |
| option_group_timeouts | null | Override the deletion timeout for the option group resource. |

The options object

Each entry in options accepts the following fields, as defined in variables.tf:
options = [
  {
    option_name                    = string                  # Option identifier (required)
    port                           = optional(number)        # Override port for this option
    version                        = optional(string)        # Option version
    db_security_group_memberships  = optional(list(string))  # Classic security groups
    vpc_security_group_memberships = optional(list(string))  # VPC security groups
    option_settings = optional(list(object({                 # Option-specific settings
      name  = string
      value = string
    })))
  }
]

Usage patterns

The module creates an option group by default. Provide major_engine_version and options to configure it. The following example adds the MARIADB_AUDIT_PLUGIN option to a MySQL 8.0 instance:
module "db" {
  source = "terraform-aws-modules/rds/aws"

  identifier = "demodb"

  engine            = "mysql"
  engine_version    = "8.0"
  instance_class    = "db.t4g.large"
  allocated_storage = 5

  # Option group
  major_engine_version = "8.0"

  options = [
    {
      option_name = "MARIADB_AUDIT_PLUGIN"

      option_settings = [
        {
          name  = "SERVER_AUDIT_EVENTS"
          value = "CONNECT"
        },
        {
          name  = "SERVER_AUDIT_FILE_ROTATIONS"
          value = "37"
        },
      ]
    },
  ]

  # ... other required variables
}
To use an exact option group name:
option_group_name            = "prod-instance-mysql-8.0"
option_group_use_name_prefix = false
To use a name prefix (the default):
option_group_name = "prod-instance-mysql-8.0"
# option_group_use_name_prefix = true (default)

Oracle option group example

Oracle option groups are commonly used for features like Oracle Enterprise Manager, Transparent Data Encryption, and native network encryption.
module "db" {
  source = "terraform-aws-modules/rds/aws"

  identifier = "demodb-oracle"

  engine               = "oracle-ee"
  engine_version       = "19"
  family               = "oracle-ee-19"
  major_engine_version = "19"
  instance_class       = "db.t3.large"
  license_model        = "bring-your-own-license"

  # Option group will be created automatically
  # Add options as needed:
  options = [
    {
      option_name = "NATIVE_NETWORK_ENCRYPTION"
      option_settings = [
        {
          name  = "SQLNET.ENCRYPTION_SERVER"
          value = "REQUIRED"
        },
        {
          name  = "SQLNET.ENCRYPTION_TYPES_SERVER"
          value = "AES256"
        },
      ]
    },
  ]

  # ... other required variables
}
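
The audit and encryption settings in the two module examples above can be verified before apply. The following Python is an added example, not part of the module or its documentation: it reads the JSON produced by terraform show -json and flags aws_db_option_group resources whose settings fall short of a policy. The policy table, the function name and the sample plan (including its resource addresses) are assumptions constructed for illustration.

```python
import json

# Assumed policy for this example: option -> setting -> (required values, allowed values).
# allowed=None means any additional value is accepted.
AES = {"AES256", "AES192", "AES128"}
POLICY = {
    "MARIADB_AUDIT_PLUGIN": {"SERVER_AUDIT_EVENTS": ({"CONNECT"}, None)},
    "NATIVE_NETWORK_ENCRYPTION": {
        "SQLNET.ENCRYPTION_SERVER": ({"REQUIRED"}, {"REQUIRED"}),
        "SQLNET.ENCRYPTION_TYPES_SERVER": (set(), AES),
    },
}

def check_option_groups(plan):
    """Return findings for aws_db_option_group resources in a `terraform show -json` plan."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if rc.get("type") != "aws_db_option_group" or not after:
            continue  # other resource types, or an option group being destroyed
        for opt in after.get("option") or []:
            settings = {s["name"]: s["value"] for s in opt.get("option_settings") or []}
            for name, (required, allowed) in POLICY.get(opt["option_name"], {}).items():
                where = f'{rc["address"]}: {opt["option_name"]}.{name}'
                if name not in settings:
                    findings.append(f"{where} is not set")
                    continue
                # Settings such as SERVER_AUDIT_EVENTS hold comma-separated lists.
                values = {v.strip() for v in settings[name].split(",") if v.strip()}
                if required - values:
                    findings.append(f"{where} is missing {sorted(required - values)}")
                elif allowed is not None and values - allowed:
                    findings.append(f"{where} has disallowed {sorted(values - allowed)}")
    return findings

# Constructed sample plan (addresses and values are made up for this example).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.mysql.aws_db_option_group.this[0]", "type": "aws_db_option_group",
   "change": {"after": {"option": [{"option_name": "MARIADB_AUDIT_PLUGIN", "option_settings": [
     {"name": "SERVER_AUDIT_EVENTS", "value": "CONNECT,QUERY_DDL"}]}]}}},
  {"address": "module.oracle.aws_db_option_group.this[0]", "type": "aws_db_option_group",
   "change": {"after": {"option": [{"option_name": "NATIVE_NETWORK_ENCRYPTION", "option_settings": [
     {"name": "SQLNET.ENCRYPTION_SERVER", "value": "REQUESTED"}]}]}}}
]}
""")

if __name__ == "__main__":
    for finding in check_option_groups(SAMPLE_PLAN):
        print(finding)
```

In a pipeline, feed it the parsed output of terraform show -json for a saved plan file and fail the job when the returned list is not empty.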

Deletion timeout

Option group deletion can take several minutes if it is still associated with an instance. You can increase the timeout:
option_group_timeouts = {
  delete = "15m"
}
Set option_group_skip_destroy = true in production environments to prevent the option group from being deleted when you run terraform destroy. The resource will be removed from state but will remain in AWS.