diff --git a/docs/reference/modules/terraform-aws-data-storage/backup-vault/backup-vault.md b/docs/reference/modules/terraform-aws-data-storage/backup-vault/backup-vault.md
index 13711d1a6..051f5f51a 100644
--- a/docs/reference/modules/terraform-aws-data-storage/backup-vault/backup-vault.md
+++ b/docs/reference/modules/terraform-aws-data-storage/backup-vault/backup-vault.md
@@ -51,6 +51,25 @@ module "backup_vault" {
 }
 ```
+## How do you create a logically air-gapped vault?
+
+AWS Backup supports logically air-gapped vaults that provide additional protection against ransomware and malicious actors. Air-gapped vaults can only receive recovery points from copy jobs and enforce strict retention policies. To create an air-gapped vault, set the `air_gapped` attribute to true:
+
+```hcl
+module "backup_vault" {
+
+ vaults = {
+ "air-gapped-vault" = {
+ air_gapped = true
+ min_retention_days = 30
+ max_retention_days = 120
+ }
+ }
+}
+```
+
+Note: Air-gapped vaults cannot be locked using the vault lock feature and can only receive recovery points through copy actions from other vaults.
+
 ## How do you enable vault notifications?
 Backup vaults can publish notifications to an SNS topic. This is useful when you want to monitor for any problems with your backup workflows. To enable notifications for a vault when configuring a new vault with this module, set the `enable_notifications` attribute to true like so:
@@ -308,6 +327,6 @@ A map of tags assigned to the vault resources, including those inherited from th
 "https://github.com/gruntwork-io/terraform-aws-data-storage/tree/v0.40.7/modules/backup-vault/outputs.tf"
 ],
 "sourcePlugin": "module-catalog-api",
- "hash": "c5d2cd07ebcbddc7834580f0fb0cd0c8"
+ "hash": "caef1793dc224be34ca425449fe06a4b"
 }
 ##DOCS-SOURCER-END -->
diff --git a/docs/reference/modules/terraform-aws-data-storage/lambda-cleanup-snapshots/lambda-cleanup-snapshots.md b/docs/reference/modules/terraform-aws-data-storage/lambda-cleanup-snapshots/lambda-cleanup-snapshots.md
index b64852141..1b361f370 100644
--- a/docs/reference/modules/terraform-aws-data-storage/lambda-cleanup-snapshots/lambda-cleanup-snapshots.md
+++ b/docs/reference/modules/terraform-aws-data-storage/lambda-cleanup-snapshots/lambda-cleanup-snapshots.md
@@ -283,6 +283,9 @@ Namespace of snapshots that will be cleaned up by this module. If specified then
+
+
+
@@ -297,6 +300,6 @@ Namespace of snapshots that will be cleaned up by this module. If specified then
 "https://github.com/gruntwork-io/terraform-aws-data-storage/tree/v0.40.7/modules/lambda-cleanup-snapshots/outputs.tf"
 ],
 "sourcePlugin": "module-catalog-api",
- "hash": "a71af2ac43a6b1514c3c733c03f89035"
+ "hash": "79abe50d025c454a4518793b44e5e134"
 }
 ##DOCS-SOURCER-END -->
diff --git a/docs/reference/modules/terraform-aws-data-storage/lambda-create-snapshot/lambda-create-snapshot.md b/docs/reference/modules/terraform-aws-data-storage/lambda-create-snapshot/lambda-create-snapshot.md
index f22b5774f..b0d3073b7 100644
--- a/docs/reference/modules/terraform-aws-data-storage/lambda-create-snapshot/lambda-create-snapshot.md
+++ b/docs/reference/modules/terraform-aws-data-storage/lambda-create-snapshot/lambda-create-snapshot.md
@@ -453,6 +453,9 @@ Namespace all snapshots created by this module's jobs with this suffix. If not s
+
+
+
@@ -467,6 +470,6 @@ Namespace all snapshots created by this module's jobs with this suffix. If not s
 "https://github.com/gruntwork-io/terraform-aws-data-storage/tree/v0.40.7/modules/lambda-create-snapshot/outputs.tf"
 ],
 "sourcePlugin": "module-catalog-api",
- "hash": "c48bb217aaf5db31486df1b619448098"
+ "hash": "a8241bdf1a8a7c8212f0b7d8f4d193b1"
 }
 ##DOCS-SOURCER-END -->
diff --git a/docs/reference/modules/terraform-aws-data-storage/lambda-share-snapshot/lambda-share-snapshot.md b/docs/reference/modules/terraform-aws-data-storage/lambda-share-snapshot/lambda-share-snapshot.md
index aad5fedac..25655a3a1 100644
--- a/docs/reference/modules/terraform-aws-data-storage/lambda-share-snapshot/lambda-share-snapshot.md
+++ b/docs/reference/modules/terraform-aws-data-storage/lambda-share-snapshot/lambda-share-snapshot.md
@@ -188,6 +188,9 @@ The amount of time, in seconds, between retries.
+
+
+
@@ -202,6 +205,6 @@ The amount of time, in seconds, between retries.
 "https://github.com/gruntwork-io/terraform-aws-data-storage/tree/v0.40.7/modules/lambda-share-snapshot/outputs.tf"
 ],
 "sourcePlugin": "module-catalog-api",
- "hash": "46bf2714a32dbe6ce493f426e2e06ea8"
+ "hash": "bce4f2d01843152c3b74672efa6565ea"
 }
 ##DOCS-SOURCER-END -->
diff --git a/docs/reference/modules/terraform-aws-data-storage/rds/rds.md b/docs/reference/modules/terraform-aws-data-storage/rds/rds.md
index 763f8c627..d5de99790 100644
--- a/docs/reference/modules/terraform-aws-data-storage/rds/rds.md
+++ b/docs/reference/modules/terraform-aws-data-storage/rds/rds.md
@@ -104,25 +104,6 @@ Note that low-downtime updates are only supported for MySQL, MariaDB, and Postgr
 Set `multi_az=true`. When setting up a multi-AZ (Availability Zone) RDS deployment in AWS, both the primary and standby RDS instances are created in different Availability Zones for high availability. However, this doesn't mean they will have different endpoints. Both instances will have the same DNS endpoint, and AWS's internal infrastructure will handle the failover process transparently for you. AWS RDS provides automatic failover support for DB instances using Multi-AZ deployments for the supported database engines. Failover is automatically handled by RDS without any manual intervention.
-## Password Management
-
-This module supports multiple approaches for managing the master user password:
-
-### Regular Password Management
-
-* Use `master_password` to specify the password directly
-
-### AWS Managed Passwords
-
-* Set `manage_master_user_password = true` to have AWS manage the password in Secrets Manager
-* Optionally specify `master_user_secret_kms_key_id` for custom KMS encryption of the secret
-
-### Password Without State Storage (MySQL/PostgreSQL only)
-
-* Use `password_wo` instead of `master_password` to provide a password without storing the value in Terraform state
-* Use `password_wo_version` to specify the version number of the password
-* These parameters are only available for MySQL and PostgreSQL engines and provide enhanced security by preventing password storage in state files
-
 ## Sample Usage
@@ -132,11 +113,6 @@ This module supports multiple approaches for managing the master user password:
 # ------------------------------------------------------------------------------------------------------
 # DEPLOY GRUNTWORK'S RDS MODULE
-#
-# NOTE: This module uses some sensitive variables marked inline with "# SENSITIVE".
-# When using values other than defaults for these variables, set them through environment variables or
-# another secure method.
-#
 # ------------------------------------------------------------------------------------------------------
 module "rds" {
@@ -430,14 +406,6 @@ module "rds" {
 # Defaults to var.parameter_group_name if not set.
 parameter_group_name_for_read_replicas = null
- # The password for the master user without storing the value in Terraform
- # state. This option is only available for MySQL and PostgreSQL engines.
- password_wo = null # SENSITIVE
-
- # The version number of the master user password. This option is only
- # available for MySQL and PostgreSQL engines.
- password_wo_version = null
-
 # Specifies whether Performance Insights are enabled. Performance Insights can
 # be enabled for specific versions of database engines. See
 # https://aws.amazon.com/rds/performance-insights/ for more details.
@@ -533,11 +501,6 @@ module "rds" {
 # ------------------------------------------------------------------------------------------------------
 # DEPLOY GRUNTWORK'S RDS MODULE
-#
-# NOTE: This module uses some sensitive variables marked inline with "# SENSITIVE".
-# When using values other than defaults for these variables, set them through environment variables or
-# another secure method.
-#
 # ------------------------------------------------------------------------------------------------------
 terraform {
@@ -833,14 +796,6 @@ inputs = {
 # Defaults to var.parameter_group_name if not set.
 parameter_group_name_for_read_replicas = null
- # The password for the master user without storing the value in Terraform
- # state. This option is only available for MySQL and PostgreSQL engines.
- password_wo = null # SENSITIVE
-
- # The version number of the master user password. This option is only
- # available for MySQL and PostgreSQL engines.
- password_wo_version = null
-
 # Specifies whether Performance Insights are enabled. Performance Insights can
 # be enabled for specific versions of database engines. See
 # https://aws.amazon.com/rds/performance-insights/ for more details.
@@ -1582,24 +1537,6 @@ Name of a DB parameter group to associate with read replica instances. Defaults
-
-
-
-The password for the master user without storing the value in Terraform state. This option is only available for MySQL and PostgreSQL engines.
-
-
-
-
-
-
-
-The version number of the master user password. This option is only available for MySQL and PostgreSQL engines.
-
-
-
-
-
@@ -1823,6 +1760,6 @@ Timeout for DB updating
 "https://github.com/gruntwork-io/terraform-aws-data-storage/tree/v0.40.7/modules/rds/outputs.tf"
 ],
 "sourcePlugin": "module-catalog-api",
- "hash": "bafa5db9cbe5b7e6a686934342847b0f"
+ "hash": "a7ba0b72237a50a9c3596a344e370f9b"
 }
 ##DOCS-SOURCER-END -->