We are happy to announce a major upgrade to the RDS Postgres module to v0.9. This upgrade brings compliance with major compliance frameworks: CIS AWS V1.3, PCI-DSS V3.2, NIST-800-53, ISO27001, and SOC2. Additionally, we have updated our publishing process to prevent changes to the module that would violate any of these compliance frameworks.
We made several upgrades to this module. Read further to assess any risk to upgrading your instance.
- Enabled enhanced monitoring.
- Enabled IAM authentication.
- Enabled query logging. Logs are now sent to a Cloudwatch Log Group:
/aws/rds/instance/<instance-name>/postgresql. - Updated default postgresql version to 13.
- Enabled automatic minor version upgrades.
- Secrets and Cloudwatch Logs are encrypted using customer-managed key instead of the default AWS key.
This upgrade makes no destructive changes to your database instance. While it is safe to upgrade your datastore, we always recommend upgrading modules in non-production instances before performing any changes to production instances.
If you did not specify a postgres version when launching your instance, this upgrade will perform a major version upgrade from v12 to v13.
If you wish to avoid the major version upgrade, you can manually specify postgres_version=12 in the Update dialog.
For many, upgrading from v12 to v13 is trivial. (Run an "Update" on your Datastore via Nullstone UI.) However, for a step-by-step guide, see How to perform a major version upgrade. In our tests, the upgrade plan took ~45 minutes and the database was down only briefly. This process could take much longer if you have attached read replicas because this process will force those to upgrade as well.
This upgrade makes changes to the database parameter group. (Enabled query logging) As such, these changes will be applied during your next maintenance window and will cause downtime. Usually, downtime is brief and occurs late night Sunday/early Monday.