Creating an RDS Oracle Option Group with SSL Configured

When working with Amazon RDS Oracle instances, option groups provide a way to enable and configure additional features beyond the default database configuration. Recently, while implementing infrastructure as code using Terraform for an Oracle 19c database, I encountered some interesting challenges that I would like to share.

My requirements were straightforward:

Configure time zone setting
Enable S3 integration
Implement SSL for secure communications

The first two options were relatively simple to implement, with plenty of documentation and examples available. However, setting up SSL through Terraform proved to be more challenging, with limited examples available online.

An example of how to create an option group with these configurations is below:

Terraform code

# provider.tf
provider "aws" {
  region = "us-east-1"  # Change to your desired region
}

resource "aws_db_option_group" "oracle_19c_utc" {
  name                     = "oracle-19c-test"
  option_group_description = "Oracle 19c option group with UTC timezone"
  engine_name              = "oracle-ee"
  major_engine_version     = "19"

  option {
    option_name = "Timezone"
    option_settings {
      name  = "TIME_ZONE"
      value = "UTC"
    }
  }

  option {
    option_name = "S3_INTEGRATION"
    version     = "1.0"
  }

  option {
    option_name = "SSL"
    port        = 2484
    vpc_security_group_memberships = ["sg-0x9ccd…."]
    
    option_settings {
      name  = "SQLNET.SSL_VERSION"
      value = "1.2 or 1.0"
    }
    
    option_settings {
      name  = "FIPS.SSLFIPS_140"
      value = "false"
    }
    
    option_settings {
      name  = "SQLNET.CIPHER_SUITE"
      value = "SSL_RSA_WITH_AES_256_CBC_SHA"
    }
  }

  tags = {
    Name = "Oracle 19c Option Group"
  }
}

An option group should be created as shown below:

While the available documentation provides foundational guidance, implementing these options in combination requires additional context and configuration details. This working example aims to streamline the implementation process for anyone facing similar requirements.

Before implementing this solution, please note:

Customize the option group name to align with your naming conventions
Verify compatibility with your specific Oracle engine version
Adjust security groups and network configurations to accommodate SSL connections
Review and modify cipher suite selections based on your security requirements
Ensure compliance with your organization’s security standards

Author: Dean Capps

Database consultant at Amazon Web Services. View all posts by Dean Capps