chore: update examples for security best practices and Bridgecrew monitoring (#6)

2025-12-16 16:01:11 +00:00 · 2021-09-19 12:41:40 -04:00 · 2021-09-19 12:41:40 -04:00 · 4bbca899ca
commit 4bbca899ca
parent 3550f1bd9c
10 changed files with 205 additions and 60 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -1,10 +1,10 @@
 repos:
  - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.50.0
+    rev: v1.51.0
    hooks:
      - id: terraform_fmt
      - id: terraform_docs
  - repo: git://github.com/pre-commit/pre-commit-hooks
-    rev: v3.4.0
+    rev: v4.0.1
    hooks:
      - id: check-merge-conflict
--- a/README.md
+++ b/README.md
@ -61,6 +61,21 @@ Examples codified under the [`examples`](./examples) are intended to give users
 - [IAM auth. w/ PostgreSQL Aurora cluster](./examples/postgresql_iam_cluster)
 - [IAM auth. w/ PostgreSQL RDS instance](./examples/postgresql_iam_instance)

+## Security & Compliance [<img src="https://cloudposse.com/wp-content/uploads/2020/11/bridgecrew.svg" width="250" align="right" />](https://bridgecrew.io/)
+
+Security scanning results provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance.
+
+| Benchmark | Description |
+|--------|---------------|
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/general)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=INFRASTRUCTURE+SECURITY) | Infrastructure Security Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/cis_aws)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=CIS+AWS+V1.2) | Center for Internet Security, AWS Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/pci_dss_v321)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=PCI-DSS+V3.2.1) | Payment Card Industry Data Security Standards Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/nist)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=NIST-800-53) | National Institute of Standards and Technology Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/iso)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=ISO27001) | Information Security Management System, ISO/IEC 27001 Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/soc2)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=SOC2) | Service Organization Control 2 Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/hipaa)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=HIPAA) | Health Insurance Portability and Accountability Compliance |
+| [![Infrastructure Tests](https://www.bridgecrew.cloud/badges/github/clowdhaus/terraform-aws-rds-proxy/fedramp_moderate)](https://www.bridgecrew.cloud/link/badge?vcs=github&fullRepo=clowdhaus%2Fterraform-aws-rds-proxy&benchmark=FEDRAMP+%28MODERATE%29) | FedRAMP Moderate Impact Level |
+
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements

--- a/examples/mysql_iam_cluster/README.md
+++ b/examples/mysql_iam_cluster/README.md
@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
-| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.59.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |

 ## Modules

 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 |
+| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
 | <a name="module_ec2_sg"></a> [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 4 |
-| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ |  |
+| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |

--- a/examples/mysql_iam_cluster/main.tf
+++ b/examples/mysql_iam_cluster/main.tf
@ -51,6 +51,18 @@ module "vpc" {
  create_database_subnet_group = true
  enable_nat_gateway           = true
  single_nat_gateway           = true
+  map_public_ip_on_launch      = false
+
+  manage_default_security_group  = true
+  default_security_group_ingress = []
+  default_security_group_egress  = []
+
+  enable_flow_log                      = true
+  flow_log_destination_type            = "cloud-watch-logs"
+  create_flow_log_cloudwatch_log_group = true
+  create_flow_log_cloudwatch_iam_role  = true
+  flow_log_max_aggregation_interval    = 60
+  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"

  tags = local.tags
 }
@ -71,13 +83,18 @@ module "rds" {
  engine_version      = "5.7"
  replica_count       = 1
  instance_type       = "db.t3.medium"
-  storage_encrypted   = false
+  storage_encrypted   = true
  apply_immediately   = true
  skip_final_snapshot = true

-  vpc_id                  = module.vpc.vpc_id
-  subnets                 = module.vpc.database_subnets
-  allowed_security_groups = [module.rds_proxy_sg.security_group_id]
+  enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"]
+  monitoring_interval             = 60
+  create_monitoring_role          = true
+
+  vpc_id                 = module.vpc.vpc_id
+  subnets                = module.vpc.database_subnets
+  create_security_group  = false
+  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]

  db_subnet_group_name            = local.name # Created by VPC module
  db_parameter_group_name         = aws_db_parameter_group.aurora_db_mysql57_parameter_group.id
@ -90,12 +107,16 @@ resource "aws_db_parameter_group" "aurora_db_mysql57_parameter_group" {
  name        = "example-aurora-db-57-parameter-group"
  family      = "aurora-mysql5.7"
  description = "example-aurora-db-57-parameter-group"
+
+  tags = local.tags
 }

 resource "aws_rds_cluster_parameter_group" "aurora_cluster_mysql57_parameter_group" {
  name        = "example-aurora-57-cluster-parameter-group"
  family      = "aurora-mysql5.7"
  description = "example-aurora-57-cluster-parameter-group"
+
+  tags = local.tags
 }

 ################################################################################
@ -105,6 +126,8 @@ resource "aws_rds_cluster_parameter_group" "aurora_cluster_mysql57_parameter_gro
 resource "aws_iam_instance_profile" "ec2_test" {
  name_prefix = local.name
  role        = aws_iam_role.ec2_test.name
+
+  tags = local.tags
 }

 data "aws_iam_policy_document" "ec2_test_assume" {
@ -121,6 +144,8 @@ resource "aws_iam_role" "ec2_test" {
  name_prefix           = local.name
  force_detach_policies = true
  assume_role_policy    = data.aws_iam_policy_document.ec2_test_assume.json
+
+  tags = local.tags
 }

 data "aws_iam_policy_document" "ec2_test" {
@ -171,14 +196,23 @@ module "ec2_sg" {

 module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
-  version = "~> 2"
+  version = "~> 3"

-  name           = local.name
-  instance_count = 1
+  name = local.name

-  associate_public_ip_address = true
-  iam_instance_profile        = aws_iam_instance_profile.ec2_test.name
-  user_data                   = <<-EOT
+  monitoring    = true
+  ebs_optimized = true
+  metadata_options = {
+    http_endpoint = "disabled"
+  }
+  root_block_device = [
+    {
+      encrypted = true
+    }
+  ]
+
+  iam_instance_profile = aws_iam_instance_profile.ec2_test.name
+  user_data            = <<-EOT
  #!/usr/bin/env bash

  mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
@ -191,7 +225,7 @@ module "ec2_instance" {
  ami                    = data.aws_ami.ubuntu.id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [module.ec2_sg.security_group_id]
-  subnet_ids             = module.vpc.private_subnets
+  subnet_id              = element(module.vpc.private_subnets, 0)

  tags = local.tags
 }
--- a/examples/mysql_iam_instance/README.md
+++ b/examples/mysql_iam_instance/README.md
@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
-| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.59.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |

 ## Modules

 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 |
+| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
 | <a name="module_ec2_sg"></a> [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3 |
-| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ |  |
+| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |
--- a/examples/mysql_iam_instance/main.tf
+++ b/examples/mysql_iam_instance/main.tf
@ -48,8 +48,21 @@ module "vpc" {
  private_subnets  = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
  database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]

-  enable_nat_gateway = true
-  single_nat_gateway = true
+  create_database_subnet_group = true
+  enable_nat_gateway           = true
+  single_nat_gateway           = true
+  map_public_ip_on_launch      = false
+
+  manage_default_security_group  = true
+  default_security_group_ingress = []
+  default_security_group_egress  = []
+
+  enable_flow_log                      = true
+  flow_log_destination_type            = "cloud-watch-logs"
+  create_flow_log_cloudwatch_log_group = true
+  create_flow_log_cloudwatch_iam_role  = true
+  flow_log_max_aggregation_interval    = 60
+  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"

  tags = local.tags
 }
@ -94,11 +107,16 @@ module "rds" {
  port                 = 3306
  instance_class       = "db.t3.micro"
  allocated_storage    = 5
-  storage_encrypted    = false
+  storage_encrypted    = true
  apply_immediately    = true

+  enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"]
+  monitoring_interval             = 60
+  create_monitoring_role          = true
+
  vpc_security_group_ids = [module.rds_sg.security_group_id]
  subnet_ids             = module.vpc.database_subnets
+  multi_az               = true

  maintenance_window      = "Mon:00:00-Mon:03:00"
  backup_window           = "03:00-06:00"
@ -115,6 +133,8 @@ module "rds" {
 resource "aws_iam_instance_profile" "ec2_test" {
  name_prefix = local.name
  role        = aws_iam_role.ec2_test.name
+
+  tags = local.tags
 }

 data "aws_iam_policy_document" "ec2_test_assume" {
@ -131,6 +151,8 @@ resource "aws_iam_role" "ec2_test" {
  name_prefix           = local.name
  force_detach_policies = true
  assume_role_policy    = data.aws_iam_policy_document.ec2_test_assume.json
+
+  tags = local.tags
 }

 data "aws_iam_policy_document" "ec2_test" {
@ -181,14 +203,23 @@ module "ec2_sg" {

 module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
-  version = "~> 2"
+  version = "~> 3"

-  name           = local.name
-  instance_count = 1
+  name = local.name

-  associate_public_ip_address = true
-  iam_instance_profile        = aws_iam_instance_profile.ec2_test.name
-  user_data                   = <<-EOT
+  monitoring    = true
+  ebs_optimized = true
+  metadata_options = {
+    http_endpoint = "disabled"
+  }
+  root_block_device = [
+    {
+      encrypted = true
+    }
+  ]
+
+  iam_instance_profile = aws_iam_instance_profile.ec2_test.name
+  user_data            = <<-EOT
  #!/usr/bin/env bash

  mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
@ -201,7 +232,7 @@ module "ec2_instance" {
  ami                    = data.aws_ami.ubuntu.id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [module.ec2_sg.security_group_id]
-  subnet_ids             = module.vpc.private_subnets
+  subnet_id              = element(module.vpc.private_subnets, 0)

  tags = local.tags
 }
--- a/examples/postgresql_iam_cluster/README.md
+++ b/examples/postgresql_iam_cluster/README.md
@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
-| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.59.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |

 ## Modules

 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 |
+| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
 | <a name="module_ec2_sg"></a> [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 5 |
-| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ |  |
+| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |

--- a/examples/postgresql_iam_cluster/main.tf
+++ b/examples/postgresql_iam_cluster/main.tf
@ -51,6 +51,18 @@ module "vpc" {
  create_database_subnet_group = true
  enable_nat_gateway           = true
  single_nat_gateway           = true
+  map_public_ip_on_launch      = false
+
+  manage_default_security_group  = true
+  default_security_group_ingress = []
+  default_security_group_egress  = []
+
+  enable_flow_log                      = true
+  flow_log_destination_type            = "cloud-watch-logs"
+  create_flow_log_cloudwatch_log_group = true
+  create_flow_log_cloudwatch_iam_role  = true
+  flow_log_max_aggregation_interval    = 60
+  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"

  tags = local.tags
 }
@ -71,13 +83,18 @@ module "rds" {
  engine_version      = "11.9"
  replica_count       = 1
  instance_type       = "db.t3.medium"
-  storage_encrypted   = false
+  storage_encrypted   = true
  apply_immediately   = true
  skip_final_snapshot = true

-  vpc_id                  = module.vpc.vpc_id
-  subnets                 = module.vpc.database_subnets
-  allowed_security_groups = [module.rds_proxy_sg.security_group_id]
+  enabled_cloudwatch_logs_exports = ["postgresql"]
+  monitoring_interval             = 60
+  create_monitoring_role          = true
+
+  vpc_id                 = module.vpc.vpc_id
+  subnets                = module.vpc.database_subnets
+  create_security_group  = false
+  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]

  db_subnet_group_name            = local.name # Created by VPC module
  db_parameter_group_name         = aws_db_parameter_group.aurora_db_postgres11_parameter_group.id
@ -90,12 +107,16 @@ resource "aws_db_parameter_group" "aurora_db_postgres11_parameter_group" {
  name        = "example-aurora-db-postgres11-parameter-group"
  family      = "aurora-postgresql11"
  description = "test-aurora-db-postgres11-parameter-group"
+
+  tags = local.tags
 }

 resource "aws_rds_cluster_parameter_group" "aurora_cluster_postgres11_parameter_group" {
  name        = "example-aurora-postgres11-cluster-parameter-group"
  family      = "aurora-postgresql11"
  description = "example-aurora-postgres11-cluster-parameter-group"
+
+  tags = local.tags
 }

 ################################################################################
@ -105,6 +126,8 @@ resource "aws_rds_cluster_parameter_group" "aurora_cluster_postgres11_parameter_
 resource "aws_iam_instance_profile" "ec2_test" {
  name_prefix = local.name
  role        = aws_iam_role.ec2_test.name
+
+  tags = local.tags
 }

 data "aws_iam_policy_document" "ec2_test_assume" {
@ -121,6 +144,8 @@ resource "aws_iam_role" "ec2_test" {
  name_prefix           = local.name
  force_detach_policies = true
  assume_role_policy    = data.aws_iam_policy_document.ec2_test_assume.json
+
+  tags = local.tags
 }

 data "aws_iam_policy_document" "ec2_test" {
@ -171,14 +196,23 @@ module "ec2_sg" {

 module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
-  version = "~> 2"
+  version = "~> 3"

-  name           = local.name
-  instance_count = 1
+  name = local.name

-  associate_public_ip_address = true
-  iam_instance_profile        = aws_iam_instance_profile.ec2_test.name
-  user_data                   = <<-EOT
+  monitoring    = true
+  ebs_optimized = true
+  metadata_options = {
+    http_endpoint = "disabled"
+  }
+  root_block_device = [
+    {
+      encrypted = true
+    }
+  ]
+
+  iam_instance_profile = aws_iam_instance_profile.ec2_test.name
+  user_data            = <<-EOT
  #!/usr/bin/env bash

  mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
@ -191,7 +225,7 @@ module "ec2_instance" {
  ami                    = data.aws_ami.ubuntu.id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [module.ec2_sg.security_group_id]
-  subnet_ids             = module.vpc.private_subnets
+  subnet_id              = element(module.vpc.private_subnets, 0)

  tags = local.tags
 }
--- a/examples/postgresql_iam_instance/README.md
+++ b/examples/postgresql_iam_instance/README.md
@ -37,17 +37,17 @@ An EC2 instance configuration has been provided for use in validating the exampl

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
-| <a name="provider_random"></a> [random](#provider\_random) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 3.59.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.1.0 |

 ## Modules

 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 2 |
+| <a name="module_ec2_instance"></a> [ec2\_instance](#module\_ec2\_instance) | terraform-aws-modules/ec2-instance/aws | ~> 3 |
 | <a name="module_ec2_sg"></a> [ec2\_sg](#module\_ec2\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3 |
-| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ |  |
+| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3 |
--- a/examples/postgresql_iam_instance/main.tf
+++ b/examples/postgresql_iam_instance/main.tf
@ -48,8 +48,21 @@ module "vpc" {
  private_subnets  = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
  database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]

-  enable_nat_gateway = true
-  single_nat_gateway = true
+  create_database_subnet_group = true
+  enable_nat_gateway           = true
+  single_nat_gateway           = true
+  map_public_ip_on_launch      = false
+
+  manage_default_security_group  = true
+  default_security_group_ingress = []
+  default_security_group_egress  = []
+
+  enable_flow_log                      = true
+  flow_log_destination_type            = "cloud-watch-logs"
+  create_flow_log_cloudwatch_log_group = true
+  create_flow_log_cloudwatch_iam_role  = true
+  flow_log_max_aggregation_interval    = 60
+  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"

  tags = local.tags
 }
@ -94,11 +107,16 @@ module "rds" {
  port                 = 5432
  instance_class       = "db.t3.micro"
  allocated_storage    = 5
-  storage_encrypted    = false
+  storage_encrypted    = true
  apply_immediately    = true

+  enabled_cloudwatch_logs_exports = ["postgresql"]
+  monitoring_interval             = 60
+  create_monitoring_role          = true
+
  vpc_security_group_ids = [module.rds_sg.security_group_id]
  subnet_ids             = module.vpc.database_subnets
+  multi_az               = true

  maintenance_window      = "Mon:00:00-Mon:03:00"
  backup_window           = "03:00-06:00"
@ -115,6 +133,8 @@ module "rds" {
 resource "aws_iam_instance_profile" "ec2_test" {
  name_prefix = local.name
  role        = aws_iam_role.ec2_test.name
+
+  tags = local.tags
 }

 data "aws_iam_policy_document" "ec2_test_assume" {
@ -131,6 +151,8 @@ resource "aws_iam_role" "ec2_test" {
  name_prefix           = local.name
  force_detach_policies = true
  assume_role_policy    = data.aws_iam_policy_document.ec2_test_assume.json
+
+  tags = local.tags
 }

 data "aws_iam_policy_document" "ec2_test" {
@ -181,14 +203,23 @@ module "ec2_sg" {

 module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
-  version = "~> 2"
+  version = "~> 3"

-  name           = local.name
-  instance_count = 1
+  name = local.name

-  associate_public_ip_address = true
-  iam_instance_profile        = aws_iam_instance_profile.ec2_test.name
-  user_data                   = <<-EOT
+  monitoring    = true
+  ebs_optimized = true
+  metadata_options = {
+    http_endpoint = "disabled"
+  }
+  root_block_device = [
+    {
+      encrypted = true
+    }
+  ]
+
+  iam_instance_profile = aws_iam_instance_profile.ec2_test.name
+  user_data            = <<-EOT
  #!/usr/bin/env bash

  mkdir -p /home/ssm-user/ && wget -O /home/ssm-user/AmazonRootCA1.pem https://www.amazontrust.com/repository/AmazonRootCA1.pem
@ -201,7 +232,7 @@ module "ec2_instance" {
  ami                    = data.aws_ami.ubuntu.id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [module.ec2_sg.security_group_id]
-  subnet_ids             = module.vpc.private_subnets
+  subnet_id              = element(module.vpc.private_subnets, 0)

  tags = local.tags
 }