# PRD: Layer 30 - Data (RDS PostgreSQL)

**Scope:** Deployment account. RDS PostgreSQL for Wiki.js (external DB configuration).

**Dependencies:** PRD_00-cross-cutting, PRD_00-bootstrap, PRD_10-network (VPC, db subnets, RDS security group).

## 1. Purpose and Execution Order

| ID | Requirement |
| ---- | ------------- |
| R-R30-001 | This layer SHALL provision RDS PostgreSQL as the external database for Wiki.js. |
| R-R30-002 | The layer SHALL run after network and before or in parallel with layers that do not depend on RDS (e.g. before 50-app-wikijs). |
| R-R30-003 | Outputs SHALL be published to Parameter Store: endpoint, port, database name, and the secret ARN for the managed master password. |

## 2. RDS Subnet and Security

| ID | Requirement |
| ---- | ------------- |
| R-R30-101 | An RDS subnet group SHALL be created using the DB subnets provided by the network layer (read from Parameter Store). |
| R-R30-102 | The RDS instance(s) SHALL be placed in the DB subnets and SHALL use the RDS security group that allows inbound 5432 only from the EKS/workload security group. |
| R-R30-103 | RDS SHALL NOT be publicly accessible. |

## 3. RDS Instance Configuration

| ID | Requirement |
| ---- | ------------- |
| R-R30-201 | RDS SHALL be configured for PostgreSQL. |
| R-R30-202 | Multi-AZ deployment SHALL be enabled for high availability. |
| R-R30-203 | Storage encryption SHALL be enabled (KMS). |
| R-R30-204 | Automated backups SHALL be configured. |
| R-R30-205 | Deletion protection SHALL be enabled by default; teardown documentation SHALL describe the two-step process (disable protection then destroy) when applicable. |

## 4. Secrets (Managed Master Password)

| ID | Requirement |
| ---- | ------------- |
| R-R30-301 | The RDS master password SHALL be managed by AWS (managed master password) so that Secrets Manager stores the generated password and Terraform does not materialize the plaintext value. |
| R-R30-302 | Terraform SHALL store only the secret ARN (non-secret metadata) in outputs and Parameter Store. |
| R-R30-303 | Terraform state SHALL NOT contain the plaintext master password. |

## 5. Parameter Store Outputs

| ID | Requirement |
| ---- | ------------- |
| R-R30-401 | The layer SHALL publish to Parameter Store under `wikijs/<region>/<env>/30-data-rds/`: endpoint (hostname), port, database name, and secret ARN for the managed master password. |
| R-R30-402 | The layer SHALL publish only under its own prefix. |
| R-R30-403 | Outputs SHALL be consumable by the platform/application layers to configure Wiki.js DB connection (e.g. via secret sync and connection parameters). |

## 6. Destroy Behavior

| ID | Requirement |
| ---- | ------------- |
| R-R30-501 | On `terraform destroy`, the layer SHALL remove the RDS instance, subnet group, and related resources after the application layer (50) has been destroyed. |
| R-R30-502 | If deletion protection is enabled, destroy SHALL fail until protection is explicitly disabled; documentation SHALL describe this. |
| R-R30-503 | The layer SHALL delete its own Parameter Store prefix after successful destroy. |
| R-R30-504 | A provision workflow and a destroy workflow SHALL exist; destroy SHALL run after 50-app-wikijs and before 20-eks. |

## 7. Implementation Notes

- **Terraform:** Root module at `terraform/30-data-rds/` using the official module `terraform-aws-modules/rds/aws` with RDS managed master password (Secrets Manager).
- **Workflows:** `tf-30-data-rds-provision.yaml` and `tf-30-data-rds-destroy.yaml` (extension `.yaml`), calling `_terraform-layer.yaml`.
- **Parameter Store (reads):** From 10-network: `database_subnet_ids`, `rds_sg_id` (or equivalent) under `wikijs/<region>/<env>/10-network/`.
- **Parameter Store (writes):** Under `wikijs/<region>/<env>/30-data-rds/`: `endpoint`, `port`, `db_name`, `secret_arn` (managed master password). All type `String`; no secret values.