feat!: Upgrade AWS provider and min required Terraform version to 6.0 and 1.5.7 respectively (#34)

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
2025-12-16 16:01:11 +00:00 · 2025-09-16 10:28:55 -04:00 · 2025-09-16 10:28:55 -04:00 · 47c0fcad4b
commit 47c0fcad4b
parent e8ffe8f2f1
19 changed files with 200 additions and 95 deletions
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -1,6 +1,6 @@
 repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.96.1
+    rev: v1.100.0
    hooks:
      - id: terraform_fmt
      - id: terraform_docs
@ -23,7 +23,7 @@ repos:
          - '--args=--only=terraform_workspace_remote'
      - id: terraform_validate
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
    hooks:
      - id: check-merge-conflict
      - id: end-of-file-fixer
--- a/README.md
+++ b/README.md
@ -62,14 +62,14 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
 ## Modules
@ -97,7 +97,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_auth"></a> [auth](#input\_auth) | Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters | `any` | `{}` | no |
+| <a name="input_auth"></a> [auth](#input\_auth) | Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters | <pre>map(object({<br/>    auth_scheme               = optional(string)<br/>    client_password_auth_type = optional(string)<br/>    description               = optional(string)<br/>    iam_auth                  = optional(string)<br/>    secret_arn                = optional(string)<br/>    username                  = optional(string)<br/>  }))</pre> | <pre>{<br/>  "default": {<br/>    "auth_scheme": "SECRETS"<br/>  }<br/>}</pre> | no |
 | <a name="input_connection_borrow_timeout"></a> [connection\_borrow\_timeout](#input\_connection\_borrow\_timeout) | The number of seconds for a proxy to wait for a connection to become available in the connection pool | `number` | `null` | no |
 | <a name="input_create"></a> [create](#input\_create) | Whether cluster should be created (affects nearly all resources) | `bool` | `true` | no |
 | <a name="input_create_iam_policy"></a> [create\_iam\_policy](#input\_create\_iam\_policy) | Determines whether an IAM policy is created | `bool` | `true` | no |
@ -105,7 +105,7 @@ No modules.
 | <a name="input_db_cluster_identifier"></a> [db\_cluster\_identifier](#input\_db\_cluster\_identifier) | DB cluster identifier | `string` | `""` | no |
 | <a name="input_db_instance_identifier"></a> [db\_instance\_identifier](#input\_db\_instance\_identifier) | DB instance identifier | `string` | `""` | no |
 | <a name="input_debug_logging"></a> [debug\_logging](#input\_debug\_logging) | Whether the proxy includes detailed information about SQL statements in its logs | `bool` | `false` | no |
-| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`) | `any` | `{}` | no |
+| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | Map of DB proxy endpoints to create and their attributes | <pre>map(object({<br/>    name                   = optional(string)<br/>    vpc_subnet_ids         = list(string)<br/>    vpc_security_group_ids = optional(list(string))<br/>    target_role            = optional(string)<br/>    tags                   = optional(map(string), {})<br/>  }))</pre> | `{}` | no |
 | <a name="input_engine_family"></a> [engine\_family](#input\_engine\_family) | The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL` | `string` | `""` | no |
 | <a name="input_iam_policy_name"></a> [iam\_policy\_name](#input\_iam\_policy\_name) | The name of the role policy. If omitted, Terraform will assign a random, unique name | `string` | `""` | no |
 | <a name="input_iam_role_description"></a> [iam\_role\_description](#input\_iam\_role\_description) | The description of the role | `string` | `""` | no |
@ -118,6 +118,7 @@ No modules.
 | <a name="input_idle_client_timeout"></a> [idle\_client\_timeout](#input\_idle\_client\_timeout) | The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it | `number` | `1800` | no |
 | <a name="input_init_query"></a> [init\_query](#input\_init\_query) | One or more SQL statements for the proxy to run when opening each new database connection | `string` | `""` | no |
 | <a name="input_kms_key_arns"></a> [kms\_key\_arns](#input\_kms\_key\_arns) | List of KMS Key ARNs to allow access to decrypt SecretsManager secrets | `list(string)` | `[]` | no |
 | <a name="input_log_group_class"></a> [log\_group\_class](#input\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no |
 | <a name="input_log_group_kms_key_id"></a> [log\_group\_kms\_key\_id](#input\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
 | <a name="input_log_group_retention_in_days"></a> [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the log group | `number` | `30` | no |
 | <a name="input_log_group_tags"></a> [log\_group\_tags](#input\_log\_group\_tags) | A map of tags to apply to the CloudWatch log group | `map(string)` | `{}` | no |
@ -126,6 +127,7 @@ No modules.
 | <a name="input_max_idle_connections_percent"></a> [max\_idle\_connections\_percent](#input\_max\_idle\_connections\_percent) | Controls how actively the proxy closes idle database connections in the connection pool | `number` | `50` | no |
 | <a name="input_name"></a> [name](#input\_name) | The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens | `string` | `""` | no |
 | <a name="input_proxy_tags"></a> [proxy\_tags](#input\_proxy\_tags) | A map of tags to apply to the RDS Proxy | `map(string)` | `{}` | no |
 | <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
 | <a name="input_require_tls"></a> [require\_tls](#input\_require\_tls) | A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy | `bool` | `true` | no |
 | <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager | `string` | `""` | no |
 | <a name="input_session_pinning_filters"></a> [session\_pinning\_filters](#input\_session\_pinning\_filters) | Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection | `list(string)` | `[]` | no |
--- a/docs/UPGRADE-3.0.md
+++ b/docs/UPGRADE-3.0.md
--- a/examples/mysql-iam-cluster/README.md
+++ b/examples/mysql-iam-cluster/README.md
@ -30,23 +30,23 @@ An EC2 instance configuration has been provided for use in validating the exampl
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 8.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 ## Resources
--- a/examples/mysql-iam-cluster/main.tf
+++ b/examples/mysql-iam-cluster/main.tf
@ -69,7 +69,7 @@ module "rds_proxy" {
 module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
  name = local.name
  cidr = local.vpc_cidr
@ -84,7 +84,7 @@ module "vpc" {
 module "rds" {
  source  = "terraform-aws-modules/rds-aurora/aws"
-  version = "~> 8.0"
+  version = "~> 9.0"
  name            = local.name
  engine          = "aurora-mysql"
--- a/examples/mysql-iam-cluster/versions.tf
+++ b/examples/mysql-iam-cluster/versions.tf
@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 6.0"
    }
  }
 }
--- a/examples/mysql-iam-instance/README.md
+++ b/examples/mysql-iam-instance/README.md
@ -30,26 +30,26 @@ An EC2 instance configuration has been provided for use in validating the exampl
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 5.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
 | <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 ## Resources
--- a/examples/mysql-iam-instance/main.tf
+++ b/examples/mysql-iam-instance/main.tf
@ -61,7 +61,7 @@ module "rds_proxy" {
  # Target RDS instance
  target_db_instance     = true
-  db_instance_identifier = module.rds.db_instance_id
+  db_instance_identifier = module.rds.db_instance_identifier
  tags = local.tags
 }
@ -82,7 +82,7 @@ resource "random_password" "password" {
 module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
  name = local.name
  cidr = local.vpc_cidr
@ -97,7 +97,7 @@ module "vpc" {
 module "rds" {
  source  = "terraform-aws-modules/rds/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
  username = local.db_username
  password = local.db_password
--- a/examples/mysql-iam-instance/versions.tf
+++ b/examples/mysql-iam-instance/versions.tf
@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 6.0"
    }
    random = {
      source  = "hashicorp/random"
--- a/examples/postgresql-iam-cluster/README.md
+++ b/examples/postgresql-iam-cluster/README.md
@ -30,23 +30,23 @@ An EC2 instance configuration has been provided for use in validating the exampl
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 8.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 ## Resources
--- a/examples/postgresql-iam-cluster/main.tf
+++ b/examples/postgresql-iam-cluster/main.tf
@ -69,7 +69,7 @@ module "rds_proxy" {
 module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
  name = local.name
  cidr = local.vpc_cidr
@ -84,7 +84,7 @@ module "vpc" {
 module "rds" {
  source  = "terraform-aws-modules/rds-aurora/aws"
-  version = "~> 8.0"
+  version = "~> 9.0"
  name            = local.name
  engine          = "aurora-postgresql"
--- a/examples/postgresql-iam-cluster/versions.tf
+++ b/examples/postgresql-iam-cluster/versions.tf
@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 6.0"
    }
  }
 }
--- a/examples/postgresql-iam-instance/README.md
+++ b/examples/postgresql-iam-instance/README.md
@ -30,26 +30,26 @@ An EC2 instance configuration has been provided for use in validating the exampl
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 5.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
 | <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 ## Resources
--- a/examples/postgresql-iam-instance/main.tf
+++ b/examples/postgresql-iam-instance/main.tf
@ -61,7 +61,7 @@ module "rds_proxy" {
  # Target RDS instance
  target_db_instance     = true
-  db_instance_identifier = module.rds.db_instance_id
+  db_instance_identifier = module.rds.db_instance_identifier
  tags = local.tags
 }
@ -82,7 +82,7 @@ resource "random_password" "password" {
 module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
  name = local.name
  cidr = local.vpc_cidr
@ -97,7 +97,7 @@ module "vpc" {
 module "rds" {
  source  = "terraform-aws-modules/rds/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
  username = local.db_username
  password = local.db_password
--- a/examples/postgresql-iam-instance/versions.tf
+++ b/examples/postgresql-iam-instance/versions.tf
@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 6.0"
    }
    random = {
      source  = "hashicorp/random"
--- a/main.tf
+++ b/main.tf
@ -1,17 +1,3 @@
 locals {
  role_arn    = var.create && var.create_iam_role ? aws_iam_role.this[0].arn : var.role_arn
  role_name   = coalesce(var.iam_role_name, var.name)
  policy_name = coalesce(var.iam_policy_name, var.name)
 }
 data "aws_region" "current" {}
 data "aws_partition" "current" {}
 data "aws_service_principal" "rds" {
  count = var.create && var.create_iam_role ? 1 : 0
  service_name = "rds"
  region       = data.aws_region.current.name
 }
 ################################################################################
 # RDS Proxy
 ################################################################################
@ -19,16 +5,18 @@ data "aws_service_principal" "rds" {
 resource "aws_db_proxy" "this" {
  count = var.create ? 1 : 0
  region = var.region
  dynamic "auth" {
    for_each = var.auth
    content {
-      auth_scheme               = try(auth.value.auth_scheme, "SECRETS")
+      auth_scheme               = auth.value.auth_scheme
-      client_password_auth_type = try(auth.value.client_password_auth_type, null)
+      client_password_auth_type = auth.value.client_password_auth_type
-      description               = try(auth.value.description, null)
+      description               = auth.value.description
-      iam_auth                  = try(auth.value.iam_auth, null)
+      iam_auth                  = auth.value.iam_auth
-      secret_arn                = try(auth.value.secret_arn, null)
+      secret_arn                = auth.value.secret_arn
-      username                  = try(auth.value.username, null)
+      username                  = auth.value.username
    }
  }
@ -37,7 +25,7 @@ resource "aws_db_proxy" "this" {
  idle_client_timeout    = var.idle_client_timeout
  name                   = var.name
  require_tls            = var.require_tls
-  role_arn               = local.role_arn
+  role_arn               = try(aws_iam_role.this[0].arn, var.role_arn)
  vpc_security_group_ids = var.vpc_security_group_ids
  vpc_subnet_ids         = var.vpc_subnet_ids
@ -46,9 +34,15 @@ resource "aws_db_proxy" "this" {
  depends_on = [aws_cloudwatch_log_group.this]
 }
 ################################################################################
 # Default Target Group
 ################################################################################
 resource "aws_db_proxy_default_target_group" "this" {
  count = var.create ? 1 : 0
  region = var.region
  db_proxy_name = aws_db_proxy.this[0].name
  connection_pool_config {
@ -60,9 +54,15 @@ resource "aws_db_proxy_default_target_group" "this" {
  }
 }
 ################################################################################
 # Target(s)
 ################################################################################
 resource "aws_db_proxy_target" "db_instance" {
  count = var.create && var.target_db_instance ? 1 : 0
  region = var.region
  db_proxy_name          = aws_db_proxy.this[0].name
  target_group_name      = aws_db_proxy_default_target_group.this[0].name
  db_instance_identifier = var.db_instance_identifier
@ -71,33 +71,44 @@ resource "aws_db_proxy_target" "db_instance" {
 resource "aws_db_proxy_target" "db_cluster" {
  count = var.create && var.target_db_cluster ? 1 : 0
  region = var.region
  db_proxy_name         = aws_db_proxy.this[0].name
  target_group_name     = aws_db_proxy_default_target_group.this[0].name
  db_cluster_identifier = var.db_cluster_identifier
 }
 ################################################################################
 # Endpoint(s)
 ################################################################################
 resource "aws_db_proxy_endpoint" "this" {
  for_each = { for k, v in var.endpoints : k => v if var.create }
-  db_proxy_name          = aws_db_proxy.this[0].name
+  region = var.region
  db_proxy_endpoint_name = each.value.name
  vpc_subnet_ids         = each.value.vpc_subnet_ids
  vpc_security_group_ids = lookup(each.value, "vpc_security_group_ids", null)
  target_role            = lookup(each.value, "target_role", null)
-  tags = lookup(each.value, "tags", var.tags)
+  db_proxy_name          = aws_db_proxy.this[0].name
  db_proxy_endpoint_name = coalesce(each.value.name, each.key)
  vpc_subnet_ids         = each.value.vpc_subnet_ids
  vpc_security_group_ids = each.value.vpc_security_group_ids
  target_role            = each.value.target_role
  tags = merge(var.tags, each.value.tags)
 }
 ################################################################################
-# CloudWatch Logs
+# CloudWatch Log Group
 ################################################################################
 resource "aws_cloudwatch_log_group" "this" {
  count = var.create && var.manage_log_group ? 1 : 0
  region = var.region
  name              = "/aws/rds/proxy/${var.name}"
  retention_in_days = var.log_group_retention_in_days
  kms_key_id        = var.log_group_kms_key_id
  log_group_class   = var.log_group_class
  tags = merge(var.tags, var.log_group_tags)
 }
@ -106,8 +117,37 @@ resource "aws_cloudwatch_log_group" "this" {
 # IAM Role
 ################################################################################
 locals {
  create_iam_role = var.create && var.create_iam_role
  role_name   = coalesce(var.iam_role_name, var.name)
  policy_name = coalesce(var.iam_policy_name, var.name)
  partition  = try(data.aws_partition.current[0].partition, "aws")
  dns_suffix = try(data.aws_partition.current[0].dns_suffix, "amazonaws.com")
  region     = try(data.aws_region.current[0].region, var.region)
 }
 data "aws_region" "current" {
  count = local.create_iam_role ? 1 : 0
  region = var.region
 }
 data "aws_partition" "current" {
  count = local.create_iam_role ? 1 : 0
 }
 data "aws_service_principal" "rds" {
  count = local.create_iam_role ? 1 : 0
  service_name = "rds"
  region       = data.aws_region.current[0].region
 }
 data "aws_iam_policy_document" "assume_role" {
-  count = var.create && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role ? 1 : 0
  statement {
    sid     = "RDSAssume"
@ -122,7 +162,7 @@ data "aws_iam_policy_document" "assume_role" {
 }
 resource "aws_iam_role" "this" {
-  count = var.create && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role ? 1 : 0
  name        = var.use_role_name_prefix ? null : local.role_name
  name_prefix = var.use_role_name_prefix ? "${local.role_name}-" : null
@ -137,8 +177,12 @@ resource "aws_iam_role" "this" {
  tags = merge(var.tags, var.iam_role_tags)
 }
 ################################################################################
 # IAM Role Policy
 ################################################################################
 data "aws_iam_policy_document" "this" {
-  count = var.create && var.create_iam_role && var.create_iam_policy ? 1 : 0
+  count = local.create_iam_role && var.create_iam_policy ? 1 : 0
  statement {
    sid     = "DecryptSecrets"
@ -146,14 +190,14 @@ data "aws_iam_policy_document" "this" {
    actions = ["kms:Decrypt"]
    resources = coalescelist(
      var.kms_key_arns,
-      ["arn:${data.aws_partition.current.partition}:kms:*:*:key/*"]
+      ["arn:${local.partition}:kms:*:*:key/*"]
    )
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values = [
-        "secretsmanager.${data.aws_region.current.name}.${data.aws_partition.current.dns_suffix}"
+        "secretsmanager.${local.region}.${local.dns_suffix}"
      ]
    }
  }
@ -183,7 +227,7 @@ data "aws_iam_policy_document" "this" {
 }
 resource "aws_iam_role_policy" "this" {
-  count = var.create && var.create_iam_role && var.create_iam_policy ? 1 : 0
+  count = local.create_iam_role && var.create_iam_policy ? 1 : 0
  name        = var.use_policy_name_prefix ? null : local.policy_name
  name_prefix = var.use_policy_name_prefix ? "${local.policy_name}-" : null
--- a/outputs.tf
+++ b/outputs.tf
@ -1,4 +1,7 @@
 ################################################################################
 # RDS Proxy
 ################################################################################
 output "proxy_id" {
  description = "The ID for the proxy"
  value       = try(aws_db_proxy.this[0].id, null)
@ -14,7 +17,10 @@ output "proxy_endpoint" {
  value       = try(aws_db_proxy.this[0].endpoint, null)
 }
-# Proxy Default Target Group
+################################################################################
 # Default Target Group
 ################################################################################
 output "proxy_default_target_group_id" {
  description = "The ID for the default target group"
  value       = try(aws_db_proxy_default_target_group.this[0].id, null)
@ -30,7 +36,10 @@ output "proxy_default_target_group_name" {
  value       = try(aws_db_proxy_default_target_group.this[0].name, null)
 }
-# Proxy Target
+################################################################################
 # Target(s)
 ################################################################################
 output "proxy_target_endpoint" {
  description = "Hostname for the target RDS DB Instance. Only returned for `RDS_INSTANCE` type"
  value       = try(aws_db_proxy_target.db_instance[0].endpoint, aws_db_proxy_target.db_cluster[0].endpoint, null)
@ -66,13 +75,19 @@ output "proxy_target_type" {
  value       = try(aws_db_proxy_target.db_instance[0].type, aws_db_proxy_target.db_cluster[0].type, null)
 }
-# DB proxy endpoints
+################################################################################
 # Endpoint(s)
 ################################################################################
 output "db_proxy_endpoints" {
  description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
  value       = aws_db_proxy_endpoint.this
 }
-# CloudWatch logs
+################################################################################
 # CloudWatch Log Group
 ################################################################################
 output "log_group_arn" {
  description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
  value       = try(aws_cloudwatch_log_group.this[0].arn, null)
@ -83,7 +98,10 @@ output "log_group_name" {
  value       = try(aws_cloudwatch_log_group.this[0].name, null)
 }
-# IAM role
+################################################################################
 # IAM Role
 ################################################################################
 output "iam_role_arn" {
  description = "The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager."
  value       = try(aws_iam_role.this[0].arn, null)
--- a/variables.tf
+++ b/variables.tf
@ -4,6 +4,12 @@ variable "create" {
  default     = true
 }
 variable "region" {
  description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
  type        = string
  default     = null
 }
 variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(string)
@ -22,8 +28,19 @@ variable "name" {
 variable "auth" {
  description = "Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters"
-  type        = any
+  type = map(object({
-  default     = {}
+    auth_scheme               = optional(string)
    client_password_auth_type = optional(string)
    description               = optional(string)
    iam_auth                  = optional(string)
    secret_arn                = optional(string)
    username                  = optional(string)
  }))
  default = {
    default = {
      auth_scheme = "SECRETS"
    }
  }
 }
 variable "debug_logging" {
@ -74,7 +91,10 @@ variable "proxy_tags" {
  default     = {}
 }
-# Proxy Default Target Group
+################################################################################
 # Default Target Group
 ################################################################################
 variable "connection_borrow_timeout" {
  description = "The number of seconds for a proxy to wait for a connection to become available in the connection pool"
  type        = number
@ -105,7 +125,10 @@ variable "session_pinning_filters" {
  default     = []
 }
-# Proxy Target
+################################################################################
 # Target(s)
 ################################################################################
 variable "target_db_instance" {
  description = "Determines whether DB instance is targeted by proxy"
  type        = bool
@ -130,11 +153,20 @@ variable "db_cluster_identifier" {
  default     = ""
 }
-# Proxy endpoints
+################################################################################
 # Endpoint(s)
 ################################################################################
 variable "endpoints" {
-  description = "Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`)"
+  description = "Map of DB proxy endpoints to create and their attributes"
-  type        = any
+  type = map(object({
-  default     = {}
+    name                   = optional(string)
    vpc_subnet_ids         = list(string)
    vpc_security_group_ids = optional(list(string))
    target_role            = optional(string)
    tags                   = optional(map(string), {})
  }))
  default = {}
 }
 ################################################################################
@ -159,6 +191,12 @@ variable "log_group_kms_key_id" {
  default     = null
 }
 variable "log_group_class" {
  description = "Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS`"
  type        = string
  default     = null
 }
 variable "log_group_tags" {
  description = "A map of tags to apply to the CloudWatch log group"
  type        = map(string)
@ -223,7 +261,10 @@ variable "iam_role_tags" {
  default     = {}
 }
-# IAM Policy
+################################################################################
 # IAM Role Policy
 ################################################################################
 variable "create_iam_policy" {
  description = "Determines whether an IAM policy is created"
  type        = bool
--- a/versions.tf
+++ b/versions.tf
@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 6.0"
    }
  }
 }