Compare commits


No commits in common. "master" and "v3.0.0" have entirely different histories.

36 changed files with 140 additions and 674 deletions


@ -8,7 +8,7 @@ jobs:
lock:
runs-on: ubuntu-latest
steps:
- uses: dessant/lock-threads@v5
- uses: dessant/lock-threads@v4
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
issue-comment: >


@ -14,7 +14,7 @@ jobs:
steps:
# Please look up the latest version from
# https://github.com/amannn/action-semantic-pull-request/releases
- uses: amannn/action-semantic-pull-request@v6.1.1
- uses: amannn/action-semantic-pull-request@v5.0.2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:


@ -7,8 +7,7 @@ on:
- master
env:
TERRAFORM_DOCS_VERSION: v0.20.0
TFLINT_VERSION: v0.59.1
TERRAFORM_DOCS_VERSION: v0.16.0
jobs:
collectInputs:
@ -18,11 +17,11 @@ jobs:
directories: ${{ steps.dirs.outputs.directories }}
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v3
- name: Get root directories
id: dirs
uses: clowdhaus/terraform-composite-actions/directories@v1.14.0
uses: clowdhaus/terraform-composite-actions/directories@v1.8.0
preCommitMinVersions:
name: Min TF pre-commit
@ -32,61 +31,29 @@ jobs:
matrix:
directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
steps:
- name: Install rmz
uses: jaxxstorm/action-install-gh-release@v2.1.0
with:
repo: SUPERCILEX/fuc
asset-name: x86_64-unknown-linux-gnu-rmz
rename-to: rmz
chmod: 0755
extension-matching: disable
# https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
- name: Delete unnecessary files
run: |
formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
BEFORE=$(getAvailableSpace)
ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
rmz -f /opt/hostedtoolcache/CodeQL &
rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
rmz -f /opt/hostedtoolcache/PyPy &
rmz -f /opt/hostedtoolcache/Ruby &
rmz -f /opt/hostedtoolcache/go &
wait
AFTER=$(getAvailableSpace)
SAVED=$((AFTER-BEFORE))
echo "=> Saved $(formatByteCount $SAVED)"
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v3
- name: Terraform min/max versions
id: minMax
uses: clowdhaus/terraform-min-max@v2.1.0
uses: clowdhaus/terraform-min-max@v1.2.0
with:
directory: ${{ matrix.directory }}
- name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
# Run only validate pre-commit check on min version supported
if: ${{ matrix.directory != '.' }}
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.0
with:
terraform-version: ${{ steps.minMax.outputs.minVersion }}
tflint-version: ${{ env.TFLINT_VERSION }}
args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
- name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
# Run only validate pre-commit check on min version supported
if: ${{ matrix.directory == '.' }}
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.0
with:
terraform-version: ${{ steps.minMax.outputs.minVersion }}
tflint-version: ${{ env.TFLINT_VERSION }}
args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'
preCommitMaxVersion:
@ -94,75 +61,18 @@ jobs:
runs-on: ubuntu-latest
needs: collectInputs
steps:
- name: Install rmz
uses: jaxxstorm/action-install-gh-release@v2.1.0
with:
repo: SUPERCILEX/fuc
asset-name: x86_64-unknown-linux-gnu-rmz
rename-to: rmz
chmod: 0755
extension-matching: disable
# https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
- name: Delete unnecessary files
run: |
formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
BEFORE=$(getAvailableSpace)
ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
rmz -f /opt/hostedtoolcache/CodeQL &
rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
rmz -f /opt/hostedtoolcache/PyPy &
rmz -f /opt/hostedtoolcache/Ruby &
rmz -f /opt/hostedtoolcache/go &
sudo rmz -f /usr/local/lib/android &
if [[ ${{ github.repository }} == terraform-aws-modules/terraform-aws-security-group ]]; then
sudo rmz -f /usr/share/dotnet &
sudo rmz -f /usr/local/.ghcup &
sudo apt-get -qq remove -y 'azure-.*'
sudo apt-get -qq remove -y 'cpp-.*'
sudo apt-get -qq remove -y 'dotnet-runtime-.*'
sudo apt-get -qq remove -y 'google-.*'
sudo apt-get -qq remove -y 'libclang-.*'
sudo apt-get -qq remove -y 'libllvm.*'
sudo apt-get -qq remove -y 'llvm-.*'
sudo apt-get -qq remove -y 'mysql-.*'
sudo apt-get -qq remove -y 'postgresql-.*'
sudo apt-get -qq remove -y 'php.*'
sudo apt-get -qq remove -y 'temurin-.*'
sudo apt-get -qq remove -y kubectl firefox mono-devel
sudo apt-get -qq autoremove -y
sudo apt-get -qq clean
fi
wait
AFTER=$(getAvailableSpace)
SAVED=$((AFTER-BEFORE))
echo "=> Saved $(formatByteCount $SAVED)"
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{github.event.pull_request.head.repo.full_name}}
- name: Terraform min/max versions
id: minMax
uses: clowdhaus/terraform-min-max@v2.1.0
- name: Hide template dir
# Special to this repo, we don't want to check this dir
if: ${{ github.repository == 'terraform-aws-modules/terraform-aws-security-group' }}
run: rm -rf modules/_templates
uses: clowdhaus/terraform-min-max@v1.2.0
- name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.0
with:
terraform-version: ${{ steps.minMax.outputs.maxVersion }}
tflint-version: ${{ env.TFLINT_VERSION }}
terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
install-hcledit: true
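Review bot: The checkout step at L158-L163 fetches `github.event.pull_request.head.ref` from `github.event.pull_request.head.repo.full_name`, i.e. fork-supplied code that the following pre-commit step then executes via the checked-out hook configuration; that is only acceptable when the job is triggered by `pull_request` (read-only token, no secrets) and not `pull_request_target`, and the trigger under `on:` is only partly visible here (L35-L36), so please confirm it and add `persist-credentials: false` to that checkout either way, as the release workflow already does. Every third-party action in this file is referenced by a mutable tag (`actions/checkout@v3`, `clowdhaus/terraform-min-max@v1.2.0`, `clowdhaus/terraform-composite-actions/pre-commit@v1.8.0`, and the same pattern in the lock, semantic-pull-request, release and stale workflows on this page); pin each to its full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v3`, so a retagged release cannot change what runs with the job's token. The `${{github.event.pull_request.head.repo.full_name}}` expression on L163 also drops the inner spaces used everywhere else in the file, `repository: ${{ github.event.pull_request.head.repo.full_name }}`.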


@ -4,7 +4,6 @@ on:
workflow_dispatch:
push:
branches:
- main
- master
paths:
- '**/*.tpl'
@ -20,26 +19,18 @@ jobs:
if: github.repository_owner == 'terraform-aws-modules'
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v3
with:
persist-credentials: false
fetch-depth: 0
- name: Set correct Node.js version
uses: actions/setup-node@v6
with:
node-version: 24
- name: Install dependencies
run: |
npm install \
@semantic-release/changelog@6.0.3 \
@semantic-release/git@10.0.1 \
conventional-changelog-conventionalcommits@9.1.0
- name: Release
uses: cycjimmy/semantic-release-action@v5
uses: cycjimmy/semantic-release-action@v3
with:
semantic_version: 25.0.0
semantic_version: 18.0.0
extra_plugins: |
@semantic-release/changelog@6.0.0
@semantic-release/git@10.0.0
conventional-changelog-conventionalcommits@4.6.3
env:
GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
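Review bot: The `Release` step at L210-L221 pushes with a personal token from `secrets.SEMANTIC_RELEASE_TOKEN` instead of the job's `GITHUB_TOKEN`, and nothing in the file says why or how that token is scoped; a comment above `env:` such as `# PAT rather than GITHUB_TOKEN — presumably so the release commit/tag can trigger follow-on workflows; confirm, and keep the token scoped to this repository only` would let the next maintainer keep it least-privilege. The `extra_plugins` list on L216-L219 pins exact versions, which is the right shape given the token that step holds.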


@ -7,7 +7,7 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v10
- uses: actions/stale@v6
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
# Staling issues and PR's

.gitignore vendored

@ -1,13 +1,13 @@
# Local .terraform directories
**/.terraform/*
# Terraform lockfile
.terraform.lock.hcl
# .tfstate files
*.tfstate
*.tfstate.*
# terraform lockfile
.terraform.lock.hcl
# Crash log files
crash.log
@ -15,6 +15,7 @@ crash.log
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
#
*.tfvars
# Ignore override files as they are usually used to override resources locally and so
@ -24,16 +25,13 @@ override.tf.json
*_override.tf
*_override.tf.json
# Include override files you do wish to add to version control using negated pattern
#
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc
terraform.rc
# Lambda build artifacts
builds/
__pycache__/
*.zip
.tox
# Local editors/macos files
.DS_Store
.idea


@ -1,9 +1,9 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.103.0
rev: v1.80.0
hooks:
- id: terraform_fmt
- id: terraform_wrapper_module_for_each
- id: terraform_validate
- id: terraform_docs
args:
- '--args=--lockfile=false'
@ -22,10 +22,8 @@ repos:
- '--args=--only=terraform_required_providers'
- '--args=--only=terraform_standard_module_structure'
- '--args=--only=terraform_workspace_remote'
- id: terraform_validate
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v6.0.0
rev: v4.4.0
hooks:
- id: check-merge-conflict
- id: end-of-file-fixer
- id: trailing-whitespace


@ -2,70 +2,6 @@
All notable changes to this project will be documented in this file.
## [4.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.2.0...v4.2.1) (2025-10-21)
### Bug Fixes
* Update CI workflow versions to latest ([#40](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/40)) ([5deff22](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/5deff22cf4c471ce824c016687c3b933cd8b783c))
## [4.2.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.1.0...v4.2.0) (2025-10-14)
### Features
* Support `default_auth_scheme` ([#39](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/39)) ([c2073a0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/c2073a031c947270dac3f17c7f76e2996cd1b5b1))
## [4.1.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.0.0...v4.1.0) (2025-10-01)
### Features
* Add Terragrunt wrappers ([#38](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/38)) ([33b43c7](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/33b43c72abdad0b01655238d844e56dabca5e6d4))
## [4.0.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.2.1...v4.0.0) (2025-09-16)
### ⚠ BREAKING CHANGES
* Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively (#34)
### Features
* Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively ([#34](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/34)) ([47c0fca](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/47c0fcad4b3e40ef112544028dba1a4c10ee50dc))
## [3.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.2.0...v3.2.1) (2025-05-22)
### Bug Fixes
* Correct service principal to rds.amazonaws.com (incl China) ([#32](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/32)) ([bbbf50c](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/bbbf50ce8734f05d4ac69fa41c23c88094b82356))
## [3.2.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.1.1...v3.2.0) (2024-11-19)
### Features
* Add CloudWatch log group name to outputs ([#28](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/28)) ([0fc0e19](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/0fc0e19e642a2fdcd8f546bf219f78b5db252c65))
### Bug Fixes
* Update CI workflow versions to latest ([#27](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/27)) ([b6f22be](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/b6f22becf63614f365e72a81151c1955ab0d4df3))
## [3.1.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.1.0...v3.1.1) (2024-03-06)
### Bug Fixes
* Update CI workflow versions to remove deprecated runtime warnings ([#26](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/26)) ([a31a810](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/a31a81097b9828776e91864973783d0e9530e12d))
## [3.1.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.0.0...v3.1.0) (2023-08-30)
### Features
* Add IAM role output ([#22](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/22)) ([d18ae45](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/d18ae45d9ebf8253f7144e6bdc6ef39af9a4863f))
## [3.0.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v2.1.2...v3.0.0) (2023-06-09)


@ -52,24 +52,24 @@ module "rds_proxy" {
Examples codified under the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module(s). If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
- [IAM auth. w/ MySQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql-iam-cluster)
- [IAM auth. w/ MySQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql-iam-instance)
- [IAM auth. w/ PostgreSQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-cluster)
- [IAM auth. w/ PostgreSQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-instance)
- [IAM auth. w/ MySQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql_iam_cluster)
- [IAM auth. w/ MySQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql_iam_instance)
- [IAM auth. w/ PostgreSQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql_iam_cluster)
- [IAM auth. w/ PostgreSQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql_iam_instance)
<!-- BEGIN_TF_DOCS -->
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
## Modules
@ -91,13 +91,12 @@ No modules.
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_service_principal.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_auth"></a> [auth](#input\_auth) | Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters | <pre>map(object({<br/> auth_scheme = optional(string)<br/> client_password_auth_type = optional(string)<br/> description = optional(string)<br/> iam_auth = optional(string)<br/> secret_arn = optional(string)<br/> username = optional(string)<br/> }))</pre> | <pre>{<br/> "default": {<br/> "auth_scheme": "SECRETS"<br/> }<br/>}</pre> | no |
| <a name="input_auth"></a> [auth](#input\_auth) | Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters | `any` | `{}` | no |
| <a name="input_connection_borrow_timeout"></a> [connection\_borrow\_timeout](#input\_connection\_borrow\_timeout) | The number of seconds for a proxy to wait for a connection to become available in the connection pool | `number` | `null` | no |
| <a name="input_create"></a> [create](#input\_create) | Whether cluster should be created (affects nearly all resources) | `bool` | `true` | no |
| <a name="input_create_iam_policy"></a> [create\_iam\_policy](#input\_create\_iam\_policy) | Determines whether an IAM policy is created | `bool` | `true` | no |
@ -105,8 +104,7 @@ No modules.
| <a name="input_db_cluster_identifier"></a> [db\_cluster\_identifier](#input\_db\_cluster\_identifier) | DB cluster identifier | `string` | `""` | no |
| <a name="input_db_instance_identifier"></a> [db\_instance\_identifier](#input\_db\_instance\_identifier) | DB instance identifier | `string` | `""` | no |
| <a name="input_debug_logging"></a> [debug\_logging](#input\_debug\_logging) | Whether the proxy includes detailed information about SQL statements in its logs | `bool` | `false` | no |
| <a name="input_default_auth_scheme"></a> [default\_auth\_scheme](#input\_default\_auth\_scheme) | Default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are NONE and IAM\_AUTH. Defaults to NONE | `string` | `null` | no |
| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | Map of DB proxy endpoints to create and their attributes | <pre>map(object({<br/> name = optional(string)<br/> vpc_subnet_ids = list(string)<br/> vpc_security_group_ids = optional(list(string))<br/> target_role = optional(string)<br/> tags = optional(map(string), {})<br/> }))</pre> | `{}` | no |
| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`) | `any` | `{}` | no |
| <a name="input_engine_family"></a> [engine\_family](#input\_engine\_family) | The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL` | `string` | `""` | no |
| <a name="input_iam_policy_name"></a> [iam\_policy\_name](#input\_iam\_policy\_name) | The name of the role policy. If omitted, Terraform will assign a random, unique name | `string` | `""` | no |
| <a name="input_iam_role_description"></a> [iam\_role\_description](#input\_iam\_role\_description) | The description of the role | `string` | `""` | no |
@ -119,7 +117,6 @@ No modules.
| <a name="input_idle_client_timeout"></a> [idle\_client\_timeout](#input\_idle\_client\_timeout) | The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it | `number` | `1800` | no |
| <a name="input_init_query"></a> [init\_query](#input\_init\_query) | One or more SQL statements for the proxy to run when opening each new database connection | `string` | `""` | no |
| <a name="input_kms_key_arns"></a> [kms\_key\_arns](#input\_kms\_key\_arns) | List of KMS Key ARNs to allow access to decrypt SecretsManager secrets | `list(string)` | `[]` | no |
| <a name="input_log_group_class"></a> [log\_group\_class](#input\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no |
| <a name="input_log_group_kms_key_id"></a> [log\_group\_kms\_key\_id](#input\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
| <a name="input_log_group_retention_in_days"></a> [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the log group | `number` | `30` | no |
| <a name="input_log_group_tags"></a> [log\_group\_tags](#input\_log\_group\_tags) | A map of tags to apply to the CloudWatch log group | `map(string)` | `{}` | no |
@ -128,7 +125,6 @@ No modules.
| <a name="input_max_idle_connections_percent"></a> [max\_idle\_connections\_percent](#input\_max\_idle\_connections\_percent) | Controls how actively the proxy closes idle database connections in the connection pool | `number` | `50` | no |
| <a name="input_name"></a> [name](#input\_name) | The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens | `string` | `""` | no |
| <a name="input_proxy_tags"></a> [proxy\_tags](#input\_proxy\_tags) | A map of tags to apply to the RDS Proxy | `map(string)` | `{}` | no |
| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
| <a name="input_require_tls"></a> [require\_tls](#input\_require\_tls) | A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy | `bool` | `true` | no |
| <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager | `string` | `""` | no |
| <a name="input_session_pinning_filters"></a> [session\_pinning\_filters](#input\_session\_pinning\_filters) | Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection | `list(string)` | `[]` | no |
@ -145,11 +141,7 @@ No modules.
| Name | Description |
|------|-------------|
| <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager. |
| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | IAM role name |
| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
| <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
| <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
| <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
| <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -163,7 +155,7 @@ No modules.
| <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
<!-- END_TF_DOCS -->
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## License


@ -1,8 +1,6 @@
# Examples
# AWS RDS Proxy Terraform Examples
Please note - the examples provided serve two primary means:
1. Show users working examples of the various ways in which the module can be configured and features supported
2. A means of testing/validating module changes
Please do not mistake the examples provided as "best practices". It is up to users to consult the AWS service documentation for best practices, usage recommendations, etc.
- [IAM auth. w/ MySQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql_iam_cluster)
- [IAM auth. w/ MySQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql_iam_instance)
- [IAM auth. w/ PostgreSQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql_iam_cluster)
- [IAM auth. w/ PostgreSQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql_iam_instance)


@ -25,28 +25,28 @@ An EC2 instance configuration has been provided for use in validating the exampl
3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window
4. You should now be connected to the `example` database in the RDS instance via the AWS Proxy using IAM authentication
<!-- BEGIN_TF_DOCS -->
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 |
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 8.0 |
| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
## Resources
@ -64,7 +64,6 @@ No inputs.
|------|-------------|
| <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
| <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
| <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
| <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
| <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -78,6 +77,6 @@ No inputs.
| <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
<!-- END_TF_DOCS -->
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).


@ -69,7 +69,7 @@ module "rds_proxy" {
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 6.0"
version = "~> 5.0"
name = local.name
cidr = local.vpc_cidr
@ -84,7 +84,7 @@ module "vpc" {
module "rds" {
source = "terraform-aws-modules/rds-aurora/aws"
version = "~> 9.0"
version = "~> 8.0"
name = local.name
engine = "aurora-mysql"


@ -77,8 +77,3 @@ output "log_group_arn" {
description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
value = module.rds_proxy.log_group_arn
}
output "log_group_name" {
description = "The name of the CloudWatch log group"
value = module.rds_proxy.log_group_name
}


@ -1,10 +1,10 @@
terraform {
required_version = ">= 1.5.7"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 6.15"
version = ">= 5.0"
}
}
}


@ -25,31 +25,31 @@ An EC2 instance configuration has been provided for use in validating the exampl
3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window
4. You should now be connected to the `example` database in the Aurora cluster via the AWS Proxy using IAM authentication
<!-- BEGIN_TF_DOCS -->
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 |
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 5.0 |
| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
| <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
## Resources
@ -72,7 +72,6 @@ No inputs.
|------|-------------|
| <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
| <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
| <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
| <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
| <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -86,6 +85,6 @@ No inputs.
| <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
<!-- END_TF_DOCS -->
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

@ -61,7 +61,7 @@ module "rds_proxy" {
# Target RDS instance
target_db_instance = true
db_instance_identifier = module.rds.db_instance_identifier
db_instance_identifier = module.rds.db_instance_id
tags = local.tags
}
@ -82,7 +82,7 @@ resource "random_password" "password" {
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 6.0"
version = "~> 5.0"
name = local.name
cidr = local.vpc_cidr
@ -97,7 +97,7 @@ module "vpc" {
module "rds" {
source = "terraform-aws-modules/rds/aws"
version = "~> 6.0"
version = "~> 5.0"
username = local.db_username
password = local.db_password
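Review bot: `db_instance_identifier = module.rds.db_instance_id` binds the rds module's `db_instance_id` output to `aws_db_proxy_target`'s identifier argument, and with the `aws >= 5.0` constraint this example pins in its versions.tf that output is, if memory serves, the DBI resource ID (`db-…`) rather than the instance identifier on the 5.x provider series, so the target registration can fail or point at the wrong value. The same binding appears in the second example section at L788. The rds module exposes the identifier itself in later releases; `db_instance_identifier = module.rds.db_instance_identifier` would be the safer wiring if the pinned `~> 5.0` module version provides that output — confirm against its outputs before relying on it. The `module "rds"` block at the end of this section continues outside the hunk.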

@ -77,8 +77,3 @@ output "log_group_arn" {
description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
value = module.rds_proxy.log_group_arn
}
output "log_group_name" {
description = "The name of the CloudWatch log group"
value = module.rds_proxy.log_group_name
}

@ -1,10 +1,10 @@
terraform {
required_version = ">= 1.5.7"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 6.15"
version = ">= 5.0"
}
random = {
source = "hashicorp/random"

@ -25,28 +25,28 @@ An EC2 instance configuration has been provided for use in validating the exampl
3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window - NOTE: remove the string escape slashes `psql \"host...` -> `psql "host...`
4. You should now be connected to the `example` database in the RDS instance via the AWS Proxy using IAM authentication
<!-- BEGIN_TF_DOCS -->
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 |
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 8.0 |
| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
## Resources
@ -63,11 +63,7 @@ No inputs.
| Name | Description |
|------|-------------|
| <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the role proxy uses to access secrets |
| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | The name of the role proxy uses to access secrets |
| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the role proxy uses to access secrets |
| <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
| <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
| <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
| <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -81,6 +77,6 @@ No inputs.
| <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
<!-- END_TF_DOCS -->
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

@ -69,7 +69,7 @@ module "rds_proxy" {
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 6.0"
version = "~> 5.0"
name = local.name
cidr = local.vpc_cidr
@ -84,11 +84,11 @@ module "vpc" {
module "rds" {
source = "terraform-aws-modules/rds-aurora/aws"
version = "~> 9.0"
version = "~> 8.0"
name = local.name
engine = "aurora-postgresql"
engine_version = "17.5"
engine_version = "14.7"
master_username = "root"
# When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM

@ -77,24 +77,3 @@ output "log_group_arn" {
description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
value = module.rds_proxy.log_group_arn
}
output "log_group_name" {
description = "The name of the CloudWatch log group"
value = module.rds_proxy.log_group_name
}
# IAM role
output "iam_role_arn" {
description = "The Amazon Resource Name (ARN) specifying the role proxy uses to access secrets"
value = module.rds_proxy.iam_role_arn
}
output "iam_role_name" {
description = "The name of the role proxy uses to access secrets"
value = module.rds_proxy.iam_role_name
}
output "iam_role_unique_id" {
description = "Stable and unique string identifying the role proxy uses to access secrets"
value = module.rds_proxy.iam_role_unique_id
}

@ -1,10 +1,10 @@
terraform {
required_version = ">= 1.5.7"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 6.15"
version = ">= 5.0"
}
}
}

@ -25,31 +25,31 @@ An EC2 instance configuration has been provided for use in validating the exampl
3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window - NOTE: remove the string escape slashes `psql \"host...` -> `psql "host...`
4. You should now be connected to the `example` database in the Aurora cluster via the AWS Proxy using IAM authentication
<!-- BEGIN_TF_DOCS -->
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 |
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 5.0 |
| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
| <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
## Resources
@ -72,7 +72,6 @@ No inputs.
|------|-------------|
| <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
| <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
| <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
| <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
| <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -86,6 +85,6 @@ No inputs.
| <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
<!-- END_TF_DOCS -->
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

@ -61,7 +61,7 @@ module "rds_proxy" {
# Target RDS instance
target_db_instance = true
db_instance_identifier = module.rds.db_instance_identifier
db_instance_identifier = module.rds.db_instance_id
tags = local.tags
}
@ -82,7 +82,7 @@ resource "random_password" "password" {
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 6.0"
version = "~> 5.0"
name = local.name
cidr = local.vpc_cidr
@ -97,7 +97,7 @@ module "vpc" {
module "rds" {
source = "terraform-aws-modules/rds/aws"
version = "~> 6.0"
version = "~> 5.0"
username = local.db_username
password = local.db_password

@ -77,8 +77,3 @@ output "log_group_arn" {
description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
value = module.rds_proxy.log_group_arn
}
output "log_group_name" {
description = "The name of the CloudWatch log group"
value = module.rds_proxy.log_group_name
}

@ -1,10 +1,10 @@
terraform {
required_version = ">= 1.5.7"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 6.15"
version = ">= 5.0"
}
random = {
source = "hashicorp/random"

106
main.tf
@ -1,3 +1,12 @@
locals {
role_arn = var.create && var.create_iam_role ? aws_iam_role.this[0].arn : var.role_arn
role_name = coalesce(var.iam_role_name, var.name)
policy_name = coalesce(var.iam_policy_name, var.name)
}
data "aws_region" "current" {}
data "aws_partition" "current" {}
################################################################################
# RDS Proxy
################################################################################
@ -5,28 +14,25 @@
resource "aws_db_proxy" "this" {
count = var.create ? 1 : 0
region = var.region
dynamic "auth" {
for_each = var.auth
content {
auth_scheme = auth.value.auth_scheme
client_password_auth_type = auth.value.client_password_auth_type
description = auth.value.description
iam_auth = auth.value.iam_auth
secret_arn = auth.value.secret_arn
username = auth.value.username
auth_scheme = try(auth.value.auth_scheme, "SECRETS")
client_password_auth_type = try(auth.value.client_password_auth_type, null)
description = try(auth.value.description, null)
iam_auth = try(auth.value.iam_auth, null)
secret_arn = try(auth.value.secret_arn, null)
username = try(auth.value.username, null)
}
}
debug_logging = var.debug_logging
default_auth_scheme = var.default_auth_scheme
engine_family = var.engine_family
idle_client_timeout = var.idle_client_timeout
name = var.name
require_tls = var.require_tls
role_arn = try(aws_iam_role.this[0].arn, var.role_arn)
role_arn = local.role_arn
vpc_security_group_ids = var.vpc_security_group_ids
vpc_subnet_ids = var.vpc_subnet_ids
@ -35,15 +41,9 @@ resource "aws_db_proxy" "this" {
depends_on = [aws_cloudwatch_log_group.this]
}
################################################################################
# Default Target Group
################################################################################
resource "aws_db_proxy_default_target_group" "this" {
count = var.create ? 1 : 0
region = var.region
db_proxy_name = aws_db_proxy.this[0].name
connection_pool_config {
@ -55,15 +55,9 @@ resource "aws_db_proxy_default_target_group" "this" {
}
}
################################################################################
# Target(s)
################################################################################
resource "aws_db_proxy_target" "db_instance" {
count = var.create && var.target_db_instance ? 1 : 0
region = var.region
db_proxy_name = aws_db_proxy.this[0].name
target_group_name = aws_db_proxy_default_target_group.this[0].name
db_instance_identifier = var.db_instance_identifier
@ -72,44 +66,33 @@ resource "aws_db_proxy_target" "db_instance" {
resource "aws_db_proxy_target" "db_cluster" {
count = var.create && var.target_db_cluster ? 1 : 0
region = var.region
db_proxy_name = aws_db_proxy.this[0].name
target_group_name = aws_db_proxy_default_target_group.this[0].name
db_cluster_identifier = var.db_cluster_identifier
}
################################################################################
# Endpoint(s)
################################################################################
resource "aws_db_proxy_endpoint" "this" {
for_each = { for k, v in var.endpoints : k => v if var.create }
region = var.region
db_proxy_name = aws_db_proxy.this[0].name
db_proxy_endpoint_name = coalesce(each.value.name, each.key)
db_proxy_endpoint_name = each.value.name
vpc_subnet_ids = each.value.vpc_subnet_ids
vpc_security_group_ids = each.value.vpc_security_group_ids
target_role = each.value.target_role
vpc_security_group_ids = lookup(each.value, "vpc_security_group_ids", null)
target_role = lookup(each.value, "target_role", null)
tags = merge(var.tags, each.value.tags)
tags = lookup(each.value, "tags", var.tags)
}
################################################################################
# CloudWatch Log Group
# CloudWatch Logs
################################################################################
resource "aws_cloudwatch_log_group" "this" {
count = var.create && var.manage_log_group ? 1 : 0
region = var.region
name = "/aws/rds/proxy/${var.name}"
retention_in_days = var.log_group_retention_in_days
kms_key_id = var.log_group_kms_key_id
log_group_class = var.log_group_class
tags = merge(var.tags, var.log_group_tags)
}
@ -118,37 +101,8 @@ resource "aws_cloudwatch_log_group" "this" {
# IAM Role
################################################################################
locals {
create_iam_role = var.create && var.create_iam_role
role_name = coalesce(var.iam_role_name, var.name)
policy_name = coalesce(var.iam_policy_name, var.name)
partition = try(data.aws_partition.current[0].partition, "aws")
dns_suffix = try(data.aws_partition.current[0].dns_suffix, "amazonaws.com")
region = try(data.aws_region.current[0].region, var.region)
}
data "aws_region" "current" {
count = local.create_iam_role ? 1 : 0
region = var.region
}
data "aws_partition" "current" {
count = local.create_iam_role ? 1 : 0
}
data "aws_service_principal" "rds" {
count = local.create_iam_role ? 1 : 0
service_name = "rds"
region = data.aws_region.current[0].region
}
data "aws_iam_policy_document" "assume_role" {
count = local.create_iam_role ? 1 : 0
count = var.create && var.create_iam_role ? 1 : 0
statement {
sid = "RDSAssume"
@ -157,13 +111,13 @@ data "aws_iam_policy_document" "assume_role" {
principals {
type = "Service"
identifiers = [data.aws_service_principal.rds[0].name]
identifiers = ["rds.${data.aws_partition.current.dns_suffix}"]
}
}
}
resource "aws_iam_role" "this" {
count = local.create_iam_role ? 1 : 0
count = var.create && var.create_iam_role ? 1 : 0
name = var.use_role_name_prefix ? null : local.role_name
name_prefix = var.use_role_name_prefix ? "${local.role_name}-" : null
@ -178,12 +132,8 @@ resource "aws_iam_role" "this" {
tags = merge(var.tags, var.iam_role_tags)
}
################################################################################
# IAM Role Policy
################################################################################
data "aws_iam_policy_document" "this" {
count = local.create_iam_role && var.create_iam_policy ? 1 : 0
count = var.create && var.create_iam_role && var.create_iam_policy ? 1 : 0
statement {
sid = "DecryptSecrets"
@ -191,14 +141,14 @@ data "aws_iam_policy_document" "this" {
actions = ["kms:Decrypt"]
resources = coalescelist(
var.kms_key_arns,
["arn:${local.partition}:kms:*:*:key/*"]
["arn:${data.aws_partition.current.partition}:kms:*:*:key/*"]
)
condition {
test = "StringEquals"
variable = "kms:ViaService"
values = [
"secretsmanager.${local.region}.${local.dns_suffix}"
"secretsmanager.${data.aws_region.current.name}.${data.aws_partition.current.dns_suffix}"
]
}
}
@ -228,7 +178,7 @@ data "aws_iam_policy_document" "this" {
}
resource "aws_iam_role_policy" "this" {
count = local.create_iam_role && var.create_iam_policy ? 1 : 0
count = var.create && var.create_iam_role && var.create_iam_policy ? 1 : 0
name = var.use_policy_name_prefix ? null : local.policy_name
name_prefix = var.use_policy_name_prefix ? "${local.policy_name}-" : null
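Review bot: `tags = lookup(each.value, "tags", var.tags)` in `aws_db_proxy_endpoint.this` replaces the module-wide tags rather than extending them: an endpoint that supplies its own `tags` map loses every key in `var.tags`, which is inconsistent with `aws_cloudwatch_log_group.this` and `aws_iam_role.this` in the same file, both of which use `merge(var.tags, ...)`. Merging keeps tag-based cost allocation and ownership lookups uniform across the module's resources: `tags = merge(var.tags, lookup(each.value, "tags", {}))`. In the same resource `db_proxy_endpoint_name = each.value.name` is a hard attribute access while the neighbouring attributes go through `lookup(..., null)`, so with `var.endpoints` typed `any` a missing `name` fails with a bare attribute error; either a comment stating that `name` is the one required key, or `db_proxy_endpoint_name = lookup(each.value, "name", each.key)`, would make the contract explicit.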

@ -1,7 +1,4 @@
################################################################################
# RDS Proxy
################################################################################
output "proxy_id" {
description = "The ID for the proxy"
value = try(aws_db_proxy.this[0].id, null)
@ -17,10 +14,7 @@ output "proxy_endpoint" {
value = try(aws_db_proxy.this[0].endpoint, null)
}
################################################################################
# Default Target Group
################################################################################
# Proxy Default Target Group
output "proxy_default_target_group_id" {
description = "The ID for the default target group"
value = try(aws_db_proxy_default_target_group.this[0].id, null)
@ -36,10 +30,7 @@ output "proxy_default_target_group_name" {
value = try(aws_db_proxy_default_target_group.this[0].name, null)
}
################################################################################
# Target(s)
################################################################################
# Proxy Target
output "proxy_target_endpoint" {
description = "Hostname for the target RDS DB Instance. Only returned for `RDS_INSTANCE` type"
value = try(aws_db_proxy_target.db_instance[0].endpoint, aws_db_proxy_target.db_cluster[0].endpoint, null)
@ -75,44 +66,14 @@ output "proxy_target_type" {
value = try(aws_db_proxy_target.db_instance[0].type, aws_db_proxy_target.db_cluster[0].type, null)
}
################################################################################
# Endpoint(s)
################################################################################
# DB proxy endpoints
output "db_proxy_endpoints" {
description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
value = aws_db_proxy_endpoint.this
}
################################################################################
# CloudWatch Log Group
################################################################################
# CloudWatch logs
output "log_group_arn" {
description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
value = try(aws_cloudwatch_log_group.this[0].arn, null)
}
output "log_group_name" {
description = "The name of the CloudWatch log group"
value = try(aws_cloudwatch_log_group.this[0].name, null)
}
################################################################################
# IAM Role
################################################################################
output "iam_role_arn" {
description = "The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager."
value = try(aws_iam_role.this[0].arn, null)
}
output "iam_role_name" {
description = "IAM role name"
value = try(aws_iam_role.this[0].name, null)
}
output "iam_role_unique_id" {
description = "Stable and unique string identifying the IAM role"
value = try(aws_iam_role.this[0].unique_id, null)
}
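Review bot: The new side exposes no output for the IAM role the module creates — `iam_role_arn`, `iam_role_name` and `iam_role_unique_id` survive only on the old side of the last hunk — so a caller that leaves `create_iam_role` enabled has no handle on the role and cannot, for example, grant it `kms:Decrypt` in a customer-managed key policy or attach a narrower policy after setting `create_iam_policy` to false, which is exactly the least-privilege path the module's `kms_key_arns` and `create_iam_policy` inputs invite. `log_group_name` goes the same way, leaving only the ARN for the CloudWatch group. Re-adding an `output "iam_role_arn"` with `value = try(aws_iam_role.this[0].arn, null)` (and `output "iam_role_name"` with `try(aws_iam_role.this[0].name, null)`) keeps that wiring possible without callers reaching into module internals.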

@ -4,12 +4,6 @@ variable "create" {
default = true
}
variable "region" {
description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
type = string
default = null
}
variable "tags" {
description = "A map of tags to add to all resources"
type = map(string)
@ -28,19 +22,8 @@ variable "name" {
variable "auth" {
description = "Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters"
type = map(object({
auth_scheme = optional(string)
client_password_auth_type = optional(string)
description = optional(string)
iam_auth = optional(string)
secret_arn = optional(string)
username = optional(string)
}))
default = {
default = {
auth_scheme = "SECRETS"
}
}
type = any
default = {}
}
variable "debug_logging" {
@ -49,12 +32,6 @@ variable "debug_logging" {
default = false
}
variable "default_auth_scheme" {
description = "Default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are NONE and IAM_AUTH. Defaults to NONE"
type = string
default = null
}
variable "engine_family" {
description = "The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL`"
type = string
@ -97,10 +74,7 @@ variable "proxy_tags" {
default = {}
}
################################################################################
# Default Target Group
################################################################################
# Proxy Default Target Group
variable "connection_borrow_timeout" {
description = "The number of seconds for a proxy to wait for a connection to become available in the connection pool"
type = number
@ -131,10 +105,7 @@ variable "session_pinning_filters" {
default = []
}
################################################################################
# Target(s)
################################################################################
# Proxy Target
variable "target_db_instance" {
description = "Determines whether DB instance is targeted by proxy"
type = bool
@ -159,20 +130,11 @@ variable "db_cluster_identifier" {
default = ""
}
################################################################################
# Endpoint(s)
################################################################################
# Proxy endpoints
variable "endpoints" {
description = "Map of DB proxy endpoints to create and their attributes"
type = map(object({
name = optional(string)
vpc_subnet_ids = list(string)
vpc_security_group_ids = optional(list(string))
target_role = optional(string)
tags = optional(map(string), {})
}))
default = {}
description = "Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`)"
type = any
default = {}
}
################################################################################
@ -197,12 +159,6 @@ variable "log_group_kms_key_id" {
default = null
}
variable "log_group_class" {
description = "Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS`"
type = string
default = null
}
variable "log_group_tags" {
description = "A map of tags to apply to the CloudWatch log group"
type = map(string)
@ -267,10 +223,7 @@ variable "iam_role_tags" {
default = {}
}
################################################################################
# IAM Role Policy
################################################################################
# IAM Policy
variable "create_iam_policy" {
description = "Determines whether an IAM policy is created"
type = bool
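Review bot: `variable "auth"` is declared `type = any` with `default = {}`, so Terraform no longer checks the attribute names a caller passes; combined with the `try(auth.value.iam_auth, null)` fallbacks in main.tf, a misspelled key (say `iam_auth_type`) silently yields the provider default instead of `REQUIRED`, and the proxy ends up accepting password-only client connections with no plan-time signal. The `{}` default also renders an `aws_db_proxy` with no `auth` block at all, which as far as the provider schema goes is a required block, so the default is not a usable configuration on its own. A `validation` block can reject unknown keys while keeping the `any` type; `variable "endpoints"` later in this section has the same untyped shape and would benefit from the same treatment.

```hcl
variable "auth" {
  # … unchanged: description, type = any, default = {} …

  # Reject unknown attribute keys: with `type = any` Terraform does not check
  # them, and the try() fallbacks in main.tf would turn a typo into the
  # provider default (e.g. a misspelled `iam_auth` no longer requires IAM auth).
  validation {
    condition = alltrue([
      for entry in values(var.auth) :
      length(setsubtract(keys(entry), [
        "auth_scheme", "client_password_auth_type", "description",
        "iam_auth", "secret_arn", "username",
      ])) == 0
    ])
    error_message = "Each auth entry may only use the keys auth_scheme, client_password_auth_type, description, iam_auth, secret_arn and username."
  }
}
```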

@ -1,10 +1,10 @@
terraform {
required_version = ">= 1.5.7"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 6.15"
version = ">= 5.0"
}
}
}

@ -1,100 +0,0 @@
# Wrapper for the root module
The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt).
You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module.
This wrapper does not implement any extra functionality.
## Usage with Terragrunt
`terragrunt.hcl`:
```hcl
terraform {
source = "tfr:///terraform-aws-modules/rds-proxy/aws//wrappers"
# Alternative source:
# source = "git::git@github.com:terraform-aws-modules/terraform-aws-rds-proxy.git//wrappers?ref=master"
}
inputs = {
defaults = { # Default values
create = true
tags = {
Terraform = "true"
Environment = "dev"
}
}
items = {
my-item = {
# omitted... can be any argument supported by the module
}
my-second-item = {
# omitted... can be any argument supported by the module
}
# omitted...
}
}
```
## Usage with Terraform
```hcl
module "wrapper" {
source = "terraform-aws-modules/rds-proxy/aws//wrappers"
defaults = { # Default values
create = true
tags = {
Terraform = "true"
Environment = "dev"
}
}
items = {
my-item = {
# omitted... can be any argument supported by the module
}
my-second-item = {
# omitted... can be any argument supported by the module
}
# omitted...
}
}
```
## Example: Manage multiple S3 buckets in one Terragrunt layer
`eu-west-1/s3-buckets/terragrunt.hcl`:
```hcl
terraform {
source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers"
# Alternative source:
# source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master"
}
inputs = {
defaults = {
force_destroy = true
attach_elb_log_delivery_policy = true
attach_lb_log_delivery_policy = true
attach_deny_insecure_transport_policy = true
attach_require_latest_tls_policy = true
}
items = {
bucket1 = {
bucket = "my-random-bucket-1"
}
bucket2 = {
bucket = "my-random-bucket-2"
tags = {
Secure = "probably"
}
}
}
}
```

@ -1,52 +0,0 @@
module "wrapper" {
source = "../"
for_each = var.items
auth = try(each.value.auth, var.defaults.auth, {
default = {
auth_scheme = "SECRETS"
}
})
connection_borrow_timeout = try(each.value.connection_borrow_timeout, var.defaults.connection_borrow_timeout, null)
create = try(each.value.create, var.defaults.create, true)
create_iam_policy = try(each.value.create_iam_policy, var.defaults.create_iam_policy, true)
create_iam_role = try(each.value.create_iam_role, var.defaults.create_iam_role, true)
db_cluster_identifier = try(each.value.db_cluster_identifier, var.defaults.db_cluster_identifier, "")
db_instance_identifier = try(each.value.db_instance_identifier, var.defaults.db_instance_identifier, "")
debug_logging = try(each.value.debug_logging, var.defaults.debug_logging, false)
default_auth_scheme = try(each.value.default_auth_scheme, var.defaults.default_auth_scheme, null)
endpoints = try(each.value.endpoints, var.defaults.endpoints, {})
engine_family = try(each.value.engine_family, var.defaults.engine_family, "")
iam_policy_name = try(each.value.iam_policy_name, var.defaults.iam_policy_name, "")
iam_role_description = try(each.value.iam_role_description, var.defaults.iam_role_description, "")
iam_role_force_detach_policies = try(each.value.iam_role_force_detach_policies, var.defaults.iam_role_force_detach_policies, true)
iam_role_max_session_duration = try(each.value.iam_role_max_session_duration, var.defaults.iam_role_max_session_duration, 43200)
iam_role_name = try(each.value.iam_role_name, var.defaults.iam_role_name, "")
iam_role_path = try(each.value.iam_role_path, var.defaults.iam_role_path, null)
iam_role_permissions_boundary = try(each.value.iam_role_permissions_boundary, var.defaults.iam_role_permissions_boundary, null)
iam_role_tags = try(each.value.iam_role_tags, var.defaults.iam_role_tags, {})
idle_client_timeout = try(each.value.idle_client_timeout, var.defaults.idle_client_timeout, 1800)
init_query = try(each.value.init_query, var.defaults.init_query, "")
kms_key_arns = try(each.value.kms_key_arns, var.defaults.kms_key_arns, [])
log_group_class = try(each.value.log_group_class, var.defaults.log_group_class, null)
log_group_kms_key_id = try(each.value.log_group_kms_key_id, var.defaults.log_group_kms_key_id, null)
log_group_retention_in_days = try(each.value.log_group_retention_in_days, var.defaults.log_group_retention_in_days, 30)
log_group_tags = try(each.value.log_group_tags, var.defaults.log_group_tags, {})
manage_log_group = try(each.value.manage_log_group, var.defaults.manage_log_group, true)
max_connections_percent = try(each.value.max_connections_percent, var.defaults.max_connections_percent, 90)
max_idle_connections_percent = try(each.value.max_idle_connections_percent, var.defaults.max_idle_connections_percent, 50)
name = try(each.value.name, var.defaults.name, "")
proxy_tags = try(each.value.proxy_tags, var.defaults.proxy_tags, {})
region = try(each.value.region, var.defaults.region, null)
require_tls = try(each.value.require_tls, var.defaults.require_tls, true)
role_arn = try(each.value.role_arn, var.defaults.role_arn, "")
session_pinning_filters = try(each.value.session_pinning_filters, var.defaults.session_pinning_filters, [])
tags = try(each.value.tags, var.defaults.tags, {})
target_db_cluster = try(each.value.target_db_cluster, var.defaults.target_db_cluster, false)
target_db_instance = try(each.value.target_db_instance, var.defaults.target_db_instance, false)
use_policy_name_prefix = try(each.value.use_policy_name_prefix, var.defaults.use_policy_name_prefix, false)
use_role_name_prefix = try(each.value.use_role_name_prefix, var.defaults.use_role_name_prefix, false)
vpc_security_group_ids = try(each.value.vpc_security_group_ids, var.defaults.vpc_security_group_ids, [])
vpc_subnet_ids = try(each.value.vpc_subnet_ids, var.defaults.vpc_subnet_ids, [])
}

@ -1,5 +0,0 @@
output "wrapper" {
description = "Map of outputs of a wrapper."
value = module.wrapper
# sensitive = false # No sensitive module output found
}

@ -1,11 +0,0 @@
variable "defaults" {
description = "Map of default values which will be used for each item."
type = any
default = {}
}
variable "items" {
description = "Maps of items to create a wrapper from. Values are passed through to the module."
type = any
default = {}
}

@ -1,10 +0,0 @@
terraform {
required_version = ">= 1.5.7"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 6.15"
}
}
}