luciano/terraform-aws-rds-proxy
1
0
Fork 0
mirror of https://github.com/terraform-aws-modules/terraform-aws-rds-proxy.git synced 2025-12-17 16:31:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: luciano:master
Branches Tags
luciano:master
luciano:v4.2.1
luciano:v4.2.0
luciano:v4.1.0
luciano:v4.0.0
luciano:v3.2.1
luciano:v3.2.0
luciano:v3.1.1
luciano:v3.1.0
luciano:v3.0.0
luciano:v2.1.2
luciano:v2.1.1
luciano:v2.1.0
luciano:v2.0.1
luciano:v2.0.0
luciano:v1.0.2
luciano:v1.0.1
luciano:v1.0.0
..
compare: luciano:v3.1.1
Branches Tags
luciano:master
luciano:v4.2.1
luciano:v4.2.0
luciano:v4.1.0
luciano:v4.0.0
luciano:v3.2.1
luciano:v3.2.0
luciano:v3.1.1
luciano:v3.1.0
luciano:v3.0.0
luciano:v2.1.2
luciano:v2.1.1
luciano:v2.1.0
luciano:v2.0.1
luciano:v2.0.0
luciano:v1.0.2
luciano:v1.0.1
luciano:v1.0.0

No commits in common. "master" and "v3.1.1" have entirely different histories.
master ... v3.1.1

35 changed files with 147 additions and 605 deletions
Show stats Expand all files Collapse all files

2
.github/workflows/pr-title.yml vendored
View file

@ -14,7 +14,7 @@ jobs:
steps:
# Please look up the latest version from
# https://github.com/amannn/action-semantic-pull-request/releases
- uses: amannn/action-semantic-pull-request@v6.1.1
- uses: amannn/action-semantic-pull-request@v5.4.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:

111
.github/workflows/pre-commit.yml vendored
View file

@ -7,8 +7,8 @@ on:
- master
env:
TERRAFORM_DOCS_VERSION: v0.20.0
TFLINT_VERSION: v0.59.1
TERRAFORM_DOCS_VERSION: v0.16.0
TFLINT_VERSION: v0.50.3
jobs:
collectInputs:
@ -18,11 +18,11 @@ jobs:
directories: ${{ steps.dirs.outputs.directories }}
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v4
- name: Get root directories
id: dirs
uses: clowdhaus/terraform-composite-actions/directories@v1.14.0
uses: clowdhaus/terraform-composite-actions/directories@v1.9.0
preCommitMinVersions:
name: Min TF pre-commit
@ -32,49 +32,27 @@ jobs:
matrix:
directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
steps:
- name: Install rmz
uses: jaxxstorm/action-install-gh-release@v2.1.0
with:
repo: SUPERCILEX/fuc
asset-name: x86_64-unknown-linux-gnu-rmz
rename-to: rmz
chmod: 0755
extension-matching: disable
# https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
- name: Delete unnecessary files
- name: Delete huge unnecessary tools folder
run: |
formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
BEFORE=$(getAvailableSpace)
ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
rmz -f /opt/hostedtoolcache/CodeQL &
rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
rmz -f /opt/hostedtoolcache/PyPy &
rmz -f /opt/hostedtoolcache/Ruby &
rmz -f /opt/hostedtoolcache/go &
wait
AFTER=$(getAvailableSpace)
SAVED=$((AFTER-BEFORE))
echo "=> Saved $(formatByteCount $SAVED)"
rm -rf /opt/hostedtoolcache/CodeQL
rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk
rm -rf /opt/hostedtoolcache/Ruby
rm -rf /opt/hostedtoolcache/go
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v4
- name: Terraform min/max versions
id: minMax
uses: clowdhaus/terraform-min-max@v2.1.0
uses: clowdhaus/terraform-min-max@v1.3.0
with:
directory: ${{ matrix.directory }}
- name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
# Run only validate pre-commit check on min version supported
if: ${{ matrix.directory != '.' }}
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0
with:
terraform-version: ${{ steps.minMax.outputs.minVersion }}
tflint-version: ${{ env.TFLINT_VERSION }}
@ -83,7 +61,7 @@ jobs:
- name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
# Run only validate pre-commit check on min version supported
if: ${{ matrix.directory == '.' }}
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0
with:
terraform-version: ${{ steps.minMax.outputs.minVersion }}
tflint-version: ${{ env.TFLINT_VERSION }}
@ -94,73 +72,26 @@ jobs:
runs-on: ubuntu-latest
needs: collectInputs
steps:
- name: Install rmz
uses: jaxxstorm/action-install-gh-release@v2.1.0
with:
repo: SUPERCILEX/fuc
asset-name: x86_64-unknown-linux-gnu-rmz
rename-to: rmz
chmod: 0755
extension-matching: disable
# https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
- name: Delete unnecessary files
- name: Delete huge unnecessary tools folder
run: |
formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
BEFORE=$(getAvailableSpace)
ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
rmz -f /opt/hostedtoolcache/CodeQL &
rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
rmz -f /opt/hostedtoolcache/PyPy &
rmz -f /opt/hostedtoolcache/Ruby &
rmz -f /opt/hostedtoolcache/go &
sudo rmz -f /usr/local/lib/android &
if [[ ${{ github.repository }} == terraform-aws-modules/terraform-aws-security-group ]]; then
sudo rmz -f /usr/share/dotnet &
sudo rmz -f /usr/local/.ghcup &
sudo apt-get -qq remove -y 'azure-.*'
sudo apt-get -qq remove -y 'cpp-.*'
sudo apt-get -qq remove -y 'dotnet-runtime-.*'
sudo apt-get -qq remove -y 'google-.*'
sudo apt-get -qq remove -y 'libclang-.*'
sudo apt-get -qq remove -y 'libllvm.*'
sudo apt-get -qq remove -y 'llvm-.*'
sudo apt-get -qq remove -y 'mysql-.*'
sudo apt-get -qq remove -y 'postgresql-.*'
sudo apt-get -qq remove -y 'php.*'
sudo apt-get -qq remove -y 'temurin-.*'
sudo apt-get -qq remove -y kubectl firefox mono-devel
sudo apt-get -qq autoremove -y
sudo apt-get -qq clean
fi
wait
AFTER=$(getAvailableSpace)
SAVED=$((AFTER-BEFORE))
echo "=> Saved $(formatByteCount $SAVED)"
rm -rf /opt/hostedtoolcache/CodeQL
rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk
rm -rf /opt/hostedtoolcache/Ruby
rm -rf /opt/hostedtoolcache/go
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{github.event.pull_request.head.repo.full_name}}
- name: Terraform min/max versions
id: minMax
uses: clowdhaus/terraform-min-max@v2.1.0
- name: Hide template dir
# Special to this repo, we don't want to check this dir
if: ${{ github.repository == 'terraform-aws-modules/terraform-aws-security-group' }}
run: rm -rf modules/_templates
uses: clowdhaus/terraform-min-max@v1.3.0
- name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0
with:
terraform-version: ${{ steps.minMax.outputs.maxVersion }}
tflint-version: ${{ env.TFLINT_VERSION }}

22
.github/workflows/release.yml vendored
View file

@ -20,26 +20,18 @@ jobs:
if: github.repository_owner == 'terraform-aws-modules'
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
- name: Set correct Node.js version
uses: actions/setup-node@v6
with:
node-version: 24
- name: Install dependencies
run: |
npm install \
@semantic-release/changelog@6.0.3 \
@semantic-release/git@10.0.1 \
conventional-changelog-conventionalcommits@9.1.0
- name: Release
uses: cycjimmy/semantic-release-action@v5
uses: cycjimmy/semantic-release-action@v4
with:
semantic_version: 25.0.0
semantic_version: 23.0.2
extra_plugins: |
@semantic-release/changelog@6.0.3
@semantic-release/git@10.0.1
conventional-changelog-conventionalcommits@7.0.2
env:
GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}

2
.github/workflows/stale-actions.yaml vendored
View file

@ -7,7 +7,7 @@ jobs:
stale:
runs-on: ubuntu-latest
steps:
- uses: actions/stale@v10
- uses: actions/stale@v9
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
# Staling issues and PR's

24
.gitignore vendored
View file

@ -1,13 +1,13 @@
# Local .terraform directories
**/.terraform/*
# Terraform lockfile
.terraform.lock.hcl
# .tfstate files
*.tfstate
*.tfstate.*
# terraform lockfile
.terraform.lock.hcl
# Crash log files
crash.log
@ -15,6 +15,7 @@ crash.log
# password, private keys, and other secrets. These should not be part of version
# control as they are data points which are potentially sensitive and subject
# to change depending on the environment.
#
*.tfvars
# Ignore override files as they are usually used to override resources locally and so
@ -24,16 +25,13 @@ override.tf.json
*_override.tf
*_override.tf.json
# Include override files you do wish to add to version control using negated pattern
#
# !example_override.tf
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
# example: *tfplan*
# Ignore CLI configuration files
.terraformrc
terraform.rc
# Lambda build artifacts
builds/
__pycache__/
*.zip
.tox
# Local editors/macos files
.DS_Store
.idea

6
.pre-commit-config.yaml
View file

@ -1,9 +1,8 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.103.0
rev: v1.88.0
hooks:
- id: terraform_fmt
- id: terraform_wrapper_module_for_each
- id: terraform_docs
args:
- '--args=--lockfile=false'
@ -22,9 +21,10 @@ repos:
- '--args=--only=terraform_required_providers'
- '--args=--only=terraform_standard_module_structure'
- '--args=--only=terraform_workspace_remote'
- '--args=--only=terraform_unused_required_providers'
- id: terraform_validate
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v6.0.0
rev: v4.5.0
hooks:
- id: check-merge-conflict
- id: end-of-file-fixer

50
CHANGELOG.md
View file

@ -2,56 +2,6 @@
All notable changes to this project will be documented in this file.
## [4.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.2.0...v4.2.1) (2025-10-21)
### Bug Fixes
* Update CI workflow versions to latest ([#40](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/40)) ([5deff22](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/5deff22cf4c471ce824c016687c3b933cd8b783c))
## [4.2.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.1.0...v4.2.0) (2025-10-14)
### Features
* Support `default_auth_scheme` ([#39](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/39)) ([c2073a0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/c2073a031c947270dac3f17c7f76e2996cd1b5b1))
## [4.1.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.0.0...v4.1.0) (2025-10-01)
### Features
* Add Terragrunt wrappers ([#38](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/38)) ([33b43c7](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/33b43c72abdad0b01655238d844e56dabca5e6d4))
## [4.0.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.2.1...v4.0.0) (2025-09-16)
### ⚠ BREAKING CHANGES
* Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively (#34)
### Features
* Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively ([#34](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/34)) ([47c0fca](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/47c0fcad4b3e40ef112544028dba1a4c10ee50dc))
## [3.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.2.0...v3.2.1) (2025-05-22)
### Bug Fixes
* Correct service principal to rds.amazonaws.com (incl China) ([#32](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/32)) ([bbbf50c](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/bbbf50ce8734f05d4ac69fa41c23c88094b82356))
## [3.2.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.1.1...v3.2.0) (2024-11-19)
### Features
* Add CloudWatch log group name to outputs ([#28](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/28)) ([0fc0e19](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/0fc0e19e642a2fdcd8f546bf219f78b5db252c65))
### Bug Fixes
* Update CI workflow versions to latest ([#27](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/27)) ([b6f22be](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/b6f22becf63614f365e72a81151c1955ab0d4df3))
## [3.1.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.1.0...v3.1.1) (2024-03-06)

19
README.md
View file

@ -57,19 +57,19 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
- [IAM auth. w/ PostgreSQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-cluster)
- [IAM auth. w/ PostgreSQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-instance)
<!-- BEGIN_TF_DOCS -->
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
## Modules
@ -91,13 +91,12 @@ No modules.
| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_service_principal.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_auth"></a> [auth](#input\_auth) | Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters | <pre>map(object({<br/> auth_scheme = optional(string)<br/> client_password_auth_type = optional(string)<br/> description = optional(string)<br/> iam_auth = optional(string)<br/> secret_arn = optional(string)<br/> username = optional(string)<br/> }))</pre> | <pre>{<br/> "default": {<br/> "auth_scheme": "SECRETS"<br/> }<br/>}</pre> | no |
| <a name="input_auth"></a> [auth](#input\_auth) | Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters | `any` | `{}` | no |
| <a name="input_connection_borrow_timeout"></a> [connection\_borrow\_timeout](#input\_connection\_borrow\_timeout) | The number of seconds for a proxy to wait for a connection to become available in the connection pool | `number` | `null` | no |
| <a name="input_create"></a> [create](#input\_create) | Whether cluster should be created (affects nearly all resources) | `bool` | `true` | no |
| <a name="input_create_iam_policy"></a> [create\_iam\_policy](#input\_create\_iam\_policy) | Determines whether an IAM policy is created | `bool` | `true` | no |
@ -105,8 +104,7 @@ No modules.
| <a name="input_db_cluster_identifier"></a> [db\_cluster\_identifier](#input\_db\_cluster\_identifier) | DB cluster identifier | `string` | `""` | no |
| <a name="input_db_instance_identifier"></a> [db\_instance\_identifier](#input\_db\_instance\_identifier) | DB instance identifier | `string` | `""` | no |
| <a name="input_debug_logging"></a> [debug\_logging](#input\_debug\_logging) | Whether the proxy includes detailed information about SQL statements in its logs | `bool` | `false` | no |
| <a name="input_default_auth_scheme"></a> [default\_auth\_scheme](#input\_default\_auth\_scheme) | Default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are NONE and IAM\_AUTH. Defaults to NONE | `string` | `null` | no |
| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | Map of DB proxy endpoints to create and their attributes | <pre>map(object({<br/> name = optional(string)<br/> vpc_subnet_ids = list(string)<br/> vpc_security_group_ids = optional(list(string))<br/> target_role = optional(string)<br/> tags = optional(map(string), {})<br/> }))</pre> | `{}` | no |
| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`) | `any` | `{}` | no |
| <a name="input_engine_family"></a> [engine\_family](#input\_engine\_family) | The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL` | `string` | `""` | no |
| <a name="input_iam_policy_name"></a> [iam\_policy\_name](#input\_iam\_policy\_name) | The name of the role policy. If omitted, Terraform will assign a random, unique name | `string` | `""` | no |
| <a name="input_iam_role_description"></a> [iam\_role\_description](#input\_iam\_role\_description) | The description of the role | `string` | `""` | no |
@ -119,7 +117,6 @@ No modules.
| <a name="input_idle_client_timeout"></a> [idle\_client\_timeout](#input\_idle\_client\_timeout) | The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it | `number` | `1800` | no |
| <a name="input_init_query"></a> [init\_query](#input\_init\_query) | One or more SQL statements for the proxy to run when opening each new database connection | `string` | `""` | no |
| <a name="input_kms_key_arns"></a> [kms\_key\_arns](#input\_kms\_key\_arns) | List of KMS Key ARNs to allow access to decrypt SecretsManager secrets | `list(string)` | `[]` | no |
| <a name="input_log_group_class"></a> [log\_group\_class](#input\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no |
| <a name="input_log_group_kms_key_id"></a> [log\_group\_kms\_key\_id](#input\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
| <a name="input_log_group_retention_in_days"></a> [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the log group | `number` | `30` | no |
| <a name="input_log_group_tags"></a> [log\_group\_tags](#input\_log\_group\_tags) | A map of tags to apply to the CloudWatch log group | `map(string)` | `{}` | no |
@ -128,7 +125,6 @@ No modules.
| <a name="input_max_idle_connections_percent"></a> [max\_idle\_connections\_percent](#input\_max\_idle\_connections\_percent) | Controls how actively the proxy closes idle database connections in the connection pool | `number` | `50` | no |
| <a name="input_name"></a> [name](#input\_name) | The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens | `string` | `""` | no |
| <a name="input_proxy_tags"></a> [proxy\_tags](#input\_proxy\_tags) | A map of tags to apply to the RDS Proxy | `map(string)` | `{}` | no |
| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
| <a name="input_require_tls"></a> [require\_tls](#input\_require\_tls) | A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy | `bool` | `true` | no |
| <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager | `string` | `""` | no |
| <a name="input_session_pinning_filters"></a> [session\_pinning\_filters](#input\_session\_pinning\_filters) | Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection | `list(string)` | `[]` | no |
@ -149,7 +145,6 @@ No modules.
| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | IAM role name |
| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
| <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
| <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
| <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
| <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -163,7 +158,7 @@ No modules.
| <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
<!-- END_TF_DOCS -->
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## License

0
docs/UPGRADE-3.0.md → UPGRADE-3.0.md
View file

12
examples/README.md
View file

@ -1,8 +1,6 @@
# Examples
# AWS RDS Proxy Terraform Examples
Please note - the examples provided serve two primary means:
1. Show users working examples of the various ways in which the module can be configured and features supported
2. A means of testing/validating module changes
Please do not mistake the examples provided as "best practices". It is up to users to consult the AWS service documentation for best practices, usage recommendations, etc.
- [IAM auth. w/ MySQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql-iam-cluster)
- [IAM auth. w/ MySQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql-iam-instance)
- [IAM auth. w/ PostgreSQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-cluster)
- [IAM auth. w/ PostgreSQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-instance)

15
examples/mysql-iam-cluster/README.md
View file

@ -25,28 +25,28 @@ An EC2 instance configuration has been provided for use in validating the exampl
3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window
4. You should now be connected to the `example` database in the RDS instance via the AWS Proxy using IAM authentication
<!-- BEGIN_TF_DOCS -->
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 |
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 8.0 |
| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
## Resources
@ -64,7 +64,6 @@ No inputs.
|------|-------------|
| <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
| <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
| <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
| <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
| <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -78,6 +77,6 @@ No inputs.
| <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
<!-- END_TF_DOCS -->
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

4
examples/mysql-iam-cluster/main.tf
View file

@ -69,7 +69,7 @@ module "rds_proxy" {
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 6.0"
version = "~> 5.0"
name = local.name
cidr = local.vpc_cidr
@ -84,7 +84,7 @@ module "vpc" {
module "rds" {
source = "terraform-aws-modules/rds-aurora/aws"
version = "~> 9.0"
version = "~> 8.0"
name = local.name
engine = "aurora-mysql"

5
examples/mysql-iam-cluster/outputs.tf
View file

@ -77,8 +77,3 @@ output "log_group_arn" {
description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
value = module.rds_proxy.log_group_arn
}
output "log_group_name" {
description = "The name of the CloudWatch log group"
value = module.rds_proxy.log_group_name
}

4
examples/mysql-iam-cluster/versions.tf
View file

@ -1,10 +1,10 @@
terraform {
required_version = ">= 1.5.7"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 6.15"
version = ">= 5.0"
}
}
}

15
examples/mysql-iam-instance/README.md
View file

@ -25,31 +25,31 @@ An EC2 instance configuration has been provided for use in validating the exampl
3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window
4. You should now be connected to the `example` database in the Aurora cluster via the AWS Proxy using IAM authentication
<!-- BEGIN_TF_DOCS -->
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 |
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 5.0 |
| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
| <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
## Resources
@ -72,7 +72,6 @@ No inputs.
|------|-------------|
| <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
| <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
| <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
| <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
| <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -86,6 +85,6 @@ No inputs.
| <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
<!-- END_TF_DOCS -->
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

6
examples/mysql-iam-instance/main.tf
View file

@ -61,7 +61,7 @@ module "rds_proxy" {
# Target RDS instance
target_db_instance = true
db_instance_identifier = module.rds.db_instance_identifier
db_instance_identifier = module.rds.db_instance_id
tags = local.tags
}
@ -82,7 +82,7 @@ resource "random_password" "password" {
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 6.0"
version = "~> 5.0"
name = local.name
cidr = local.vpc_cidr
@ -97,7 +97,7 @@ module "vpc" {
module "rds" {
source = "terraform-aws-modules/rds/aws"
version = "~> 6.0"
version = "~> 5.0"
username = local.db_username
password = local.db_password

5
examples/mysql-iam-instance/outputs.tf
View file

@ -77,8 +77,3 @@ output "log_group_arn" {
description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
value = module.rds_proxy.log_group_arn
}
output "log_group_name" {
description = "The name of the CloudWatch log group"
value = module.rds_proxy.log_group_name
}

4
examples/mysql-iam-instance/versions.tf
View file

@ -1,10 +1,10 @@
terraform {
required_version = ">= 1.5.7"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 6.15"
version = ">= 5.0"
}
random = {
source = "hashicorp/random"

15
examples/postgresql-iam-cluster/README.md
View file

@ -25,28 +25,28 @@ An EC2 instance configuration has been provided for use in validating the exampl
3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window - NOTE: remove the string escape slashes `psql \"host...` -> `psql "host...`
4. You should now be connected to the `example` database in the RDS instance via the AWS Proxy using IAM authentication
<!-- BEGIN_TF_DOCS -->
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 |
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 8.0 |
| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
## Resources
@ -67,7 +67,6 @@ No inputs.
| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | The name of the role proxy uses to access secrets |
| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the role proxy uses to access secrets |
| <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
| <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
| <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
| <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -81,6 +80,6 @@ No inputs.
| <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
<!-- END_TF_DOCS -->
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

6
examples/postgresql-iam-cluster/main.tf
View file

@ -69,7 +69,7 @@ module "rds_proxy" {
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 6.0"
version = "~> 5.0"
name = local.name
cidr = local.vpc_cidr
@ -84,11 +84,11 @@ module "vpc" {
module "rds" {
source = "terraform-aws-modules/rds-aurora/aws"
version = "~> 9.0"
version = "~> 8.0"
name = local.name
engine = "aurora-postgresql"
engine_version = "17.5"
engine_version = "14.7"
master_username = "root"
# When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM

5
examples/postgresql-iam-cluster/outputs.tf
View file

@ -78,11 +78,6 @@ output "log_group_arn" {
value = module.rds_proxy.log_group_arn
}
output "log_group_name" {
description = "The name of the CloudWatch log group"
value = module.rds_proxy.log_group_name
}
# IAM role
output "iam_role_arn" {
description = "The Amazon Resource Name (ARN) specifying the role proxy uses to access secrets"

4
examples/postgresql-iam-cluster/versions.tf
View file

@ -1,10 +1,10 @@
terraform {
required_version = ">= 1.5.7"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 6.15"
version = ">= 5.0"
}
}
}

15
examples/postgresql-iam-instance/README.md
View file

@ -25,31 +25,31 @@ An EC2 instance configuration has been provided for use in validating the exampl
3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window - NOTE: remove the string escape slashes `psql \"host...` -> `psql "host...`
4. You should now be connected to the `example` database in the Aurora cluster via the AWS Proxy using IAM authentication
<!-- BEGIN_TF_DOCS -->
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
## Providers
| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
## Modules
| Name | Source | Version |
|------|--------|---------|
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 |
| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 5.0 |
| <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
| <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
## Resources
@ -72,7 +72,6 @@ No inputs.
|------|-------------|
| <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
| <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
| <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
| <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
| <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -86,6 +85,6 @@ No inputs.
| <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
| <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
<!-- END_TF_DOCS -->
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

6
examples/postgresql-iam-instance/main.tf
View file

@ -61,7 +61,7 @@ module "rds_proxy" {
# Target RDS instance
target_db_instance = true
db_instance_identifier = module.rds.db_instance_identifier
db_instance_identifier = module.rds.db_instance_id
tags = local.tags
}
@ -82,7 +82,7 @@ resource "random_password" "password" {
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 6.0"
version = "~> 5.0"
name = local.name
cidr = local.vpc_cidr
@ -97,7 +97,7 @@ module "vpc" {
module "rds" {
source = "terraform-aws-modules/rds/aws"
version = "~> 6.0"
version = "~> 5.0"
username = local.db_username
password = local.db_password

5
examples/postgresql-iam-instance/outputs.tf
View file

@ -77,8 +77,3 @@ output "log_group_arn" {
description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
value = module.rds_proxy.log_group_arn
}
output "log_group_name" {
description = "The name of the CloudWatch log group"
value = module.rds_proxy.log_group_name
}

4
examples/postgresql-iam-instance/versions.tf
View file

@ -1,10 +1,10 @@
terraform {
required_version = ">= 1.5.7"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 6.15"
version = ">= 5.0"
}
random = {
source = "hashicorp/random"

106
main.tf
View file

@ -1,3 +1,12 @@
locals {
role_arn = var.create && var.create_iam_role ? aws_iam_role.this[0].arn : var.role_arn
role_name = coalesce(var.iam_role_name, var.name)
policy_name = coalesce(var.iam_policy_name, var.name)
}
data "aws_region" "current" {}
data "aws_partition" "current" {}
################################################################################
# RDS Proxy
################################################################################
@ -5,28 +14,25 @@
resource "aws_db_proxy" "this" {
count = var.create ? 1 : 0
region = var.region
dynamic "auth" {
for_each = var.auth
content {
auth_scheme = auth.value.auth_scheme
client_password_auth_type = auth.value.client_password_auth_type
description = auth.value.description
iam_auth = auth.value.iam_auth
secret_arn = auth.value.secret_arn
username = auth.value.username
auth_scheme = try(auth.value.auth_scheme, "SECRETS")
client_password_auth_type = try(auth.value.client_password_auth_type, null)
description = try(auth.value.description, null)
iam_auth = try(auth.value.iam_auth, null)
secret_arn = try(auth.value.secret_arn, null)
username = try(auth.value.username, null)
}
}
debug_logging = var.debug_logging
default_auth_scheme = var.default_auth_scheme
engine_family = var.engine_family
idle_client_timeout = var.idle_client_timeout
name = var.name
require_tls = var.require_tls
role_arn = try(aws_iam_role.this[0].arn, var.role_arn)
role_arn = local.role_arn
vpc_security_group_ids = var.vpc_security_group_ids
vpc_subnet_ids = var.vpc_subnet_ids
@ -35,15 +41,9 @@ resource "aws_db_proxy" "this" {
depends_on = [aws_cloudwatch_log_group.this]
}
################################################################################
# Default Target Group
################################################################################
resource "aws_db_proxy_default_target_group" "this" {
count = var.create ? 1 : 0
region = var.region
db_proxy_name = aws_db_proxy.this[0].name
connection_pool_config {
@ -55,15 +55,9 @@ resource "aws_db_proxy_default_target_group" "this" {
}
}
################################################################################
# Target(s)
################################################################################
resource "aws_db_proxy_target" "db_instance" {
count = var.create && var.target_db_instance ? 1 : 0
region = var.region
db_proxy_name = aws_db_proxy.this[0].name
target_group_name = aws_db_proxy_default_target_group.this[0].name
db_instance_identifier = var.db_instance_identifier
@ -72,44 +66,33 @@ resource "aws_db_proxy_target" "db_instance" {
resource "aws_db_proxy_target" "db_cluster" {
count = var.create && var.target_db_cluster ? 1 : 0
region = var.region
db_proxy_name = aws_db_proxy.this[0].name
target_group_name = aws_db_proxy_default_target_group.this[0].name
db_cluster_identifier = var.db_cluster_identifier
}
################################################################################
# Endpoint(s)
################################################################################
resource "aws_db_proxy_endpoint" "this" {
for_each = { for k, v in var.endpoints : k => v if var.create }
region = var.region
db_proxy_name = aws_db_proxy.this[0].name
db_proxy_endpoint_name = coalesce(each.value.name, each.key)
db_proxy_endpoint_name = each.value.name
vpc_subnet_ids = each.value.vpc_subnet_ids
vpc_security_group_ids = each.value.vpc_security_group_ids
target_role = each.value.target_role
vpc_security_group_ids = lookup(each.value, "vpc_security_group_ids", null)
target_role = lookup(each.value, "target_role", null)
tags = merge(var.tags, each.value.tags)
tags = lookup(each.value, "tags", var.tags)
}
################################################################################
# CloudWatch Log Group
# CloudWatch Logs
################################################################################
resource "aws_cloudwatch_log_group" "this" {
count = var.create && var.manage_log_group ? 1 : 0
region = var.region
name = "/aws/rds/proxy/${var.name}"
retention_in_days = var.log_group_retention_in_days
kms_key_id = var.log_group_kms_key_id
log_group_class = var.log_group_class
tags = merge(var.tags, var.log_group_tags)
}
@ -118,37 +101,8 @@ resource "aws_cloudwatch_log_group" "this" {
# IAM Role
################################################################################
locals {
create_iam_role = var.create && var.create_iam_role
role_name = coalesce(var.iam_role_name, var.name)
policy_name = coalesce(var.iam_policy_name, var.name)
partition = try(data.aws_partition.current[0].partition, "aws")
dns_suffix = try(data.aws_partition.current[0].dns_suffix, "amazonaws.com")
region = try(data.aws_region.current[0].region, var.region)
}
data "aws_region" "current" {
count = local.create_iam_role ? 1 : 0
region = var.region
}
data "aws_partition" "current" {
count = local.create_iam_role ? 1 : 0
}
data "aws_service_principal" "rds" {
count = local.create_iam_role ? 1 : 0
service_name = "rds"
region = data.aws_region.current[0].region
}
data "aws_iam_policy_document" "assume_role" {
count = local.create_iam_role ? 1 : 0
count = var.create && var.create_iam_role ? 1 : 0
statement {
sid = "RDSAssume"
@ -157,13 +111,13 @@ data "aws_iam_policy_document" "assume_role" {
principals {
type = "Service"
identifiers = [data.aws_service_principal.rds[0].name]
identifiers = ["rds.${data.aws_partition.current.dns_suffix}"]
}
}
}
resource "aws_iam_role" "this" {
count = local.create_iam_role ? 1 : 0
count = var.create && var.create_iam_role ? 1 : 0
name = var.use_role_name_prefix ? null : local.role_name
name_prefix = var.use_role_name_prefix ? "${local.role_name}-" : null
@ -178,12 +132,8 @@ resource "aws_iam_role" "this" {
tags = merge(var.tags, var.iam_role_tags)
}
################################################################################
# IAM Role Policy
################################################################################
data "aws_iam_policy_document" "this" {
count = local.create_iam_role && var.create_iam_policy ? 1 : 0
count = var.create && var.create_iam_role && var.create_iam_policy ? 1 : 0
statement {
sid = "DecryptSecrets"
@ -191,14 +141,14 @@ data "aws_iam_policy_document" "this" {
actions = ["kms:Decrypt"]
resources = coalescelist(
var.kms_key_arns,
["arn:${local.partition}:kms:*:*:key/*"]
["arn:${data.aws_partition.current.partition}:kms:*:*:key/*"]
)
condition {
test = "StringEquals"
variable = "kms:ViaService"
values = [
"secretsmanager.${local.region}.${local.dns_suffix}"
"secretsmanager.${data.aws_region.current.name}.${data.aws_partition.current.dns_suffix}"
]
}
}
@ -228,7 +178,7 @@ data "aws_iam_policy_document" "this" {
}
resource "aws_iam_role_policy" "this" {
count = local.create_iam_role && var.create_iam_policy ? 1 : 0
count = var.create && var.create_iam_role && var.create_iam_policy ? 1 : 0
name = var.use_policy_name_prefix ? null : local.policy_name
name_prefix = var.use_policy_name_prefix ? "${local.policy_name}-" : null

33
outputs.tf
View file

@ -1,7 +1,4 @@
################################################################################
# RDS Proxy
################################################################################
output "proxy_id" {
description = "The ID for the proxy"
value = try(aws_db_proxy.this[0].id, null)
@ -17,10 +14,7 @@ output "proxy_endpoint" {
value = try(aws_db_proxy.this[0].endpoint, null)
}
################################################################################
# Default Target Group
################################################################################
# Proxy Default Target Group
output "proxy_default_target_group_id" {
description = "The ID for the default target group"
value = try(aws_db_proxy_default_target_group.this[0].id, null)
@ -36,10 +30,7 @@ output "proxy_default_target_group_name" {
value = try(aws_db_proxy_default_target_group.this[0].name, null)
}
################################################################################
# Target(s)
################################################################################
# Proxy Target
output "proxy_target_endpoint" {
description = "Hostname for the target RDS DB Instance. Only returned for `RDS_INSTANCE` type"
value = try(aws_db_proxy_target.db_instance[0].endpoint, aws_db_proxy_target.db_cluster[0].endpoint, null)
@ -75,33 +66,19 @@ output "proxy_target_type" {
value = try(aws_db_proxy_target.db_instance[0].type, aws_db_proxy_target.db_cluster[0].type, null)
}
################################################################################
# Endpoint(s)
################################################################################
# DB proxy endpoints
output "db_proxy_endpoints" {
description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
value = aws_db_proxy_endpoint.this
}
################################################################################
# CloudWatch Log Group
################################################################################
# CloudWatch logs
output "log_group_arn" {
description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
value = try(aws_cloudwatch_log_group.this[0].arn, null)
}
output "log_group_name" {
description = "The name of the CloudWatch log group"
value = try(aws_cloudwatch_log_group.this[0].name, null)
}
################################################################################
# IAM Role
################################################################################
# IAM role
output "iam_role_arn" {
description = "The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager."
value = try(aws_iam_role.this[0].arn, null)

65
variables.tf
View file

@ -4,12 +4,6 @@ variable "create" {
default = true
}
variable "region" {
description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
type = string
default = null
}
variable "tags" {
description = "A map of tags to add to all resources"
type = map(string)
@ -28,19 +22,8 @@ variable "name" {
variable "auth" {
description = "Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters"
type = map(object({
auth_scheme = optional(string)
client_password_auth_type = optional(string)
description = optional(string)
iam_auth = optional(string)
secret_arn = optional(string)
username = optional(string)
}))
default = {
default = {
auth_scheme = "SECRETS"
}
}
type = any
default = {}
}
variable "debug_logging" {
@ -49,12 +32,6 @@ variable "debug_logging" {
default = false
}
variable "default_auth_scheme" {
description = "Default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are NONE and IAM_AUTH. Defaults to NONE"
type = string
default = null
}
variable "engine_family" {
description = "The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL`"
type = string
@ -97,10 +74,7 @@ variable "proxy_tags" {
default = {}
}
################################################################################
# Default Target Group
################################################################################
# Proxy Default Target Group
variable "connection_borrow_timeout" {
description = "The number of seconds for a proxy to wait for a connection to become available in the connection pool"
type = number
@ -131,10 +105,7 @@ variable "session_pinning_filters" {
default = []
}
################################################################################
# Target(s)
################################################################################
# Proxy Target
variable "target_db_instance" {
description = "Determines whether DB instance is targeted by proxy"
type = bool
@ -159,20 +130,11 @@ variable "db_cluster_identifier" {
default = ""
}
################################################################################
# Endpoint(s)
################################################################################
# Proxy endpoints
variable "endpoints" {
description = "Map of DB proxy endpoints to create and their attributes"
type = map(object({
name = optional(string)
vpc_subnet_ids = list(string)
vpc_security_group_ids = optional(list(string))
target_role = optional(string)
tags = optional(map(string), {})
}))
default = {}
description = "Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`)"
type = any
default = {}
}
################################################################################
@ -197,12 +159,6 @@ variable "log_group_kms_key_id" {
default = null
}
variable "log_group_class" {
description = "Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS`"
type = string
default = null
}
variable "log_group_tags" {
description = "A map of tags to apply to the CloudWatch log group"
type = map(string)
@ -267,10 +223,7 @@ variable "iam_role_tags" {
default = {}
}
################################################################################
# IAM Role Policy
################################################################################
# IAM Policy
variable "create_iam_policy" {
description = "Determines whether an IAM policy is created"
type = bool

4
versions.tf
View file

@ -1,10 +1,10 @@
terraform {
required_version = ">= 1.5.7"
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 6.15"
version = ">= 5.0"
}
}
}

100
wrappers/README.md
View file

@ -1,100 +0,0 @@
# Wrapper for the root module
The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt).
You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module.
This wrapper does not implement any extra functionality.
## Usage with Terragrunt
`terragrunt.hcl`:
```hcl
terraform {
source = "tfr:///terraform-aws-modules/rds-proxy/aws//wrappers"
# Alternative source:
# source = "git::git@github.com:terraform-aws-modules/terraform-aws-rds-proxy.git//wrappers?ref=master"
}
inputs = {
defaults = { # Default values
create = true
tags = {
Terraform = "true"
Environment = "dev"
}
}
items = {
my-item = {
# omitted... can be any argument supported by the module
}
my-second-item = {
# omitted... can be any argument supported by the module
}
# omitted...
}
}
```
## Usage with Terraform
```hcl
module "wrapper" {
source = "terraform-aws-modules/rds-proxy/aws//wrappers"
defaults = { # Default values
create = true
tags = {
Terraform = "true"
Environment = "dev"
}
}
items = {
my-item = {
# omitted... can be any argument supported by the module
}
my-second-item = {
# omitted... can be any argument supported by the module
}
# omitted...
}
}
```
## Example: Manage multiple S3 buckets in one Terragrunt layer
`eu-west-1/s3-buckets/terragrunt.hcl`:
```hcl
terraform {
source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers"
# Alternative source:
# source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master"
}
inputs = {
defaults = {
force_destroy = true
attach_elb_log_delivery_policy = true
attach_lb_log_delivery_policy = true
attach_deny_insecure_transport_policy = true
attach_require_latest_tls_policy = true
}
items = {
bucket1 = {
bucket = "my-random-bucket-1"
}
bucket2 = {
bucket = "my-random-bucket-2"
tags = {
Secure = "probably"
}
}
}
}
```

52
wrappers/main.tf
View file

@ -1,52 +0,0 @@
module "wrapper" {
source = "../"
for_each = var.items
auth = try(each.value.auth, var.defaults.auth, {
default = {
auth_scheme = "SECRETS"
}
})
connection_borrow_timeout = try(each.value.connection_borrow_timeout, var.defaults.connection_borrow_timeout, null)
create = try(each.value.create, var.defaults.create, true)
create_iam_policy = try(each.value.create_iam_policy, var.defaults.create_iam_policy, true)
create_iam_role = try(each.value.create_iam_role, var.defaults.create_iam_role, true)
db_cluster_identifier = try(each.value.db_cluster_identifier, var.defaults.db_cluster_identifier, "")
db_instance_identifier = try(each.value.db_instance_identifier, var.defaults.db_instance_identifier, "")
debug_logging = try(each.value.debug_logging, var.defaults.debug_logging, false)
default_auth_scheme = try(each.value.default_auth_scheme, var.defaults.default_auth_scheme, null)
endpoints = try(each.value.endpoints, var.defaults.endpoints, {})
engine_family = try(each.value.engine_family, var.defaults.engine_family, "")
iam_policy_name = try(each.value.iam_policy_name, var.defaults.iam_policy_name, "")
iam_role_description = try(each.value.iam_role_description, var.defaults.iam_role_description, "")
iam_role_force_detach_policies = try(each.value.iam_role_force_detach_policies, var.defaults.iam_role_force_detach_policies, true)
iam_role_max_session_duration = try(each.value.iam_role_max_session_duration, var.defaults.iam_role_max_session_duration, 43200)
iam_role_name = try(each.value.iam_role_name, var.defaults.iam_role_name, "")
iam_role_path = try(each.value.iam_role_path, var.defaults.iam_role_path, null)
iam_role_permissions_boundary = try(each.value.iam_role_permissions_boundary, var.defaults.iam_role_permissions_boundary, null)
iam_role_tags = try(each.value.iam_role_tags, var.defaults.iam_role_tags, {})
idle_client_timeout = try(each.value.idle_client_timeout, var.defaults.idle_client_timeout, 1800)
init_query = try(each.value.init_query, var.defaults.init_query, "")
kms_key_arns = try(each.value.kms_key_arns, var.defaults.kms_key_arns, [])
log_group_class = try(each.value.log_group_class, var.defaults.log_group_class, null)
log_group_kms_key_id = try(each.value.log_group_kms_key_id, var.defaults.log_group_kms_key_id, null)
log_group_retention_in_days = try(each.value.log_group_retention_in_days, var.defaults.log_group_retention_in_days, 30)
log_group_tags = try(each.value.log_group_tags, var.defaults.log_group_tags, {})
manage_log_group = try(each.value.manage_log_group, var.defaults.manage_log_group, true)
max_connections_percent = try(each.value.max_connections_percent, var.defaults.max_connections_percent, 90)
max_idle_connections_percent = try(each.value.max_idle_connections_percent, var.defaults.max_idle_connections_percent, 50)
name = try(each.value.name, var.defaults.name, "")
proxy_tags = try(each.value.proxy_tags, var.defaults.proxy_tags, {})
region = try(each.value.region, var.defaults.region, null)
require_tls = try(each.value.require_tls, var.defaults.require_tls, true)
role_arn = try(each.value.role_arn, var.defaults.role_arn, "")
session_pinning_filters = try(each.value.session_pinning_filters, var.defaults.session_pinning_filters, [])
tags = try(each.value.tags, var.defaults.tags, {})
target_db_cluster = try(each.value.target_db_cluster, var.defaults.target_db_cluster, false)
target_db_instance = try(each.value.target_db_instance, var.defaults.target_db_instance, false)
use_policy_name_prefix = try(each.value.use_policy_name_prefix, var.defaults.use_policy_name_prefix, false)
use_role_name_prefix = try(each.value.use_role_name_prefix, var.defaults.use_role_name_prefix, false)
vpc_security_group_ids = try(each.value.vpc_security_group_ids, var.defaults.vpc_security_group_ids, [])
vpc_subnet_ids = try(each.value.vpc_subnet_ids, var.defaults.vpc_subnet_ids, [])
}

5
wrappers/outputs.tf
View file

@ -1,5 +0,0 @@
output "wrapper" {
description = "Map of outputs of a wrapper."
value = module.wrapper
# sensitive = false # No sensitive module output found
}

11
wrappers/variables.tf
View file

@ -1,11 +0,0 @@
variable "defaults" {
description = "Map of default values which will be used for each item."
type = any
default = {}
}
variable "items" {
description = "Maps of items to create a wrapper from. Values are passed through to the module."
type = any
default = {}
}

10
wrappers/versions.tf
View file

@ -1,10 +0,0 @@
terraform {
required_version = ">= 1.5.7"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 6.15"
}
}
}