chore(release): version 4.2.1 [skip ci]

## [4.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.2.0...v4.2.1) (2025-10-21)

### Bug Fixes

* Update CI workflow versions to latest ([#40](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/40)) ([5deff22](5deff22cf4))

.github/workflows/lock.yml

@@ -8,7 +8,7 @@ jobs:
   lock:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@v3
+      - uses: dessant/lock-threads@v5
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           issue-comment: >

.github/workflows/pr-title.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       # Please look up the latest version from
       # https://github.com/amannn/action-semantic-pull-request/releases
-      - uses: amannn/action-semantic-pull-request@v5.0.2
+      - uses: amannn/action-semantic-pull-request@v6.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/pre-commit.yml

@@ -7,7 +7,8 @@ on:
       - master
 
 env:
-  TERRAFORM_DOCS_VERSION: v0.16.0
+  TERRAFORM_DOCS_VERSION: v0.20.0
+  TFLINT_VERSION: v0.59.1
 
 jobs:
   collectInputs:
@@ -17,11 +18,11 @@ jobs:
       directories: ${{ steps.dirs.outputs.directories }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
 
       - name: Get root directories
         id: dirs
-        uses: clowdhaus/terraform-composite-actions/directories@v1.8.0
+        uses: clowdhaus/terraform-composite-actions/directories@v1.14.0
 
   preCommitMinVersions:
     name: Min TF pre-commit
@@ -31,29 +32,61 @@ jobs:
       matrix:
         directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
     steps:
+      - name: Install rmz
+        uses: jaxxstorm/action-install-gh-release@v2.1.0
+        with:
+          repo: SUPERCILEX/fuc
+          asset-name: x86_64-unknown-linux-gnu-rmz
+          rename-to: rmz
+          chmod: 0755
+          extension-matching: disable
+
+      # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
+      - name: Delete unnecessary files
+        run: |
+          formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
+          getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
+
+          BEFORE=$(getAvailableSpace)
+
+          ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
+          rmz -f /opt/hostedtoolcache/CodeQL &
+          rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
+          rmz -f /opt/hostedtoolcache/PyPy &
+          rmz -f /opt/hostedtoolcache/Ruby &
+          rmz -f /opt/hostedtoolcache/go &
+
+          wait
+
+          AFTER=$(getAvailableSpace)
+          SAVED=$((AFTER-BEFORE))
+          echo "=> Saved $(formatByteCount $SAVED)"
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
 
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/terraform-min-max@v1.2.0
+        uses: clowdhaus/terraform-min-max@v2.1.0
         with:
           directory: ${{ matrix.directory }}
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory !=  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
+          tflint-version: ${{ env.TFLINT_VERSION }}
           args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory ==  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
+          tflint-version: ${{ env.TFLINT_VERSION }}
           args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'
 
   preCommitMaxVersion:
@@ -61,18 +94,75 @@ jobs:
     runs-on: ubuntu-latest
     needs: collectInputs
     steps:
+      - name: Install rmz
+        uses: jaxxstorm/action-install-gh-release@v2.1.0
+        with:
+          repo: SUPERCILEX/fuc
+          asset-name: x86_64-unknown-linux-gnu-rmz
+          rename-to: rmz
+          chmod: 0755
+          extension-matching: disable
+
+      # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
+      - name: Delete unnecessary files
+        run: |
+          formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
+          getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
+
+          BEFORE=$(getAvailableSpace)
+
+          ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
+          rmz -f /opt/hostedtoolcache/CodeQL &
+          rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
+          rmz -f /opt/hostedtoolcache/PyPy &
+          rmz -f /opt/hostedtoolcache/Ruby &
+          rmz -f /opt/hostedtoolcache/go &
+          sudo rmz -f /usr/local/lib/android &
+
+          if [[ ${{ github.repository }} == terraform-aws-modules/terraform-aws-security-group ]]; then
+            sudo rmz -f /usr/share/dotnet &
+            sudo rmz -f /usr/local/.ghcup &
+            sudo apt-get -qq remove -y 'azure-.*'
+            sudo apt-get -qq remove -y 'cpp-.*'
+            sudo apt-get -qq remove -y 'dotnet-runtime-.*'
+            sudo apt-get -qq remove -y 'google-.*'
+            sudo apt-get -qq remove -y 'libclang-.*'
+            sudo apt-get -qq remove -y 'libllvm.*'
+            sudo apt-get -qq remove -y 'llvm-.*'
+            sudo apt-get -qq remove -y 'mysql-.*'
+            sudo apt-get -qq remove -y 'postgresql-.*'
+            sudo apt-get -qq remove -y 'php.*'
+            sudo apt-get -qq remove -y 'temurin-.*'
+            sudo apt-get -qq remove -y kubectl firefox mono-devel
+            sudo apt-get -qq autoremove -y
+            sudo apt-get -qq clean
+          fi
+
+          wait
+
+          AFTER=$(getAvailableSpace)
+          SAVED=$((AFTER-BEFORE))
+          echo "=> Saved $(formatByteCount $SAVED)"
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{github.event.pull_request.head.repo.full_name}}
 
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/terraform-min-max@v1.2.0
+        uses: clowdhaus/terraform-min-max@v2.1.0
+
+      - name: Hide template dir
+        # Special to this repo, we don't want to check this dir
+        if: ${{ github.repository ==  'terraform-aws-modules/terraform-aws-security-group' }}
+        run: rm -rf modules/_templates
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
         with:
           terraform-version: ${{ steps.minMax.outputs.maxVersion }}
+          tflint-version: ${{ env.TFLINT_VERSION }}
           terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
+          install-hcledit: true

.github/workflows/release.yml

@@ -4,6 +4,7 @@ on:
   workflow_dispatch:
   push:
     branches:
+      - main
       - master
     paths:
       - '**/*.tpl'
@@ -19,18 +20,26 @@ jobs:
     if: github.repository_owner == 'terraform-aws-modules'
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           fetch-depth: 0
 
-      - name: Release
+      - name: Set correct Node.js version
-        uses: cycjimmy/semantic-release-action@v2
+        uses: actions/setup-node@v6
         with:
-          semantic_version: 18.0.0
+          node-version: 24
-          extra_plugins: |
+
-            @semantic-release/changelog@6.0.0
+      - name: Install dependencies
-            @semantic-release/git@10.0.0
+        run: |
-            conventional-changelog-conventionalcommits@4.6.3
+          npm install \
+            @semantic-release/changelog@6.0.3 \
+            @semantic-release/git@10.0.1 \
+            conventional-changelog-conventionalcommits@9.1.0
+
+      - name: Release
+        uses: cycjimmy/semantic-release-action@v5
+        with:
+          semantic_version: 25.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}

.github/workflows/stale-actions.yaml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v6
+      - uses: actions/stale@v10
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           # Staling issues and PR's

.gitignore

@@ -1,13 +1,13 @@
 # Local .terraform directories
 **/.terraform/*
 
+# Terraform lockfile
+.terraform.lock.hcl
+
 # .tfstate files
 *.tfstate
 *.tfstate.*
 
-# terraform lockfile
-.terraform.lock.hcl
-
 # Crash log files
 crash.log
 
@@ -15,7 +15,6 @@ crash.log
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
-#
 *.tfvars
 
 # Ignore override files as they are usually used to override resources locally and so
@@ -25,13 +24,16 @@ override.tf.json
 *_override.tf
 *_override.tf.json
 
-# Include override files you do wish to add to version control using negated pattern
-#
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+# Lambda build artifacts
+builds/
+__pycache__/
+*.zip
+.tox
+
+# Local editors/macos files
+.DS_Store
+.idea

.pre-commit-config.yaml

@@ -1,9 +1,9 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.76.0
+    rev: v1.103.0
     hooks:
       - id: terraform_fmt
-      - id: terraform_validate
+      - id: terraform_wrapper_module_for_each
       - id: terraform_docs
         args:
           - '--args=--lockfile=false'
@@ -22,8 +22,10 @@ repos:
           - '--args=--only=terraform_required_providers'
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
+      - id: terraform_validate
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v6.0.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer
+      - id: trailing-whitespace

CHANGELOG.md

@@ -2,6 +2,81 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.2.0...v4.2.1) (2025-10-21)
+
+### Bug Fixes
+
+* Update CI workflow versions to latest ([#40](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/40)) ([5deff22](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/5deff22cf4c471ce824c016687c3b933cd8b783c))
+
+## [4.2.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.1.0...v4.2.0) (2025-10-14)
+
+
+### Features
+
+* Support `default_auth_scheme` ([#39](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/39)) ([c2073a0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/c2073a031c947270dac3f17c7f76e2996cd1b5b1))
+
+## [4.1.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.0.0...v4.1.0) (2025-10-01)
+
+
+### Features
+
+* Add Terragrunt wrappers ([#38](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/38)) ([33b43c7](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/33b43c72abdad0b01655238d844e56dabca5e6d4))
+
+## [4.0.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.2.1...v4.0.0) (2025-09-16)
+
+
+### ⚠ BREAKING CHANGES
+
+* Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively (#34)
+
+### Features
+
+* Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively ([#34](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/34)) ([47c0fca](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/47c0fcad4b3e40ef112544028dba1a4c10ee50dc))
+
+## [3.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.2.0...v3.2.1) (2025-05-22)
+
+
+### Bug Fixes
+
+* Correct service principal to rds.amazonaws.com (incl China) ([#32](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/32)) ([bbbf50c](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/bbbf50ce8734f05d4ac69fa41c23c88094b82356))
+
+## [3.2.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.1.1...v3.2.0) (2024-11-19)
+
+
+### Features
+
+* Add CloudWatch log group name to outputs ([#28](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/28)) ([0fc0e19](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/0fc0e19e642a2fdcd8f546bf219f78b5db252c65))
+
+
+### Bug Fixes
+
+* Update CI workflow versions to latest ([#27](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/27)) ([b6f22be](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/b6f22becf63614f365e72a81151c1955ab0d4df3))
+
+## [3.1.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.1.0...v3.1.1) (2024-03-06)
+
+
+### Bug Fixes
+
+* Update CI workflow versions to remove deprecated runtime warnings ([#26](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/26)) ([a31a810](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/a31a81097b9828776e91864973783d0e9530e12d))
+
+## [3.1.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.0.0...v3.1.0) (2023-08-30)
+
+
+### Features
+
+* Add IAM role output ([#22](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/22)) ([d18ae45](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/d18ae45d9ebf8253f7144e6bdc6ef39af9a4863f))
+
+## [3.0.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v2.1.2...v3.0.0) (2023-06-09)
+
+
+### ⚠ BREAKING CHANGES
+
+* Increase Terraform and AWS provider minimum supported versions; update `auth` configuration schema (#17)
+
+### Features
+
+* Increase Terraform and AWS provider minimum supported versions; update `auth` configuration schema ([#17](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/17)) ([cc39e9d](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/cc39e9d0295495574c406acfed9e288fb6d5df3c))
+
 ### [2.1.2](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v2.1.1...v2.1.2) (2022-10-27)
 
 

README.md

@@ -15,7 +15,7 @@ module "rds_proxy" {
   vpc_subnet_ids         = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
   vpc_security_group_ids = ["sg-f1d03a88"]
 
-  db_proxy_endpoints = {
+  endpoints = {
     read_write = {
       name                   = "read-write-endpoint"
       vpc_subnet_ids         = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
@@ -29,18 +29,17 @@ module "rds_proxy" {
     }
   }
 
-  secrets = {
+  auth = {
     "superuser" = {
       description        = "Aurora PostgreSQL superuser password"
-      arn         = "arn:aws:secretsmanager:us-east-1:123456789012:secret:superuser-6gsjLD"
+      secret_arn         = "arn:aws:secretsmanager:us-east-1:123456789012:secret:superuser-6gsjLD"
-      kms_key_id  = "6ca29066-552a-46c5-a7d7-7bf9a15fc255"
     }
   }
 
   # Target Aurora cluster
   engine_family         = "POSTGRESQL"
   target_db_cluster     = true
-  db_cluster_identifier = "myendpoint"
+  db_cluster_identifier = "my-endpoint"
 
   tags = {
     Terraform   = "true"
@@ -53,24 +52,24 @@ module "rds_proxy" {
 
 Examples codified under the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module(s). If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
 
-- [IAM auth. w/ MySQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql_iam_cluster)
+- [IAM auth. w/ MySQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql-iam-cluster)
-- [IAM auth. w/ MySQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql_iam_instance)
+- [IAM auth. w/ MySQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql-iam-instance)
-- [IAM auth. w/ PostgreSQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql_iam_cluster)
+- [IAM auth. w/ PostgreSQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-cluster)
-- [IAM auth. w/ PostgreSQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql_iam_instance)
+- [IAM auth. w/ PostgreSQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-instance)
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.38 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 
 ## Modules
 
@@ -90,23 +89,25 @@ No modules.
 | [aws_iam_role_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_service_principal.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_auth_scheme"></a> [auth\_scheme](#input\_auth\_scheme) | The type of authentication that the proxy uses for connections from the proxy to the underlying database. One of `SECRETS` | `string` | `"SECRETS"` | no |
+| <a name="input_auth"></a> [auth](#input\_auth) | Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters | <pre>map(object({<br/>    auth_scheme               = optional(string)<br/>    client_password_auth_type = optional(string)<br/>    description               = optional(string)<br/>    iam_auth                  = optional(string)<br/>    secret_arn                = optional(string)<br/>    username                  = optional(string)<br/>  }))</pre> | <pre>{<br/>  "default": {<br/>    "auth_scheme": "SECRETS"<br/>  }<br/>}</pre> | no |
 | <a name="input_connection_borrow_timeout"></a> [connection\_borrow\_timeout](#input\_connection\_borrow\_timeout) | The number of seconds for a proxy to wait for a connection to become available in the connection pool | `number` | `null` | no |
+| <a name="input_create"></a> [create](#input\_create) | Whether cluster should be created (affects nearly all resources) | `bool` | `true` | no |
 | <a name="input_create_iam_policy"></a> [create\_iam\_policy](#input\_create\_iam\_policy) | Determines whether an IAM policy is created | `bool` | `true` | no |
 | <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created | `bool` | `true` | no |
-| <a name="input_create_proxy"></a> [create\_proxy](#input\_create\_proxy) | Determines whether a proxy and its resources will be created | `bool` | `true` | no |
 | <a name="input_db_cluster_identifier"></a> [db\_cluster\_identifier](#input\_db\_cluster\_identifier) | DB cluster identifier | `string` | `""` | no |
 | <a name="input_db_instance_identifier"></a> [db\_instance\_identifier](#input\_db\_instance\_identifier) | DB instance identifier | `string` | `""` | no |
-| <a name="input_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#input\_db\_proxy\_endpoints) | Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`) | `any` | `{}` | no |
 | <a name="input_debug_logging"></a> [debug\_logging](#input\_debug\_logging) | Whether the proxy includes detailed information about SQL statements in its logs | `bool` | `false` | no |
+| <a name="input_default_auth_scheme"></a> [default\_auth\_scheme](#input\_default\_auth\_scheme) | Default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are NONE and IAM\_AUTH. Defaults to NONE | `string` | `null` | no |
+| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | Map of DB proxy endpoints to create and their attributes | <pre>map(object({<br/>    name                   = optional(string)<br/>    vpc_subnet_ids         = list(string)<br/>    vpc_security_group_ids = optional(list(string))<br/>    target_role            = optional(string)<br/>    tags                   = optional(map(string), {})<br/>  }))</pre> | `{}` | no |
 | <a name="input_engine_family"></a> [engine\_family](#input\_engine\_family) | The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL` | `string` | `""` | no |
-| <a name="input_iam_auth"></a> [iam\_auth](#input\_iam\_auth) | Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. One of `DISABLED`, `REQUIRED` | `string` | `"REQUIRED"` | no |
 | <a name="input_iam_policy_name"></a> [iam\_policy\_name](#input\_iam\_policy\_name) | The name of the role policy. If omitted, Terraform will assign a random, unique name | `string` | `""` | no |
 | <a name="input_iam_role_description"></a> [iam\_role\_description](#input\_iam\_role\_description) | The description of the role | `string` | `""` | no |
 | <a name="input_iam_role_force_detach_policies"></a> [iam\_role\_force\_detach\_policies](#input\_iam\_role\_force\_detach\_policies) | Specifies to force detaching any policies the role has before destroying it | `bool` | `true` | no |
@@ -117,6 +118,8 @@ No modules.
 | <a name="input_iam_role_tags"></a> [iam\_role\_tags](#input\_iam\_role\_tags) | A map of tags to apply to the IAM role | `map(string)` | `{}` | no |
 | <a name="input_idle_client_timeout"></a> [idle\_client\_timeout](#input\_idle\_client\_timeout) | The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it | `number` | `1800` | no |
 | <a name="input_init_query"></a> [init\_query](#input\_init\_query) | One or more SQL statements for the proxy to run when opening each new database connection | `string` | `""` | no |
+| <a name="input_kms_key_arns"></a> [kms\_key\_arns](#input\_kms\_key\_arns) | List of KMS Key ARNs to allow access to decrypt SecretsManager secrets | `list(string)` | `[]` | no |
+| <a name="input_log_group_class"></a> [log\_group\_class](#input\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no |
 | <a name="input_log_group_kms_key_id"></a> [log\_group\_kms\_key\_id](#input\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
 | <a name="input_log_group_retention_in_days"></a> [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the log group | `number` | `30` | no |
 | <a name="input_log_group_tags"></a> [log\_group\_tags](#input\_log\_group\_tags) | A map of tags to apply to the CloudWatch log group | `map(string)` | `{}` | no |
@@ -125,13 +128,13 @@ No modules.
 | <a name="input_max_idle_connections_percent"></a> [max\_idle\_connections\_percent](#input\_max\_idle\_connections\_percent) | Controls how actively the proxy closes idle database connections in the connection pool | `number` | `50` | no |
 | <a name="input_name"></a> [name](#input\_name) | The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens | `string` | `""` | no |
 | <a name="input_proxy_tags"></a> [proxy\_tags](#input\_proxy\_tags) | A map of tags to apply to the RDS Proxy | `map(string)` | `{}` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
 | <a name="input_require_tls"></a> [require\_tls](#input\_require\_tls) | A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy | `bool` | `true` | no |
 | <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager | `string` | `""` | no |
-| <a name="input_secrets"></a> [secrets](#input\_secrets) | Map of secerets to be used by RDS Proxy for authentication to the database | `map(object({ arn = string, description = string, kms_key_id = string }))` | `{}` | no |
 | <a name="input_session_pinning_filters"></a> [session\_pinning\_filters](#input\_session\_pinning\_filters) | Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection | `list(string)` | `[]` | no |
-| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to use on all resources | `map(string)` | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
-| <a name="input_target_db_cluster"></a> [target\_db\_cluster](#input\_target\_db\_cluster) | Determines whether DB cluster is targetted by proxy | `bool` | `false` | no |
+| <a name="input_target_db_cluster"></a> [target\_db\_cluster](#input\_target\_db\_cluster) | Determines whether DB cluster is targeted by proxy | `bool` | `false` | no |
-| <a name="input_target_db_instance"></a> [target\_db\_instance](#input\_target\_db\_instance) | Determines whether DB instance is targetted by proxy | `bool` | `false` | no |
+| <a name="input_target_db_instance"></a> [target\_db\_instance](#input\_target\_db\_instance) | Determines whether DB instance is targeted by proxy | `bool` | `false` | no |
 | <a name="input_use_policy_name_prefix"></a> [use\_policy\_name\_prefix](#input\_use\_policy\_name\_prefix) | Whether to use unique name beginning with the specified `iam_policy_name` | `bool` | `false` | no |
 | <a name="input_use_role_name_prefix"></a> [use\_role\_name\_prefix](#input\_use\_role\_name\_prefix) | Whether to use unique name beginning with the specified `iam_role_name` | `bool` | `false` | no |
 | <a name="input_vpc_security_group_ids"></a> [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | One or more VPC security group IDs to associate with the new proxy | `list(string)` | `[]` | no |
@@ -142,7 +145,11 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
+| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager. |
+| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | IAM role name |
+| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@@ -156,7 +163,7 @@ No modules.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 ## License
 

docs/UPGRADE-3.0.md

@@ -0,0 +1,79 @@
+# Upgrade from v2.x to v3.x
+
+If you have any questions regarding this upgrade process, please consult the `examples` directory.
+If you find a bug, please open an issue with supporting configuration to reproduce.
+
+## List of backwards incompatible changes
+
+- Minimum supported Terraform version is now 1.0
+- Minimum supported AWS provider version is now 5.0
+- The manner in which authentication is configured has changed - previously auth settings were provided under `secrets` in conjunction with `auth_scheme` and `iam_auth` variables. Now, auth settings are provided under the `auth` variable for multiple auth entries.
+
+### Variable and output changes
+
+1. Removed variables:
+
+    - `auth_scheme` is now set under the `auth` variable for a given auth entry
+    - `iam_auth` is now set under the `auth` variable for a given auth entry
+
+2. Renamed variables:
+
+    - `create_proxy` -> `create`
+    - `secrets` -> `auth`
+    - `db_proxy_endpoints` -> `endpoints`
+
+3. Added variables:
+
+    - `kms_key_arns` - list of KMS key ARNs to use allowing permission to decrypt SecretsManager secrets
+
+4. Removed outputs:
+
+    - None
+
+5. Renamed outputs:
+
+    - None
+
+6. Added outputs:
+
+    - None
+
+## Diff of Before (v2.x) vs After (v3.x)
+
+```diff
+module "rds_proxy" {
+  source  = "terraform-aws-modules/rds-proxy/aws"
+-  version = "~> 2.0"
++  version = "~> 3.0"
+
+  # Only the affected attributes are shown
+-  create_proxy = true
++  create       = true
+
+-  db_proxy_endpoints = {
+-  ...
+-  }
++  endpoints = {
++    ...
++  }
+
+-  secrets = {
+-    "superuser" = {
+-      description = "Aurora PostgreSQL superuser password"
+-      arn         = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:superuser-6gsjLD"
+-      kms_key_id  = "6ca29066-552a-46c5-a7d7-7bf9a15fc255"
+-    }
+-  }
++  auth = {
++    "superuser" = {
++      description = "Aurora PostgreSQL superuser password"
++      secret_arn  = "arn:aws:secretsmanager:us-east-1:123456789012:secret:superuser-6gsjLD"
++    }
++  }
++  kms_key_arns = ["arn:aws:kms:eu-west-1:123456789012:key/6ca29066-552a-46c5-a7d7-7bf9a15fc255"]
+}
+```
+
+### State Changes
+
+- None

examples/README.md

@@ -1,6 +1,8 @@
-# AWS RDS Proxy Terraform Examples
+# Examples
 
-- [IAM auth. w/ MySQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql_iam_cluster)
+Please note - the examples provided serve two primary means:
-- [IAM auth. w/ MySQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql_iam_instance)
+
-- [IAM auth. w/ PostgreSQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql_iam_cluster)
+1. Show users working examples of the various ways in which the module can be configured and features supported
-- [IAM auth. w/ PostgreSQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql_iam_instance)
+2. A means of testing/validating module changes
+
+Please do not mistake the examples provided as "best practices". It is up to users to consult the AWS service documentation for best practices, usage recommendations, etc.

examples/mysql-iam-cluster/README.md

@@ -25,42 +25,34 @@ An EC2 instance configuration has been provided for use in validating the exampl
 3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window
 4. You should now be connected to the `example` database in the RDS instance via the AWS Proxy using IAM authentication
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.38 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
-| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 6.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
-| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [aws_db_parameter_group.aurora_db_mysql57_parameter_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
-| [aws_rds_cluster_parameter_group.aurora_cluster_mysql57_parameter_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_parameter_group) | resource |
-| [aws_secretsmanager_secret.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
-| [aws_secretsmanager_secret_version.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
-| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
-| [random_pet.users](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
-| [aws_kms_alias.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
 
 ## Inputs
 
@@ -72,6 +64,7 @@ No inputs.
 |------|-------------|
 | <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@@ -85,6 +78,6 @@ No inputs.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

examples/mysql-iam-cluster/main.tf

@@ -0,0 +1,144 @@
+provider "aws" {
+  region = local.region
+}
+
+data "aws_availability_zones" "available" {}
+
+locals {
+  name   = "ex-${basename(path.cwd)}"
+  region = "eu-west-1"
+
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-rds-proxy"
+    GithubOrg  = "terraform-aws-modules"
+  }
+}
+
+################################################################################
+# RDS Proxy
+################################################################################
+
+module "rds_proxy" {
+  source = "../../"
+
+  name                   = local.name
+  iam_role_name          = local.name
+  vpc_subnet_ids         = module.vpc.private_subnets
+  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+
+  endpoints = {
+    read_write = {
+      name                   = "read-write-endpoint"
+      vpc_subnet_ids         = module.vpc.private_subnets
+      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+      tags                   = local.tags
+    },
+    read_only = {
+      name                   = "read-only-endpoint"
+      vpc_subnet_ids         = module.vpc.private_subnets
+      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+      target_role            = "READ_ONLY"
+      tags                   = local.tags
+    }
+  }
+
+  auth = {
+    "root" = {
+      description = "Cluster generated master user password"
+      secret_arn  = module.rds.cluster_master_user_secret[0].secret_arn
+    }
+  }
+
+  engine_family = "MYSQL"
+  debug_logging = true
+
+  # Target Aurora cluster
+  target_db_cluster     = true
+  db_cluster_identifier = module.rds.cluster_id
+
+  tags = local.tags
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 6.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs              = local.azs
+  public_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  private_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)]
+  database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)]
+
+  tags = local.tags
+}
+
+module "rds" {
+  source  = "terraform-aws-modules/rds-aurora/aws"
+  version = "~> 9.0"
+
+  name            = local.name
+  engine          = "aurora-mysql"
+  engine_version  = "8.0"
+  master_username = "root"
+
+  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
+  iam_database_authentication_enabled = false
+
+  instance_class = "db.r6g.large"
+  instances = {
+    1 = {}
+    2 = {}
+  }
+
+  vpc_id               = module.vpc.vpc_id
+  db_subnet_group_name = module.vpc.database_subnet_group_name
+  security_group_rules = {
+    vpc_ingress = {
+      cidr_blocks = module.vpc.private_subnets_cidr_blocks
+    }
+  }
+
+  apply_immediately   = true
+  skip_final_snapshot = true
+
+  tags = local.tags
+}
+
+module "rds_proxy_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.0"
+
+  name        = "${local.name}-proxy"
+  description = "PostgreSQL RDS Proxy example security group"
+  vpc_id      = module.vpc.vpc_id
+
+  revoke_rules_on_delete = true
+
+  ingress_with_cidr_blocks = [
+    {
+      description = "Private subnet MySQL access"
+      rule        = "mysql-tcp"
+      cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
+    }
+  ]
+
+  egress_with_cidr_blocks = [
+    {
+      description = "Database subnet MySQL access"
+      rule        = "mysql-tcp"
+      cidr_blocks = join(",", module.vpc.database_subnets_cidr_blocks)
+    },
+  ]
+
+  tags = local.tags
+}

examples/mysql-iam-cluster/outputs.tf

@@ -66,7 +66,7 @@ output "proxy_target_type" {
   value       = module.rds_proxy.proxy_target_type
 }
 
-# DB proxy endponts
+# DB proxy endpoints
 output "db_proxy_endpoints" {
   description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
   value       = module.rds_proxy.db_proxy_endpoints
@@ -77,3 +77,8 @@ output "log_group_arn" {
   description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
   value       = module.rds_proxy.log_group_arn
 }
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = module.rds_proxy.log_group_name
+}

examples/mysql-iam-cluster/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.5.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.15"
+    }
+  }
+}

examples/mysql-iam-instance/README.md

@@ -25,31 +25,31 @@ An EC2 instance configuration has been provided for use in validating the exampl
 3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window
 4. You should now be connected to the `example` database in the Aurora cluster via the AWS Proxy using IAM authentication
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.38 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
-| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 
 ## Resources
 
@@ -59,6 +59,7 @@ An EC2 instance configuration has been provided for use in validating the exampl
 | [aws_secretsmanager_secret_version.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_pet.users](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_kms_alias.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
 
 ## Inputs
@@ -71,6 +72,7 @@ No inputs.
 |------|-------------|
 | <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@@ -84,6 +86,6 @@ No inputs.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

examples/mysql-iam-instance/main.tf

@@ -2,17 +2,22 @@ provider "aws" {
   region = local.region
 }
 
+data "aws_availability_zones" "available" {}
+
 locals {
-  region = "us-east-1"
+  name   = "ex-${basename(path.cwd)}"
-  name   = "rds-proxy-ex-${replace(basename(path.cwd), "_", "-")}"
+  region = "eu-west-1"
 
   db_username = random_pet.users.id # using random here due to secrets taking at least 7 days before fully deleting from account
   db_password = random_password.password.result
 
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
   tags = {
-    Name       = local.name
     Example    = local.name
-    Repository = "https://github.com/terraform-aws-modules/terraform-aws-rds-proxy"
+    GithubRepo = "terraform-aws-rds-proxy"
+    GithubOrg  = "terraform-aws-modules"
   }
 }
 
@@ -23,14 +28,12 @@ locals {
 module "rds_proxy" {
   source = "../../"
 
-  create_proxy = true
-
   name                   = local.name
   iam_role_name          = local.name
   vpc_subnet_ids         = module.vpc.private_subnets
   vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
 
-  db_proxy_endpoints = {
+  endpoints = {
     read_write = {
       name                   = "read-write-endpoint"
       vpc_subnet_ids         = module.vpc.private_subnets
@@ -46,11 +49,10 @@ module "rds_proxy" {
     }
   }
 
-  secrets = {
+  auth = {
     (local.db_username) = {
       description = aws_secretsmanager_secret.superuser.description
-      arn         = aws_secretsmanager_secret.superuser.arn
+      secret_arn  = aws_secretsmanager_secret.superuser.arn
-      kms_key_id  = aws_secretsmanager_secret.superuser.kms_key_id
     }
   }
 
@@ -59,7 +61,7 @@ module "rds_proxy" {
 
   # Target RDS instance
   target_db_instance     = true
-  db_instance_identifier = module.rds.db_instance_id
+  db_instance_identifier = module.rds.db_instance_identifier
 
   tags = local.tags
 }
@@ -80,38 +82,52 @@ resource "random_password" "password" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = "~> 6.0"
 
   name = local.name
-  cidr = "10.0.0.0/18"
+  cidr = local.vpc_cidr
 
-  azs              = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  azs              = local.azs
-  public_subnets   = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
+  public_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
-  private_subnets  = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
+  private_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)]
-  database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
+  database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)]
 
-  create_database_subnet_group = true
+  tags = local.tags
-  enable_nat_gateway           = true
+}
-  single_nat_gateway           = true
-  map_public_ip_on_launch      = false
 
-  manage_default_security_group  = true
+module "rds" {
-  default_security_group_ingress = []
+  source  = "terraform-aws-modules/rds/aws"
-  default_security_group_egress  = []
+  version = "~> 6.0"
 
-  enable_flow_log                      = true
+  username = local.db_username
-  flow_log_destination_type            = "cloud-watch-logs"
+  password = local.db_password
-  create_flow_log_cloudwatch_log_group = true
+
-  create_flow_log_cloudwatch_iam_role  = true
+  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
-  flow_log_max_aggregation_interval    = 60
+  iam_database_authentication_enabled = false
-  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
+
+  identifier           = local.name
+  engine               = "mysql"
+  engine_version       = "8.0"
+  family               = "mysql8.0" # DB parameter group
+  major_engine_version = "8.0"      # DB option group
+  instance_class       = "db.t4g.large"
+  allocated_storage    = 20
+  port                 = 3306
+  apply_immediately    = true
+
+  db_subnet_group_name   = module.vpc.database_subnet_group
+  vpc_security_group_ids = [module.rds_sg.security_group_id]
+  multi_az               = true
+
+  backup_retention_period = 0
+  deletion_protection     = false
 
   tags = local.tags
 }
 
 module "rds_sg" {
   source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
+  version = "~> 5.0"
 
   name        = "rds"
   description = "MySQL RDS example security group"
@@ -130,57 +146,19 @@ module "rds_sg" {
   tags = local.tags
 }
 
-module "rds" {
-  source  = "terraform-aws-modules/rds/aws"
-  version = "~> 3.0"
-
-  name     = "example"
-  username = local.db_username
-  password = local.db_password
-
-  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
-  iam_database_authentication_enabled = false
-
-  identifier           = local.name
-  engine               = "mysql"
-  engine_version       = "5.7.31"
-  family               = "mysql5.7"
-  major_engine_version = "5.7"
-  port                 = 3306
-  instance_class       = "db.t3.micro"
-  allocated_storage    = 5
-  storage_encrypted    = true
-  apply_immediately    = true
-
-  enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"]
-  monitoring_interval             = 60
-  create_monitoring_role          = true
-
-  vpc_security_group_ids = [module.rds_sg.security_group_id]
-  subnet_ids             = module.vpc.database_subnets
-  multi_az               = true
-
-  maintenance_window      = "Mon:00:00-Mon:03:00"
-  backup_window           = "03:00-06:00"
-  backup_retention_period = 0
-  deletion_protection     = false
-
-  tags = local.tags
-}
-
 module "rds_proxy_sg" {
   source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
+  version = "~> 5.0"
 
-  name        = "rds_proxy"
+  name        = "${local.name}-proxy"
-  description = "MySQL RDS Proxy example security group"
+  description = "PostgreSQL RDS Proxy example security group"
   vpc_id      = module.vpc.vpc_id
 
   revoke_rules_on_delete = true
 
   ingress_with_cidr_blocks = [
     {
-      description = "Private subnet PostgreSQL access"
+      description = "Private subnet MySQL access"
       rule        = "mysql-tcp"
       cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
     }
@@ -207,7 +185,7 @@ data "aws_kms_alias" "secretsmanager" {
 
 resource "aws_secretsmanager_secret" "superuser" {
   name        = local.db_username
-  description = "Database superuser, ${local.db_username}, databse connection values"
+  description = "Database superuser, ${local.db_username}, database connection values"
   kms_key_id  = data.aws_kms_alias.secretsmanager.id
 
   tags = local.tags

examples/mysql-iam-instance/outputs.tf

@@ -66,7 +66,7 @@ output "proxy_target_type" {
   value       = module.rds_proxy.proxy_target_type
 }
 
-# DB proxy endponts
+# DB proxy endpoints
 output "db_proxy_endpoints" {
   description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
   value       = module.rds_proxy.db_proxy_endpoints
@@ -77,3 +77,8 @@ output "log_group_arn" {
   description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
   value       = module.rds_proxy.log_group_arn
 }
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = module.rds_proxy.log_group_name
+}

examples/mysql-iam-instance/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.5.7"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.38"
+      version = ">= 6.15"
     }
     random = {
       source  = "hashicorp/random"

examples/mysql_iam_cluster/main.tf

@@ -1,217 +0,0 @@
-provider "aws" {
-  region = local.region
-}
-
-locals {
-  region = "us-east-1"
-  name   = "rds-proxy-ex-${replace(basename(path.cwd), "_", "-")}"
-
-  db_username = random_pet.users.id # using random here due to secrets taking at least 7 days before fully deleting from account
-  db_password = random_password.password.result
-
-  tags = {
-    Name       = local.name
-    Example    = local.name
-    Repository = "https://github.com/terraform-aws-modules/terraform-aws-rds-proxy"
-  }
-}
-
-################################################################################
-# RDS Proxy
-################################################################################
-
-module "rds_proxy" {
-  source = "../../"
-
-  create_proxy = true
-
-  name                   = local.name
-  iam_role_name          = local.name
-  vpc_subnet_ids         = module.vpc.private_subnets
-  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-
-  db_proxy_endpoints = {
-    read_write = {
-      name                   = "read-write-endpoint"
-      vpc_subnet_ids         = module.vpc.private_subnets
-      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-      tags                   = local.tags
-    },
-    read_only = {
-      name                   = "read-only-endpoint"
-      vpc_subnet_ids         = module.vpc.private_subnets
-      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-      target_role            = "READ_ONLY"
-      tags                   = local.tags
-    }
-  }
-
-  secrets = {
-    (local.db_username) = {
-      description = aws_secretsmanager_secret.superuser.description
-      arn         = aws_secretsmanager_secret.superuser.arn
-      kms_key_id  = aws_secretsmanager_secret.superuser.kms_key_id
-    }
-  }
-
-  engine_family = "MYSQL"
-  debug_logging = true
-
-  # Target Aurora cluster
-  target_db_cluster     = true
-  db_cluster_identifier = module.rds.cluster_id
-
-  tags = local.tags
-}
-
-################################################################################
-# Supporting Resources
-################################################################################
-
-resource "random_pet" "users" {
-  length    = 2
-  separator = "_"
-}
-
-resource "random_password" "password" {
-  length  = 16
-  special = false
-}
-
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
-
-  name = local.name
-  cidr = "10.0.0.0/18"
-
-  azs              = ["${local.region}a", "${local.region}b", "${local.region}c"]
-  public_subnets   = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
-  private_subnets  = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
-  database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
-
-  create_database_subnet_group = true
-  enable_nat_gateway           = true
-  single_nat_gateway           = true
-  map_public_ip_on_launch      = false
-
-  manage_default_security_group  = true
-  default_security_group_ingress = []
-  default_security_group_egress  = []
-
-  enable_flow_log                      = true
-  flow_log_destination_type            = "cloud-watch-logs"
-  create_flow_log_cloudwatch_log_group = true
-  create_flow_log_cloudwatch_iam_role  = true
-  flow_log_max_aggregation_interval    = 60
-  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
-
-  tags = local.tags
-}
-
-module "rds" {
-  source  = "terraform-aws-modules/rds-aurora/aws"
-  version = "~> 6.0"
-
-  name            = local.name
-  database_name   = "example"
-  master_username = local.db_username
-  master_password = local.db_password
-
-  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
-  iam_database_authentication_enabled = false
-
-  engine         = "aurora-mysql"
-  engine_version = "5.7.12"
-  instance_class = "db.r6g.large"
-  instances      = { 1 = {}, 2 = {} }
-
-  storage_encrypted   = true
-  apply_immediately   = true
-  skip_final_snapshot = true
-
-  enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"]
-  monitoring_interval             = 60
-  create_monitoring_role          = true
-
-  vpc_id                 = module.vpc.vpc_id
-  subnets                = module.vpc.database_subnets
-  create_security_group  = false
-  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-
-  db_subnet_group_name            = local.name # Created by VPC module
-  create_db_subnet_group          = false
-  db_parameter_group_name         = aws_db_parameter_group.aurora_db_mysql57_parameter_group.id
-  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.aurora_cluster_mysql57_parameter_group.id
-
-  tags = local.tags
-}
-
-resource "aws_db_parameter_group" "aurora_db_mysql57_parameter_group" {
-  name        = "example-aurora-db-57-parameter-group"
-  family      = "aurora-mysql5.7"
-  description = "example-aurora-db-57-parameter-group"
-
-  tags = local.tags
-}
-
-resource "aws_rds_cluster_parameter_group" "aurora_cluster_mysql57_parameter_group" {
-  name        = "example-aurora-57-cluster-parameter-group"
-  family      = "aurora-mysql5.7"
-  description = "example-aurora-57-cluster-parameter-group"
-
-  tags = local.tags
-}
-
-module "rds_proxy_sg" {
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
-
-  name        = "rds_proxy"
-  description = "PostgreSQL RDS Proxy example security group"
-  vpc_id      = module.vpc.vpc_id
-
-  revoke_rules_on_delete = true
-
-  ingress_with_cidr_blocks = [
-    {
-      description = "Private subnet MySQL access"
-      rule        = "mysql-tcp"
-      cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
-    }
-  ]
-
-  egress_with_cidr_blocks = [
-    {
-      description = "Database subnet MySQL access"
-      rule        = "mysql-tcp"
-      cidr_blocks = join(",", module.vpc.database_subnets_cidr_blocks)
-    },
-  ]
-
-  tags = local.tags
-}
-
-################################################################################
-# Secrets - DB user passwords
-################################################################################
-
-data "aws_kms_alias" "secretsmanager" {
-  name = "alias/aws/secretsmanager"
-}
-
-resource "aws_secretsmanager_secret" "superuser" {
-  name        = local.db_username
-  description = "Database superuser, ${local.db_username}, databse connection values"
-  kms_key_id  = data.aws_kms_alias.secretsmanager.id
-
-  tags = local.tags
-}
-
-resource "aws_secretsmanager_secret_version" "superuser" {
-  secret_id = aws_secretsmanager_secret.superuser.id
-  secret_string = jsonencode({
-    username = local.db_username
-    password = local.db_password
-  })
-}

examples/mysql_iam_cluster/versions.tf

@@ -1,14 +0,0 @@
-terraform {
-  required_version = ">= 0.13.1"
-
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 3.38"
-    }
-    random = {
-      source  = "hashicorp/random"
-      version = ">= 2.0"
-    }
-  }
-}

examples/postgresql-iam-cluster/README.md

@@ -25,42 +25,34 @@ An EC2 instance configuration has been provided for use in validating the exampl
 3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window - NOTE: remove the string escape slashes `psql \"host...` -> `psql "host...`
 4. You should now be connected to the `example` database in the RDS instance via the AWS Proxy using IAM authentication
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.38 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
-| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 6.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
-| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [aws_db_parameter_group.aurora_db_postgres11_parameter_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
-| [aws_rds_cluster_parameter_group.aurora_cluster_postgres11_parameter_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_parameter_group) | resource |
-| [aws_secretsmanager_secret.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
-| [aws_secretsmanager_secret_version.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
-| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
-| [random_pet.users](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
-| [aws_kms_alias.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
 
 ## Inputs
 
@@ -71,7 +63,11 @@ No inputs.
 | Name | Description |
 |------|-------------|
 | <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
+| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the role proxy uses to access secrets |
+| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | The name of the role proxy uses to access secrets |
+| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the role proxy uses to access secrets |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@@ -85,6 +81,6 @@ No inputs.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

examples/postgresql-iam-cluster/main.tf

@@ -0,0 +1,144 @@
+provider "aws" {
+  region = local.region
+}
+
+data "aws_availability_zones" "available" {}
+
+locals {
+  name   = "ex-${basename(path.cwd)}"
+  region = "eu-west-1"
+
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-rds-proxy"
+    GithubOrg  = "terraform-aws-modules"
+  }
+}
+
+################################################################################
+# RDS Proxy
+################################################################################
+
+module "rds_proxy" {
+  source = "../../"
+
+  name                   = local.name
+  iam_role_name          = local.name
+  vpc_subnet_ids         = module.vpc.private_subnets
+  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+
+  endpoints = {
+    read_write = {
+      name                   = "read-write-endpoint"
+      vpc_subnet_ids         = module.vpc.private_subnets
+      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+      tags                   = local.tags
+    },
+    read_only = {
+      name                   = "read-only-endpoint"
+      vpc_subnet_ids         = module.vpc.private_subnets
+      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+      target_role            = "READ_ONLY"
+      tags                   = local.tags
+    }
+  }
+
+  auth = {
+    "root" = {
+      description = "Cluster generated master user password"
+      secret_arn  = module.rds.cluster_master_user_secret[0].secret_arn
+    }
+  }
+
+  engine_family = "POSTGRESQL"
+  debug_logging = true
+
+  # Target Aurora cluster
+  target_db_cluster     = true
+  db_cluster_identifier = module.rds.cluster_id
+
+  tags = local.tags
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 6.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs              = local.azs
+  public_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  private_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)]
+  database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)]
+
+  tags = local.tags
+}
+
+module "rds" {
+  source  = "terraform-aws-modules/rds-aurora/aws"
+  version = "~> 9.0"
+
+  name            = local.name
+  engine          = "aurora-postgresql"
+  engine_version  = "17.5"
+  master_username = "root"
+
+  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
+  iam_database_authentication_enabled = false
+
+  instance_class = "db.r6g.large"
+  instances = {
+    1 = {}
+    2 = {}
+  }
+
+  vpc_id               = module.vpc.vpc_id
+  db_subnet_group_name = module.vpc.database_subnet_group_name
+  security_group_rules = {
+    vpc_ingress = {
+      cidr_blocks = module.vpc.private_subnets_cidr_blocks
+    }
+  }
+
+  apply_immediately   = true
+  skip_final_snapshot = true
+
+  tags = local.tags
+}
+
+module "rds_proxy_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.0"
+
+  name        = "${local.name}-proxy"
+  description = "PostgreSQL RDS Proxy example security group"
+  vpc_id      = module.vpc.vpc_id
+
+  revoke_rules_on_delete = true
+
+  ingress_with_cidr_blocks = [
+    {
+      description = "Private subnet PostgreSQL access"
+      rule        = "postgresql-tcp"
+      cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
+    }
+  ]
+
+  egress_with_cidr_blocks = [
+    {
+      description = "Database subnet PostgreSQL access"
+      rule        = "postgresql-tcp"
+      cidr_blocks = join(",", module.vpc.database_subnets_cidr_blocks)
+    },
+  ]
+
+  tags = local.tags
+}

examples/postgresql-iam-cluster/outputs.tf

@@ -66,7 +66,7 @@ output "proxy_target_type" {
   value       = module.rds_proxy.proxy_target_type
 }
 
-# DB proxy endponts
+# DB proxy endpoints
 output "db_proxy_endpoints" {
   description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
   value       = module.rds_proxy.db_proxy_endpoints
@@ -77,3 +77,24 @@ output "log_group_arn" {
   description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
   value       = module.rds_proxy.log_group_arn
 }
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = module.rds_proxy.log_group_name
+}
+
+# IAM role
+output "iam_role_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the role proxy uses to access secrets"
+  value       = module.rds_proxy.iam_role_arn
+}
+
+output "iam_role_name" {
+  description = "The name of the role proxy uses to access secrets"
+  value       = module.rds_proxy.iam_role_name
+}
+
+output "iam_role_unique_id" {
+  description = "Stable and unique string identifying the role proxy uses to access secrets"
+  value       = module.rds_proxy.iam_role_unique_id
+}

examples/postgresql-iam-cluster/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.5.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.15"
+    }
+  }
+}

examples/postgresql-iam-instance/README.md

@@ -25,31 +25,31 @@ An EC2 instance configuration has been provided for use in validating the exampl
 3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window - NOTE: remove the string escape slashes `psql \"host...` -> `psql "host...`
 4. You should now be connected to the `example` database in the Aurora cluster via the AWS Proxy using IAM authentication
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.38 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
-| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
+| <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 
 ## Resources
 
@@ -59,6 +59,7 @@ An EC2 instance configuration has been provided for use in validating the exampl
 | [aws_secretsmanager_secret_version.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_pet.users](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_kms_alias.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
 
 ## Inputs
@@ -71,6 +72,7 @@ No inputs.
 |------|-------------|
 | <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@@ -84,6 +86,6 @@ No inputs.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

examples/postgresql-iam-instance/main.tf

@@ -2,17 +2,22 @@ provider "aws" {
   region = local.region
 }
 
+data "aws_availability_zones" "available" {}
+
 locals {
-  region = "us-east-1"
+  name   = "ex-${basename(path.cwd)}"
-  name   = "rds-proxy-ex-${replace(basename(path.cwd), "_", "-")}"
+  region = "eu-west-1"
 
   db_username = random_pet.users.id # using random here due to secrets taking at least 7 days before fully deleting from account
   db_password = random_password.password.result
 
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
   tags = {
-    Name       = local.name
     Example    = local.name
-    Repository = "https://github.com/terraform-aws-modules/terraform-aws-rds-proxy"
+    GithubRepo = "terraform-aws-rds-proxy"
+    GithubOrg  = "terraform-aws-modules"
   }
 }
 
@@ -23,14 +28,12 @@ locals {
 module "rds_proxy" {
   source = "../../"
 
-  create_proxy = true
-
   name                   = local.name
   iam_role_name          = local.name
   vpc_subnet_ids         = module.vpc.private_subnets
   vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
 
-  db_proxy_endpoints = {
+  endpoints = {
     read_write = {
       name                   = "read-write-endpoint"
       vpc_subnet_ids         = module.vpc.private_subnets
@@ -46,11 +49,10 @@ module "rds_proxy" {
     }
   }
 
-  secrets = {
+  auth = {
     (local.db_username) = {
       description = aws_secretsmanager_secret.superuser.description
-      arn         = aws_secretsmanager_secret.superuser.arn
+      secret_arn  = aws_secretsmanager_secret.superuser.arn
-      kms_key_id  = aws_secretsmanager_secret.superuser.kms_key_id
     }
   }
 
@@ -59,7 +61,7 @@ module "rds_proxy" {
 
   # Target RDS instance
   target_db_instance     = true
-  db_instance_identifier = module.rds.db_instance_id
+  db_instance_identifier = module.rds.db_instance_identifier
 
   tags = local.tags
 }
@@ -80,38 +82,52 @@ resource "random_password" "password" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = "~> 6.0"
 
   name = local.name
-  cidr = "10.0.0.0/18"
+  cidr = local.vpc_cidr
 
-  azs              = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  azs              = local.azs
-  public_subnets   = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
+  public_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
-  private_subnets  = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
+  private_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)]
-  database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
+  database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)]
 
-  create_database_subnet_group = true
+  tags = local.tags
-  enable_nat_gateway           = true
+}
-  single_nat_gateway           = true
-  map_public_ip_on_launch      = false
 
-  manage_default_security_group  = true
+module "rds" {
-  default_security_group_ingress = []
+  source  = "terraform-aws-modules/rds/aws"
-  default_security_group_egress  = []
+  version = "~> 6.0"
 
-  enable_flow_log                      = true
+  username = local.db_username
-  flow_log_destination_type            = "cloud-watch-logs"
+  password = local.db_password
-  create_flow_log_cloudwatch_log_group = true
+
-  create_flow_log_cloudwatch_iam_role  = true
+  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
-  flow_log_max_aggregation_interval    = 60
+  iam_database_authentication_enabled = false
-  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
+
+  identifier           = local.name
+  engine               = "postgres"
+  engine_version       = "14"
+  family               = "postgres14" # DB parameter group
+  major_engine_version = "14"         # DB option group
+  instance_class       = "db.t4g.large"
+  allocated_storage    = 20
+  port                 = 5432
+  apply_immediately    = true
+
+  db_subnet_group_name   = module.vpc.database_subnet_group
+  vpc_security_group_ids = [module.rds_sg.security_group_id]
+  multi_az               = true
+
+  backup_retention_period = 0
+  deletion_protection     = false
 
   tags = local.tags
 }
 
 module "rds_sg" {
   source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
+  version = "~> 5.0"
 
   name        = "rds"
   description = "PostgreSQL RDS example security group"
@@ -130,47 +146,9 @@ module "rds_sg" {
   tags = local.tags
 }
 
-module "rds" {
-  source  = "terraform-aws-modules/rds/aws"
-  version = "~> 3.0"
-
-  name     = "example"
-  username = local.db_username
-  password = local.db_password
-
-  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
-  iam_database_authentication_enabled = false
-
-  identifier           = local.name
-  engine               = "postgres"
-  engine_version       = "11.12"
-  family               = "postgres11"
-  major_engine_version = "11"
-  port                 = 5432
-  instance_class       = "db.t3.micro"
-  allocated_storage    = 5
-  storage_encrypted    = true
-  apply_immediately    = true
-
-  enabled_cloudwatch_logs_exports = ["postgresql"]
-  monitoring_interval             = 60
-  create_monitoring_role          = true
-
-  vpc_security_group_ids = [module.rds_sg.security_group_id]
-  subnet_ids             = module.vpc.database_subnets
-  multi_az               = true
-
-  maintenance_window      = "Mon:00:00-Mon:03:00"
-  backup_window           = "03:00-06:00"
-  backup_retention_period = 0
-  deletion_protection     = false
-
-  tags = local.tags
-}
-
 module "rds_proxy_sg" {
   source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
+  version = "~> 5.0"
 
   name        = "rds_proxy"
   description = "PostgreSQL RDS Proxy example security group"
@@ -207,7 +185,7 @@ data "aws_kms_alias" "secretsmanager" {
 
 resource "aws_secretsmanager_secret" "superuser" {
   name        = local.db_username
-  description = "Database superuser, ${local.db_username}, databse connection values"
+  description = "Database superuser, ${local.db_username}, database connection values"
   kms_key_id  = data.aws_kms_alias.secretsmanager.id
 
   tags = local.tags

examples/postgresql-iam-instance/outputs.tf

@@ -66,7 +66,7 @@ output "proxy_target_type" {
   value       = module.rds_proxy.proxy_target_type
 }
 
-# DB proxy endponts
+# DB proxy endpoints
 output "db_proxy_endpoints" {
   description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
   value       = module.rds_proxy.db_proxy_endpoints
@@ -77,3 +77,8 @@ output "log_group_arn" {
   description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
   value       = module.rds_proxy.log_group_arn
 }
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = module.rds_proxy.log_group_name
+}

examples/postgresql-iam-instance/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.5.7"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.38"
+      version = ">= 6.15"
     }
     random = {
       source  = "hashicorp/random"

examples/postgresql_iam_cluster/main.tf

@@ -1,217 +0,0 @@
-provider "aws" {
-  region = local.region
-}
-
-locals {
-  region = "us-east-1"
-  name   = "rds-proxy-ex-${replace(basename(path.cwd), "_", "-")}"
-
-  db_username = random_pet.users.id # using random here due to secrets taking at least 7 days before fully deleting from account
-  db_password = random_password.password.result
-
-  tags = {
-    Name       = local.name
-    Example    = local.name
-    Repository = "https://github.com/terraform-aws-modules/terraform-aws-rds-proxy"
-  }
-}
-
-################################################################################
-# RDS Proxy
-################################################################################
-
-module "rds_proxy" {
-  source = "../../"
-
-  create_proxy = true
-
-  name                   = local.name
-  iam_role_name          = local.name
-  vpc_subnet_ids         = module.vpc.private_subnets
-  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-
-  db_proxy_endpoints = {
-    read_write = {
-      name                   = "read-write-endpoint"
-      vpc_subnet_ids         = module.vpc.private_subnets
-      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-      tags                   = local.tags
-    },
-    read_only = {
-      name                   = "read-only-endpoint"
-      vpc_subnet_ids         = module.vpc.private_subnets
-      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-      target_role            = "READ_ONLY"
-      tags                   = local.tags
-    }
-  }
-
-  secrets = {
-    (local.db_username) = {
-      description = aws_secretsmanager_secret.superuser.description
-      arn         = aws_secretsmanager_secret.superuser.arn
-      kms_key_id  = aws_secretsmanager_secret.superuser.kms_key_id
-    }
-  }
-
-  engine_family = "POSTGRESQL"
-  debug_logging = true
-
-  # Target Aurora cluster
-  target_db_cluster     = true
-  db_cluster_identifier = module.rds.cluster_id
-
-  tags = local.tags
-}
-
-################################################################################
-# Supporting Resources
-################################################################################
-
-resource "random_pet" "users" {
-  length    = 2
-  separator = "_"
-}
-
-resource "random_password" "password" {
-  length  = 16
-  special = false
-}
-
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
-
-  name = local.name
-  cidr = "10.0.0.0/18"
-
-  azs              = ["${local.region}a", "${local.region}b", "${local.region}c"]
-  public_subnets   = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
-  private_subnets  = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
-  database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
-
-  create_database_subnet_group = true
-  enable_nat_gateway           = true
-  single_nat_gateway           = true
-  map_public_ip_on_launch      = false
-
-  manage_default_security_group  = true
-  default_security_group_ingress = []
-  default_security_group_egress  = []
-
-  enable_flow_log                      = true
-  flow_log_destination_type            = "cloud-watch-logs"
-  create_flow_log_cloudwatch_log_group = true
-  create_flow_log_cloudwatch_iam_role  = true
-  flow_log_max_aggregation_interval    = 60
-  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
-
-  tags = local.tags
-}
-
-module "rds" {
-  source  = "terraform-aws-modules/rds-aurora/aws"
-  version = "~> 6.0"
-
-  name            = local.name
-  database_name   = "example"
-  master_username = local.db_username
-  master_password = local.db_password
-
-  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
-  iam_database_authentication_enabled = false
-
-  engine         = "aurora-postgresql"
-  engine_version = "11.12"
-  instance_class = "db.r6g.large"
-  instances      = { 1 = {}, 2 = {} }
-
-  storage_encrypted   = true
-  apply_immediately   = true
-  skip_final_snapshot = true
-
-  enabled_cloudwatch_logs_exports = ["postgresql"]
-  monitoring_interval             = 60
-  create_monitoring_role          = true
-
-  vpc_id                 = module.vpc.vpc_id
-  subnets                = module.vpc.database_subnets
-  create_security_group  = false
-  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-
-  db_subnet_group_name            = local.name # Created by VPC module
-  create_db_subnet_group          = false
-  db_parameter_group_name         = aws_db_parameter_group.aurora_db_postgres11_parameter_group.id
-  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.aurora_cluster_postgres11_parameter_group.id
-
-  tags = local.tags
-}
-
-resource "aws_db_parameter_group" "aurora_db_postgres11_parameter_group" {
-  name        = "example-aurora-db-postgres11-parameter-group"
-  family      = "aurora-postgresql11"
-  description = "test-aurora-db-postgres11-parameter-group"
-
-  tags = local.tags
-}
-
-resource "aws_rds_cluster_parameter_group" "aurora_cluster_postgres11_parameter_group" {
-  name        = "example-aurora-postgres11-cluster-parameter-group"
-  family      = "aurora-postgresql11"
-  description = "example-aurora-postgres11-cluster-parameter-group"
-
-  tags = local.tags
-}
-
-module "rds_proxy_sg" {
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
-
-  name        = "rds_proxy"
-  description = "PostgreSQL RDS Proxy example security group"
-  vpc_id      = module.vpc.vpc_id
-
-  revoke_rules_on_delete = true
-
-  ingress_with_cidr_blocks = [
-    {
-      description = "Private subnet PostgreSQL access"
-      rule        = "postgresql-tcp"
-      cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
-    }
-  ]
-
-  egress_with_cidr_blocks = [
-    {
-      description = "Database subnet PostgreSQL access"
-      rule        = "postgresql-tcp"
-      cidr_blocks = join(",", module.vpc.database_subnets_cidr_blocks)
-    },
-  ]
-
-  tags = local.tags
-}
-
-################################################################################
-# Secrets - DB user passwords
-################################################################################
-
-data "aws_kms_alias" "secretsmanager" {
-  name = "alias/aws/secretsmanager"
-}
-
-resource "aws_secretsmanager_secret" "superuser" {
-  name        = local.db_username
-  description = "Database superuser, ${local.db_username}, databse connection values"
-  kms_key_id  = data.aws_kms_alias.secretsmanager.id
-
-  tags = local.tags
-}
-
-resource "aws_secretsmanager_secret_version" "superuser" {
-  secret_id = aws_secretsmanager_secret.superuser.id
-  secret_string = jsonencode({
-    username = local.db_username
-    password = local.db_password
-  })
-}

examples/postgresql_iam_instance/versions.tf

@@ -1,14 +0,0 @@
-terraform {
-  required_version = ">= 0.13.1"
-
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 3.38"
-    }
-    random = {
-      source  = "hashicorp/random"
-      version = ">= 2.0"
-    }
-  }
-}

main.tf

@@ -1,44 +1,48 @@
-locals {
-  role_arn    = var.create_proxy && var.create_iam_role ? aws_iam_role.this[0].arn : var.role_arn
-  role_name   = coalesce(var.iam_role_name, var.name)
-  policy_name = coalesce(var.iam_policy_name, var.name)
-}
-
-data "aws_region" "current" {}
-
 ################################################################################
 # RDS Proxy
 ################################################################################
 
 resource "aws_db_proxy" "this" {
-  count = var.create_proxy ? 1 : 0
+  count = var.create ? 1 : 0
 
-  name                   = var.name
+  region = var.region
-  debug_logging          = var.debug_logging
-  engine_family          = var.engine_family
-  idle_client_timeout    = var.idle_client_timeout
-  require_tls            = var.require_tls
-  role_arn               = local.role_arn
-  vpc_security_group_ids = var.vpc_security_group_ids
-  vpc_subnet_ids         = var.vpc_subnet_ids
 
   dynamic "auth" {
-    for_each = var.secrets
+    for_each = var.auth
+
     content {
-      auth_scheme = var.auth_scheme
+      auth_scheme               = auth.value.auth_scheme
+      client_password_auth_type = auth.value.client_password_auth_type
       description               = auth.value.description
-      iam_auth    = var.iam_auth
+      iam_auth                  = auth.value.iam_auth
-      secret_arn  = auth.value.arn
+      secret_arn                = auth.value.secret_arn
+      username                  = auth.value.username
     }
   }
 
+  debug_logging          = var.debug_logging
+  default_auth_scheme    = var.default_auth_scheme
+  engine_family          = var.engine_family
+  idle_client_timeout    = var.idle_client_timeout
+  name                   = var.name
+  require_tls            = var.require_tls
+  role_arn               = try(aws_iam_role.this[0].arn, var.role_arn)
+  vpc_security_group_ids = var.vpc_security_group_ids
+  vpc_subnet_ids         = var.vpc_subnet_ids
+
   tags = merge(var.tags, var.proxy_tags)
 
   depends_on = [aws_cloudwatch_log_group.this]
 }
 
+################################################################################
+# Default Target Group
+################################################################################
+
 resource "aws_db_proxy_default_target_group" "this" {
-  count = var.create_proxy ? 1 : 0
+  count = var.create ? 1 : 0
+
+  region = var.region
 
   db_proxy_name = aws_db_proxy.this[0].name
 
@@ -51,8 +55,14 @@ resource "aws_db_proxy_default_target_group" "this" {
   }
 }
 
+################################################################################
+# Target(s)
+################################################################################
+
 resource "aws_db_proxy_target" "db_instance" {
-  count = var.create_proxy && var.target_db_instance ? 1 : 0
+  count = var.create && var.target_db_instance ? 1 : 0
+
+  region = var.region
 
   db_proxy_name          = aws_db_proxy.this[0].name
   target_group_name      = aws_db_proxy_default_target_group.this[0].name
@@ -60,35 +70,46 @@ resource "aws_db_proxy_target" "db_instance" {
 }
 
 resource "aws_db_proxy_target" "db_cluster" {
-  count = var.create_proxy && var.target_db_cluster ? 1 : 0
+  count = var.create && var.target_db_cluster ? 1 : 0
+
+  region = var.region
 
   db_proxy_name         = aws_db_proxy.this[0].name
   target_group_name     = aws_db_proxy_default_target_group.this[0].name
   db_cluster_identifier = var.db_cluster_identifier
 }
 
+################################################################################
+# Endpoint(s)
+################################################################################
+
 resource "aws_db_proxy_endpoint" "this" {
-  for_each = { for k, v in var.db_proxy_endpoints : k => v if var.create_proxy }
+  for_each = { for k, v in var.endpoints : k => v if var.create }
+
+  region = var.region
 
   db_proxy_name          = aws_db_proxy.this[0].name
-  db_proxy_endpoint_name = each.value.name
+  db_proxy_endpoint_name = coalesce(each.value.name, each.key)
   vpc_subnet_ids         = each.value.vpc_subnet_ids
-  vpc_security_group_ids = lookup(each.value, "vpc_security_group_ids", null)
+  vpc_security_group_ids = each.value.vpc_security_group_ids
-  target_role            = lookup(each.value, "target_role", null)
+  target_role            = each.value.target_role
 
-  tags = lookup(each.value, "tags", var.tags)
+  tags = merge(var.tags, each.value.tags)
 }
 
 ################################################################################
-# CloudWatch Logs
+# CloudWatch Log Group
 ################################################################################
 
 resource "aws_cloudwatch_log_group" "this" {
-  count = var.create_proxy && var.manage_log_group ? 1 : 0
+  count = var.create && var.manage_log_group ? 1 : 0
+
+  region = var.region
 
   name              = "/aws/rds/proxy/${var.name}"
   retention_in_days = var.log_group_retention_in_days
   kms_key_id        = var.log_group_kms_key_id
+  log_group_class   = var.log_group_class
 
   tags = merge(var.tags, var.log_group_tags)
 }
@@ -97,8 +118,37 @@ resource "aws_cloudwatch_log_group" "this" {
 # IAM Role
 ################################################################################
 
+locals {
+  create_iam_role = var.create && var.create_iam_role
+
+  role_name   = coalesce(var.iam_role_name, var.name)
+  policy_name = coalesce(var.iam_policy_name, var.name)
+
+  partition  = try(data.aws_partition.current[0].partition, "aws")
+  dns_suffix = try(data.aws_partition.current[0].dns_suffix, "amazonaws.com")
+  region     = try(data.aws_region.current[0].region, var.region)
+}
+
+data "aws_region" "current" {
+  count = local.create_iam_role ? 1 : 0
+
+  region = var.region
+}
+
+data "aws_partition" "current" {
+  count = local.create_iam_role ? 1 : 0
+}
+
+data "aws_service_principal" "rds" {
+  count = local.create_iam_role ? 1 : 0
+
+  service_name = "rds"
+  region       = data.aws_region.current[0].region
+}
+
+
 data "aws_iam_policy_document" "assume_role" {
-  count = var.create_proxy && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role ? 1 : 0
 
   statement {
     sid     = "RDSAssume"
@@ -107,13 +157,13 @@ data "aws_iam_policy_document" "assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = ["rds.amazonaws.com"]
+      identifiers = [data.aws_service_principal.rds[0].name]
     }
   }
 }
 
 resource "aws_iam_role" "this" {
-  count = var.create_proxy && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role ? 1 : 0
 
   name        = var.use_role_name_prefix ? null : local.role_name
   name_prefix = var.use_role_name_prefix ? "${local.role_name}-" : null
@@ -128,20 +178,27 @@ resource "aws_iam_role" "this" {
   tags = merge(var.tags, var.iam_role_tags)
 }
 
+################################################################################
+# IAM Role Policy
+################################################################################
+
 data "aws_iam_policy_document" "this" {
-  count = var.create_proxy && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role && var.create_iam_policy ? 1 : 0
 
   statement {
     sid     = "DecryptSecrets"
     effect  = "Allow"
     actions = ["kms:Decrypt"]
-    resources = distinct([for secret in var.secrets : secret.kms_key_id])
+    resources = coalescelist(
+      var.kms_key_arns,
+      ["arn:${local.partition}:kms:*:*:key/*"]
+    )
+
     condition {
       test     = "StringEquals"
       variable = "kms:ViaService"
-
       values = [
-        "secretsmanager.${data.aws_region.current.name}.amazonaws.com"
+        "secretsmanager.${local.region}.${local.dns_suffix}"
       ]
     }
   }
@@ -166,12 +223,12 @@ data "aws_iam_policy_document" "this" {
       "secretsmanager:ListSecretVersionIds",
     ]
 
-    resources = distinct([for secret in var.secrets : secret.arn])
+    resources = distinct([for auth in var.auth : auth.secret_arn])
   }
 }
 
 resource "aws_iam_role_policy" "this" {
-  count = var.create_proxy && var.create_iam_role && var.create_iam_policy ? 1 : 0
+  count = local.create_iam_role && var.create_iam_policy ? 1 : 0
 
   name        = var.use_policy_name_prefix ? null : local.policy_name
   name_prefix = var.use_policy_name_prefix ? "${local.policy_name}-" : null

outputs.tf

@@ -1,79 +1,118 @@
+################################################################################
 # RDS Proxy
+################################################################################
+
 output "proxy_id" {
   description = "The ID for the proxy"
-  value       = try(aws_db_proxy.this[0].id, "")
+  value       = try(aws_db_proxy.this[0].id, null)
 }
 
 output "proxy_arn" {
   description = "The Amazon Resource Name (ARN) for the proxy"
-  value       = try(aws_db_proxy.this[0].arn, "")
+  value       = try(aws_db_proxy.this[0].arn, null)
 }
 
 output "proxy_endpoint" {
   description = "The endpoint that you can use to connect to the proxy"
-  value       = try(aws_db_proxy.this[0].endpoint, "")
+  value       = try(aws_db_proxy.this[0].endpoint, null)
 }
 
-# Proxy Default Target Group
+################################################################################
+# Default Target Group
+################################################################################
+
 output "proxy_default_target_group_id" {
   description = "The ID for the default target group"
-  value       = try(aws_db_proxy_default_target_group.this[0].id, "")
+  value       = try(aws_db_proxy_default_target_group.this[0].id, null)
 }
 
 output "proxy_default_target_group_arn" {
   description = "The Amazon Resource Name (ARN) for the default target group"
-  value       = try(aws_db_proxy_default_target_group.this[0].arn, "")
+  value       = try(aws_db_proxy_default_target_group.this[0].arn, null)
 }
 
 output "proxy_default_target_group_name" {
   description = "The name of the default target group"
-  value       = try(aws_db_proxy_default_target_group.this[0].name, "")
+  value       = try(aws_db_proxy_default_target_group.this[0].name, null)
 }
 
-# Proxy Target
+################################################################################
+# Target(s)
+################################################################################
+
 output "proxy_target_endpoint" {
   description = "Hostname for the target RDS DB Instance. Only returned for `RDS_INSTANCE` type"
-  value       = try(aws_db_proxy_target.db_instance[0].endpoint, aws_db_proxy_target.db_cluster[0].endpoint, "")
+  value       = try(aws_db_proxy_target.db_instance[0].endpoint, aws_db_proxy_target.db_cluster[0].endpoint, null)
 }
 
 output "proxy_target_id" {
   description = "Identifier of `db_proxy_name`, `target_group_name`, target type (e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER`), and resource identifier separated by forward slashes (/)"
-  value       = try(aws_db_proxy_target.db_instance[0].id, aws_db_proxy_target.db_cluster[0].id, "")
+  value       = try(aws_db_proxy_target.db_instance[0].id, aws_db_proxy_target.db_cluster[0].id, null)
 }
 
 output "proxy_target_port" {
   description = "Port for the target RDS DB Instance or Aurora DB Cluster"
-  value       = try(aws_db_proxy_target.db_instance[0].port, aws_db_proxy_target.db_cluster[0].port, "")
+  value       = try(aws_db_proxy_target.db_instance[0].port, aws_db_proxy_target.db_cluster[0].port, null)
 }
 
 output "proxy_target_rds_resource_id" {
   description = "Identifier representing the DB Instance or DB Cluster target"
-  value       = try(aws_db_proxy_target.db_instance[0].rds_resource_id, aws_db_proxy_target.db_cluster[0].rds_resource_id, "")
+  value       = try(aws_db_proxy_target.db_instance[0].rds_resource_id, aws_db_proxy_target.db_cluster[0].rds_resource_id, null)
 }
 
 output "proxy_target_target_arn" {
   description = "Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API"
-  value       = try(aws_db_proxy_target.db_instance[0].target_arn, aws_db_proxy_target.db_cluster[0].target_arn, "")
+  value       = try(aws_db_proxy_target.db_instance[0].target_arn, aws_db_proxy_target.db_cluster[0].target_arn, null)
 }
 
 output "proxy_target_tracked_cluster_id" {
   description = "DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS_INSTANCE target that is part of a DB Cluster"
-  value       = try(aws_db_proxy_target.db_cluster[0].tracked_cluster_id, "")
+  value       = try(aws_db_proxy_target.db_cluster[0].tracked_cluster_id, null)
 }
 
 output "proxy_target_type" {
   description = "Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER`"
-  value       = try(aws_db_proxy_target.db_instance[0].type, aws_db_proxy_target.db_cluster[0].type, "")
+  value       = try(aws_db_proxy_target.db_instance[0].type, aws_db_proxy_target.db_cluster[0].type, null)
 }
 
-# DB proxy endponts
+################################################################################
+# Endpoint(s)
+################################################################################
+
 output "db_proxy_endpoints" {
   description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
   value       = aws_db_proxy_endpoint.this
 }
 
-# CloudWatch logs
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
 output "log_group_arn" {
   description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
-  value       = try(aws_cloudwatch_log_group.this[0].arn, "")
+  value       = try(aws_cloudwatch_log_group.this[0].arn, null)
+}
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = try(aws_cloudwatch_log_group.this[0].name, null)
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+output "iam_role_arn" {
+  description = "The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager."
+  value       = try(aws_iam_role.this[0].arn, null)
+}
+
+output "iam_role_name" {
+  description = "IAM role name"
+  value       = try(aws_iam_role.this[0].name, null)
+}
+
+output "iam_role_unique_id" {
+  description = "Stable and unique string identifying the IAM role"
+  value       = try(aws_iam_role.this[0].unique_id, null)
 }

variables.tf

@@ -1,15 +1,24 @@
+variable "create" {
+  description = "Whether cluster should be created (affects nearly all resources)"
+  type        = bool
+  default     = true
+}
+
+variable "region" {
+  description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
+  type        = string
+  default     = null
+}
+
 variable "tags" {
-  description = "A map of tags to use on all resources"
+  description = "A map of tags to add to all resources"
   type        = map(string)
   default     = {}
 }
 
+################################################################################
 # RDS Proxy
-variable "create_proxy" {
+################################################################################
-  description = "Determines whether a proxy and its resources will be created"
-  type        = bool
-  default     = true
-}
 
 variable "name" {
   description = "The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens"
@@ -17,12 +26,35 @@ variable "name" {
   default     = ""
 }
 
+variable "auth" {
+  description = "Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters"
+  type = map(object({
+    auth_scheme               = optional(string)
+    client_password_auth_type = optional(string)
+    description               = optional(string)
+    iam_auth                  = optional(string)
+    secret_arn                = optional(string)
+    username                  = optional(string)
+  }))
+  default = {
+    default = {
+      auth_scheme = "SECRETS"
+    }
+  }
+}
+
 variable "debug_logging" {
   description = "Whether the proxy includes detailed information about SQL statements in its logs"
   type        = bool
   default     = false
 }
 
+variable "default_auth_scheme" {
+  description = "Default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are NONE and IAM_AUTH. Defaults to NONE"
+  type        = string
+  default     = null
+}
+
 variable "engine_family" {
   description = "The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL`"
   type        = string
@@ -59,31 +91,16 @@ variable "vpc_subnet_ids" {
   default     = []
 }
 
-variable "auth_scheme" {
-  description = "The type of authentication that the proxy uses for connections from the proxy to the underlying database. One of `SECRETS`"
-  type        = string
-  default     = "SECRETS"
-}
-
-variable "iam_auth" {
-  description = "Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. One of `DISABLED`, `REQUIRED`"
-  type        = string
-  default     = "REQUIRED"
-}
-
 variable "proxy_tags" {
   description = "A map of tags to apply to the RDS Proxy"
   type        = map(string)
   default     = {}
 }
 
-variable "secrets" {
+################################################################################
-  description = "Map of secerets to be used by RDS Proxy for authentication to the database"
+# Default Target Group
-  type        = map(object({ arn = string, description = string, kms_key_id = string }))
+################################################################################
-  default     = {}
-}
 
-# Proxy Default Target Group
 variable "connection_borrow_timeout" {
   description = "The number of seconds for a proxy to wait for a connection to become available in the connection pool"
   type        = number
@@ -114,9 +131,12 @@ variable "session_pinning_filters" {
   default     = []
 }
 
-# Proxy Target
+################################################################################
+# Target(s)
+################################################################################
+
 variable "target_db_instance" {
-  description = "Determines whether DB instance is targetted by proxy"
+  description = "Determines whether DB instance is targeted by proxy"
   type        = bool
   default     = false
 }
@@ -128,7 +148,7 @@ variable "db_instance_identifier" {
 }
 
 variable "target_db_cluster" {
-  description = "Determines whether DB cluster is targetted by proxy"
+  description = "Determines whether DB cluster is targeted by proxy"
   type        = bool
   default     = false
 }
@@ -139,14 +159,26 @@ variable "db_cluster_identifier" {
   default     = ""
 }
 
-# Proxy endpoints
+################################################################################
-variable "db_proxy_endpoints" {
+# Endpoint(s)
-  description = "Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`)"
+################################################################################
-  type        = any
+
+variable "endpoints" {
+  description = "Map of DB proxy endpoints to create and their attributes"
+  type = map(object({
+    name                   = optional(string)
+    vpc_subnet_ids         = list(string)
+    vpc_security_group_ids = optional(list(string))
+    target_role            = optional(string)
+    tags                   = optional(map(string), {})
+  }))
   default = {}
 }
 
+################################################################################
 # CloudWatch Logs
+################################################################################
+
 variable "manage_log_group" {
   description = "Determines whether Terraform will create/manage the CloudWatch log group or not. Note - this will fail if set to true after the log group has been created as the resource will already exist"
   type        = bool
@@ -165,13 +197,22 @@ variable "log_group_kms_key_id" {
   default     = null
 }
 
+variable "log_group_class" {
+  description = "Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS`"
+  type        = string
+  default     = null
+}
+
 variable "log_group_tags" {
   description = "A map of tags to apply to the CloudWatch log group"
   type        = map(string)
   default     = {}
 }
 
+################################################################################
 # IAM Role
+################################################################################
+
 variable "create_iam_role" {
   description = "Determines whether an IAM role is created"
   type        = bool
@@ -226,7 +267,10 @@ variable "iam_role_tags" {
   default     = {}
 }
 
-# IAM Policy
+################################################################################
+# IAM Role Policy
+################################################################################
+
 variable "create_iam_policy" {
   description = "Determines whether an IAM policy is created"
   type        = bool
@@ -244,3 +288,9 @@ variable "use_policy_name_prefix" {
   type        = bool
   default     = false
 }
+
+variable "kms_key_arns" {
+  description = "List of KMS Key ARNs to allow access to decrypt SecretsManager secrets"
+  type        = list(string)
+  default     = []
+}

versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.5.7"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.38"
+      version = ">= 6.15"
     }
   }
 }

wrappers/README.md

@@ -0,0 +1,100 @@
+# Wrapper for the root module
+
+The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt).
+
+You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module.
+
+This wrapper does not implement any extra functionality.
+
+## Usage with Terragrunt
+
+`terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/rds-proxy/aws//wrappers"
+  # Alternative source:
+  # source = "git::git@github.com:terraform-aws-modules/terraform-aws-rds-proxy.git//wrappers?ref=master"
+}
+
+inputs = {
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Usage with Terraform
+
+```hcl
+module "wrapper" {
+  source = "terraform-aws-modules/rds-proxy/aws//wrappers"
+
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Example: Manage multiple S3 buckets in one Terragrunt layer
+
+`eu-west-1/s3-buckets/terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers"
+  # Alternative source:
+  # source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master"
+}
+
+inputs = {
+  defaults = {
+    force_destroy = true
+
+    attach_elb_log_delivery_policy        = true
+    attach_lb_log_delivery_policy         = true
+    attach_deny_insecure_transport_policy = true
+    attach_require_latest_tls_policy      = true
+  }
+
+  items = {
+    bucket1 = {
+      bucket = "my-random-bucket-1"
+    }
+    bucket2 = {
+      bucket = "my-random-bucket-2"
+      tags = {
+        Secure = "probably"
+      }
+    }
+  }
+}
+```

wrappers/main.tf

@@ -0,0 +1,52 @@
+module "wrapper" {
+  source = "../"
+
+  for_each = var.items
+
+  auth = try(each.value.auth, var.defaults.auth, {
+    default = {
+      auth_scheme = "SECRETS"
+    }
+  })
+  connection_borrow_timeout      = try(each.value.connection_borrow_timeout, var.defaults.connection_borrow_timeout, null)
+  create                         = try(each.value.create, var.defaults.create, true)
+  create_iam_policy              = try(each.value.create_iam_policy, var.defaults.create_iam_policy, true)
+  create_iam_role                = try(each.value.create_iam_role, var.defaults.create_iam_role, true)
+  db_cluster_identifier          = try(each.value.db_cluster_identifier, var.defaults.db_cluster_identifier, "")
+  db_instance_identifier         = try(each.value.db_instance_identifier, var.defaults.db_instance_identifier, "")
+  debug_logging                  = try(each.value.debug_logging, var.defaults.debug_logging, false)
+  default_auth_scheme            = try(each.value.default_auth_scheme, var.defaults.default_auth_scheme, null)
+  endpoints                      = try(each.value.endpoints, var.defaults.endpoints, {})
+  engine_family                  = try(each.value.engine_family, var.defaults.engine_family, "")
+  iam_policy_name                = try(each.value.iam_policy_name, var.defaults.iam_policy_name, "")
+  iam_role_description           = try(each.value.iam_role_description, var.defaults.iam_role_description, "")
+  iam_role_force_detach_policies = try(each.value.iam_role_force_detach_policies, var.defaults.iam_role_force_detach_policies, true)
+  iam_role_max_session_duration  = try(each.value.iam_role_max_session_duration, var.defaults.iam_role_max_session_duration, 43200)
+  iam_role_name                  = try(each.value.iam_role_name, var.defaults.iam_role_name, "")
+  iam_role_path                  = try(each.value.iam_role_path, var.defaults.iam_role_path, null)
+  iam_role_permissions_boundary  = try(each.value.iam_role_permissions_boundary, var.defaults.iam_role_permissions_boundary, null)
+  iam_role_tags                  = try(each.value.iam_role_tags, var.defaults.iam_role_tags, {})
+  idle_client_timeout            = try(each.value.idle_client_timeout, var.defaults.idle_client_timeout, 1800)
+  init_query                     = try(each.value.init_query, var.defaults.init_query, "")
+  kms_key_arns                   = try(each.value.kms_key_arns, var.defaults.kms_key_arns, [])
+  log_group_class                = try(each.value.log_group_class, var.defaults.log_group_class, null)
+  log_group_kms_key_id           = try(each.value.log_group_kms_key_id, var.defaults.log_group_kms_key_id, null)
+  log_group_retention_in_days    = try(each.value.log_group_retention_in_days, var.defaults.log_group_retention_in_days, 30)
+  log_group_tags                 = try(each.value.log_group_tags, var.defaults.log_group_tags, {})
+  manage_log_group               = try(each.value.manage_log_group, var.defaults.manage_log_group, true)
+  max_connections_percent        = try(each.value.max_connections_percent, var.defaults.max_connections_percent, 90)
+  max_idle_connections_percent   = try(each.value.max_idle_connections_percent, var.defaults.max_idle_connections_percent, 50)
+  name                           = try(each.value.name, var.defaults.name, "")
+  proxy_tags                     = try(each.value.proxy_tags, var.defaults.proxy_tags, {})
+  region                         = try(each.value.region, var.defaults.region, null)
+  require_tls                    = try(each.value.require_tls, var.defaults.require_tls, true)
+  role_arn                       = try(each.value.role_arn, var.defaults.role_arn, "")
+  session_pinning_filters        = try(each.value.session_pinning_filters, var.defaults.session_pinning_filters, [])
+  tags                           = try(each.value.tags, var.defaults.tags, {})
+  target_db_cluster              = try(each.value.target_db_cluster, var.defaults.target_db_cluster, false)
+  target_db_instance             = try(each.value.target_db_instance, var.defaults.target_db_instance, false)
+  use_policy_name_prefix         = try(each.value.use_policy_name_prefix, var.defaults.use_policy_name_prefix, false)
+  use_role_name_prefix           = try(each.value.use_role_name_prefix, var.defaults.use_role_name_prefix, false)
+  vpc_security_group_ids         = try(each.value.vpc_security_group_ids, var.defaults.vpc_security_group_ids, [])
+  vpc_subnet_ids                 = try(each.value.vpc_subnet_ids, var.defaults.vpc_subnet_ids, [])
+}

wrappers/outputs.tf

@@ -0,0 +1,5 @@
+output "wrapper" {
+  description = "Map of outputs of a wrapper."
+  value       = module.wrapper
+  # sensitive = false # No sensitive module output found
+}

wrappers/variables.tf

@@ -0,0 +1,11 @@
+variable "defaults" {
+  description = "Map of default values which will be used for each item."
+  type        = any
+  default     = {}
+}
+
+variable "items" {
+  description = "Maps of items to create a wrapper from. Values are passed through to the module."
+  type        = any
+  default     = {}
+}

wrappers/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.5.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.15"
+    }
+  }
+}