chore(release): version 4.2.1 [skip ci]

## [4.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.2.0...v4.2.1) (2025-10-21) ### Bug Fixes * Update CI workflow versions to latest ([#40](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/40)) ([5deff22](5deff22cf4))
fix: Update CI workflow versions to latest (#40 )
2025-12-17 08:21:12 +00:00 · 2025-10-21 09:10:15 +00:00 · 2025-10-21 11:09:40 +02:00 · 2025-10-14 13:10:34 +00:00 · 2025-10-14 08:10:07 -05:00 · 2025-10-01 14:13:37 +00:00
44 changed files with 1248 additions and 827 deletions
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@ -8,7 +8,7 @@ jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
-      - uses: dessant/lock-threads@v3
+      - uses: dessant/lock-threads@v5
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          issue-comment: >
--- a/.github/workflows/pr-title.yml
+++ b/.github/workflows/pr-title.yml
@ -14,7 +14,7 @@ jobs:
    steps:
      # Please look up the latest version from
      # https://github.com/amannn/action-semantic-pull-request/releases
-      - uses: amannn/action-semantic-pull-request@v5.0.2
+      - uses: amannn/action-semantic-pull-request@v6.1.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@ -7,7 +7,8 @@ on:
      - master

 env:
-  TERRAFORM_DOCS_VERSION: v0.16.0
+  TERRAFORM_DOCS_VERSION: v0.20.0
+  TFLINT_VERSION: v0.59.1

 jobs:
  collectInputs:
@ -17,11 +18,11 @@ jobs:
      directories: ${{ steps.dirs.outputs.directories }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5

      - name: Get root directories
        id: dirs
-        uses: clowdhaus/terraform-composite-actions/directories@v1.8.0
+        uses: clowdhaus/terraform-composite-actions/directories@v1.14.0

  preCommitMinVersions:
    name: Min TF pre-commit
@ -31,29 +32,61 @@ jobs:
      matrix:
        directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
    steps:
+      - name: Install rmz
+        uses: jaxxstorm/action-install-gh-release@v2.1.0
+        with:
+          repo: SUPERCILEX/fuc
+          asset-name: x86_64-unknown-linux-gnu-rmz
+          rename-to: rmz
+          chmod: 0755
+          extension-matching: disable
+
+      # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
+      - name: Delete unnecessary files
+        run: |
+          formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
+          getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
+
+          BEFORE=$(getAvailableSpace)
+
+          ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
+          rmz -f /opt/hostedtoolcache/CodeQL &
+          rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
+          rmz -f /opt/hostedtoolcache/PyPy &
+          rmz -f /opt/hostedtoolcache/Ruby &
+          rmz -f /opt/hostedtoolcache/go &
+
+          wait
+
+          AFTER=$(getAvailableSpace)
+          SAVED=$((AFTER-BEFORE))
+          echo "=> Saved $(formatByteCount $SAVED)"
+
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5

      - name: Terraform min/max versions
        id: minMax
-        uses: clowdhaus/terraform-min-max@v1.2.0
+        uses: clowdhaus/terraform-min-max@v2.1.0
        with:
          directory: ${{ matrix.directory }}

      - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
        # Run only validate pre-commit check on min version supported
        if: ${{ matrix.directory !=  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
        with:
          terraform-version: ${{ steps.minMax.outputs.minVersion }}
+          tflint-version: ${{ env.TFLINT_VERSION }}
          args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*'

      - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
        # Run only validate pre-commit check on min version supported
        if: ${{ matrix.directory ==  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
        with:
          terraform-version: ${{ steps.minMax.outputs.minVersion }}
+          tflint-version: ${{ env.TFLINT_VERSION }}
          args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)'

  preCommitMaxVersion:
@ -61,18 +94,75 @@ jobs:
    runs-on: ubuntu-latest
    needs: collectInputs
    steps:
+      - name: Install rmz
+        uses: jaxxstorm/action-install-gh-release@v2.1.0
+        with:
+          repo: SUPERCILEX/fuc
+          asset-name: x86_64-unknown-linux-gnu-rmz
+          rename-to: rmz
+          chmod: 0755
+          extension-matching: disable
+
+      # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
+      - name: Delete unnecessary files
+        run: |
+          formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
+          getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
+
+          BEFORE=$(getAvailableSpace)
+
+          ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
+          rmz -f /opt/hostedtoolcache/CodeQL &
+          rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
+          rmz -f /opt/hostedtoolcache/PyPy &
+          rmz -f /opt/hostedtoolcache/Ruby &
+          rmz -f /opt/hostedtoolcache/go &
+          sudo rmz -f /usr/local/lib/android &
+
+          if [[ ${{ github.repository }} == terraform-aws-modules/terraform-aws-security-group ]]; then
+            sudo rmz -f /usr/share/dotnet &
+            sudo rmz -f /usr/local/.ghcup &
+            sudo apt-get -qq remove -y 'azure-.*'
+            sudo apt-get -qq remove -y 'cpp-.*'
+            sudo apt-get -qq remove -y 'dotnet-runtime-.*'
+            sudo apt-get -qq remove -y 'google-.*'
+            sudo apt-get -qq remove -y 'libclang-.*'
+            sudo apt-get -qq remove -y 'libllvm.*'
+            sudo apt-get -qq remove -y 'llvm-.*'
+            sudo apt-get -qq remove -y 'mysql-.*'
+            sudo apt-get -qq remove -y 'postgresql-.*'
+            sudo apt-get -qq remove -y 'php.*'
+            sudo apt-get -qq remove -y 'temurin-.*'
+            sudo apt-get -qq remove -y kubectl firefox mono-devel
+            sudo apt-get -qq autoremove -y
+            sudo apt-get -qq clean
+          fi
+
+          wait
+
+          AFTER=$(getAvailableSpace)
+          SAVED=$((AFTER-BEFORE))
+          echo "=> Saved $(formatByteCount $SAVED)"
+
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{github.event.pull_request.head.repo.full_name}}

      - name: Terraform min/max versions
        id: minMax
-        uses: clowdhaus/terraform-min-max@v1.2.0
+        uses: clowdhaus/terraform-min-max@v2.1.0
+
+      - name: Hide template dir
+        # Special to this repo, we don't want to check this dir
+        if: ${{ github.repository ==  'terraform-aws-modules/terraform-aws-security-group' }}
+        run: rm -rf modules/_templates

      - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
        with:
          terraform-version: ${{ steps.minMax.outputs.maxVersion }}
+          tflint-version: ${{ env.TFLINT_VERSION }}
          terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }}
+          install-hcledit: true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -4,6 +4,7 @@ on:
  workflow_dispatch:
  push:
    branches:
+      - main
      - master
    paths:
      - '**/*.tpl'
@ -19,18 +20,26 @@ jobs:
    if: github.repository_owner == 'terraform-aws-modules'
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v5
        with:
          persist-credentials: false
          fetch-depth: 0

-      - name: Release
-        uses: cycjimmy/semantic-release-action@v2
+      - name: Set correct Node.js version
+        uses: actions/setup-node@v6
        with:
-          semantic_version: 18.0.0
-          extra_plugins: |
-            @semantic-release/changelog@6.0.0
-            @semantic-release/git@10.0.0
-            conventional-changelog-conventionalcommits@4.6.3
+          node-version: 24
+
+      - name: Install dependencies
+        run: |
+          npm install \
+            @semantic-release/changelog@6.0.3 \
+            @semantic-release/git@10.0.1 \
+            conventional-changelog-conventionalcommits@9.1.0
+
+      - name: Release
+        uses: cycjimmy/semantic-release-action@v5
+        with:
+          semantic_version: 25.0.0
        env:
          GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}
--- a/.github/workflows/stale-actions.yaml
+++ b/.github/workflows/stale-actions.yaml
@ -7,7 +7,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v6
+      - uses: actions/stale@v10
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          # Staling issues and PR's
--- a/.gitignore
+++ b/.gitignore
@ -1,13 +1,13 @@
 # Local .terraform directories
 **/.terraform/*

+# Terraform lockfile
+.terraform.lock.hcl
+
 # .tfstate files
 *.tfstate
 *.tfstate.*

-# terraform lockfile
-.terraform.lock.hcl
-
 # Crash log files
 crash.log

@ -15,7 +15,6 @@ crash.log
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
-#
 *.tfvars

 # Ignore override files as they are usually used to override resources locally and so
@ -25,13 +24,16 @@ override.tf.json
 *_override.tf
 *_override.tf.json

-# Include override files you do wish to add to version control using negated pattern
-#
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+# Lambda build artifacts
+builds/
+__pycache__/
+*.zip
+.tox
+
+# Local editors/macos files
+.DS_Store
+.idea
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -1,9 +1,9 @@
 repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.76.0
+    rev: v1.103.0
    hooks:
      - id: terraform_fmt
-      - id: terraform_validate
+      - id: terraform_wrapper_module_for_each
      - id: terraform_docs
        args:
          - '--args=--lockfile=false'
@ -22,8 +22,10 @@ repos:
          - '--args=--only=terraform_required_providers'
          - '--args=--only=terraform_standard_module_structure'
          - '--args=--only=terraform_workspace_remote'
+      - id: terraform_validate
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v6.0.0
    hooks:
      - id: check-merge-conflict
      - id: end-of-file-fixer
+      - id: trailing-whitespace
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,81 @@

 All notable changes to this project will be documented in this file.

+## [4.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.2.0...v4.2.1) (2025-10-21)
+
+### Bug Fixes
+
+* Update CI workflow versions to latest ([#40](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/40)) ([5deff22](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/5deff22cf4c471ce824c016687c3b933cd8b783c))
+
+## [4.2.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.1.0...v4.2.0) (2025-10-14)
+
+
+### Features
+
+* Support `default_auth_scheme` ([#39](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/39)) ([c2073a0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/c2073a031c947270dac3f17c7f76e2996cd1b5b1))
+
+## [4.1.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.0.0...v4.1.0) (2025-10-01)
+
+
+### Features
+
+* Add Terragrunt wrappers ([#38](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/38)) ([33b43c7](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/33b43c72abdad0b01655238d844e56dabca5e6d4))
+
+## [4.0.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.2.1...v4.0.0) (2025-09-16)
+
+
+### ⚠ BREAKING CHANGES
+
+* Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively (#34)
+
+### Features
+
+* Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively ([#34](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/34)) ([47c0fca](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/47c0fcad4b3e40ef112544028dba1a4c10ee50dc))
+
+## [3.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.2.0...v3.2.1) (2025-05-22)
+
+
+### Bug Fixes
+
+* Correct service principal to rds.amazonaws.com (incl China) ([#32](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/32)) ([bbbf50c](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/bbbf50ce8734f05d4ac69fa41c23c88094b82356))
+
+## [3.2.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.1.1...v3.2.0) (2024-11-19)
+
+
+### Features
+
+* Add CloudWatch log group name to outputs ([#28](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/28)) ([0fc0e19](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/0fc0e19e642a2fdcd8f546bf219f78b5db252c65))
+
+
+### Bug Fixes
+
+* Update CI workflow versions to latest ([#27](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/27)) ([b6f22be](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/b6f22becf63614f365e72a81151c1955ab0d4df3))
+
+## [3.1.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.1.0...v3.1.1) (2024-03-06)
+
+
+### Bug Fixes
+
+* Update CI workflow versions to remove deprecated runtime warnings ([#26](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/26)) ([a31a810](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/a31a81097b9828776e91864973783d0e9530e12d))
+
+## [3.1.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.0.0...v3.1.0) (2023-08-30)
+
+
+### Features
+
+* Add IAM role output ([#22](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/22)) ([d18ae45](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/d18ae45d9ebf8253f7144e6bdc6ef39af9a4863f))
+
+## [3.0.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v2.1.2...v3.0.0) (2023-06-09)
+
+
+### ⚠ BREAKING CHANGES
+
+* Increase Terraform and AWS provider minimum supported versions; update `auth` configuration schema (#17)
+
+### Features
+
+* Increase Terraform and AWS provider minimum supported versions; update `auth` configuration schema ([#17](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/17)) ([cc39e9d](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/cc39e9d0295495574c406acfed9e288fb6d5df3c))
+
 ### [2.1.2](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v2.1.1...v2.1.2) (2022-10-27)


--- a/README.md
+++ b/README.md
@ -15,7 +15,7 @@ module "rds_proxy" {
  vpc_subnet_ids         = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
  vpc_security_group_ids = ["sg-f1d03a88"]

-  db_proxy_endpoints = {
+  endpoints = {
    read_write = {
      name                   = "read-write-endpoint"
      vpc_subnet_ids         = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
@ -29,18 +29,17 @@ module "rds_proxy" {
    }
  }

-  secrets = {
+  auth = {
    "superuser" = {
-      description = "Aurora PostgreSQL superuser password"
-      arn         = "arn:aws:secretsmanager:us-east-1:123456789012:secret:superuser-6gsjLD"
-      kms_key_id  = "6ca29066-552a-46c5-a7d7-7bf9a15fc255"
+      description        = "Aurora PostgreSQL superuser password"
+      secret_arn         = "arn:aws:secretsmanager:us-east-1:123456789012:secret:superuser-6gsjLD"
    }
  }

  # Target Aurora cluster
  engine_family         = "POSTGRESQL"
  target_db_cluster     = true
-  db_cluster_identifier = "myendpoint"
+  db_cluster_identifier = "my-endpoint"

  tags = {
    Terraform   = "true"
@ -53,24 +52,24 @@ module "rds_proxy" {

 Examples codified under the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module(s). If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

- [IAM auth. w/ MySQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql_iam_cluster)
- [IAM auth. w/ MySQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql_iam_instance)
- [IAM auth. w/ PostgreSQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql_iam_cluster)
- [IAM auth. w/ PostgreSQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql_iam_instance)
+- [IAM auth. w/ MySQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql-iam-cluster)
+- [IAM auth. w/ MySQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql-iam-instance)
+- [IAM auth. w/ PostgreSQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-cluster)
+- [IAM auth. w/ PostgreSQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-instance)

-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.38 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |

 ## Modules

@ -90,23 +89,25 @@ No modules.
 | [aws_iam_role_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_service_principal.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |

 ## Inputs

 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_auth_scheme"></a> [auth\_scheme](#input\_auth\_scheme) | The type of authentication that the proxy uses for connections from the proxy to the underlying database. One of `SECRETS` | `string` | `"SECRETS"` | no |
+| <a name="input_auth"></a> [auth](#input\_auth) | Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters | <pre>map(object({<br/>    auth_scheme               = optional(string)<br/>    client_password_auth_type = optional(string)<br/>    description               = optional(string)<br/>    iam_auth                  = optional(string)<br/>    secret_arn                = optional(string)<br/>    username                  = optional(string)<br/>  }))</pre> | <pre>{<br/>  "default": {<br/>    "auth_scheme": "SECRETS"<br/>  }<br/>}</pre> | no |
 | <a name="input_connection_borrow_timeout"></a> [connection\_borrow\_timeout](#input\_connection\_borrow\_timeout) | The number of seconds for a proxy to wait for a connection to become available in the connection pool | `number` | `null` | no |
+| <a name="input_create"></a> [create](#input\_create) | Whether cluster should be created (affects nearly all resources) | `bool` | `true` | no |
 | <a name="input_create_iam_policy"></a> [create\_iam\_policy](#input\_create\_iam\_policy) | Determines whether an IAM policy is created | `bool` | `true` | no |
 | <a name="input_create_iam_role"></a> [create\_iam\_role](#input\_create\_iam\_role) | Determines whether an IAM role is created | `bool` | `true` | no |
-| <a name="input_create_proxy"></a> [create\_proxy](#input\_create\_proxy) | Determines whether a proxy and its resources will be created | `bool` | `true` | no |
 | <a name="input_db_cluster_identifier"></a> [db\_cluster\_identifier](#input\_db\_cluster\_identifier) | DB cluster identifier | `string` | `""` | no |
 | <a name="input_db_instance_identifier"></a> [db\_instance\_identifier](#input\_db\_instance\_identifier) | DB instance identifier | `string` | `""` | no |
-| <a name="input_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#input\_db\_proxy\_endpoints) | Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`) | `any` | `{}` | no |
 | <a name="input_debug_logging"></a> [debug\_logging](#input\_debug\_logging) | Whether the proxy includes detailed information about SQL statements in its logs | `bool` | `false` | no |
+| <a name="input_default_auth_scheme"></a> [default\_auth\_scheme](#input\_default\_auth\_scheme) | Default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are NONE and IAM\_AUTH. Defaults to NONE | `string` | `null` | no |
+| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | Map of DB proxy endpoints to create and their attributes | <pre>map(object({<br/>    name                   = optional(string)<br/>    vpc_subnet_ids         = list(string)<br/>    vpc_security_group_ids = optional(list(string))<br/>    target_role            = optional(string)<br/>    tags                   = optional(map(string), {})<br/>  }))</pre> | `{}` | no |
 | <a name="input_engine_family"></a> [engine\_family](#input\_engine\_family) | The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL` | `string` | `""` | no |
-| <a name="input_iam_auth"></a> [iam\_auth](#input\_iam\_auth) | Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. One of `DISABLED`, `REQUIRED` | `string` | `"REQUIRED"` | no |
 | <a name="input_iam_policy_name"></a> [iam\_policy\_name](#input\_iam\_policy\_name) | The name of the role policy. If omitted, Terraform will assign a random, unique name | `string` | `""` | no |
 | <a name="input_iam_role_description"></a> [iam\_role\_description](#input\_iam\_role\_description) | The description of the role | `string` | `""` | no |
 | <a name="input_iam_role_force_detach_policies"></a> [iam\_role\_force\_detach\_policies](#input\_iam\_role\_force\_detach\_policies) | Specifies to force detaching any policies the role has before destroying it | `bool` | `true` | no |
@ -117,6 +118,8 @@ No modules.
 | <a name="input_iam_role_tags"></a> [iam\_role\_tags](#input\_iam\_role\_tags) | A map of tags to apply to the IAM role | `map(string)` | `{}` | no |
 | <a name="input_idle_client_timeout"></a> [idle\_client\_timeout](#input\_idle\_client\_timeout) | The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it | `number` | `1800` | no |
 | <a name="input_init_query"></a> [init\_query](#input\_init\_query) | One or more SQL statements for the proxy to run when opening each new database connection | `string` | `""` | no |
+| <a name="input_kms_key_arns"></a> [kms\_key\_arns](#input\_kms\_key\_arns) | List of KMS Key ARNs to allow access to decrypt SecretsManager secrets | `list(string)` | `[]` | no |
+| <a name="input_log_group_class"></a> [log\_group\_class](#input\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no |
 | <a name="input_log_group_kms_key_id"></a> [log\_group\_kms\_key\_id](#input\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
 | <a name="input_log_group_retention_in_days"></a> [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the log group | `number` | `30` | no |
 | <a name="input_log_group_tags"></a> [log\_group\_tags](#input\_log\_group\_tags) | A map of tags to apply to the CloudWatch log group | `map(string)` | `{}` | no |
@ -125,13 +128,13 @@ No modules.
 | <a name="input_max_idle_connections_percent"></a> [max\_idle\_connections\_percent](#input\_max\_idle\_connections\_percent) | Controls how actively the proxy closes idle database connections in the connection pool | `number` | `50` | no |
 | <a name="input_name"></a> [name](#input\_name) | The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens | `string` | `""` | no |
 | <a name="input_proxy_tags"></a> [proxy\_tags](#input\_proxy\_tags) | A map of tags to apply to the RDS Proxy | `map(string)` | `{}` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
 | <a name="input_require_tls"></a> [require\_tls](#input\_require\_tls) | A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy | `bool` | `true` | no |
 | <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager | `string` | `""` | no |
-| <a name="input_secrets"></a> [secrets](#input\_secrets) | Map of secerets to be used by RDS Proxy for authentication to the database | `map(object({ arn = string, description = string, kms_key_id = string }))` | `{}` | no |
 | <a name="input_session_pinning_filters"></a> [session\_pinning\_filters](#input\_session\_pinning\_filters) | Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection | `list(string)` | `[]` | no |
-| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to use on all resources | `map(string)` | `{}` | no |
-| <a name="input_target_db_cluster"></a> [target\_db\_cluster](#input\_target\_db\_cluster) | Determines whether DB cluster is targetted by proxy | `bool` | `false` | no |
-| <a name="input_target_db_instance"></a> [target\_db\_instance](#input\_target\_db\_instance) | Determines whether DB instance is targetted by proxy | `bool` | `false` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
+| <a name="input_target_db_cluster"></a> [target\_db\_cluster](#input\_target\_db\_cluster) | Determines whether DB cluster is targeted by proxy | `bool` | `false` | no |
+| <a name="input_target_db_instance"></a> [target\_db\_instance](#input\_target\_db\_instance) | Determines whether DB instance is targeted by proxy | `bool` | `false` | no |
 | <a name="input_use_policy_name_prefix"></a> [use\_policy\_name\_prefix](#input\_use\_policy\_name\_prefix) | Whether to use unique name beginning with the specified `iam_policy_name` | `bool` | `false` | no |
 | <a name="input_use_role_name_prefix"></a> [use\_role\_name\_prefix](#input\_use\_role\_name\_prefix) | Whether to use unique name beginning with the specified `iam_role_name` | `bool` | `false` | no |
 | <a name="input_vpc_security_group_ids"></a> [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | One or more VPC security group IDs to associate with the new proxy | `list(string)` | `[]` | no |
@ -142,7 +145,11 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
+| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager. |
+| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | IAM role name |
+| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -156,7 +163,7 @@ No modules.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->

 ## License

--- a/docs/UPGRADE-3.0.md
+++ b/docs/UPGRADE-3.0.md
@ -0,0 +1,79 @@
+# Upgrade from v2.x to v3.x
+
+If you have any questions regarding this upgrade process, please consult the `examples` directory.
+If you find a bug, please open an issue with supporting configuration to reproduce.
+
+## List of backwards incompatible changes
+
+- Minimum supported Terraform version is now 1.0
+- Minimum supported AWS provider version is now 5.0
+- The manner in which authentication is configured has changed - previously auth settings were provided under `secrets` in conjunction with `auth_scheme` and `iam_auth` variables. Now, auth settings are provided under the `auth` variable for multiple auth entries.
+
+### Variable and output changes
+
+1. Removed variables:
+
+    - `auth_scheme` is now set under the `auth` variable for a given auth entry
+    - `iam_auth` is now set under the `auth` variable for a given auth entry
+
+2. Renamed variables:
+
+    - `create_proxy` -> `create`
+    - `secrets` -> `auth`
+    - `db_proxy_endpoints` -> `endpoints`
+
+3. Added variables:
+
+    - `kms_key_arns` - list of KMS key ARNs to use allowing permission to decrypt SecretsManager secrets
+
+4. Removed outputs:
+
+    - None
+
+5. Renamed outputs:
+
+    - None
+
+6. Added outputs:
+
+    - None
+
+## Diff of Before (v2.x) vs After (v3.x)
+
+```diff
+module "rds_proxy" {
+  source  = "terraform-aws-modules/rds-proxy/aws"
+-  version = "~> 2.0"
+  version = "~> 3.0"
+
+  # Only the affected attributes are shown
+-  create_proxy = true
+  create       = true
+
+-  db_proxy_endpoints = {
+-  ...
+-  }
+  endpoints = {
+    ...
+  }
+
+-  secrets = {
+-    "superuser" = {
+-      description = "Aurora PostgreSQL superuser password"
+-      arn         = "arn:aws:secretsmanager:eu-west-1:123456789012:secret:superuser-6gsjLD"
+-      kms_key_id  = "6ca29066-552a-46c5-a7d7-7bf9a15fc255"
+-    }
+-  }
+  auth = {
+    "superuser" = {
+      description = "Aurora PostgreSQL superuser password"
+      secret_arn  = "arn:aws:secretsmanager:us-east-1:123456789012:secret:superuser-6gsjLD"
+    }
+  }
+  kms_key_arns = ["arn:aws:kms:eu-west-1:123456789012:key/6ca29066-552a-46c5-a7d7-7bf9a15fc255"]
+}
+```
+
+### State Changes
+
+- None
--- a/examples/README.md
+++ b/examples/README.md
@ -1,6 +1,8 @@
-# AWS RDS Proxy Terraform Examples
+# Examples

- [IAM auth. w/ MySQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql_iam_cluster)
- [IAM auth. w/ MySQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql_iam_instance)
- [IAM auth. w/ PostgreSQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql_iam_cluster)
- [IAM auth. w/ PostgreSQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql_iam_instance)
+Please note - the examples provided serve two primary means:
+
+1. Show users working examples of the various ways in which the module can be configured and features supported
+2. A means of testing/validating module changes
+
+Please do not mistake the examples provided as "best practices". It is up to users to consult the AWS service documentation for best practices, usage recommendations, etc.
--- a/examples/mysql-iam-cluster/README.md
+++ b/examples/mysql-iam-cluster/README.md
@ -25,42 +25,34 @@ An EC2 instance configuration has been provided for use in validating the exampl
 3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window
 4. You should now be connected to the `example` database in the RDS instance via the AWS Proxy using IAM authentication

-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.38 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
-| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |

 ## Modules

 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 6.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
-| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
+| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |

 ## Resources

 | Name | Type |
 |------|------|
-| [aws_db_parameter_group.aurora_db_mysql57_parameter_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group) | resource |
-| [aws_rds_cluster_parameter_group.aurora_cluster_mysql57_parameter_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_parameter_group) | resource |
-| [aws_secretsmanager_secret.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
-| [aws_secretsmanager_secret_version.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
-| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
-| [random_pet.users](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
-| [aws_kms_alias.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |

 ## Inputs

@ -72,6 +64,7 @@ No inputs.
 |------|-------------|
 | <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -85,6 +78,6 @@ No inputs.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->

 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).
--- a/examples/mysql-iam-cluster/main.tf
+++ b/examples/mysql-iam-cluster/main.tf
@ -0,0 +1,144 @@
+provider "aws" {
+  region = local.region
+}
+
+data "aws_availability_zones" "available" {}
+
+locals {
+  name   = "ex-${basename(path.cwd)}"
+  region = "eu-west-1"
+
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-rds-proxy"
+    GithubOrg  = "terraform-aws-modules"
+  }
+}
+
+################################################################################
+# RDS Proxy
+################################################################################
+
+module "rds_proxy" {
+  source = "../../"
+
+  name                   = local.name
+  iam_role_name          = local.name
+  vpc_subnet_ids         = module.vpc.private_subnets
+  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+
+  endpoints = {
+    read_write = {
+      name                   = "read-write-endpoint"
+      vpc_subnet_ids         = module.vpc.private_subnets
+      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+      tags                   = local.tags
+    },
+    read_only = {
+      name                   = "read-only-endpoint"
+      vpc_subnet_ids         = module.vpc.private_subnets
+      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+      target_role            = "READ_ONLY"
+      tags                   = local.tags
+    }
+  }
+
+  auth = {
+    "root" = {
+      description = "Cluster generated master user password"
+      secret_arn  = module.rds.cluster_master_user_secret[0].secret_arn
+    }
+  }
+
+  engine_family = "MYSQL"
+  debug_logging = true
+
+  # Target Aurora cluster
+  target_db_cluster     = true
+  db_cluster_identifier = module.rds.cluster_id
+
+  tags = local.tags
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 6.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs              = local.azs
+  public_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  private_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)]
+  database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)]
+
+  tags = local.tags
+}
+
+module "rds" {
+  source  = "terraform-aws-modules/rds-aurora/aws"
+  version = "~> 9.0"
+
+  name            = local.name
+  engine          = "aurora-mysql"
+  engine_version  = "8.0"
+  master_username = "root"
+
+  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
+  iam_database_authentication_enabled = false
+
+  instance_class = "db.r6g.large"
+  instances = {
+    1 = {}
+    2 = {}
+  }
+
+  vpc_id               = module.vpc.vpc_id
+  db_subnet_group_name = module.vpc.database_subnet_group_name
+  security_group_rules = {
+    vpc_ingress = {
+      cidr_blocks = module.vpc.private_subnets_cidr_blocks
+    }
+  }
+
+  apply_immediately   = true
+  skip_final_snapshot = true
+
+  tags = local.tags
+}
+
+module "rds_proxy_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.0"
+
+  name        = "${local.name}-proxy"
+  description = "PostgreSQL RDS Proxy example security group"
+  vpc_id      = module.vpc.vpc_id
+
+  revoke_rules_on_delete = true
+
+  ingress_with_cidr_blocks = [
+    {
+      description = "Private subnet MySQL access"
+      rule        = "mysql-tcp"
+      cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
+    }
+  ]
+
+  egress_with_cidr_blocks = [
+    {
+      description = "Database subnet MySQL access"
+      rule        = "mysql-tcp"
+      cidr_blocks = join(",", module.vpc.database_subnets_cidr_blocks)
+    },
+  ]
+
+  tags = local.tags
+}
--- a/examples/mysql_iam_instance/outputs.tf
+++ b/examples/mysql_iam_instance/outputs.tf
@ -66,7 +66,7 @@ output "proxy_target_type" {
  value       = module.rds_proxy.proxy_target_type
 }

-# DB proxy endponts
+# DB proxy endpoints
 output "db_proxy_endpoints" {
  description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
  value       = module.rds_proxy.db_proxy_endpoints
@ -77,3 +77,8 @@ output "log_group_arn" {
  description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
  value       = module.rds_proxy.log_group_arn
 }
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = module.rds_proxy.log_group_name
+}
--- a/examples/mysql-iam-cluster/variables.tf
+++ b/examples/mysql-iam-cluster/variables.tf
--- a/examples/mysql-iam-cluster/versions.tf
+++ b/examples/mysql-iam-cluster/versions.tf
@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.5.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.15"
+    }
+  }
+}
--- a/examples/mysql-iam-instance/README.md
+++ b/examples/mysql-iam-instance/README.md
@ -25,31 +25,31 @@ An EC2 instance configuration has been provided for use in validating the exampl
 3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window
 4. You should now be connected to the `example` database in the Aurora cluster via the AWS Proxy using IAM authentication

-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.38 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |

 ## Modules

 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
-| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
-| <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
+| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
+| <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |

 ## Resources

@ -59,6 +59,7 @@ An EC2 instance configuration has been provided for use in validating the exampl
 | [aws_secretsmanager_secret_version.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_pet.users](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_kms_alias.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |

 ## Inputs
@ -71,6 +72,7 @@ No inputs.
 |------|-------------|
 | <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -84,6 +86,6 @@ No inputs.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->

 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).
--- a/examples/mysql-iam-instance/main.tf
+++ b/examples/mysql-iam-instance/main.tf
@ -2,17 +2,22 @@ provider "aws" {
  region = local.region
 }

+data "aws_availability_zones" "available" {}
+
 locals {
-  region = "us-east-1"
-  name   = "rds-proxy-ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "ex-${basename(path.cwd)}"
+  region = "eu-west-1"

  db_username = random_pet.users.id # using random here due to secrets taking at least 7 days before fully deleting from account
  db_password = random_password.password.result

+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
  tags = {
-    Name       = local.name
    Example    = local.name
-    Repository = "https://github.com/terraform-aws-modules/terraform-aws-rds-proxy"
+    GithubRepo = "terraform-aws-rds-proxy"
+    GithubOrg  = "terraform-aws-modules"
  }
 }

@ -23,14 +28,12 @@ locals {
 module "rds_proxy" {
  source = "../../"

-  create_proxy = true
-
  name                   = local.name
  iam_role_name          = local.name
  vpc_subnet_ids         = module.vpc.private_subnets
  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]

-  db_proxy_endpoints = {
+  endpoints = {
    read_write = {
      name                   = "read-write-endpoint"
      vpc_subnet_ids         = module.vpc.private_subnets
@ -46,11 +49,10 @@ module "rds_proxy" {
    }
  }

-  secrets = {
+  auth = {
    (local.db_username) = {
      description = aws_secretsmanager_secret.superuser.description
-      arn         = aws_secretsmanager_secret.superuser.arn
-      kms_key_id  = aws_secretsmanager_secret.superuser.kms_key_id
+      secret_arn  = aws_secretsmanager_secret.superuser.arn
    }
  }

@ -59,7 +61,7 @@ module "rds_proxy" {

  # Target RDS instance
  target_db_instance     = true
-  db_instance_identifier = module.rds.db_instance_id
+  db_instance_identifier = module.rds.db_instance_identifier

  tags = local.tags
 }
@ -80,38 +82,52 @@ resource "random_password" "password" {

 module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = "~> 6.0"

  name = local.name
-  cidr = "10.0.0.0/18"
+  cidr = local.vpc_cidr

-  azs              = ["${local.region}a", "${local.region}b", "${local.region}c"]
-  public_subnets   = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
-  private_subnets  = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
-  database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
+  azs              = local.azs
+  public_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  private_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)]
+  database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)]

-  create_database_subnet_group = true
-  enable_nat_gateway           = true
-  single_nat_gateway           = true
-  map_public_ip_on_launch      = false
+  tags = local.tags
+}

-  manage_default_security_group  = true
-  default_security_group_ingress = []
-  default_security_group_egress  = []
+module "rds" {
+  source  = "terraform-aws-modules/rds/aws"
+  version = "~> 6.0"

-  enable_flow_log                      = true
-  flow_log_destination_type            = "cloud-watch-logs"
-  create_flow_log_cloudwatch_log_group = true
-  create_flow_log_cloudwatch_iam_role  = true
-  flow_log_max_aggregation_interval    = 60
-  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
+  username = local.db_username
+  password = local.db_password
+
+  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
+  iam_database_authentication_enabled = false
+
+  identifier           = local.name
+  engine               = "mysql"
+  engine_version       = "8.0"
+  family               = "mysql8.0" # DB parameter group
+  major_engine_version = "8.0"      # DB option group
+  instance_class       = "db.t4g.large"
+  allocated_storage    = 20
+  port                 = 3306
+  apply_immediately    = true
+
+  db_subnet_group_name   = module.vpc.database_subnet_group
+  vpc_security_group_ids = [module.rds_sg.security_group_id]
+  multi_az               = true
+
+  backup_retention_period = 0
+  deletion_protection     = false

  tags = local.tags
 }

 module "rds_sg" {
  source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
+  version = "~> 5.0"

  name        = "rds"
  description = "MySQL RDS example security group"
@ -130,57 +146,19 @@ module "rds_sg" {
  tags = local.tags
 }

-module "rds" {
-  source  = "terraform-aws-modules/rds/aws"
-  version = "~> 3.0"
-
-  name     = "example"
-  username = local.db_username
-  password = local.db_password
-
-  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
-  iam_database_authentication_enabled = false
-
-  identifier           = local.name
-  engine               = "mysql"
-  engine_version       = "5.7.31"
-  family               = "mysql5.7"
-  major_engine_version = "5.7"
-  port                 = 3306
-  instance_class       = "db.t3.micro"
-  allocated_storage    = 5
-  storage_encrypted    = true
-  apply_immediately    = true
-
-  enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"]
-  monitoring_interval             = 60
-  create_monitoring_role          = true
-
-  vpc_security_group_ids = [module.rds_sg.security_group_id]
-  subnet_ids             = module.vpc.database_subnets
-  multi_az               = true
-
-  maintenance_window      = "Mon:00:00-Mon:03:00"
-  backup_window           = "03:00-06:00"
-  backup_retention_period = 0
-  deletion_protection     = false
-
-  tags = local.tags
-}
-
 module "rds_proxy_sg" {
  source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
+  version = "~> 5.0"

-  name        = "rds_proxy"
-  description = "MySQL RDS Proxy example security group"
+  name        = "${local.name}-proxy"
+  description = "PostgreSQL RDS Proxy example security group"
  vpc_id      = module.vpc.vpc_id

  revoke_rules_on_delete = true

  ingress_with_cidr_blocks = [
    {
-      description = "Private subnet PostgreSQL access"
+      description = "Private subnet MySQL access"
      rule        = "mysql-tcp"
      cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
    }
@ -207,7 +185,7 @@ data "aws_kms_alias" "secretsmanager" {

 resource "aws_secretsmanager_secret" "superuser" {
  name        = local.db_username
-  description = "Database superuser, ${local.db_username}, databse connection values"
+  description = "Database superuser, ${local.db_username}, database connection values"
  kms_key_id  = data.aws_kms_alias.secretsmanager.id

  tags = local.tags
--- a/examples/postgresql_iam_cluster/outputs.tf
+++ b/examples/postgresql_iam_cluster/outputs.tf
@ -66,7 +66,7 @@ output "proxy_target_type" {
  value       = module.rds_proxy.proxy_target_type
 }

-# DB proxy endponts
+# DB proxy endpoints
 output "db_proxy_endpoints" {
  description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
  value       = module.rds_proxy.db_proxy_endpoints
@ -77,3 +77,8 @@ output "log_group_arn" {
  description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
  value       = module.rds_proxy.log_group_arn
 }
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = module.rds_proxy.log_group_name
+}
--- a/examples/mysql-iam-instance/variables.tf
+++ b/examples/mysql-iam-instance/variables.tf
--- a/examples/mysql-iam-instance/versions.tf
+++ b/examples/mysql-iam-instance/versions.tf
@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.5.7"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.38"
+      version = ">= 6.15"
    }
    random = {
      source  = "hashicorp/random"
--- a/examples/mysql_iam_cluster/main.tf
+++ b/examples/mysql_iam_cluster/main.tf
@ -1,217 +0,0 @@
-provider "aws" {
-  region = local.region
-}
-
-locals {
-  region = "us-east-1"
-  name   = "rds-proxy-ex-${replace(basename(path.cwd), "_", "-")}"
-
-  db_username = random_pet.users.id # using random here due to secrets taking at least 7 days before fully deleting from account
-  db_password = random_password.password.result
-
-  tags = {
-    Name       = local.name
-    Example    = local.name
-    Repository = "https://github.com/terraform-aws-modules/terraform-aws-rds-proxy"
-  }
-}
-
-################################################################################
-# RDS Proxy
-################################################################################
-
-module "rds_proxy" {
-  source = "../../"
-
-  create_proxy = true
-
-  name                   = local.name
-  iam_role_name          = local.name
-  vpc_subnet_ids         = module.vpc.private_subnets
-  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-
-  db_proxy_endpoints = {
-    read_write = {
-      name                   = "read-write-endpoint"
-      vpc_subnet_ids         = module.vpc.private_subnets
-      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-      tags                   = local.tags
-    },
-    read_only = {
-      name                   = "read-only-endpoint"
-      vpc_subnet_ids         = module.vpc.private_subnets
-      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-      target_role            = "READ_ONLY"
-      tags                   = local.tags
-    }
-  }
-
-  secrets = {
-    (local.db_username) = {
-      description = aws_secretsmanager_secret.superuser.description
-      arn         = aws_secretsmanager_secret.superuser.arn
-      kms_key_id  = aws_secretsmanager_secret.superuser.kms_key_id
-    }
-  }
-
-  engine_family = "MYSQL"
-  debug_logging = true
-
-  # Target Aurora cluster
-  target_db_cluster     = true
-  db_cluster_identifier = module.rds.cluster_id
-
-  tags = local.tags
-}
-
-################################################################################
-# Supporting Resources
-################################################################################
-
-resource "random_pet" "users" {
-  length    = 2
-  separator = "_"
-}
-
-resource "random_password" "password" {
-  length  = 16
-  special = false
-}
-
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
-
-  name = local.name
-  cidr = "10.0.0.0/18"
-
-  azs              = ["${local.region}a", "${local.region}b", "${local.region}c"]
-  public_subnets   = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
-  private_subnets  = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
-  database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
-
-  create_database_subnet_group = true
-  enable_nat_gateway           = true
-  single_nat_gateway           = true
-  map_public_ip_on_launch      = false
-
-  manage_default_security_group  = true
-  default_security_group_ingress = []
-  default_security_group_egress  = []
-
-  enable_flow_log                      = true
-  flow_log_destination_type            = "cloud-watch-logs"
-  create_flow_log_cloudwatch_log_group = true
-  create_flow_log_cloudwatch_iam_role  = true
-  flow_log_max_aggregation_interval    = 60
-  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
-
-  tags = local.tags
-}
-
-module "rds" {
-  source  = "terraform-aws-modules/rds-aurora/aws"
-  version = "~> 6.0"
-
-  name            = local.name
-  database_name   = "example"
-  master_username = local.db_username
-  master_password = local.db_password
-
-  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
-  iam_database_authentication_enabled = false
-
-  engine         = "aurora-mysql"
-  engine_version = "5.7.12"
-  instance_class = "db.r6g.large"
-  instances      = { 1 = {}, 2 = {} }
-
-  storage_encrypted   = true
-  apply_immediately   = true
-  skip_final_snapshot = true
-
-  enabled_cloudwatch_logs_exports = ["general", "error", "slowquery"]
-  monitoring_interval             = 60
-  create_monitoring_role          = true
-
-  vpc_id                 = module.vpc.vpc_id
-  subnets                = module.vpc.database_subnets
-  create_security_group  = false
-  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-
-  db_subnet_group_name            = local.name # Created by VPC module
-  create_db_subnet_group          = false
-  db_parameter_group_name         = aws_db_parameter_group.aurora_db_mysql57_parameter_group.id
-  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.aurora_cluster_mysql57_parameter_group.id
-
-  tags = local.tags
-}
-
-resource "aws_db_parameter_group" "aurora_db_mysql57_parameter_group" {
-  name        = "example-aurora-db-57-parameter-group"
-  family      = "aurora-mysql5.7"
-  description = "example-aurora-db-57-parameter-group"
-
-  tags = local.tags
-}
-
-resource "aws_rds_cluster_parameter_group" "aurora_cluster_mysql57_parameter_group" {
-  name        = "example-aurora-57-cluster-parameter-group"
-  family      = "aurora-mysql5.7"
-  description = "example-aurora-57-cluster-parameter-group"
-
-  tags = local.tags
-}
-
-module "rds_proxy_sg" {
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
-
-  name        = "rds_proxy"
-  description = "PostgreSQL RDS Proxy example security group"
-  vpc_id      = module.vpc.vpc_id
-
-  revoke_rules_on_delete = true
-
-  ingress_with_cidr_blocks = [
-    {
-      description = "Private subnet MySQL access"
-      rule        = "mysql-tcp"
-      cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
-    }
-  ]
-
-  egress_with_cidr_blocks = [
-    {
-      description = "Database subnet MySQL access"
-      rule        = "mysql-tcp"
-      cidr_blocks = join(",", module.vpc.database_subnets_cidr_blocks)
-    },
-  ]
-
-  tags = local.tags
-}
-
-################################################################################
-# Secrets - DB user passwords
-################################################################################
-
-data "aws_kms_alias" "secretsmanager" {
-  name = "alias/aws/secretsmanager"
-}
-
-resource "aws_secretsmanager_secret" "superuser" {
-  name        = local.db_username
-  description = "Database superuser, ${local.db_username}, databse connection values"
-  kms_key_id  = data.aws_kms_alias.secretsmanager.id
-
-  tags = local.tags
-}
-
-resource "aws_secretsmanager_secret_version" "superuser" {
-  secret_id = aws_secretsmanager_secret.superuser.id
-  secret_string = jsonencode({
-    username = local.db_username
-    password = local.db_password
-  })
-}
--- a/examples/mysql_iam_cluster/versions.tf
+++ b/examples/mysql_iam_cluster/versions.tf
@ -1,14 +0,0 @@
-terraform {
-  required_version = ">= 0.13.1"
-
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 3.38"
-    }
-    random = {
-      source  = "hashicorp/random"
-      version = ">= 2.0"
-    }
-  }
-}
--- a/examples/postgresql-iam-cluster/README.md
+++ b/examples/postgresql-iam-cluster/README.md
@ -25,42 +25,34 @@ An EC2 instance configuration has been provided for use in validating the exampl
 3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window - NOTE: remove the string escape slashes `psql \"host...` -> `psql "host...`
 4. You should now be connected to the `example` database in the RDS instance via the AWS Proxy using IAM authentication

-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.38 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
-| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |

 ## Modules

 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 6.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
-| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
+| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |

 ## Resources

 | Name | Type |
 |------|------|
-| [aws_db_parameter_group.aurora_db_postgres11_parameter_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group) | resource |
-| [aws_rds_cluster_parameter_group.aurora_cluster_postgres11_parameter_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_parameter_group) | resource |
-| [aws_secretsmanager_secret.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
-| [aws_secretsmanager_secret_version.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
-| [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
-| [random_pet.users](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
-| [aws_kms_alias.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |

 ## Inputs

@ -71,7 +63,11 @@ No inputs.
 | Name | Description |
 |------|-------------|
 | <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
+| <a name="output_iam_role_arn"></a> [iam\_role\_arn](#output\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the role proxy uses to access secrets |
+| <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | The name of the role proxy uses to access secrets |
+| <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the role proxy uses to access secrets |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -85,6 +81,6 @@ No inputs.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->

 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).
--- a/examples/postgresql-iam-cluster/main.tf
+++ b/examples/postgresql-iam-cluster/main.tf
@ -0,0 +1,144 @@
+provider "aws" {
+  region = local.region
+}
+
+data "aws_availability_zones" "available" {}
+
+locals {
+  name   = "ex-${basename(path.cwd)}"
+  region = "eu-west-1"
+
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-rds-proxy"
+    GithubOrg  = "terraform-aws-modules"
+  }
+}
+
+################################################################################
+# RDS Proxy
+################################################################################
+
+module "rds_proxy" {
+  source = "../../"
+
+  name                   = local.name
+  iam_role_name          = local.name
+  vpc_subnet_ids         = module.vpc.private_subnets
+  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+
+  endpoints = {
+    read_write = {
+      name                   = "read-write-endpoint"
+      vpc_subnet_ids         = module.vpc.private_subnets
+      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+      tags                   = local.tags
+    },
+    read_only = {
+      name                   = "read-only-endpoint"
+      vpc_subnet_ids         = module.vpc.private_subnets
+      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
+      target_role            = "READ_ONLY"
+      tags                   = local.tags
+    }
+  }
+
+  auth = {
+    "root" = {
+      description = "Cluster generated master user password"
+      secret_arn  = module.rds.cluster_master_user_secret[0].secret_arn
+    }
+  }
+
+  engine_family = "POSTGRESQL"
+  debug_logging = true
+
+  # Target Aurora cluster
+  target_db_cluster     = true
+  db_cluster_identifier = module.rds.cluster_id
+
+  tags = local.tags
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 6.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs              = local.azs
+  public_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  private_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)]
+  database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)]
+
+  tags = local.tags
+}
+
+module "rds" {
+  source  = "terraform-aws-modules/rds-aurora/aws"
+  version = "~> 9.0"
+
+  name            = local.name
+  engine          = "aurora-postgresql"
+  engine_version  = "17.5"
+  master_username = "root"
+
+  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
+  iam_database_authentication_enabled = false
+
+  instance_class = "db.r6g.large"
+  instances = {
+    1 = {}
+    2 = {}
+  }
+
+  vpc_id               = module.vpc.vpc_id
+  db_subnet_group_name = module.vpc.database_subnet_group_name
+  security_group_rules = {
+    vpc_ingress = {
+      cidr_blocks = module.vpc.private_subnets_cidr_blocks
+    }
+  }
+
+  apply_immediately   = true
+  skip_final_snapshot = true
+
+  tags = local.tags
+}
+
+module "rds_proxy_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.0"
+
+  name        = "${local.name}-proxy"
+  description = "PostgreSQL RDS Proxy example security group"
+  vpc_id      = module.vpc.vpc_id
+
+  revoke_rules_on_delete = true
+
+  ingress_with_cidr_blocks = [
+    {
+      description = "Private subnet PostgreSQL access"
+      rule        = "postgresql-tcp"
+      cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
+    }
+  ]
+
+  egress_with_cidr_blocks = [
+    {
+      description = "Database subnet PostgreSQL access"
+      rule        = "postgresql-tcp"
+      cidr_blocks = join(",", module.vpc.database_subnets_cidr_blocks)
+    },
+  ]
+
+  tags = local.tags
+}
--- a/examples/postgresql_iam_instance/outputs.tf
+++ b/examples/postgresql_iam_instance/outputs.tf
@ -66,7 +66,7 @@ output "proxy_target_type" {
  value       = module.rds_proxy.proxy_target_type
 }

-# DB proxy endponts
+# DB proxy endpoints
 output "db_proxy_endpoints" {
  description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
  value       = module.rds_proxy.db_proxy_endpoints
@ -77,3 +77,24 @@ output "log_group_arn" {
  description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
  value       = module.rds_proxy.log_group_arn
 }
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = module.rds_proxy.log_group_name
+}
+
+# IAM role
+output "iam_role_arn" {
+  description = "The Amazon Resource Name (ARN) specifying the role proxy uses to access secrets"
+  value       = module.rds_proxy.iam_role_arn
+}
+
+output "iam_role_name" {
+  description = "The name of the role proxy uses to access secrets"
+  value       = module.rds_proxy.iam_role_name
+}
+
+output "iam_role_unique_id" {
+  description = "Stable and unique string identifying the role proxy uses to access secrets"
+  value       = module.rds_proxy.iam_role_unique_id
+}
--- a/examples/postgresql-iam-cluster/variables.tf
+++ b/examples/postgresql-iam-cluster/variables.tf
--- a/examples/postgresql-iam-cluster/versions.tf
+++ b/examples/postgresql-iam-cluster/versions.tf
@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.5.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.15"
+    }
+  }
+}
--- a/examples/postgresql-iam-instance/README.md
+++ b/examples/postgresql-iam-instance/README.md
@ -25,31 +25,31 @@ An EC2 instance configuration has been provided for use in validating the exampl
 3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window - NOTE: remove the string escape slashes `psql \"host...` -> `psql "host...`
 4. You should now be connected to the `example` database in the Aurora cluster via the AWS Proxy using IAM authentication

-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements

 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.38 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |

 ## Providers

 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.38 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |

 ## Modules

 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 3.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
-| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
-| <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 4.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
+| <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
+| <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |

 ## Resources

@ -59,6 +59,7 @@ An EC2 instance configuration has been provided for use in validating the exampl
 | [aws_secretsmanager_secret_version.superuser](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [random_password.password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [random_pet.users](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_kms_alias.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |

 ## Inputs
@ -71,6 +72,7 @@ No inputs.
 |------|-------------|
 | <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@ -84,6 +86,6 @@ No inputs.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->

 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).
--- a/examples/postgresql-iam-instance/main.tf
+++ b/examples/postgresql-iam-instance/main.tf
@ -2,17 +2,22 @@ provider "aws" {
  region = local.region
 }

+data "aws_availability_zones" "available" {}
+
 locals {
-  region = "us-east-1"
-  name   = "rds-proxy-ex-${replace(basename(path.cwd), "_", "-")}"
+  name   = "ex-${basename(path.cwd)}"
+  region = "eu-west-1"

  db_username = random_pet.users.id # using random here due to secrets taking at least 7 days before fully deleting from account
  db_password = random_password.password.result

+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
  tags = {
-    Name       = local.name
    Example    = local.name
-    Repository = "https://github.com/terraform-aws-modules/terraform-aws-rds-proxy"
+    GithubRepo = "terraform-aws-rds-proxy"
+    GithubOrg  = "terraform-aws-modules"
  }
 }

@ -23,14 +28,12 @@ locals {
 module "rds_proxy" {
  source = "../../"

-  create_proxy = true
-
  name                   = local.name
  iam_role_name          = local.name
  vpc_subnet_ids         = module.vpc.private_subnets
  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]

-  db_proxy_endpoints = {
+  endpoints = {
    read_write = {
      name                   = "read-write-endpoint"
      vpc_subnet_ids         = module.vpc.private_subnets
@ -46,11 +49,10 @@ module "rds_proxy" {
    }
  }

-  secrets = {
+  auth = {
    (local.db_username) = {
      description = aws_secretsmanager_secret.superuser.description
-      arn         = aws_secretsmanager_secret.superuser.arn
-      kms_key_id  = aws_secretsmanager_secret.superuser.kms_key_id
+      secret_arn  = aws_secretsmanager_secret.superuser.arn
    }
  }

@ -59,7 +61,7 @@ module "rds_proxy" {

  # Target RDS instance
  target_db_instance     = true
-  db_instance_identifier = module.rds.db_instance_id
+  db_instance_identifier = module.rds.db_instance_identifier

  tags = local.tags
 }
@ -80,38 +82,52 @@ resource "random_password" "password" {

 module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = "~> 6.0"

  name = local.name
-  cidr = "10.0.0.0/18"
+  cidr = local.vpc_cidr

-  azs              = ["${local.region}a", "${local.region}b", "${local.region}c"]
-  public_subnets   = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
-  private_subnets  = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
-  database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
+  azs              = local.azs
+  public_subnets   = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k)]
+  private_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 3)]
+  database_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 6)]

-  create_database_subnet_group = true
-  enable_nat_gateway           = true
-  single_nat_gateway           = true
-  map_public_ip_on_launch      = false
+  tags = local.tags
+}

-  manage_default_security_group  = true
-  default_security_group_ingress = []
-  default_security_group_egress  = []
+module "rds" {
+  source  = "terraform-aws-modules/rds/aws"
+  version = "~> 6.0"

-  enable_flow_log                      = true
-  flow_log_destination_type            = "cloud-watch-logs"
-  create_flow_log_cloudwatch_log_group = true
-  create_flow_log_cloudwatch_iam_role  = true
-  flow_log_max_aggregation_interval    = 60
-  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
+  username = local.db_username
+  password = local.db_password
+
+  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
+  iam_database_authentication_enabled = false
+
+  identifier           = local.name
+  engine               = "postgres"
+  engine_version       = "14"
+  family               = "postgres14" # DB parameter group
+  major_engine_version = "14"         # DB option group
+  instance_class       = "db.t4g.large"
+  allocated_storage    = 20
+  port                 = 5432
+  apply_immediately    = true
+
+  db_subnet_group_name   = module.vpc.database_subnet_group
+  vpc_security_group_ids = [module.rds_sg.security_group_id]
+  multi_az               = true
+
+  backup_retention_period = 0
+  deletion_protection     = false

  tags = local.tags
 }

 module "rds_sg" {
  source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
+  version = "~> 5.0"

  name        = "rds"
  description = "PostgreSQL RDS example security group"
@ -130,47 +146,9 @@ module "rds_sg" {
  tags = local.tags
 }

-module "rds" {
-  source  = "terraform-aws-modules/rds/aws"
-  version = "~> 3.0"
-
-  name     = "example"
-  username = local.db_username
-  password = local.db_password
-
-  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
-  iam_database_authentication_enabled = false
-
-  identifier           = local.name
-  engine               = "postgres"
-  engine_version       = "11.12"
-  family               = "postgres11"
-  major_engine_version = "11"
-  port                 = 5432
-  instance_class       = "db.t3.micro"
-  allocated_storage    = 5
-  storage_encrypted    = true
-  apply_immediately    = true
-
-  enabled_cloudwatch_logs_exports = ["postgresql"]
-  monitoring_interval             = 60
-  create_monitoring_role          = true
-
-  vpc_security_group_ids = [module.rds_sg.security_group_id]
-  subnet_ids             = module.vpc.database_subnets
-  multi_az               = true
-
-  maintenance_window      = "Mon:00:00-Mon:03:00"
-  backup_window           = "03:00-06:00"
-  backup_retention_period = 0
-  deletion_protection     = false
-
-  tags = local.tags
-}
-
 module "rds_proxy_sg" {
  source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
+  version = "~> 5.0"

  name        = "rds_proxy"
  description = "PostgreSQL RDS Proxy example security group"
@ -207,7 +185,7 @@ data "aws_kms_alias" "secretsmanager" {

 resource "aws_secretsmanager_secret" "superuser" {
  name        = local.db_username
-  description = "Database superuser, ${local.db_username}, databse connection values"
+  description = "Database superuser, ${local.db_username}, database connection values"
  kms_key_id  = data.aws_kms_alias.secretsmanager.id

  tags = local.tags
--- a/examples/postgresql-iam-instance/outputs.tf
+++ b/examples/postgresql-iam-instance/outputs.tf
@ -66,7 +66,7 @@ output "proxy_target_type" {
  value       = module.rds_proxy.proxy_target_type
 }

-# DB proxy endponts
+# DB proxy endpoints
 output "db_proxy_endpoints" {
  description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
  value       = module.rds_proxy.db_proxy_endpoints
@ -77,3 +77,8 @@ output "log_group_arn" {
  description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
  value       = module.rds_proxy.log_group_arn
 }
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = module.rds_proxy.log_group_name
+}
--- a/examples/postgresql-iam-instance/variables.tf
+++ b/examples/postgresql-iam-instance/variables.tf
--- a/examples/postgresql-iam-instance/versions.tf
+++ b/examples/postgresql-iam-instance/versions.tf
@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.5.7"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.38"
+      version = ">= 6.15"
    }
    random = {
      source  = "hashicorp/random"
--- a/examples/postgresql_iam_cluster/main.tf
+++ b/examples/postgresql_iam_cluster/main.tf
@ -1,217 +0,0 @@
-provider "aws" {
-  region = local.region
-}
-
-locals {
-  region = "us-east-1"
-  name   = "rds-proxy-ex-${replace(basename(path.cwd), "_", "-")}"
-
-  db_username = random_pet.users.id # using random here due to secrets taking at least 7 days before fully deleting from account
-  db_password = random_password.password.result
-
-  tags = {
-    Name       = local.name
-    Example    = local.name
-    Repository = "https://github.com/terraform-aws-modules/terraform-aws-rds-proxy"
-  }
-}
-
-################################################################################
-# RDS Proxy
-################################################################################
-
-module "rds_proxy" {
-  source = "../../"
-
-  create_proxy = true
-
-  name                   = local.name
-  iam_role_name          = local.name
-  vpc_subnet_ids         = module.vpc.private_subnets
-  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-
-  db_proxy_endpoints = {
-    read_write = {
-      name                   = "read-write-endpoint"
-      vpc_subnet_ids         = module.vpc.private_subnets
-      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-      tags                   = local.tags
-    },
-    read_only = {
-      name                   = "read-only-endpoint"
-      vpc_subnet_ids         = module.vpc.private_subnets
-      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-      target_role            = "READ_ONLY"
-      tags                   = local.tags
-    }
-  }
-
-  secrets = {
-    (local.db_username) = {
-      description = aws_secretsmanager_secret.superuser.description
-      arn         = aws_secretsmanager_secret.superuser.arn
-      kms_key_id  = aws_secretsmanager_secret.superuser.kms_key_id
-    }
-  }
-
-  engine_family = "POSTGRESQL"
-  debug_logging = true
-
-  # Target Aurora cluster
-  target_db_cluster     = true
-  db_cluster_identifier = module.rds.cluster_id
-
-  tags = local.tags
-}
-
-################################################################################
-# Supporting Resources
-################################################################################
-
-resource "random_pet" "users" {
-  length    = 2
-  separator = "_"
-}
-
-resource "random_password" "password" {
-  length  = 16
-  special = false
-}
-
-module "vpc" {
-  source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
-
-  name = local.name
-  cidr = "10.0.0.0/18"
-
-  azs              = ["${local.region}a", "${local.region}b", "${local.region}c"]
-  public_subnets   = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
-  private_subnets  = ["10.0.3.0/24", "10.0.4.0/24", "10.0.5.0/24"]
-  database_subnets = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
-
-  create_database_subnet_group = true
-  enable_nat_gateway           = true
-  single_nat_gateway           = true
-  map_public_ip_on_launch      = false
-
-  manage_default_security_group  = true
-  default_security_group_ingress = []
-  default_security_group_egress  = []
-
-  enable_flow_log                      = true
-  flow_log_destination_type            = "cloud-watch-logs"
-  create_flow_log_cloudwatch_log_group = true
-  create_flow_log_cloudwatch_iam_role  = true
-  flow_log_max_aggregation_interval    = 60
-  flow_log_log_format                  = "$${version} $${account-id} $${interface-id} $${srcaddr} $${dstaddr} $${srcport} $${dstport} $${protocol} $${packets} $${bytes} $${start} $${end} $${action} $${log-status} $${vpc-id} $${subnet-id} $${instance-id} $${tcp-flags} $${type} $${pkt-srcaddr} $${pkt-dstaddr} $${region} $${az-id} $${sublocation-type} $${sublocation-id}"
-
-  tags = local.tags
-}
-
-module "rds" {
-  source  = "terraform-aws-modules/rds-aurora/aws"
-  version = "~> 6.0"
-
-  name            = local.name
-  database_name   = "example"
-  master_username = local.db_username
-  master_password = local.db_password
-
-  # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM
-  iam_database_authentication_enabled = false
-
-  engine         = "aurora-postgresql"
-  engine_version = "11.12"
-  instance_class = "db.r6g.large"
-  instances      = { 1 = {}, 2 = {} }
-
-  storage_encrypted   = true
-  apply_immediately   = true
-  skip_final_snapshot = true
-
-  enabled_cloudwatch_logs_exports = ["postgresql"]
-  monitoring_interval             = 60
-  create_monitoring_role          = true
-
-  vpc_id                 = module.vpc.vpc_id
-  subnets                = module.vpc.database_subnets
-  create_security_group  = false
-  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
-
-  db_subnet_group_name            = local.name # Created by VPC module
-  create_db_subnet_group          = false
-  db_parameter_group_name         = aws_db_parameter_group.aurora_db_postgres11_parameter_group.id
-  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.aurora_cluster_postgres11_parameter_group.id
-
-  tags = local.tags
-}
-
-resource "aws_db_parameter_group" "aurora_db_postgres11_parameter_group" {
-  name        = "example-aurora-db-postgres11-parameter-group"
-  family      = "aurora-postgresql11"
-  description = "test-aurora-db-postgres11-parameter-group"
-
-  tags = local.tags
-}
-
-resource "aws_rds_cluster_parameter_group" "aurora_cluster_postgres11_parameter_group" {
-  name        = "example-aurora-postgres11-cluster-parameter-group"
-  family      = "aurora-postgresql11"
-  description = "example-aurora-postgres11-cluster-parameter-group"
-
-  tags = local.tags
-}
-
-module "rds_proxy_sg" {
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "~> 4.0"
-
-  name        = "rds_proxy"
-  description = "PostgreSQL RDS Proxy example security group"
-  vpc_id      = module.vpc.vpc_id
-
-  revoke_rules_on_delete = true
-
-  ingress_with_cidr_blocks = [
-    {
-      description = "Private subnet PostgreSQL access"
-      rule        = "postgresql-tcp"
-      cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
-    }
-  ]
-
-  egress_with_cidr_blocks = [
-    {
-      description = "Database subnet PostgreSQL access"
-      rule        = "postgresql-tcp"
-      cidr_blocks = join(",", module.vpc.database_subnets_cidr_blocks)
-    },
-  ]
-
-  tags = local.tags
-}
-
-################################################################################
-# Secrets - DB user passwords
-################################################################################
-
-data "aws_kms_alias" "secretsmanager" {
-  name = "alias/aws/secretsmanager"
-}
-
-resource "aws_secretsmanager_secret" "superuser" {
-  name        = local.db_username
-  description = "Database superuser, ${local.db_username}, databse connection values"
-  kms_key_id  = data.aws_kms_alias.secretsmanager.id
-
-  tags = local.tags
-}
-
-resource "aws_secretsmanager_secret_version" "superuser" {
-  secret_id = aws_secretsmanager_secret.superuser.id
-  secret_string = jsonencode({
-    username = local.db_username
-    password = local.db_password
-  })
-}
--- a/examples/postgresql_iam_instance/versions.tf
+++ b/examples/postgresql_iam_instance/versions.tf
@ -1,14 +0,0 @@
-terraform {
-  required_version = ">= 0.13.1"
-
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 3.38"
-    }
-    random = {
-      source  = "hashicorp/random"
-      version = ">= 2.0"
-    }
-  }
-}
--- a/main.tf
+++ b/main.tf
@ -1,44 +1,48 @@
-locals {
-  role_arn    = var.create_proxy && var.create_iam_role ? aws_iam_role.this[0].arn : var.role_arn
-  role_name   = coalesce(var.iam_role_name, var.name)
-  policy_name = coalesce(var.iam_policy_name, var.name)
-}
-
-data "aws_region" "current" {}
-
 ################################################################################
 # RDS Proxy
 ################################################################################

 resource "aws_db_proxy" "this" {
-  count = var.create_proxy ? 1 : 0
+  count = var.create ? 1 : 0

-  name                   = var.name
-  debug_logging          = var.debug_logging
-  engine_family          = var.engine_family
-  idle_client_timeout    = var.idle_client_timeout
-  require_tls            = var.require_tls
-  role_arn               = local.role_arn
-  vpc_security_group_ids = var.vpc_security_group_ids
-  vpc_subnet_ids         = var.vpc_subnet_ids
+  region = var.region

  dynamic "auth" {
-    for_each = var.secrets
+    for_each = var.auth
+
    content {
-      auth_scheme = var.auth_scheme
-      description = auth.value.description
-      iam_auth    = var.iam_auth
-      secret_arn  = auth.value.arn
+      auth_scheme               = auth.value.auth_scheme
+      client_password_auth_type = auth.value.client_password_auth_type
+      description               = auth.value.description
+      iam_auth                  = auth.value.iam_auth
+      secret_arn                = auth.value.secret_arn
+      username                  = auth.value.username
    }
  }

+  debug_logging          = var.debug_logging
+  default_auth_scheme    = var.default_auth_scheme
+  engine_family          = var.engine_family
+  idle_client_timeout    = var.idle_client_timeout
+  name                   = var.name
+  require_tls            = var.require_tls
+  role_arn               = try(aws_iam_role.this[0].arn, var.role_arn)
+  vpc_security_group_ids = var.vpc_security_group_ids
+  vpc_subnet_ids         = var.vpc_subnet_ids
+
  tags = merge(var.tags, var.proxy_tags)

  depends_on = [aws_cloudwatch_log_group.this]
 }

+################################################################################
+# Default Target Group
+################################################################################
+
 resource "aws_db_proxy_default_target_group" "this" {
-  count = var.create_proxy ? 1 : 0
+  count = var.create ? 1 : 0
+
+  region = var.region

  db_proxy_name = aws_db_proxy.this[0].name

@ -51,8 +55,14 @@ resource "aws_db_proxy_default_target_group" "this" {
  }
 }

+################################################################################
+# Target(s)
+################################################################################
+
 resource "aws_db_proxy_target" "db_instance" {
-  count = var.create_proxy && var.target_db_instance ? 1 : 0
+  count = var.create && var.target_db_instance ? 1 : 0
+
+  region = var.region

  db_proxy_name          = aws_db_proxy.this[0].name
  target_group_name      = aws_db_proxy_default_target_group.this[0].name
@ -60,35 +70,46 @@ resource "aws_db_proxy_target" "db_instance" {
 }

 resource "aws_db_proxy_target" "db_cluster" {
-  count = var.create_proxy && var.target_db_cluster ? 1 : 0
+  count = var.create && var.target_db_cluster ? 1 : 0
+
+  region = var.region

  db_proxy_name         = aws_db_proxy.this[0].name
  target_group_name     = aws_db_proxy_default_target_group.this[0].name
  db_cluster_identifier = var.db_cluster_identifier
 }

+################################################################################
+# Endpoint(s)
+################################################################################
+
 resource "aws_db_proxy_endpoint" "this" {
-  for_each = { for k, v in var.db_proxy_endpoints : k => v if var.create_proxy }
+  for_each = { for k, v in var.endpoints : k => v if var.create }
+
+  region = var.region

  db_proxy_name          = aws_db_proxy.this[0].name
-  db_proxy_endpoint_name = each.value.name
+  db_proxy_endpoint_name = coalesce(each.value.name, each.key)
  vpc_subnet_ids         = each.value.vpc_subnet_ids
-  vpc_security_group_ids = lookup(each.value, "vpc_security_group_ids", null)
-  target_role            = lookup(each.value, "target_role", null)
+  vpc_security_group_ids = each.value.vpc_security_group_ids
+  target_role            = each.value.target_role

-  tags = lookup(each.value, "tags", var.tags)
+  tags = merge(var.tags, each.value.tags)
 }

 ################################################################################
-# CloudWatch Logs
+# CloudWatch Log Group
 ################################################################################

 resource "aws_cloudwatch_log_group" "this" {
-  count = var.create_proxy && var.manage_log_group ? 1 : 0
+  count = var.create && var.manage_log_group ? 1 : 0
+
+  region = var.region

  name              = "/aws/rds/proxy/${var.name}"
  retention_in_days = var.log_group_retention_in_days
  kms_key_id        = var.log_group_kms_key_id
+  log_group_class   = var.log_group_class

  tags = merge(var.tags, var.log_group_tags)
 }
@ -97,8 +118,37 @@ resource "aws_cloudwatch_log_group" "this" {
 # IAM Role
 ################################################################################

+locals {
+  create_iam_role = var.create && var.create_iam_role
+
+  role_name   = coalesce(var.iam_role_name, var.name)
+  policy_name = coalesce(var.iam_policy_name, var.name)
+
+  partition  = try(data.aws_partition.current[0].partition, "aws")
+  dns_suffix = try(data.aws_partition.current[0].dns_suffix, "amazonaws.com")
+  region     = try(data.aws_region.current[0].region, var.region)
+}
+
+data "aws_region" "current" {
+  count = local.create_iam_role ? 1 : 0
+
+  region = var.region
+}
+
+data "aws_partition" "current" {
+  count = local.create_iam_role ? 1 : 0
+}
+
+data "aws_service_principal" "rds" {
+  count = local.create_iam_role ? 1 : 0
+
+  service_name = "rds"
+  region       = data.aws_region.current[0].region
+}
+
+
 data "aws_iam_policy_document" "assume_role" {
-  count = var.create_proxy && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role ? 1 : 0

  statement {
    sid     = "RDSAssume"
@ -107,13 +157,13 @@ data "aws_iam_policy_document" "assume_role" {

    principals {
      type        = "Service"
-      identifiers = ["rds.amazonaws.com"]
+      identifiers = [data.aws_service_principal.rds[0].name]
    }
  }
 }

 resource "aws_iam_role" "this" {
-  count = var.create_proxy && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role ? 1 : 0

  name        = var.use_role_name_prefix ? null : local.role_name
  name_prefix = var.use_role_name_prefix ? "${local.role_name}-" : null
@ -128,20 +178,27 @@ resource "aws_iam_role" "this" {
  tags = merge(var.tags, var.iam_role_tags)
 }

+################################################################################
+# IAM Role Policy
+################################################################################
+
 data "aws_iam_policy_document" "this" {
-  count = var.create_proxy && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role && var.create_iam_policy ? 1 : 0

  statement {
-    sid       = "DecryptSecrets"
-    effect    = "Allow"
-    actions   = ["kms:Decrypt"]
-    resources = distinct([for secret in var.secrets : secret.kms_key_id])
+    sid     = "DecryptSecrets"
+    effect  = "Allow"
+    actions = ["kms:Decrypt"]
+    resources = coalescelist(
+      var.kms_key_arns,
+      ["arn:${local.partition}:kms:*:*:key/*"]
+    )
+
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
-
      values = [
-        "secretsmanager.${data.aws_region.current.name}.amazonaws.com"
+        "secretsmanager.${local.region}.${local.dns_suffix}"
      ]
    }
  }
@ -166,12 +223,12 @@ data "aws_iam_policy_document" "this" {
      "secretsmanager:ListSecretVersionIds",
    ]

-    resources = distinct([for secret in var.secrets : secret.arn])
+    resources = distinct([for auth in var.auth : auth.secret_arn])
  }
 }

 resource "aws_iam_role_policy" "this" {
-  count = var.create_proxy && var.create_iam_role && var.create_iam_policy ? 1 : 0
+  count = local.create_iam_role && var.create_iam_policy ? 1 : 0

  name        = var.use_policy_name_prefix ? null : local.policy_name
  name_prefix = var.use_policy_name_prefix ? "${local.policy_name}-" : null
--- a/outputs.tf
+++ b/outputs.tf
@ -1,79 +1,118 @@
+################################################################################
 # RDS Proxy
+################################################################################
+
 output "proxy_id" {
  description = "The ID for the proxy"
-  value       = try(aws_db_proxy.this[0].id, "")
+  value       = try(aws_db_proxy.this[0].id, null)
 }

 output "proxy_arn" {
  description = "The Amazon Resource Name (ARN) for the proxy"
-  value       = try(aws_db_proxy.this[0].arn, "")
+  value       = try(aws_db_proxy.this[0].arn, null)
 }

 output "proxy_endpoint" {
  description = "The endpoint that you can use to connect to the proxy"
-  value       = try(aws_db_proxy.this[0].endpoint, "")
+  value       = try(aws_db_proxy.this[0].endpoint, null)
 }

-# Proxy Default Target Group
+################################################################################
+# Default Target Group
+################################################################################
+
 output "proxy_default_target_group_id" {
  description = "The ID for the default target group"
-  value       = try(aws_db_proxy_default_target_group.this[0].id, "")
+  value       = try(aws_db_proxy_default_target_group.this[0].id, null)
 }

 output "proxy_default_target_group_arn" {
  description = "The Amazon Resource Name (ARN) for the default target group"
-  value       = try(aws_db_proxy_default_target_group.this[0].arn, "")
+  value       = try(aws_db_proxy_default_target_group.this[0].arn, null)
 }

 output "proxy_default_target_group_name" {
  description = "The name of the default target group"
-  value       = try(aws_db_proxy_default_target_group.this[0].name, "")
+  value       = try(aws_db_proxy_default_target_group.this[0].name, null)
 }

-# Proxy Target
+################################################################################
+# Target(s)
+################################################################################
+
 output "proxy_target_endpoint" {
  description = "Hostname for the target RDS DB Instance. Only returned for `RDS_INSTANCE` type"
-  value       = try(aws_db_proxy_target.db_instance[0].endpoint, aws_db_proxy_target.db_cluster[0].endpoint, "")
+  value       = try(aws_db_proxy_target.db_instance[0].endpoint, aws_db_proxy_target.db_cluster[0].endpoint, null)
 }

 output "proxy_target_id" {
  description = "Identifier of `db_proxy_name`, `target_group_name`, target type (e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER`), and resource identifier separated by forward slashes (/)"
-  value       = try(aws_db_proxy_target.db_instance[0].id, aws_db_proxy_target.db_cluster[0].id, "")
+  value       = try(aws_db_proxy_target.db_instance[0].id, aws_db_proxy_target.db_cluster[0].id, null)
 }

 output "proxy_target_port" {
  description = "Port for the target RDS DB Instance or Aurora DB Cluster"
-  value       = try(aws_db_proxy_target.db_instance[0].port, aws_db_proxy_target.db_cluster[0].port, "")
+  value       = try(aws_db_proxy_target.db_instance[0].port, aws_db_proxy_target.db_cluster[0].port, null)
 }

 output "proxy_target_rds_resource_id" {
  description = "Identifier representing the DB Instance or DB Cluster target"
-  value       = try(aws_db_proxy_target.db_instance[0].rds_resource_id, aws_db_proxy_target.db_cluster[0].rds_resource_id, "")
+  value       = try(aws_db_proxy_target.db_instance[0].rds_resource_id, aws_db_proxy_target.db_cluster[0].rds_resource_id, null)
 }

 output "proxy_target_target_arn" {
  description = "Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API"
-  value       = try(aws_db_proxy_target.db_instance[0].target_arn, aws_db_proxy_target.db_cluster[0].target_arn, "")
+  value       = try(aws_db_proxy_target.db_instance[0].target_arn, aws_db_proxy_target.db_cluster[0].target_arn, null)
 }

 output "proxy_target_tracked_cluster_id" {
  description = "DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS_INSTANCE target that is part of a DB Cluster"
-  value       = try(aws_db_proxy_target.db_cluster[0].tracked_cluster_id, "")
+  value       = try(aws_db_proxy_target.db_cluster[0].tracked_cluster_id, null)
 }

 output "proxy_target_type" {
  description = "Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER`"
-  value       = try(aws_db_proxy_target.db_instance[0].type, aws_db_proxy_target.db_cluster[0].type, "")
+  value       = try(aws_db_proxy_target.db_instance[0].type, aws_db_proxy_target.db_cluster[0].type, null)
 }

-# DB proxy endponts
+################################################################################
+# Endpoint(s)
+################################################################################
+
 output "db_proxy_endpoints" {
  description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
  value       = aws_db_proxy_endpoint.this
 }

-# CloudWatch logs
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
 output "log_group_arn" {
  description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
-  value       = try(aws_cloudwatch_log_group.this[0].arn, "")
+  value       = try(aws_cloudwatch_log_group.this[0].arn, null)
+}
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = try(aws_cloudwatch_log_group.this[0].name, null)
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
+output "iam_role_arn" {
+  description = "The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager."
+  value       = try(aws_iam_role.this[0].arn, null)
+}
+
+output "iam_role_name" {
+  description = "IAM role name"
+  value       = try(aws_iam_role.this[0].name, null)
+}
+
+output "iam_role_unique_id" {
+  description = "Stable and unique string identifying the IAM role"
+  value       = try(aws_iam_role.this[0].unique_id, null)
 }
--- a/variables.tf
+++ b/variables.tf
@ -1,15 +1,24 @@
+variable "create" {
+  description = "Whether cluster should be created (affects nearly all resources)"
+  type        = bool
+  default     = true
+}
+
+variable "region" {
+  description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
+  type        = string
+  default     = null
+}
+
 variable "tags" {
-  description = "A map of tags to use on all resources"
+  description = "A map of tags to add to all resources"
  type        = map(string)
  default     = {}
 }

+################################################################################
 # RDS Proxy
-variable "create_proxy" {
-  description = "Determines whether a proxy and its resources will be created"
-  type        = bool
-  default     = true
-}
+################################################################################

 variable "name" {
  description = "The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens"
@ -17,12 +26,35 @@ variable "name" {
  default     = ""
 }

+variable "auth" {
+  description = "Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters"
+  type = map(object({
+    auth_scheme               = optional(string)
+    client_password_auth_type = optional(string)
+    description               = optional(string)
+    iam_auth                  = optional(string)
+    secret_arn                = optional(string)
+    username                  = optional(string)
+  }))
+  default = {
+    default = {
+      auth_scheme = "SECRETS"
+    }
+  }
+}
+
 variable "debug_logging" {
  description = "Whether the proxy includes detailed information about SQL statements in its logs"
  type        = bool
  default     = false
 }

+variable "default_auth_scheme" {
+  description = "Default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are NONE and IAM_AUTH. Defaults to NONE"
+  type        = string
+  default     = null
+}
+
 variable "engine_family" {
  description = "The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL`"
  type        = string
@ -59,31 +91,16 @@ variable "vpc_subnet_ids" {
  default     = []
 }

-variable "auth_scheme" {
-  description = "The type of authentication that the proxy uses for connections from the proxy to the underlying database. One of `SECRETS`"
-  type        = string
-  default     = "SECRETS"
-}
-
-variable "iam_auth" {
-  description = "Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. One of `DISABLED`, `REQUIRED`"
-  type        = string
-  default     = "REQUIRED"
-}
-
 variable "proxy_tags" {
  description = "A map of tags to apply to the RDS Proxy"
  type        = map(string)
  default     = {}
 }

-variable "secrets" {
-  description = "Map of secerets to be used by RDS Proxy for authentication to the database"
-  type        = map(object({ arn = string, description = string, kms_key_id = string }))
-  default     = {}
-}
+################################################################################
+# Default Target Group
+################################################################################

-# Proxy Default Target Group
 variable "connection_borrow_timeout" {
  description = "The number of seconds for a proxy to wait for a connection to become available in the connection pool"
  type        = number
@ -114,9 +131,12 @@ variable "session_pinning_filters" {
  default     = []
 }

-# Proxy Target
+################################################################################
+# Target(s)
+################################################################################
+
 variable "target_db_instance" {
-  description = "Determines whether DB instance is targetted by proxy"
+  description = "Determines whether DB instance is targeted by proxy"
  type        = bool
  default     = false
 }
@ -128,7 +148,7 @@ variable "db_instance_identifier" {
 }

 variable "target_db_cluster" {
-  description = "Determines whether DB cluster is targetted by proxy"
+  description = "Determines whether DB cluster is targeted by proxy"
  type        = bool
  default     = false
 }
@ -139,14 +159,26 @@ variable "db_cluster_identifier" {
  default     = ""
 }

-# Proxy endpoints
-variable "db_proxy_endpoints" {
-  description = "Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`)"
-  type        = any
-  default     = {}
+################################################################################
+# Endpoint(s)
+################################################################################
+
+variable "endpoints" {
+  description = "Map of DB proxy endpoints to create and their attributes"
+  type = map(object({
+    name                   = optional(string)
+    vpc_subnet_ids         = list(string)
+    vpc_security_group_ids = optional(list(string))
+    target_role            = optional(string)
+    tags                   = optional(map(string), {})
+  }))
+  default = {}
 }

+################################################################################
 # CloudWatch Logs
+################################################################################
+
 variable "manage_log_group" {
  description = "Determines whether Terraform will create/manage the CloudWatch log group or not. Note - this will fail if set to true after the log group has been created as the resource will already exist"
  type        = bool
@ -165,13 +197,22 @@ variable "log_group_kms_key_id" {
  default     = null
 }

+variable "log_group_class" {
+  description = "Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS`"
+  type        = string
+  default     = null
+}
+
 variable "log_group_tags" {
  description = "A map of tags to apply to the CloudWatch log group"
  type        = map(string)
  default     = {}
 }

+################################################################################
 # IAM Role
+################################################################################
+
 variable "create_iam_role" {
  description = "Determines whether an IAM role is created"
  type        = bool
@ -226,7 +267,10 @@ variable "iam_role_tags" {
  default     = {}
 }

-# IAM Policy
+################################################################################
+# IAM Role Policy
+################################################################################
+
 variable "create_iam_policy" {
  description = "Determines whether an IAM policy is created"
  type        = bool
@ -244,3 +288,9 @@ variable "use_policy_name_prefix" {
  type        = bool
  default     = false
 }
+
+variable "kms_key_arns" {
+  description = "List of KMS Key ARNs to allow access to decrypt SecretsManager secrets"
+  type        = list(string)
+  default     = []
+}
--- a/versions.tf
+++ b/versions.tf
@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.13.1"
+  required_version = ">= 1.5.7"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.38"
+      version = ">= 6.15"
    }
  }
 }
--- a/wrappers/README.md
+++ b/wrappers/README.md
@ -0,0 +1,100 @@
+# Wrapper for the root module
+
+The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt).
+
+You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module.
+
+This wrapper does not implement any extra functionality.
+
+## Usage with Terragrunt
+
+`terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/rds-proxy/aws//wrappers"
+  # Alternative source:
+  # source = "git::git@github.com:terraform-aws-modules/terraform-aws-rds-proxy.git//wrappers?ref=master"
+}
+
+inputs = {
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Usage with Terraform
+
+```hcl
+module "wrapper" {
+  source = "terraform-aws-modules/rds-proxy/aws//wrappers"
+
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Example: Manage multiple S3 buckets in one Terragrunt layer
+
+`eu-west-1/s3-buckets/terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers"
+  # Alternative source:
+  # source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master"
+}
+
+inputs = {
+  defaults = {
+    force_destroy = true
+
+    attach_elb_log_delivery_policy        = true
+    attach_lb_log_delivery_policy         = true
+    attach_deny_insecure_transport_policy = true
+    attach_require_latest_tls_policy      = true
+  }
+
+  items = {
+    bucket1 = {
+      bucket = "my-random-bucket-1"
+    }
+    bucket2 = {
+      bucket = "my-random-bucket-2"
+      tags = {
+        Secure = "probably"
+      }
+    }
+  }
+}
+```
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@ -0,0 +1,52 @@
+module "wrapper" {
+  source = "../"
+
+  for_each = var.items
+
+  auth = try(each.value.auth, var.defaults.auth, {
+    default = {
+      auth_scheme = "SECRETS"
+    }
+  })
+  connection_borrow_timeout      = try(each.value.connection_borrow_timeout, var.defaults.connection_borrow_timeout, null)
+  create                         = try(each.value.create, var.defaults.create, true)
+  create_iam_policy              = try(each.value.create_iam_policy, var.defaults.create_iam_policy, true)
+  create_iam_role                = try(each.value.create_iam_role, var.defaults.create_iam_role, true)
+  db_cluster_identifier          = try(each.value.db_cluster_identifier, var.defaults.db_cluster_identifier, "")
+  db_instance_identifier         = try(each.value.db_instance_identifier, var.defaults.db_instance_identifier, "")
+  debug_logging                  = try(each.value.debug_logging, var.defaults.debug_logging, false)
+  default_auth_scheme            = try(each.value.default_auth_scheme, var.defaults.default_auth_scheme, null)
+  endpoints                      = try(each.value.endpoints, var.defaults.endpoints, {})
+  engine_family                  = try(each.value.engine_family, var.defaults.engine_family, "")
+  iam_policy_name                = try(each.value.iam_policy_name, var.defaults.iam_policy_name, "")
+  iam_role_description           = try(each.value.iam_role_description, var.defaults.iam_role_description, "")
+  iam_role_force_detach_policies = try(each.value.iam_role_force_detach_policies, var.defaults.iam_role_force_detach_policies, true)
+  iam_role_max_session_duration  = try(each.value.iam_role_max_session_duration, var.defaults.iam_role_max_session_duration, 43200)
+  iam_role_name                  = try(each.value.iam_role_name, var.defaults.iam_role_name, "")
+  iam_role_path                  = try(each.value.iam_role_path, var.defaults.iam_role_path, null)
+  iam_role_permissions_boundary  = try(each.value.iam_role_permissions_boundary, var.defaults.iam_role_permissions_boundary, null)
+  iam_role_tags                  = try(each.value.iam_role_tags, var.defaults.iam_role_tags, {})
+  idle_client_timeout            = try(each.value.idle_client_timeout, var.defaults.idle_client_timeout, 1800)
+  init_query                     = try(each.value.init_query, var.defaults.init_query, "")
+  kms_key_arns                   = try(each.value.kms_key_arns, var.defaults.kms_key_arns, [])
+  log_group_class                = try(each.value.log_group_class, var.defaults.log_group_class, null)
+  log_group_kms_key_id           = try(each.value.log_group_kms_key_id, var.defaults.log_group_kms_key_id, null)
+  log_group_retention_in_days    = try(each.value.log_group_retention_in_days, var.defaults.log_group_retention_in_days, 30)
+  log_group_tags                 = try(each.value.log_group_tags, var.defaults.log_group_tags, {})
+  manage_log_group               = try(each.value.manage_log_group, var.defaults.manage_log_group, true)
+  max_connections_percent        = try(each.value.max_connections_percent, var.defaults.max_connections_percent, 90)
+  max_idle_connections_percent   = try(each.value.max_idle_connections_percent, var.defaults.max_idle_connections_percent, 50)
+  name                           = try(each.value.name, var.defaults.name, "")
+  proxy_tags                     = try(each.value.proxy_tags, var.defaults.proxy_tags, {})
+  region                         = try(each.value.region, var.defaults.region, null)
+  require_tls                    = try(each.value.require_tls, var.defaults.require_tls, true)
+  role_arn                       = try(each.value.role_arn, var.defaults.role_arn, "")
+  session_pinning_filters        = try(each.value.session_pinning_filters, var.defaults.session_pinning_filters, [])
+  tags                           = try(each.value.tags, var.defaults.tags, {})
+  target_db_cluster              = try(each.value.target_db_cluster, var.defaults.target_db_cluster, false)
+  target_db_instance             = try(each.value.target_db_instance, var.defaults.target_db_instance, false)
+  use_policy_name_prefix         = try(each.value.use_policy_name_prefix, var.defaults.use_policy_name_prefix, false)
+  use_role_name_prefix           = try(each.value.use_role_name_prefix, var.defaults.use_role_name_prefix, false)
+  vpc_security_group_ids         = try(each.value.vpc_security_group_ids, var.defaults.vpc_security_group_ids, [])
+  vpc_subnet_ids                 = try(each.value.vpc_subnet_ids, var.defaults.vpc_subnet_ids, [])
+}
--- a/wrappers/outputs.tf
+++ b/wrappers/outputs.tf
@ -0,0 +1,5 @@
+output "wrapper" {
+  description = "Map of outputs of a wrapper."
+  value       = module.wrapper
+  # sensitive = false # No sensitive module output found
+}
--- a/wrappers/variables.tf
+++ b/wrappers/variables.tf
@ -0,0 +1,11 @@
+variable "defaults" {
+  description = "Map of default values which will be used for each item."
+  type        = any
+  default     = {}
+}
+
+variable "items" {
+  description = "Maps of items to create a wrapper from. Values are passed through to the module."
+  type        = any
+  default     = {}
+}
--- a/wrappers/versions.tf
+++ b/wrappers/versions.tf
@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.5.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.15"
+    }
+  }
+}
Author	SHA1	Message	Date
semantic-release-bot	cf3a8f41f6	chore(release): version 4.2.1 [skip ci] ## [4.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.2.0...v4.2.1) (2025-10-21) ### Bug Fixes * Update CI workflow versions to latest ([#40](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/40)) ([`5deff22`](`5deff22cf4`))	2025-10-21 09:10:15 +00:00
Bryant Biggs	5deff22cf4	fix: Update CI workflow versions to latest (#40 )	2025-10-21 11:09:40 +02:00
semantic-release-bot	c0b0204344	chore(release): version 4.2.0 [skip ci] ## [4.2.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.1.0...v4.2.0) (2025-10-14) ### Features * Support `default_auth_scheme` ([#39](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/39)) ([`c2073a0`](`c2073a031c`))	2025-10-14 13:10:34 +00:00
Melissa Greenbaum	c2073a031c	feat: Support `default_auth_scheme` (#39 )	2025-10-14 08:10:07 -05:00
semantic-release-bot	c65b5f03a7	chore(release): version 4.1.0 [skip ci] ## [4.1.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.0.0...v4.1.0) (2025-10-01) ### Features * Add Terragrunt wrappers ([#38](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/38)) ([`33b43c7`](`33b43c72ab`))	2025-10-01 14:13:37 +00:00
flora-five	33b43c72ab	feat: Add Terragrunt wrappers (#38 )	2025-10-01 09:13:12 -05:00
semantic-release-bot	3cd004baa3	chore(release): version 4.0.0 [skip ci] ## [4.0.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.2.1...v4.0.0) (2025-09-16) ### ⚠ BREAKING CHANGES * Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively (#34) ### Features * Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively ([#34](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/34)) ([`47c0fca`](`47c0fcad4b`))	2025-09-16 14:29:24 +00:00
mrobinson1022	47c0fcad4b	feat!: Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively (#34 ) Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>	2025-09-16 09:28:55 -05:00
semantic-release-bot	e8ffe8f2f1	chore(release): version 3.2.1 [skip ci] ## [3.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.2.0...v3.2.1) (2025-05-22) ### Bug Fixes * Correct service principal to rds.amazonaws.com (incl China) ([#32](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/32)) ([`bbbf50c`](`bbbf50ce87`))	2025-05-22 09:51:36 +00:00
vladislav-orlovskiy	bbbf50ce87	fix: Correct service principal to rds.amazonaws.com (incl China) (#32 ) Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com> Co-authored-by: Anton Babenko <anton@antonbabenko.com>	2025-05-22 11:51:06 +02:00
semantic-release-bot	99df7e3913	chore(release): version 3.2.0 [skip ci] ## [3.2.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.1.1...v3.2.0) (2024-11-19) ### Features * Add CloudWatch log group name to outputs ([#28](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/28)) ([`0fc0e19`](`0fc0e19e64`)) ### Bug Fixes * Update CI workflow versions to latest ([#27](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/27)) ([`b6f22be`](`b6f22becf6`))	2024-11-19 19:29:43 +00:00
Kevin Kortum	0fc0e19e64	feat: Add CloudWatch log group name to outputs (#28 ) * feat: adds cloudwatch group name to module outputs * test: align tests with the new output	2024-11-19 13:29:15 -06:00
Bryant Biggs	b6f22becf6	fix: Update CI workflow versions to latest (#27 )	2024-10-11 18:25:27 +02:00
semantic-release-bot	56a832c60d	chore(release): version 3.1.1 [skip ci] ## [3.1.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.1.0...v3.1.1) (2024-03-06) ### Bug Fixes * Update CI workflow versions to remove deprecated runtime warnings ([#26](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/26)) ([`a31a810`](`a31a81097b`))	2024-03-06 19:15:03 +00:00
Bryant Biggs	a31a81097b	fix: Update CI workflow versions to remove deprecated runtime warnings (#26 )	2024-03-06 11:14:39 -08:00
semantic-release-bot	67116fc717	chore(release): version 3.1.0 [skip ci] ## [3.1.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.0.0...v3.1.0) (2023-08-30) ### Features * Add IAM role output ([#22](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/22)) ([`d18ae45`](`d18ae45d9e`))	2023-08-30 23:59:54 +00:00
Matt McLane	d18ae45d9e	feat: Add IAM role output (#22 ) Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>	2023-08-30 19:59:28 -04:00
Akihiro YAMAZAKI	4e5c8068b9	chore: Fix broken links to examples (#21 )	2023-06-27 13:19:28 +02:00
semantic-release-bot	cb79f9c5dc	chore(release): version 3.0.0 [skip ci] ## [3.0.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v2.1.2...v3.0.0) (2023-06-09) ### ⚠ BREAKING CHANGES * Increase Terraform and AWS provider minimum supported versions; update `auth` configuration schema (#17) ### Features * Increase Terraform and AWS provider minimum supported versions; update `auth` configuration schema ([#17](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/17)) ([`cc39e9d`](`cc39e9d029`))	2023-06-09 11:31:21 +00:00
jatalocks	cc39e9d029	feat!: Increase Terraform and AWS provider minimum supported versions; update `auth` configuration schema (#17 ) Co-authored-by: Orest Kapko <orest.kapko@welltech.com> Co-authored-by: Amitai Getzler <amitai.getzler@explorium.ai> Co-authored-by: Orest Kapko <kapko2311@gmail.com> Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com> Co-authored-by: Anton Babenko <anton@antonbabenko.com>	2023-06-09 07:30:52 -04:00
Pål-Magnus Slåtto	5d1c5e67ea	chore: Upgrade CI workflows to use non-deprecated runtimes (#15 )	2023-01-24 13:44:33 -08:00