chore(release): version 4.2.1 [skip ci]

## [4.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.2.0...v4.2.1) (2025-10-21)

### Bug Fixes

* Update CI workflow versions to latest ([#40](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/40)) ([5deff22](5deff22cf4))

.github/workflows/pr-title.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
       # Please look up the latest version from
       # https://github.com/amannn/action-semantic-pull-request/releases
-      - uses: amannn/action-semantic-pull-request@v5.4.0
+      - uses: amannn/action-semantic-pull-request@v6.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/pre-commit.yml

@@ -7,8 +7,8 @@ on:
       - master
 
 env:
-  TERRAFORM_DOCS_VERSION: v0.16.0
+  TERRAFORM_DOCS_VERSION: v0.20.0
-  TFLINT_VERSION: v0.50.3
+  TFLINT_VERSION: v0.59.1
 
 jobs:
   collectInputs:
@@ -18,11 +18,11 @@ jobs:
       directories: ${{ steps.dirs.outputs.directories }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Get root directories
         id: dirs
-        uses: clowdhaus/terraform-composite-actions/directories@v1.9.0
+        uses: clowdhaus/terraform-composite-actions/directories@v1.14.0
 
   preCommitMinVersions:
     name: Min TF pre-commit
@@ -32,27 +32,49 @@ jobs:
       matrix:
         directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
     steps:
+      - name: Install rmz
+        uses: jaxxstorm/action-install-gh-release@v2.1.0
+        with:
+          repo: SUPERCILEX/fuc
+          asset-name: x86_64-unknown-linux-gnu-rmz
+          rename-to: rmz
+          chmod: 0755
+          extension-matching: disable
+
       # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
-      - name: Delete huge unnecessary tools folder
+      - name: Delete unnecessary files
         run: |
-          rm -rf /opt/hostedtoolcache/CodeQL
+          formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
-          rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk
+          getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
-          rm -rf /opt/hostedtoolcache/Ruby
+
-          rm -rf /opt/hostedtoolcache/go
+          BEFORE=$(getAvailableSpace)
+
+          ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
+          rmz -f /opt/hostedtoolcache/CodeQL &
+          rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
+          rmz -f /opt/hostedtoolcache/PyPy &
+          rmz -f /opt/hostedtoolcache/Ruby &
+          rmz -f /opt/hostedtoolcache/go &
+
+          wait
+
+          AFTER=$(getAvailableSpace)
+          SAVED=$((AFTER-BEFORE))
+          echo "=> Saved $(formatByteCount $SAVED)"
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/terraform-min-max@v1.3.0
+        uses: clowdhaus/terraform-min-max@v2.1.0
         with:
           directory: ${{ matrix.directory }}
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory !=  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
           tflint-version: ${{ env.TFLINT_VERSION }}
@@ -61,7 +83,7 @@ jobs:
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }}
         # Run only validate pre-commit check on min version supported
         if: ${{ matrix.directory ==  '.' }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
         with:
           terraform-version: ${{ steps.minMax.outputs.minVersion }}
           tflint-version: ${{ env.TFLINT_VERSION }}
@@ -72,26 +94,73 @@ jobs:
     runs-on: ubuntu-latest
     needs: collectInputs
     steps:
+      - name: Install rmz
+        uses: jaxxstorm/action-install-gh-release@v2.1.0
+        with:
+          repo: SUPERCILEX/fuc
+          asset-name: x86_64-unknown-linux-gnu-rmz
+          rename-to: rmz
+          chmod: 0755
+          extension-matching: disable
+
       # https://github.com/orgs/community/discussions/25678#discussioncomment-5242449
-      - name: Delete huge unnecessary tools folder
+      - name: Delete unnecessary files
         run: |
-          rm -rf /opt/hostedtoolcache/CodeQL
+          formatByteCount() { echo $(numfmt --to=iec-i --suffix=B --padding=7 $1'000'); }
-          rm -rf /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk
+          getAvailableSpace() { echo $(df -a $1 | awk 'NR > 1 {avail+=$4} END {print avail}'); }
-          rm -rf /opt/hostedtoolcache/Ruby
+
-          rm -rf /opt/hostedtoolcache/go
+          BEFORE=$(getAvailableSpace)
+
+          ln -s /opt/hostedtoolcache/SUPERCILEX/x86_64-unknown-linux-gnu-rmz/latest/linux-x64/rmz /usr/local/bin/rmz
+          rmz -f /opt/hostedtoolcache/CodeQL &
+          rmz -f /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk &
+          rmz -f /opt/hostedtoolcache/PyPy &
+          rmz -f /opt/hostedtoolcache/Ruby &
+          rmz -f /opt/hostedtoolcache/go &
+          sudo rmz -f /usr/local/lib/android &
+
+          if [[ ${{ github.repository }} == terraform-aws-modules/terraform-aws-security-group ]]; then
+            sudo rmz -f /usr/share/dotnet &
+            sudo rmz -f /usr/local/.ghcup &
+            sudo apt-get -qq remove -y 'azure-.*'
+            sudo apt-get -qq remove -y 'cpp-.*'
+            sudo apt-get -qq remove -y 'dotnet-runtime-.*'
+            sudo apt-get -qq remove -y 'google-.*'
+            sudo apt-get -qq remove -y 'libclang-.*'
+            sudo apt-get -qq remove -y 'libllvm.*'
+            sudo apt-get -qq remove -y 'llvm-.*'
+            sudo apt-get -qq remove -y 'mysql-.*'
+            sudo apt-get -qq remove -y 'postgresql-.*'
+            sudo apt-get -qq remove -y 'php.*'
+            sudo apt-get -qq remove -y 'temurin-.*'
+            sudo apt-get -qq remove -y kubectl firefox mono-devel
+            sudo apt-get -qq autoremove -y
+            sudo apt-get -qq clean
+          fi
+
+          wait
+
+          AFTER=$(getAvailableSpace)
+          SAVED=$((AFTER-BEFORE))
+          echo "=> Saved $(formatByteCount $SAVED)"
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{github.event.pull_request.head.repo.full_name}}
 
       - name: Terraform min/max versions
         id: minMax
-        uses: clowdhaus/terraform-min-max@v1.3.0
+        uses: clowdhaus/terraform-min-max@v2.1.0
+
+      - name: Hide template dir
+        # Special to this repo, we don't want to check this dir
+        if: ${{ github.repository ==  'terraform-aws-modules/terraform-aws-security-group' }}
+        run: rm -rf modules/_templates
 
       - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
-        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0
+        uses: clowdhaus/terraform-composite-actions/pre-commit@v1.14.0
         with:
           terraform-version: ${{ steps.minMax.outputs.maxVersion }}
           tflint-version: ${{ env.TFLINT_VERSION }}

.github/workflows/release.yml

@@ -20,18 +20,26 @@ jobs:
     if: github.repository_owner == 'terraform-aws-modules'
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           persist-credentials: false
           fetch-depth: 0
 
-      - name: Release
+      - name: Set correct Node.js version
-        uses: cycjimmy/semantic-release-action@v4
+        uses: actions/setup-node@v6
         with:
-          semantic_version: 23.0.2
+          node-version: 24
-          extra_plugins: |
+
-            @semantic-release/changelog@6.0.3
+      - name: Install dependencies
-            @semantic-release/git@10.0.1
+        run: |
-            conventional-changelog-conventionalcommits@7.0.2
+          npm install \
+            @semantic-release/changelog@6.0.3 \
+            @semantic-release/git@10.0.1 \
+            conventional-changelog-conventionalcommits@9.1.0
+
+      - name: Release
+        uses: cycjimmy/semantic-release-action@v5
+        with:
+          semantic_version: 25.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}

.github/workflows/stale-actions.yaml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           # Staling issues and PR's

.gitignore

@@ -1,13 +1,13 @@
 # Local .terraform directories
 **/.terraform/*
 
+# Terraform lockfile
+.terraform.lock.hcl
+
 # .tfstate files
 *.tfstate
 *.tfstate.*
 
-# terraform lockfile
-.terraform.lock.hcl
-
 # Crash log files
 crash.log
 
@@ -15,7 +15,6 @@ crash.log
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
-#
 *.tfvars
 
 # Ignore override files as they are usually used to override resources locally and so
@@ -25,13 +24,16 @@ override.tf.json
 *_override.tf
 *_override.tf.json
 
-# Include override files you do wish to add to version control using negated pattern
-#
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+
+# Lambda build artifacts
+builds/
+__pycache__/
+*.zip
+.tox
+
+# Local editors/macos files
+.DS_Store
+.idea

.pre-commit-config.yaml

@@ -1,8 +1,9 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.88.0
+    rev: v1.103.0
     hooks:
       - id: terraform_fmt
+      - id: terraform_wrapper_module_for_each
       - id: terraform_docs
         args:
           - '--args=--lockfile=false'
@@ -21,10 +22,9 @@ repos:
           - '--args=--only=terraform_required_providers'
           - '--args=--only=terraform_standard_module_structure'
           - '--args=--only=terraform_workspace_remote'
-          - '--args=--only=terraform_unused_required_providers'
       - id: terraform_validate
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.5.0
+    rev: v6.0.0
     hooks:
       - id: check-merge-conflict
       - id: end-of-file-fixer

CHANGELOG.md

@@ -2,6 +2,56 @@
 
 All notable changes to this project will be documented in this file.
 
+## [4.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.2.0...v4.2.1) (2025-10-21)
+
+### Bug Fixes
+
+* Update CI workflow versions to latest ([#40](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/40)) ([5deff22](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/5deff22cf4c471ce824c016687c3b933cd8b783c))
+
+## [4.2.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.1.0...v4.2.0) (2025-10-14)
+
+
+### Features
+
+* Support `default_auth_scheme` ([#39](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/39)) ([c2073a0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/c2073a031c947270dac3f17c7f76e2996cd1b5b1))
+
+## [4.1.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v4.0.0...v4.1.0) (2025-10-01)
+
+
+### Features
+
+* Add Terragrunt wrappers ([#38](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/38)) ([33b43c7](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/33b43c72abdad0b01655238d844e56dabca5e6d4))
+
+## [4.0.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.2.1...v4.0.0) (2025-09-16)
+
+
+### ⚠ BREAKING CHANGES
+
+* Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively (#34)
+
+### Features
+
+* Upgrade AWS provider and min required Terraform version to `6.0` and `1.5.7` respectively ([#34](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/34)) ([47c0fca](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/47c0fcad4b3e40ef112544028dba1a4c10ee50dc))
+
+## [3.2.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.2.0...v3.2.1) (2025-05-22)
+
+
+### Bug Fixes
+
+* Correct service principal to rds.amazonaws.com (incl China) ([#32](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/32)) ([bbbf50c](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/bbbf50ce8734f05d4ac69fa41c23c88094b82356))
+
+## [3.2.0](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.1.1...v3.2.0) (2024-11-19)
+
+
+### Features
+
+* Add CloudWatch log group name to outputs ([#28](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/28)) ([0fc0e19](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/0fc0e19e642a2fdcd8f546bf219f78b5db252c65))
+
+
+### Bug Fixes
+
+* Update CI workflow versions to latest ([#27](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/issues/27)) ([b6f22be](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/commit/b6f22becf63614f365e72a81151c1955ab0d4df3))
+
 ## [3.1.1](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/compare/v3.1.0...v3.1.1) (2024-03-06)
 
 

README.md

@@ -57,19 +57,19 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 - [IAM auth. w/ PostgreSQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-cluster)
 - [IAM auth. w/ PostgreSQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-instance)
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 
 ## Modules
 
@@ -91,12 +91,13 @@ No modules.
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_service_principal.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/service_principal) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_auth"></a> [auth](#input\_auth) | Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters | `any` | `{}` | no |
+| <a name="input_auth"></a> [auth](#input\_auth) | Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters | <pre>map(object({<br/>    auth_scheme               = optional(string)<br/>    client_password_auth_type = optional(string)<br/>    description               = optional(string)<br/>    iam_auth                  = optional(string)<br/>    secret_arn                = optional(string)<br/>    username                  = optional(string)<br/>  }))</pre> | <pre>{<br/>  "default": {<br/>    "auth_scheme": "SECRETS"<br/>  }<br/>}</pre> | no |
 | <a name="input_connection_borrow_timeout"></a> [connection\_borrow\_timeout](#input\_connection\_borrow\_timeout) | The number of seconds for a proxy to wait for a connection to become available in the connection pool | `number` | `null` | no |
 | <a name="input_create"></a> [create](#input\_create) | Whether cluster should be created (affects nearly all resources) | `bool` | `true` | no |
 | <a name="input_create_iam_policy"></a> [create\_iam\_policy](#input\_create\_iam\_policy) | Determines whether an IAM policy is created | `bool` | `true` | no |
@@ -104,7 +105,8 @@ No modules.
 | <a name="input_db_cluster_identifier"></a> [db\_cluster\_identifier](#input\_db\_cluster\_identifier) | DB cluster identifier | `string` | `""` | no |
 | <a name="input_db_instance_identifier"></a> [db\_instance\_identifier](#input\_db\_instance\_identifier) | DB instance identifier | `string` | `""` | no |
 | <a name="input_debug_logging"></a> [debug\_logging](#input\_debug\_logging) | Whether the proxy includes detailed information about SQL statements in its logs | `bool` | `false` | no |
-| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`) | `any` | `{}` | no |
+| <a name="input_default_auth_scheme"></a> [default\_auth\_scheme](#input\_default\_auth\_scheme) | Default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are NONE and IAM\_AUTH. Defaults to NONE | `string` | `null` | no |
+| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | Map of DB proxy endpoints to create and their attributes | <pre>map(object({<br/>    name                   = optional(string)<br/>    vpc_subnet_ids         = list(string)<br/>    vpc_security_group_ids = optional(list(string))<br/>    target_role            = optional(string)<br/>    tags                   = optional(map(string), {})<br/>  }))</pre> | `{}` | no |
 | <a name="input_engine_family"></a> [engine\_family](#input\_engine\_family) | The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL` | `string` | `""` | no |
 | <a name="input_iam_policy_name"></a> [iam\_policy\_name](#input\_iam\_policy\_name) | The name of the role policy. If omitted, Terraform will assign a random, unique name | `string` | `""` | no |
 | <a name="input_iam_role_description"></a> [iam\_role\_description](#input\_iam\_role\_description) | The description of the role | `string` | `""` | no |
@@ -117,6 +119,7 @@ No modules.
 | <a name="input_idle_client_timeout"></a> [idle\_client\_timeout](#input\_idle\_client\_timeout) | The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it | `number` | `1800` | no |
 | <a name="input_init_query"></a> [init\_query](#input\_init\_query) | One or more SQL statements for the proxy to run when opening each new database connection | `string` | `""` | no |
 | <a name="input_kms_key_arns"></a> [kms\_key\_arns](#input\_kms\_key\_arns) | List of KMS Key ARNs to allow access to decrypt SecretsManager secrets | `list(string)` | `[]` | no |
+| <a name="input_log_group_class"></a> [log\_group\_class](#input\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no |
 | <a name="input_log_group_kms_key_id"></a> [log\_group\_kms\_key\_id](#input\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no |
 | <a name="input_log_group_retention_in_days"></a> [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the log group | `number` | `30` | no |
 | <a name="input_log_group_tags"></a> [log\_group\_tags](#input\_log\_group\_tags) | A map of tags to apply to the CloudWatch log group | `map(string)` | `{}` | no |
@@ -125,6 +128,7 @@ No modules.
 | <a name="input_max_idle_connections_percent"></a> [max\_idle\_connections\_percent](#input\_max\_idle\_connections\_percent) | Controls how actively the proxy closes idle database connections in the connection pool | `number` | `50` | no |
 | <a name="input_name"></a> [name](#input\_name) | The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens | `string` | `""` | no |
 | <a name="input_proxy_tags"></a> [proxy\_tags](#input\_proxy\_tags) | A map of tags to apply to the RDS Proxy | `map(string)` | `{}` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
 | <a name="input_require_tls"></a> [require\_tls](#input\_require\_tls) | A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy | `bool` | `true` | no |
 | <a name="input_role_arn"></a> [role\_arn](#input\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager | `string` | `""` | no |
 | <a name="input_session_pinning_filters"></a> [session\_pinning\_filters](#input\_session\_pinning\_filters) | Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection | `list(string)` | `[]` | no |
@@ -145,6 +149,7 @@ No modules.
 | <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | IAM role name |
 | <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@@ -158,7 +163,7 @@ No modules.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 ## License
 

examples/README.md

@@ -1,6 +1,8 @@
-# AWS RDS Proxy Terraform Examples
+# Examples
 
-- [IAM auth. w/ MySQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql-iam-cluster)
+Please note - the examples provided serve two primary means:
-- [IAM auth. w/ MySQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/mysql-iam-instance)
+
-- [IAM auth. w/ PostgreSQL Aurora cluster](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-cluster)
+1. Show users working examples of the various ways in which the module can be configured and features supported
-- [IAM auth. w/ PostgreSQL RDS instance](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/tree/master/examples/postgresql-iam-instance)
+2. A means of testing/validating module changes
+
+Please do not mistake the examples provided as "best practices". It is up to users to consult the AWS service documentation for best practices, usage recommendations, etc.

examples/mysql-iam-cluster/README.md

@@ -25,28 +25,28 @@ An EC2 instance configuration has been provided for use in validating the exampl
 3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window
 4. You should now be connected to the `example` database in the RDS instance via the AWS Proxy using IAM authentication
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 8.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 
 ## Resources
 
@@ -64,6 +64,7 @@ No inputs.
 |------|-------------|
 | <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@@ -77,6 +78,6 @@ No inputs.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

examples/mysql-iam-cluster/main.tf

@@ -69,7 +69,7 @@ module "rds_proxy" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
 
   name = local.name
   cidr = local.vpc_cidr
@@ -84,7 +84,7 @@ module "vpc" {
 
 module "rds" {
   source  = "terraform-aws-modules/rds-aurora/aws"
-  version = "~> 8.0"
+  version = "~> 9.0"
 
   name            = local.name
   engine          = "aurora-mysql"

examples/mysql-iam-cluster/outputs.tf

@@ -77,3 +77,8 @@ output "log_group_arn" {
   description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
   value       = module.rds_proxy.log_group_arn
 }
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = module.rds_proxy.log_group_name
+}

examples/mysql-iam-cluster/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 6.15"
     }
   }
 }

examples/mysql-iam-instance/README.md

@@ -25,31 +25,31 @@ An EC2 instance configuration has been provided for use in validating the exampl
 3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window
 4. You should now be connected to the `example` database in the Aurora cluster via the AWS Proxy using IAM authentication
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 5.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
 | <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 
 ## Resources
 
@@ -72,6 +72,7 @@ No inputs.
 |------|-------------|
 | <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@@ -85,6 +86,6 @@ No inputs.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

examples/mysql-iam-instance/main.tf

@@ -61,7 +61,7 @@ module "rds_proxy" {
 
   # Target RDS instance
   target_db_instance     = true
-  db_instance_identifier = module.rds.db_instance_id
+  db_instance_identifier = module.rds.db_instance_identifier
 
   tags = local.tags
 }
@@ -82,7 +82,7 @@ resource "random_password" "password" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
 
   name = local.name
   cidr = local.vpc_cidr
@@ -97,7 +97,7 @@ module "vpc" {
 
 module "rds" {
   source  = "terraform-aws-modules/rds/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
 
   username = local.db_username
   password = local.db_password

examples/mysql-iam-instance/outputs.tf

@@ -77,3 +77,8 @@ output "log_group_arn" {
   description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
   value       = module.rds_proxy.log_group_arn
 }
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = module.rds_proxy.log_group_name
+}

examples/mysql-iam-instance/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 6.15"
     }
     random = {
       source  = "hashicorp/random"

examples/postgresql-iam-cluster/README.md

@@ -25,28 +25,28 @@ An EC2 instance configuration has been provided for use in validating the exampl
 3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window - NOTE: remove the string escape slashes `psql \"host...` -> `psql "host...`
 4. You should now be connected to the `example` database in the RDS instance via the AWS Proxy using IAM authentication
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 8.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 
 ## Resources
 
@@ -67,6 +67,7 @@ No inputs.
 | <a name="output_iam_role_name"></a> [iam\_role\_name](#output\_iam\_role\_name) | The name of the role proxy uses to access secrets |
 | <a name="output_iam_role_unique_id"></a> [iam\_role\_unique\_id](#output\_iam\_role\_unique\_id) | Stable and unique string identifying the role proxy uses to access secrets |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@@ -80,6 +81,6 @@ No inputs.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

examples/postgresql-iam-cluster/main.tf

@@ -69,7 +69,7 @@ module "rds_proxy" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
 
   name = local.name
   cidr = local.vpc_cidr
@@ -84,11 +84,11 @@ module "vpc" {
 
 module "rds" {
   source  = "terraform-aws-modules/rds-aurora/aws"
-  version = "~> 8.0"
+  version = "~> 9.0"
 
   name            = local.name
   engine          = "aurora-postgresql"
-  engine_version  = "14.7"
+  engine_version  = "17.5"
   master_username = "root"
 
   # When using RDS Proxy w/ IAM auth - Database must be username/password auth, not IAM

examples/postgresql-iam-cluster/outputs.tf

@@ -78,6 +78,11 @@ output "log_group_arn" {
   value       = module.rds_proxy.log_group_arn
 }
 
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = module.rds_proxy.log_group_name
+}
+
 # IAM role
 output "iam_role_arn" {
   description = "The Amazon Resource Name (ARN) specifying the role proxy uses to access secrets"

examples/postgresql-iam-cluster/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 6.15"
     }
   }
 }

examples/postgresql-iam-instance/README.md

@@ -25,31 +25,31 @@ An EC2 instance configuration has been provided for use in validating the exampl
 3. Copy the output from `superuser_proxy_iam_connect` and paste it into the window - NOTE: remove the string escape slashes `psql \"host...` -> `psql "host...`
 4. You should now be connected to the `example` database in the Aurora cluster via the AWS Proxy using IAM authentication
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.15 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.15 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 5.0 |
+| <a name="module_rds"></a> [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 |
 | <a name="module_rds_proxy"></a> [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a |
 | <a name="module_rds_proxy_sg"></a> [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
 | <a name="module_rds_sg"></a> [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 |
 
 ## Resources
 
@@ -72,6 +72,7 @@ No inputs.
 |------|-------------|
 | <a name="output_db_proxy_endpoints"></a> [db\_proxy\_endpoints](#output\_db\_proxy\_endpoints) | Array containing the full resource object and attributes for all DB proxy endpoints created |
 | <a name="output_log_group_arn"></a> [log\_group\_arn](#output\_log\_group\_arn) | The Amazon Resource Name (ARN) of the CloudWatch log group |
+| <a name="output_log_group_name"></a> [log\_group\_name](#output\_log\_group\_name) | The name of the CloudWatch log group |
 | <a name="output_proxy_arn"></a> [proxy\_arn](#output\_proxy\_arn) | The Amazon Resource Name (ARN) for the proxy |
 | <a name="output_proxy_default_target_group_arn"></a> [proxy\_default\_target\_group\_arn](#output\_proxy\_default\_target\_group\_arn) | The Amazon Resource Name (ARN) for the default target group |
 | <a name="output_proxy_default_target_group_id"></a> [proxy\_default\_target\_group\_id](#output\_proxy\_default\_target\_group\_id) | The ID for the default target group |
@@ -85,6 +86,6 @@ No inputs.
 | <a name="output_proxy_target_target_arn"></a> [proxy\_target\_target\_arn](#output\_proxy\_target\_target\_arn) | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
 | <a name="output_proxy_target_tracked_cluster_id"></a> [proxy\_target\_tracked\_cluster\_id](#output\_proxy\_target\_tracked\_cluster\_id) | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS\_INSTANCE target that is part of a DB Cluster |
 | <a name="output_proxy_target_type"></a> [proxy\_target\_type](#output\_proxy\_target\_type) | Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER` |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- END_TF_DOCS -->
 
 Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-rds-proxy/blob/master/LICENSE).

examples/postgresql-iam-instance/main.tf

@@ -61,7 +61,7 @@ module "rds_proxy" {
 
   # Target RDS instance
   target_db_instance     = true
-  db_instance_identifier = module.rds.db_instance_id
+  db_instance_identifier = module.rds.db_instance_identifier
 
   tags = local.tags
 }
@@ -82,7 +82,7 @@ resource "random_password" "password" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
 
   name = local.name
   cidr = local.vpc_cidr
@@ -97,7 +97,7 @@ module "vpc" {
 
 module "rds" {
   source  = "terraform-aws-modules/rds/aws"
-  version = "~> 5.0"
+  version = "~> 6.0"
 
   username = local.db_username
   password = local.db_password

examples/postgresql-iam-instance/outputs.tf

@@ -77,3 +77,8 @@ output "log_group_arn" {
   description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
   value       = module.rds_proxy.log_group_arn
 }
+
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = module.rds_proxy.log_group_name
+}

examples/postgresql-iam-instance/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 6.15"
     }
     random = {
       source  = "hashicorp/random"

main.tf

@@ -1,12 +1,3 @@
-locals {
-  role_arn    = var.create && var.create_iam_role ? aws_iam_role.this[0].arn : var.role_arn
-  role_name   = coalesce(var.iam_role_name, var.name)
-  policy_name = coalesce(var.iam_policy_name, var.name)
-}
-
-data "aws_region" "current" {}
-data "aws_partition" "current" {}
-
 ################################################################################
 # RDS Proxy
 ################################################################################
@@ -14,25 +5,28 @@ data "aws_partition" "current" {}
 resource "aws_db_proxy" "this" {
   count = var.create ? 1 : 0
 
+  region = var.region
+
   dynamic "auth" {
     for_each = var.auth
 
     content {
-      auth_scheme               = try(auth.value.auth_scheme, "SECRETS")
+      auth_scheme               = auth.value.auth_scheme
-      client_password_auth_type = try(auth.value.client_password_auth_type, null)
+      client_password_auth_type = auth.value.client_password_auth_type
-      description               = try(auth.value.description, null)
+      description               = auth.value.description
-      iam_auth                  = try(auth.value.iam_auth, null)
+      iam_auth                  = auth.value.iam_auth
-      secret_arn                = try(auth.value.secret_arn, null)
+      secret_arn                = auth.value.secret_arn
-      username                  = try(auth.value.username, null)
+      username                  = auth.value.username
     }
   }
 
   debug_logging          = var.debug_logging
+  default_auth_scheme    = var.default_auth_scheme
   engine_family          = var.engine_family
   idle_client_timeout    = var.idle_client_timeout
   name                   = var.name
   require_tls            = var.require_tls
-  role_arn               = local.role_arn
+  role_arn               = try(aws_iam_role.this[0].arn, var.role_arn)
   vpc_security_group_ids = var.vpc_security_group_ids
   vpc_subnet_ids         = var.vpc_subnet_ids
 
@@ -41,9 +35,15 @@ resource "aws_db_proxy" "this" {
   depends_on = [aws_cloudwatch_log_group.this]
 }
 
+################################################################################
+# Default Target Group
+################################################################################
+
 resource "aws_db_proxy_default_target_group" "this" {
   count = var.create ? 1 : 0
 
+  region = var.region
+
   db_proxy_name = aws_db_proxy.this[0].name
 
   connection_pool_config {
@@ -55,9 +55,15 @@ resource "aws_db_proxy_default_target_group" "this" {
   }
 }
 
+################################################################################
+# Target(s)
+################################################################################
+
 resource "aws_db_proxy_target" "db_instance" {
   count = var.create && var.target_db_instance ? 1 : 0
 
+  region = var.region
+
   db_proxy_name          = aws_db_proxy.this[0].name
   target_group_name      = aws_db_proxy_default_target_group.this[0].name
   db_instance_identifier = var.db_instance_identifier
@@ -66,33 +72,44 @@ resource "aws_db_proxy_target" "db_instance" {
 resource "aws_db_proxy_target" "db_cluster" {
   count = var.create && var.target_db_cluster ? 1 : 0
 
+  region = var.region
+
   db_proxy_name         = aws_db_proxy.this[0].name
   target_group_name     = aws_db_proxy_default_target_group.this[0].name
   db_cluster_identifier = var.db_cluster_identifier
 }
 
+################################################################################
+# Endpoint(s)
+################################################################################
+
 resource "aws_db_proxy_endpoint" "this" {
   for_each = { for k, v in var.endpoints : k => v if var.create }
 
-  db_proxy_name          = aws_db_proxy.this[0].name
+  region = var.region
-  db_proxy_endpoint_name = each.value.name
-  vpc_subnet_ids         = each.value.vpc_subnet_ids
-  vpc_security_group_ids = lookup(each.value, "vpc_security_group_ids", null)
-  target_role            = lookup(each.value, "target_role", null)
 
-  tags = lookup(each.value, "tags", var.tags)
+  db_proxy_name          = aws_db_proxy.this[0].name
+  db_proxy_endpoint_name = coalesce(each.value.name, each.key)
+  vpc_subnet_ids         = each.value.vpc_subnet_ids
+  vpc_security_group_ids = each.value.vpc_security_group_ids
+  target_role            = each.value.target_role
+
+  tags = merge(var.tags, each.value.tags)
 }
 
 ################################################################################
-# CloudWatch Logs
+# CloudWatch Log Group
 ################################################################################
 
 resource "aws_cloudwatch_log_group" "this" {
   count = var.create && var.manage_log_group ? 1 : 0
 
+  region = var.region
+
   name              = "/aws/rds/proxy/${var.name}"
   retention_in_days = var.log_group_retention_in_days
   kms_key_id        = var.log_group_kms_key_id
+  log_group_class   = var.log_group_class
 
   tags = merge(var.tags, var.log_group_tags)
 }
@@ -101,8 +118,37 @@ resource "aws_cloudwatch_log_group" "this" {
 # IAM Role
 ################################################################################
 
+locals {
+  create_iam_role = var.create && var.create_iam_role
+
+  role_name   = coalesce(var.iam_role_name, var.name)
+  policy_name = coalesce(var.iam_policy_name, var.name)
+
+  partition  = try(data.aws_partition.current[0].partition, "aws")
+  dns_suffix = try(data.aws_partition.current[0].dns_suffix, "amazonaws.com")
+  region     = try(data.aws_region.current[0].region, var.region)
+}
+
+data "aws_region" "current" {
+  count = local.create_iam_role ? 1 : 0
+
+  region = var.region
+}
+
+data "aws_partition" "current" {
+  count = local.create_iam_role ? 1 : 0
+}
+
+data "aws_service_principal" "rds" {
+  count = local.create_iam_role ? 1 : 0
+
+  service_name = "rds"
+  region       = data.aws_region.current[0].region
+}
+
+
 data "aws_iam_policy_document" "assume_role" {
-  count = var.create && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role ? 1 : 0
 
   statement {
     sid     = "RDSAssume"
@@ -111,13 +157,13 @@ data "aws_iam_policy_document" "assume_role" {
 
     principals {
       type        = "Service"
-      identifiers = ["rds.${data.aws_partition.current.dns_suffix}"]
+      identifiers = [data.aws_service_principal.rds[0].name]
     }
   }
 }
 
 resource "aws_iam_role" "this" {
-  count = var.create && var.create_iam_role ? 1 : 0
+  count = local.create_iam_role ? 1 : 0
 
   name        = var.use_role_name_prefix ? null : local.role_name
   name_prefix = var.use_role_name_prefix ? "${local.role_name}-" : null
@@ -132,8 +178,12 @@ resource "aws_iam_role" "this" {
   tags = merge(var.tags, var.iam_role_tags)
 }
 
+################################################################################
+# IAM Role Policy
+################################################################################
+
 data "aws_iam_policy_document" "this" {
-  count = var.create && var.create_iam_role && var.create_iam_policy ? 1 : 0
+  count = local.create_iam_role && var.create_iam_policy ? 1 : 0
 
   statement {
     sid     = "DecryptSecrets"
@@ -141,14 +191,14 @@ data "aws_iam_policy_document" "this" {
     actions = ["kms:Decrypt"]
     resources = coalescelist(
       var.kms_key_arns,
-      ["arn:${data.aws_partition.current.partition}:kms:*:*:key/*"]
+      ["arn:${local.partition}:kms:*:*:key/*"]
     )
 
     condition {
       test     = "StringEquals"
       variable = "kms:ViaService"
       values = [
-        "secretsmanager.${data.aws_region.current.name}.${data.aws_partition.current.dns_suffix}"
+        "secretsmanager.${local.region}.${local.dns_suffix}"
       ]
     }
   }
@@ -178,7 +228,7 @@ data "aws_iam_policy_document" "this" {
 }
 
 resource "aws_iam_role_policy" "this" {
-  count = var.create && var.create_iam_role && var.create_iam_policy ? 1 : 0
+  count = local.create_iam_role && var.create_iam_policy ? 1 : 0
 
   name        = var.use_policy_name_prefix ? null : local.policy_name
   name_prefix = var.use_policy_name_prefix ? "${local.policy_name}-" : null

outputs.tf

@@ -1,4 +1,7 @@
+################################################################################
 # RDS Proxy
+################################################################################
+
 output "proxy_id" {
   description = "The ID for the proxy"
   value       = try(aws_db_proxy.this[0].id, null)
@@ -14,7 +17,10 @@ output "proxy_endpoint" {
   value       = try(aws_db_proxy.this[0].endpoint, null)
 }
 
-# Proxy Default Target Group
+################################################################################
+# Default Target Group
+################################################################################
+
 output "proxy_default_target_group_id" {
   description = "The ID for the default target group"
   value       = try(aws_db_proxy_default_target_group.this[0].id, null)
@@ -30,7 +36,10 @@ output "proxy_default_target_group_name" {
   value       = try(aws_db_proxy_default_target_group.this[0].name, null)
 }
 
-# Proxy Target
+################################################################################
+# Target(s)
+################################################################################
+
 output "proxy_target_endpoint" {
   description = "Hostname for the target RDS DB Instance. Only returned for `RDS_INSTANCE` type"
   value       = try(aws_db_proxy_target.db_instance[0].endpoint, aws_db_proxy_target.db_cluster[0].endpoint, null)
@@ -66,19 +75,33 @@ output "proxy_target_type" {
   value       = try(aws_db_proxy_target.db_instance[0].type, aws_db_proxy_target.db_cluster[0].type, null)
 }
 
-# DB proxy endpoints
+################################################################################
+# Endpoint(s)
+################################################################################
+
 output "db_proxy_endpoints" {
   description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
   value       = aws_db_proxy_endpoint.this
 }
 
-# CloudWatch logs
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
 output "log_group_arn" {
   description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
   value       = try(aws_cloudwatch_log_group.this[0].arn, null)
 }
 
-# IAM role
+output "log_group_name" {
+  description = "The name of the CloudWatch log group"
+  value       = try(aws_cloudwatch_log_group.this[0].name, null)
+}
+
+################################################################################
+# IAM Role
+################################################################################
+
 output "iam_role_arn" {
   description = "The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager."
   value       = try(aws_iam_role.this[0].arn, null)

variables.tf

@@ -4,6 +4,12 @@ variable "create" {
   default     = true
 }
 
+variable "region" {
+  description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
+  type        = string
+  default     = null
+}
+
 variable "tags" {
   description = "A map of tags to add to all resources"
   type        = map(string)
@@ -22,8 +28,19 @@ variable "name" {
 
 variable "auth" {
   description = "Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters"
-  type        = any
+  type = map(object({
-  default     = {}
+    auth_scheme               = optional(string)
+    client_password_auth_type = optional(string)
+    description               = optional(string)
+    iam_auth                  = optional(string)
+    secret_arn                = optional(string)
+    username                  = optional(string)
+  }))
+  default = {
+    default = {
+      auth_scheme = "SECRETS"
+    }
+  }
 }
 
 variable "debug_logging" {
@@ -32,6 +49,12 @@ variable "debug_logging" {
   default     = false
 }
 
+variable "default_auth_scheme" {
+  description = "Default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are NONE and IAM_AUTH. Defaults to NONE"
+  type        = string
+  default     = null
+}
+
 variable "engine_family" {
   description = "The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL`"
   type        = string
@@ -74,7 +97,10 @@ variable "proxy_tags" {
   default     = {}
 }
 
-# Proxy Default Target Group
+################################################################################
+# Default Target Group
+################################################################################
+
 variable "connection_borrow_timeout" {
   description = "The number of seconds for a proxy to wait for a connection to become available in the connection pool"
   type        = number
@@ -105,7 +131,10 @@ variable "session_pinning_filters" {
   default     = []
 }
 
-# Proxy Target
+################################################################################
+# Target(s)
+################################################################################
+
 variable "target_db_instance" {
   description = "Determines whether DB instance is targeted by proxy"
   type        = bool
@@ -130,11 +159,20 @@ variable "db_cluster_identifier" {
   default     = ""
 }
 
-# Proxy endpoints
+################################################################################
+# Endpoint(s)
+################################################################################
+
 variable "endpoints" {
-  description = "Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`)"
+  description = "Map of DB proxy endpoints to create and their attributes"
-  type        = any
+  type = map(object({
-  default     = {}
+    name                   = optional(string)
+    vpc_subnet_ids         = list(string)
+    vpc_security_group_ids = optional(list(string))
+    target_role            = optional(string)
+    tags                   = optional(map(string), {})
+  }))
+  default = {}
 }
 
 ################################################################################
@@ -159,6 +197,12 @@ variable "log_group_kms_key_id" {
   default     = null
 }
 
+variable "log_group_class" {
+  description = "Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS`"
+  type        = string
+  default     = null
+}
+
 variable "log_group_tags" {
   description = "A map of tags to apply to the CloudWatch log group"
   type        = map(string)
@@ -223,7 +267,10 @@ variable "iam_role_tags" {
   default     = {}
 }
 
-# IAM Policy
+################################################################################
+# IAM Role Policy
+################################################################################
+
 variable "create_iam_policy" {
   description = "Determines whether an IAM policy is created"
   type        = bool

versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.5.7"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.0"
+      version = ">= 6.15"
     }
   }
 }

wrappers/README.md

@@ -0,0 +1,100 @@
+# Wrapper for the root module
+
+The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt).
+
+You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module.
+
+This wrapper does not implement any extra functionality.
+
+## Usage with Terragrunt
+
+`terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/rds-proxy/aws//wrappers"
+  # Alternative source:
+  # source = "git::git@github.com:terraform-aws-modules/terraform-aws-rds-proxy.git//wrappers?ref=master"
+}
+
+inputs = {
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Usage with Terraform
+
+```hcl
+module "wrapper" {
+  source = "terraform-aws-modules/rds-proxy/aws//wrappers"
+
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Example: Manage multiple S3 buckets in one Terragrunt layer
+
+`eu-west-1/s3-buckets/terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers"
+  # Alternative source:
+  # source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master"
+}
+
+inputs = {
+  defaults = {
+    force_destroy = true
+
+    attach_elb_log_delivery_policy        = true
+    attach_lb_log_delivery_policy         = true
+    attach_deny_insecure_transport_policy = true
+    attach_require_latest_tls_policy      = true
+  }
+
+  items = {
+    bucket1 = {
+      bucket = "my-random-bucket-1"
+    }
+    bucket2 = {
+      bucket = "my-random-bucket-2"
+      tags = {
+        Secure = "probably"
+      }
+    }
+  }
+}
+```

wrappers/main.tf

@@ -0,0 +1,52 @@
+module "wrapper" {
+  source = "../"
+
+  for_each = var.items
+
+  auth = try(each.value.auth, var.defaults.auth, {
+    default = {
+      auth_scheme = "SECRETS"
+    }
+  })
+  connection_borrow_timeout      = try(each.value.connection_borrow_timeout, var.defaults.connection_borrow_timeout, null)
+  create                         = try(each.value.create, var.defaults.create, true)
+  create_iam_policy              = try(each.value.create_iam_policy, var.defaults.create_iam_policy, true)
+  create_iam_role                = try(each.value.create_iam_role, var.defaults.create_iam_role, true)
+  db_cluster_identifier          = try(each.value.db_cluster_identifier, var.defaults.db_cluster_identifier, "")
+  db_instance_identifier         = try(each.value.db_instance_identifier, var.defaults.db_instance_identifier, "")
+  debug_logging                  = try(each.value.debug_logging, var.defaults.debug_logging, false)
+  default_auth_scheme            = try(each.value.default_auth_scheme, var.defaults.default_auth_scheme, null)
+  endpoints                      = try(each.value.endpoints, var.defaults.endpoints, {})
+  engine_family                  = try(each.value.engine_family, var.defaults.engine_family, "")
+  iam_policy_name                = try(each.value.iam_policy_name, var.defaults.iam_policy_name, "")
+  iam_role_description           = try(each.value.iam_role_description, var.defaults.iam_role_description, "")
+  iam_role_force_detach_policies = try(each.value.iam_role_force_detach_policies, var.defaults.iam_role_force_detach_policies, true)
+  iam_role_max_session_duration  = try(each.value.iam_role_max_session_duration, var.defaults.iam_role_max_session_duration, 43200)
+  iam_role_name                  = try(each.value.iam_role_name, var.defaults.iam_role_name, "")
+  iam_role_path                  = try(each.value.iam_role_path, var.defaults.iam_role_path, null)
+  iam_role_permissions_boundary  = try(each.value.iam_role_permissions_boundary, var.defaults.iam_role_permissions_boundary, null)
+  iam_role_tags                  = try(each.value.iam_role_tags, var.defaults.iam_role_tags, {})
+  idle_client_timeout            = try(each.value.idle_client_timeout, var.defaults.idle_client_timeout, 1800)
+  init_query                     = try(each.value.init_query, var.defaults.init_query, "")
+  kms_key_arns                   = try(each.value.kms_key_arns, var.defaults.kms_key_arns, [])
+  log_group_class                = try(each.value.log_group_class, var.defaults.log_group_class, null)
+  log_group_kms_key_id           = try(each.value.log_group_kms_key_id, var.defaults.log_group_kms_key_id, null)
+  log_group_retention_in_days    = try(each.value.log_group_retention_in_days, var.defaults.log_group_retention_in_days, 30)
+  log_group_tags                 = try(each.value.log_group_tags, var.defaults.log_group_tags, {})
+  manage_log_group               = try(each.value.manage_log_group, var.defaults.manage_log_group, true)
+  max_connections_percent        = try(each.value.max_connections_percent, var.defaults.max_connections_percent, 90)
+  max_idle_connections_percent   = try(each.value.max_idle_connections_percent, var.defaults.max_idle_connections_percent, 50)
+  name                           = try(each.value.name, var.defaults.name, "")
+  proxy_tags                     = try(each.value.proxy_tags, var.defaults.proxy_tags, {})
+  region                         = try(each.value.region, var.defaults.region, null)
+  require_tls                    = try(each.value.require_tls, var.defaults.require_tls, true)
+  role_arn                       = try(each.value.role_arn, var.defaults.role_arn, "")
+  session_pinning_filters        = try(each.value.session_pinning_filters, var.defaults.session_pinning_filters, [])
+  tags                           = try(each.value.tags, var.defaults.tags, {})
+  target_db_cluster              = try(each.value.target_db_cluster, var.defaults.target_db_cluster, false)
+  target_db_instance             = try(each.value.target_db_instance, var.defaults.target_db_instance, false)
+  use_policy_name_prefix         = try(each.value.use_policy_name_prefix, var.defaults.use_policy_name_prefix, false)
+  use_role_name_prefix           = try(each.value.use_role_name_prefix, var.defaults.use_role_name_prefix, false)
+  vpc_security_group_ids         = try(each.value.vpc_security_group_ids, var.defaults.vpc_security_group_ids, [])
+  vpc_subnet_ids                 = try(each.value.vpc_subnet_ids, var.defaults.vpc_subnet_ids, [])
+}

wrappers/outputs.tf

@@ -0,0 +1,5 @@
+output "wrapper" {
+  description = "Map of outputs of a wrapper."
+  value       = module.wrapper
+  # sensitive = false # No sensitive module output found
+}

wrappers/variables.tf

@@ -0,0 +1,11 @@
+variable "defaults" {
+  description = "Map of default values which will be used for each item."
+  type        = any
+  default     = {}
+}
+
+variable "items" {
+  description = "Maps of items to create a wrapper from. Values are passed through to the module."
+  type        = any
+  default     = {}
+}

wrappers/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.5.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.15"
+    }
+  }
+}