Awesome
AWS RDS Proxy Terraform module
Terraform module which creates an AWS RDS Proxy and its supporting resources.
Usage
See examples directory for working examples to reference:
module "rds_proxy" {
source = "terraform-aws-modules/rds-proxy/aws"
name = "rds-proxy"
iam_role_name = "rds-proxy-role"
vpc_subnet_ids = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
vpc_security_group_ids = ["sg-f1d03a88"]
endpoints = {
read_write = {
name = "read-write-endpoint"
vpc_subnet_ids = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
vpc_security_group_ids = ["sg-f1d03a88"]
},
read_only = {
name = "read-only-endpoint"
vpc_subnet_ids = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
vpc_security_group_ids = ["sg-f1d03a88"]
target_role = "READ_ONLY"
}
}
auth = {
"superuser" = {
description = "Aurora PostgreSQL superuser password"
secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:superuser-6gsjLD"
}
}
# Target Aurora cluster
engine_family = "POSTGRESQL"
target_db_cluster = true
db_cluster_identifier = "my-endpoint"
tags = {
Terraform = "true"
Environment = "dev"
}
}
Examples
Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module(s). If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
- IAM auth. w/ MySQL Aurora cluster
- IAM auth. w/ MySQL RDS instance
- IAM auth. w/ PostgreSQL Aurora cluster
- IAM auth. w/ PostgreSQL RDS instance
Requirements
| Name | Version |
|---|---|
| <a name="requirement_terraform"></a> terraform | >= 1.0 |
| <a name="requirement_aws"></a> aws | >= 5.0 |
Providers
| Name | Version |
|---|---|
| <a name="provider_aws"></a> aws | >= 5.0 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.this | resource |
| aws_db_proxy.this | resource |
| aws_db_proxy_default_target_group.this | resource |
| aws_db_proxy_endpoint.this | resource |
| aws_db_proxy_target.db_cluster | resource |
| aws_db_proxy_target.db_instance | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy.this | resource |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.this | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| <a name="input_auth"></a> auth | Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters | any | {} | no |
| <a name="input_connection_borrow_timeout"></a> connection_borrow_timeout | The number of seconds for a proxy to wait for a connection to become available in the connection pool | number | null | no |
| <a name="input_create"></a> create | Whether cluster should be created (affects nearly all resources) | bool | true | no |
| <a name="input_create_iam_policy"></a> create_iam_policy | Determines whether an IAM policy is created | bool | true | no |
| <a name="input_create_iam_role"></a> create_iam_role | Determines whether an IAM role is created | bool | true | no |
| <a name="input_db_cluster_identifier"></a> db_cluster_identifier | DB cluster identifier | string | "" | no |
| <a name="input_db_instance_identifier"></a> db_instance_identifier | DB instance identifier | string | "" | no |
| <a name="input_debug_logging"></a> debug_logging | Whether the proxy includes detailed information about SQL statements in its logs | bool | false | no |
| <a name="input_endpoints"></a> endpoints | Map of DB proxy endpoints to create and their attributes (see aws_db_proxy_endpoint) | any | {} | no |
| <a name="input_engine_family"></a> engine_family | The kind of database engine that the proxy will connect to. Valid values are MYSQL or POSTGRESQL | string | "" | no |
| <a name="input_iam_policy_name"></a> iam_policy_name | The name of the role policy. If omitted, Terraform will assign a random, unique name | string | "" | no |
| <a name="input_iam_role_description"></a> iam_role_description | The description of the role | string | "" | no |
| <a name="input_iam_role_force_detach_policies"></a> iam_role_force_detach_policies | Specifies to force detaching any policies the role has before destroying it | bool | true | no |
| <a name="input_iam_role_max_session_duration"></a> iam_role_max_session_duration | The maximum session duration (in seconds) that you want to set for the specified role | number | 43200 | no |
| <a name="input_iam_role_name"></a> iam_role_name | The name of the role. If omitted, Terraform will assign a random, unique name | string | "" | no |
| <a name="input_iam_role_path"></a> iam_role_path | The path to the role | string | null | no |
| <a name="input_iam_role_permissions_boundary"></a> iam_role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the role | string | null | no |
| <a name="input_iam_role_tags"></a> iam_role_tags | A map of tags to apply to the IAM role | map(string) | {} | no |
| <a name="input_idle_client_timeout"></a> idle_client_timeout | The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it | number | 1800 | no |
| <a name="input_init_query"></a> init_query | One or more SQL statements for the proxy to run when opening each new database connection | string | "" | no |
| <a name="input_kms_key_arns"></a> kms_key_arns | List of KMS Key ARNs to allow access to decrypt SecretsManager secrets | list(string) | [] | no |
| <a name="input_log_group_kms_key_id"></a> log_group_kms_key_id | The ARN of the KMS Key to use when encrypting log data | string | null | no |
| <a name="input_log_group_retention_in_days"></a> log_group_retention_in_days | Specifies the number of days you want to retain log events in the log group | number | 30 | no |
| <a name="input_log_group_tags"></a> log_group_tags | A map of tags to apply to the CloudWatch log group | map(string) | {} | no |
| <a name="input_manage_log_group"></a> manage_log_group | Determines whether Terraform will create/manage the CloudWatch log group or not. Note - this will fail if set to true after the log group has been created as the resource will already exist | bool | true | no |
| <a name="input_max_connections_percent"></a> max_connections_percent | The maximum size of the connection pool for each target in a target group | number | 90 | no |
| <a name="input_max_idle_connections_percent"></a> max_idle_connections_percent | Controls how actively the proxy closes idle database connections in the connection pool | number | 50 | no |
| <a name="input_name"></a> name | The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens | string | "" | no |
| <a name="input_proxy_tags"></a> proxy_tags | A map of tags to apply to the RDS Proxy | map(string) | {} | no |
| <a name="input_require_tls"></a> require_tls | A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy | bool | true | no |
| <a name="input_role_arn"></a> role_arn | The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager | string | "" | no |
| <a name="input_session_pinning_filters"></a> session_pinning_filters | Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection | list(string) | [] | no |
| <a name="input_tags"></a> tags | A map of tags to add to all resources | map(string) | {} | no |
| <a name="input_target_db_cluster"></a> target_db_cluster | Determines whether DB cluster is targeted by proxy | bool | false | no |
| <a name="input_target_db_instance"></a> target_db_instance | Determines whether DB instance is targeted by proxy | bool | false | no |
| <a name="input_use_policy_name_prefix"></a> use_policy_name_prefix | Whether to use unique name beginning with the specified iam_policy_name | bool | false | no |
| <a name="input_use_role_name_prefix"></a> use_role_name_prefix | Whether to use unique name beginning with the specified iam_role_name | bool | false | no |
| <a name="input_vpc_security_group_ids"></a> vpc_security_group_ids | One or more VPC security group IDs to associate with the new proxy | list(string) | [] | no |
| <a name="input_vpc_subnet_ids"></a> vpc_subnet_ids | One or more VPC subnet IDs to associate with the new proxy | list(string) | [] | no |
Outputs
| Name | Description |
|---|---|
| <a name="output_db_proxy_endpoints"></a> db_proxy_endpoints | Array containing the full resource object and attributes for all DB proxy endpoints created |
| <a name="output_iam_role_arn"></a> iam_role_arn | The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager. |
| <a name="output_iam_role_name"></a> iam_role_name | IAM role name |
| <a name="output_iam_role_unique_id"></a> iam_role_unique_id | Stable and unique string identifying the IAM role |
| <a name="output_log_group_arn"></a> log_group_arn | The Amazon Resource Name (ARN) of the CloudWatch log group |
| <a name="output_proxy_arn"></a> proxy_arn | The Amazon Resource Name (ARN) for the proxy |
| <a name="output_proxy_default_target_group_arn"></a> proxy_default_target_group_arn | The Amazon Resource Name (ARN) for the default target group |
| <a name="output_proxy_default_target_group_id"></a> proxy_default_target_group_id | The ID for the default target group |
| <a name="output_proxy_default_target_group_name"></a> proxy_default_target_group_name | The name of the default target group |
| <a name="output_proxy_endpoint"></a> proxy_endpoint | The endpoint that you can use to connect to the proxy |
| <a name="output_proxy_id"></a> proxy_id | The ID for the proxy |
| <a name="output_proxy_target_endpoint"></a> proxy_target_endpoint | Hostname for the target RDS DB Instance. Only returned for RDS_INSTANCE type |
| <a name="output_proxy_target_id"></a> proxy_target_id | Identifier of db_proxy_name, target_group_name, target type (e.g. RDS_INSTANCE or TRACKED_CLUSTER), and resource identifier separated by forward slashes (/) |
| <a name="output_proxy_target_port"></a> proxy_target_port | Port for the target RDS DB Instance or Aurora DB Cluster |
| <a name="output_proxy_target_rds_resource_id"></a> proxy_target_rds_resource_id | Identifier representing the DB Instance or DB Cluster target |
| <a name="output_proxy_target_target_arn"></a> proxy_target_target_arn | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| <a name="output_proxy_target_tracked_cluster_id"></a> proxy_target_tracked_cluster_id | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS_INSTANCE target that is part of a DB Cluster |
| <a name="output_proxy_target_type"></a> proxy_target_type | Type of target. e.g. RDS_INSTANCE or TRACKED_CLUSTER |
License
Apache-2.0 Licensed. See LICENSE.