Home

Awesome

AWS RDS Proxy Terraform module

Terraform module which creates an AWS RDS Proxy and its supporting resources.

Usage

See examples directory for working examples to reference:

module "rds_proxy" {
  source = "terraform-aws-modules/rds-proxy/aws"

  name                   = "rds-proxy"
  iam_role_name          = "rds-proxy-role"
  vpc_subnet_ids         = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
  vpc_security_group_ids = ["sg-f1d03a88"]

  endpoints = {
    read_write = {
      name                   = "read-write-endpoint"
      vpc_subnet_ids         = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
      vpc_security_group_ids = ["sg-f1d03a88"]
    },
    read_only = {
      name                   = "read-only-endpoint"
      vpc_subnet_ids         = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
      vpc_security_group_ids = ["sg-f1d03a88"]
      target_role            = "READ_ONLY"
    }
  }

  auth = {
    "superuser" = {
      description        = "Aurora PostgreSQL superuser password"
      secret_arn         = "arn:aws:secretsmanager:us-east-1:123456789012:secret:superuser-6gsjLD"
    }
  }

  # Target Aurora cluster
  engine_family         = "POSTGRESQL"
  target_db_cluster     = true
  db_cluster_identifier = "my-endpoint"

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Examples

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module(s). If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

<!-- BEGIN_TF_DOCS -->

Requirements

NameVersion
<a name="requirement_terraform"></a> terraform>= 1.0
<a name="requirement_aws"></a> aws>= 5.0

Providers

NameVersion
<a name="provider_aws"></a> aws>= 5.0

Modules

No modules.

Resources

NameType
aws_cloudwatch_log_group.thisresource
aws_db_proxy.thisresource
aws_db_proxy_default_target_group.thisresource
aws_db_proxy_endpoint.thisresource
aws_db_proxy_target.db_clusterresource
aws_db_proxy_target.db_instanceresource
aws_iam_role.thisresource
aws_iam_role_policy.thisresource
aws_iam_policy_document.assume_roledata source
aws_iam_policy_document.thisdata source
aws_partition.currentdata source
aws_region.currentdata source

Inputs

NameDescriptionTypeDefaultRequired
<a name="input_auth"></a> authConfiguration block(s) with authorization mechanisms to connect to the associated instances or clustersany{}no
<a name="input_connection_borrow_timeout"></a> connection_borrow_timeoutThe number of seconds for a proxy to wait for a connection to become available in the connection poolnumbernullno
<a name="input_create"></a> createWhether cluster should be created (affects nearly all resources)booltrueno
<a name="input_create_iam_policy"></a> create_iam_policyDetermines whether an IAM policy is createdbooltrueno
<a name="input_create_iam_role"></a> create_iam_roleDetermines whether an IAM role is createdbooltrueno
<a name="input_db_cluster_identifier"></a> db_cluster_identifierDB cluster identifierstring""no
<a name="input_db_instance_identifier"></a> db_instance_identifierDB instance identifierstring""no
<a name="input_debug_logging"></a> debug_loggingWhether the proxy includes detailed information about SQL statements in its logsboolfalseno
<a name="input_endpoints"></a> endpointsMap of DB proxy endpoints to create and their attributes (see aws_db_proxy_endpoint)any{}no
<a name="input_engine_family"></a> engine_familyThe kind of database engine that the proxy will connect to. Valid values are MYSQL or POSTGRESQLstring""no
<a name="input_iam_policy_name"></a> iam_policy_nameThe name of the role policy. If omitted, Terraform will assign a random, unique namestring""no
<a name="input_iam_role_description"></a> iam_role_descriptionThe description of the rolestring""no
<a name="input_iam_role_force_detach_policies"></a> iam_role_force_detach_policiesSpecifies to force detaching any policies the role has before destroying itbooltrueno
<a name="input_iam_role_max_session_duration"></a> iam_role_max_session_durationThe maximum session duration (in seconds) that you want to set for the specified rolenumber43200no
<a name="input_iam_role_name"></a> iam_role_nameThe name of the role. If omitted, Terraform will assign a random, unique namestring""no
<a name="input_iam_role_path"></a> iam_role_pathThe path to the rolestringnullno
<a name="input_iam_role_permissions_boundary"></a> iam_role_permissions_boundaryThe ARN of the policy that is used to set the permissions boundary for the rolestringnullno
<a name="input_iam_role_tags"></a> iam_role_tagsA map of tags to apply to the IAM rolemap(string){}no
<a name="input_idle_client_timeout"></a> idle_client_timeoutThe number of seconds that a connection to the proxy can be inactive before the proxy disconnects itnumber1800no
<a name="input_init_query"></a> init_queryOne or more SQL statements for the proxy to run when opening each new database connectionstring""no
<a name="input_kms_key_arns"></a> kms_key_arnsList of KMS Key ARNs to allow access to decrypt SecretsManager secretslist(string)[]no
<a name="input_log_group_kms_key_id"></a> log_group_kms_key_idThe ARN of the KMS Key to use when encrypting log datastringnullno
<a name="input_log_group_retention_in_days"></a> log_group_retention_in_daysSpecifies the number of days you want to retain log events in the log groupnumber30no
<a name="input_log_group_tags"></a> log_group_tagsA map of tags to apply to the CloudWatch log groupmap(string){}no
<a name="input_manage_log_group"></a> manage_log_groupDetermines whether Terraform will create/manage the CloudWatch log group or not. Note - this will fail if set to true after the log group has been created as the resource will already existbooltrueno
<a name="input_max_connections_percent"></a> max_connections_percentThe maximum size of the connection pool for each target in a target groupnumber90no
<a name="input_max_idle_connections_percent"></a> max_idle_connections_percentControls how actively the proxy closes idle database connections in the connection poolnumber50no
<a name="input_name"></a> nameThe identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphensstring""no
<a name="input_proxy_tags"></a> proxy_tagsA map of tags to apply to the RDS Proxymap(string){}no
<a name="input_require_tls"></a> require_tlsA Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxybooltrueno
<a name="input_role_arn"></a> role_arnThe Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Managerstring""no
<a name="input_session_pinning_filters"></a> session_pinning_filtersEach item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connectionlist(string)[]no
<a name="input_tags"></a> tagsA map of tags to add to all resourcesmap(string){}no
<a name="input_target_db_cluster"></a> target_db_clusterDetermines whether DB cluster is targeted by proxyboolfalseno
<a name="input_target_db_instance"></a> target_db_instanceDetermines whether DB instance is targeted by proxyboolfalseno
<a name="input_use_policy_name_prefix"></a> use_policy_name_prefixWhether to use unique name beginning with the specified iam_policy_nameboolfalseno
<a name="input_use_role_name_prefix"></a> use_role_name_prefixWhether to use unique name beginning with the specified iam_role_nameboolfalseno
<a name="input_vpc_security_group_ids"></a> vpc_security_group_idsOne or more VPC security group IDs to associate with the new proxylist(string)[]no
<a name="input_vpc_subnet_ids"></a> vpc_subnet_idsOne or more VPC subnet IDs to associate with the new proxylist(string)[]no

Outputs

NameDescription
<a name="output_db_proxy_endpoints"></a> db_proxy_endpointsArray containing the full resource object and attributes for all DB proxy endpoints created
<a name="output_iam_role_arn"></a> iam_role_arnThe Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager.
<a name="output_iam_role_name"></a> iam_role_nameIAM role name
<a name="output_iam_role_unique_id"></a> iam_role_unique_idStable and unique string identifying the IAM role
<a name="output_log_group_arn"></a> log_group_arnThe Amazon Resource Name (ARN) of the CloudWatch log group
<a name="output_log_group_name"></a> log_group_nameThe name of the CloudWatch log group
<a name="output_proxy_arn"></a> proxy_arnThe Amazon Resource Name (ARN) for the proxy
<a name="output_proxy_default_target_group_arn"></a> proxy_default_target_group_arnThe Amazon Resource Name (ARN) for the default target group
<a name="output_proxy_default_target_group_id"></a> proxy_default_target_group_idThe ID for the default target group
<a name="output_proxy_default_target_group_name"></a> proxy_default_target_group_nameThe name of the default target group
<a name="output_proxy_endpoint"></a> proxy_endpointThe endpoint that you can use to connect to the proxy
<a name="output_proxy_id"></a> proxy_idThe ID for the proxy
<a name="output_proxy_target_endpoint"></a> proxy_target_endpointHostname for the target RDS DB Instance. Only returned for RDS_INSTANCE type
<a name="output_proxy_target_id"></a> proxy_target_idIdentifier of db_proxy_name, target_group_name, target type (e.g. RDS_INSTANCE or TRACKED_CLUSTER), and resource identifier separated by forward slashes (/)
<a name="output_proxy_target_port"></a> proxy_target_portPort for the target RDS DB Instance or Aurora DB Cluster
<a name="output_proxy_target_rds_resource_id"></a> proxy_target_rds_resource_idIdentifier representing the DB Instance or DB Cluster target
<a name="output_proxy_target_target_arn"></a> proxy_target_target_arnAmazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API
<a name="output_proxy_target_tracked_cluster_id"></a> proxy_target_tracked_cluster_idDB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS_INSTANCE target that is part of a DB Cluster
<a name="output_proxy_target_type"></a> proxy_target_typeType of target. e.g. RDS_INSTANCE or TRACKED_CLUSTER
<!-- END_TF_DOCS -->

License

Apache-2.0 Licensed. See LICENSE.