AWS RDS Proxy Terraform module
Terraform module which creates an AWS RDS Proxy and its supporting resources.
Usage
See examples directory for working examples to reference:
module "rds_proxy" {
source = "clowdhaus/rds-proxy/aws"
name = "rds-proxy"
iam_role_name = "rds-proxy-role"
vpc_subnet_ids = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
vpc_security_group_ids = ["sg-f1d03a88"]
db_proxy_endpoints = {
read_write = {
name = "read-write-endpoint"
vpc_subnet_ids = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
vpc_security_group_ids = ["sg-f1d03a88"]
},
read_only = {
name = "read-only-endpoint"
vpc_subnet_ids = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
vpc_security_group_ids = ["sg-f1d03a88"]
target_role = "READ_ONLY"
}
}
secrets = {
"superuser" = {
description = "Aurora PostgreSQL superuser password"
arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:superuser-6gsjLD"
kms_key_id = "6ca29066-552a-46c5-a7d7-7bf9a15fc255"
}
}
# Target Aurora cluster
engine_family = "POSTGRESQL"
target_db_cluster = true
db_cluster_identifier = "myendpoint"
tags = {
Terraform = "true"
Environment = "dev"
}
}Examples
Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module(s). If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
- IAM auth. w/ MySQL Aurora cluster
- IAM auth. w/ MySQL RDS instance
- IAM auth. w/ PostgreSQL Aurora cluster
- IAM auth. w/ PostgreSQL RDS instance
Security & Compliance 
Security scanning results provided by Bridgecrew. Bridgecrew is the leading fully hosted, cloud-native solution providing continuous Terraform security and compliance.
| Benchmark | Description |
|---|---|
| Infrastructure Security Compliance | |
| Center for Internet Security, AWS Compliance | |
| Payment Card Industry Data Security Standards Compliance | |
| National Institute of Standards and Technology Compliance | |
| Information Security Management System, ISO/IEC 27001 Compliance | |
| Service Organization Control 2 Compliance | |
| Health Insurance Portability and Accountability Compliance | |
| FedRAMP Moderate Impact Level |
Requirements
| Name | Version |
|---|---|
| terraform | >= 0.13.1 |
| aws | >= 3.38 |
Providers
| Name | Version |
|---|---|
| aws | >= 3.38 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.this | resource |
| aws_db_proxy.this | resource |
| aws_db_proxy_default_target_group.this | resource |
| aws_db_proxy_endpoint.this | resource |
| aws_db_proxy_target.db_cluster | resource |
| aws_db_proxy_target.db_instance | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy.this | resource |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.this | data source |
| aws_region.current | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| auth_scheme | The type of authentication that the proxy uses for connections from the proxy to the underlying database. One of SECRETS |
string |
"SECRETS" |
no |
| connection_borrow_timeout | The number of seconds for a proxy to wait for a connection to become available in the connection pool | number |
null |
no |
| create_iam_policy | Determines whether an IAM policy is created | bool |
true |
no |
| create_iam_role | Determines whether an IAM role is created | bool |
true |
no |
| create_proxy | Determines whether a proxy and its resources will be created | bool |
true |
no |
| db_cluster_identifier | DB cluster identifier | string |
"" |
no |
| db_instance_identifier | DB instance identifier | string |
"" |
no |
| db_proxy_endpoints | Map of DB proxy endpoints to create and their attributes (see aws_db_proxy_endpoint) |
any |
{} |
no |
| debug_logging | Whether the proxy includes detailed information about SQL statements in its logs | bool |
false |
no |
| engine_family | The kind of database engine that the proxy will connect to. Valid values are MYSQL or POSTGRESQL |
string |
"" |
no |
| iam_auth | Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. One of DISABLED, REQUIRED |
string |
"REQUIRED" |
no |
| iam_policy_name | The name of the role policy. If omitted, Terraform will assign a random, unique name | string |
"" |
no |
| iam_role_description | The description of the role | string |
"" |
no |
| iam_role_force_detach_policies | Specifies to force detaching any policies the role has before destroying it | bool |
true |
no |
| iam_role_max_session_duration | The maximum session duration (in seconds) that you want to set for the specified role | number |
43200 |
no |
| iam_role_name | The name of the role. If omitted, Terraform will assign a random, unique name | string |
"" |
no |
| iam_role_path | The path to the role | string |
null |
no |
| iam_role_permissions_boundary | The ARN of the policy that is used to set the permissions boundary for the role | string |
null |
no |
| iam_role_tags | A map of tags to apply to the IAM role | map(string) |
{} |
no |
| idle_client_timeout | The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it | number |
1800 |
no |
| init_query | One or more SQL statements for the proxy to run when opening each new database connection | string |
"" |
no |
| log_group_kms_key_id | The ARN of the KMS Key to use when encrypting log data | string |
null |
no |
| log_group_retention_in_days | Specifies the number of days you want to retain log events in the log group | number |
30 |
no |
| log_group_tags | A map of tags to apply to the CloudWatch log group | map(string) |
{} |
no |
| manage_log_group | Determines whether Terraform will create/manage the CloudWatch log group or not. Note - this will fail if set to true after the log group has been created as the resource will already exist | bool |
true |
no |
| max_connections_percent | The maximum size of the connection pool for each target in a target group | number |
90 |
no |
| max_idle_connections_percent | Controls how actively the proxy closes idle database connections in the connection pool | number |
50 |
no |
| name | The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens | string |
"" |
no |
| proxy_tags | A map of tags to apply to the RDS Proxy | map(string) |
{} |
no |
| require_tls | A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy | bool |
true |
no |
| role_arn | The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager | string |
"" |
no |
| secrets | Map of secerets to be used by RDS Proxy for authentication to the database | map(object({ arn = string, description = string, kms_key_id = string })) |
{} |
no |
| session_pinning_filters | Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection | list(string) |
[] |
no |
| tags | A map of tags to use on all resources | map(string) |
{} |
no |
| target_db_cluster | Determines whether DB cluster is targetted by proxy | bool |
false |
no |
| target_db_instance | Determines whether DB instance is targetted by proxy | bool |
false |
no |
| use_policy_name_prefix | Whether to use unique name beginning with the specified iam_policy_name |
bool |
false |
no |
| use_role_name_prefix | Whether to use unique name beginning with the specified iam_role_name |
bool |
false |
no |
| vpc_security_group_ids | One or more VPC security group IDs to associate with the new proxy | list(string) |
[] |
no |
| vpc_subnet_ids | One or more VPC subnet IDs to associate with the new proxy | list(string) |
[] |
no |
Outputs
| Name | Description |
|---|---|
| db_proxy_endpoints | Array containing the full resource object and attributes for all DB proxy endpoints created |
| log_group_arn | The Amazon Resource Name (ARN) of the CloudWatch log group |
| proxy_arn | The Amazon Resource Name (ARN) for the proxy |
| proxy_default_target_group_arn | The Amazon Resource Name (ARN) for the default target group |
| proxy_default_target_group_id | The ID for the default target group |
| proxy_default_target_group_name | The name of the default target group |
| proxy_endpoint | The endpoint that you can use to connect to the proxy |
| proxy_id | The ID for the proxy |
| proxy_target_endpoint | Hostname for the target RDS DB Instance. Only returned for RDS_INSTANCE type |
| proxy_target_id | Identifier of db_proxy_name, target_group_name, target type (e.g. RDS_INSTANCE or TRACKED_CLUSTER), and resource identifier separated by forward slashes (/) |
| proxy_target_port | Port for the target RDS DB Instance or Aurora DB Cluster |
| proxy_target_rds_resource_id | Identifier representing the DB Instance or DB Cluster target |
| proxy_target_target_arn | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| proxy_target_tracked_cluster_id | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS_INSTANCE target that is part of a DB Cluster |
| proxy_target_type | Type of target. e.g. RDS_INSTANCE or TRACKED_CLUSTER |
License
Apache-2.0 Licensed. See LICENSE.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent