Merge pull request #44309 from tabito-hara/f-aws_rds_proxy-add_default_auth_scheme

ewbankkit · web-flow · commit 89a6e935942e · 2025-09-25T15:23:32.000-04:00
[Enhancement] aws_rds_proxy: Add `default_auth_scheme` argument to support RDS Proxy end-to-end IAM authentication
diff --git a/.changelog/44309.txt b/.changelog/44309.txt
@@ -0,0 +1,11 @@
+```release-note:enhancement
+resource/aws_rds_proxy: Add `default_auth_scheme` argument
+```
+
+```release-note:enhancement
+resource/aws_rds_proxy: Make `auth` configuration block optional
+```
+
+```release-note:enhancement
+data-source/aws_rds_proxy: Add `default_auth_scheme` attribute
+```
diff --git a/internal/service/rds/proxy.go b/internal/service/rds/proxy.go
@@ -54,7 +54,7 @@ func resourceProxy() *schema.Resource {
 			},
 			"auth": {
 				Type:     schema.TypeSet,
-				Required: true,
+				Optional: true,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"auth_scheme": {
@@ -94,6 +94,12 @@ func resourceProxy() *schema.Resource {
 				Type:     schema.TypeBool,
 				Optional: true,
 			},
+			"default_auth_scheme": {
+				Type:             schema.TypeString,
+				Optional:         true,
+				Computed:         true,
+				ValidateDiagFunc: enum.Validate[types.DefaultAuthScheme](),
+			},
 			names.AttrEndpoint: {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -147,18 +153,27 @@ func resourceProxyCreate(ctx context.Context, d *schema.ResourceData, meta any)
 
 	name := d.Get(names.AttrName).(string)
 	input := &rds.CreateDBProxyInput{
-		Auth:         expandUserAuthConfigs(d.Get("auth").(*schema.Set).List()),
 		DBProxyName:  aws.String(name),
 		EngineFamily: types.EngineFamily(d.Get("engine_family").(string)),
 		RoleArn:      aws.String(d.Get(names.AttrRoleARN).(string)),
 		Tags:         getTagsIn(ctx),
 		VpcSubnetIds: flex.ExpandStringValueSet(d.Get("vpc_subnet_ids").(*schema.Set)),
 	}
 
+	if v, ok := d.GetOk("auth"); ok && v.(*schema.Set).Len() > 0 {
+		input.Auth = expandUserAuthConfigs(v.(*schema.Set).List())
+	} else {
+		input.Auth = []types.UserAuthConfig{}
+	}
+
 	if v, ok := d.GetOk("debug_logging"); ok {
 		input.DebugLogging = aws.Bool(v.(bool))
 	}
 
+	if v, ok := d.GetOk("default_auth_scheme"); ok {
+		input.DefaultAuthScheme = types.DefaultAuthScheme(v.(string))
+	}
+
 	if v, ok := d.GetOk("idle_client_timeout"); ok {
 		input.IdleClientTimeout = aws.Int32(int32(v.(int)))
 	}
@@ -206,6 +221,7 @@ func resourceProxyRead(ctx context.Context, d *schema.ResourceData, meta any) di
 	d.Set("auth", flattenUserAuthConfigInfos(dbProxy.Auth))
 	d.Set(names.AttrName, dbProxy.DBProxyName)
 	d.Set("debug_logging", dbProxy.DebugLogging)
+	d.Set("default_auth_scheme", dbProxy.DefaultAuthScheme)
 	d.Set("engine_family", dbProxy.EngineFamily)
 	d.Set("idle_client_timeout", dbProxy.IdleClientTimeout)
 	d.Set("require_tls", dbProxy.RequireTLS)
@@ -224,14 +240,23 @@ func resourceProxyUpdate(ctx context.Context, d *schema.ResourceData, meta any)
 	if d.HasChangesExcept(names.AttrTags, names.AttrTagsAll) {
 		oName, nName := d.GetChange(names.AttrName)
 		input := &rds.ModifyDBProxyInput{
-			Auth:           expandUserAuthConfigs(d.Get("auth").(*schema.Set).List()),
 			DBProxyName:    aws.String(oName.(string)),
 			DebugLogging:   aws.Bool(d.Get("debug_logging").(bool)),
 			NewDBProxyName: aws.String(nName.(string)),
 			RequireTLS:     aws.Bool(d.Get("require_tls").(bool)),
 			RoleArn:        aws.String(d.Get(names.AttrRoleARN).(string)),
 		}
 
+		if v, ok := d.GetOk("auth"); ok && v.(*schema.Set).Len() > 0 {
+			input.Auth = expandUserAuthConfigs(v.(*schema.Set).List())
+		} else {
+			input.Auth = []types.UserAuthConfig{}
+		}
+
+		if v, ok := d.GetOk("default_auth_scheme"); ok {
+			input.DefaultAuthScheme = types.DefaultAuthScheme(v.(string))
+		}
+
 		if v, ok := d.GetOk("idle_client_timeout"); ok {
 			input.IdleClientTimeout = aws.Int32(int32(v.(int)))
 		}
diff --git a/internal/service/rds/proxy_data_source.go b/internal/service/rds/proxy_data_source.go
@@ -59,6 +59,10 @@ func dataSourceProxy() *schema.Resource {
 				Type:     schema.TypeBool,
 				Computed: true,
 			},
+			"default_auth_scheme": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 			names.AttrEndpoint: {
 				Type:     schema.TypeString,
 				Computed: true,
@@ -116,6 +120,7 @@ func dataSourceProxyRead(ctx context.Context, d *schema.ResourceData, meta any)
 	d.Set(names.AttrARN, dbProxy.DBProxyArn)
 	d.Set("auth", flattenUserAuthConfigInfos(dbProxy.Auth))
 	d.Set("debug_logging", dbProxy.DebugLogging)
+	d.Set("default_auth_scheme", dbProxy.DefaultAuthScheme)
 	d.Set(names.AttrEndpoint, dbProxy.Endpoint)
 	d.Set("engine_family", dbProxy.EngineFamily)
 	d.Set("idle_client_timeout", dbProxy.IdleClientTimeout)
diff --git a/internal/service/rds/proxy_data_source_test.go b/internal/service/rds/proxy_data_source_test.go
@@ -33,6 +33,7 @@ func TestAccRDSProxyDataSource_basic(t *testing.T) {
 					resource.TestCheckResourceAttrPair(dataSourceName, names.AttrARN, resourceName, names.AttrARN),
 					resource.TestCheckResourceAttrPair(dataSourceName, "auth.#", resourceName, "auth.#"),
 					resource.TestCheckResourceAttrPair(dataSourceName, "debug_logging", resourceName, "debug_logging"),
+					resource.TestCheckResourceAttrPair(dataSourceName, "default_auth_scheme", resourceName, "default_auth_scheme"),
 					resource.TestCheckResourceAttrPair(dataSourceName, names.AttrEndpoint, resourceName, names.AttrEndpoint),
 					resource.TestCheckResourceAttrPair(dataSourceName, "engine_family", resourceName, "engine_family"),
 					resource.TestCheckResourceAttrPair(dataSourceName, "idle_client_timeout", resourceName, "idle_client_timeout"),
diff --git a/internal/service/rds/proxy_test.go b/internal/service/rds/proxy_test.go
@@ -48,11 +48,12 @@ func TestAccRDSProxy_basic(t *testing.T) {
 					resource.TestCheckResourceAttr(resourceName, "auth.#", "1"),
 					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "auth.*", map[string]string{
 						"auth_scheme":               "SECRETS",
-						"client_password_auth_type": "MYSQL_NATIVE_PASSWORD",
+						"client_password_auth_type": "MYSQL_CACHING_SHA2_PASSWORD",
 						names.AttrDescription:       "test",
 						"iam_auth":                  "DISABLED",
 					}),
 					resource.TestCheckResourceAttr(resourceName, "debug_logging", acctest.CtFalse),
+					resource.TestCheckResourceAttr(resourceName, "default_auth_scheme", string(types.DefaultAuthSchemeNone)),
 					resource.TestMatchResourceAttr(resourceName, names.AttrEndpoint, regexache.MustCompile(`^[\w\-\.]+\.rds\.amazonaws\.com$`)),
 					resource.TestCheckResourceAttr(resourceName, "idle_client_timeout", "1800"),
 					resource.TestCheckResourceAttr(resourceName, "require_tls", acctest.CtTrue),
@@ -446,6 +447,97 @@ func TestAccRDSProxy_authSecretARN(t *testing.T) {
 	})
 }
 
+func TestAccRDSProxy_defaultAuthScheme(t *testing.T) {
+	ctx := acctest.Context(t)
+	if testing.Short() {
+		t.Skip("skipping long-running test in short mode")
+	}
+
+	var v types.DBProxy
+	resourceName := "aws_db_proxy.test"
+	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t); testAccDBProxyPreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.RDSServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckProxyDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccProxyConfig_defaultAuthSchemeIAMAUTH(rName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckProxyExists(ctx, resourceName, &v),
+					resource.TestCheckResourceAttr(resourceName, names.AttrName, rName),
+					resource.TestCheckResourceAttr(resourceName, "engine_family", "MYSQL"),
+					acctest.MatchResourceAttrRegionalARN(ctx, resourceName, names.AttrARN, "rds", regexache.MustCompile(`db-proxy:.+`)),
+					resource.TestCheckResourceAttr(resourceName, "auth.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "debug_logging", acctest.CtFalse),
+					resource.TestCheckResourceAttr(resourceName, "default_auth_scheme", string(types.DefaultAuthSchemeIamAuth)),
+					resource.TestMatchResourceAttr(resourceName, names.AttrEndpoint, regexache.MustCompile(`^[\w\-\.]+\.rds\.amazonaws\.com$`)),
+					resource.TestCheckResourceAttr(resourceName, "idle_client_timeout", "1800"),
+					resource.TestCheckResourceAttr(resourceName, "require_tls", acctest.CtTrue),
+					resource.TestCheckResourceAttrPair(resourceName, names.AttrRoleARN, "aws_iam_role.test", names.AttrARN),
+					resource.TestCheckResourceAttr(resourceName, acctest.CtTagsPercent, "0"),
+					resource.TestCheckResourceAttr(resourceName, "vpc_subnet_ids.#", "2"),
+					resource.TestCheckTypeSetElemAttrPair(resourceName, "vpc_subnet_ids.*", "aws_subnet.test.0", names.AttrID),
+					resource.TestCheckTypeSetElemAttrPair(resourceName, "vpc_subnet_ids.*", "aws_subnet.test.1", names.AttrID),
+				),
+			},
+			{
+				ResourceName:      resourceName,
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				Config: testAccProxyConfig_defaultAuthSchemeNONE(rName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckProxyExists(ctx, resourceName, &v),
+					resource.TestCheckResourceAttr(resourceName, names.AttrName, rName),
+					resource.TestCheckResourceAttr(resourceName, "engine_family", "MYSQL"),
+					acctest.MatchResourceAttrRegionalARN(ctx, resourceName, names.AttrARN, "rds", regexache.MustCompile(`db-proxy:.+`)),
+					resource.TestCheckResourceAttr(resourceName, "auth.#", "1"),
+					resource.TestCheckTypeSetElemNestedAttrs(resourceName, "auth.*", map[string]string{
+						"auth_scheme":               "SECRETS",
+						"client_password_auth_type": "MYSQL_CACHING_SHA2_PASSWORD",
+						names.AttrDescription:       "test",
+						"iam_auth":                  "DISABLED",
+					}),
+					resource.TestCheckResourceAttr(resourceName, "debug_logging", acctest.CtFalse),
+					resource.TestCheckResourceAttr(resourceName, "default_auth_scheme", string(types.DefaultAuthSchemeNone)),
+					resource.TestMatchResourceAttr(resourceName, names.AttrEndpoint, regexache.MustCompile(`^[\w\-\.]+\.rds\.amazonaws\.com$`)),
+					resource.TestCheckResourceAttr(resourceName, "idle_client_timeout", "1800"),
+					resource.TestCheckResourceAttr(resourceName, "require_tls", acctest.CtTrue),
+					resource.TestCheckResourceAttrPair(resourceName, names.AttrRoleARN, "aws_iam_role.test", names.AttrARN),
+					resource.TestCheckResourceAttr(resourceName, acctest.CtTagsPercent, "0"),
+					resource.TestCheckResourceAttr(resourceName, "vpc_subnet_ids.#", "2"),
+					resource.TestCheckTypeSetElemAttrPair(resourceName, "vpc_subnet_ids.*", "aws_subnet.test.0", names.AttrID),
+					resource.TestCheckTypeSetElemAttrPair(resourceName, "vpc_subnet_ids.*", "aws_subnet.test.1", names.AttrID),
+				),
+			},
+			{
+				Config: testAccProxyConfig_defaultAuthSchemeIAMAUTH(rName),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckProxyExists(ctx, resourceName, &v),
+					resource.TestCheckResourceAttr(resourceName, names.AttrName, rName),
+					resource.TestCheckResourceAttr(resourceName, "engine_family", "MYSQL"),
+					acctest.MatchResourceAttrRegionalARN(ctx, resourceName, names.AttrARN, "rds", regexache.MustCompile(`db-proxy:.+`)),
+					resource.TestCheckResourceAttr(resourceName, "auth.#", "0"),
+					resource.TestCheckResourceAttr(resourceName, "debug_logging", acctest.CtFalse),
+					resource.TestCheckResourceAttr(resourceName, "default_auth_scheme", string(types.DefaultAuthSchemeIamAuth)),
+					resource.TestMatchResourceAttr(resourceName, names.AttrEndpoint, regexache.MustCompile(`^[\w\-\.]+\.rds\.amazonaws\.com$`)),
+					resource.TestCheckResourceAttr(resourceName, "idle_client_timeout", "1800"),
+					resource.TestCheckResourceAttr(resourceName, "require_tls", acctest.CtTrue),
+					resource.TestCheckResourceAttrPair(resourceName, names.AttrRoleARN, "aws_iam_role.test", names.AttrARN),
+					resource.TestCheckResourceAttr(resourceName, acctest.CtTagsPercent, "0"),
+					resource.TestCheckResourceAttr(resourceName, "vpc_subnet_ids.#", "2"),
+					resource.TestCheckTypeSetElemAttrPair(resourceName, "vpc_subnet_ids.*", "aws_subnet.test.0", names.AttrID),
+					resource.TestCheckTypeSetElemAttrPair(resourceName, "vpc_subnet_ids.*", "aws_subnet.test.1", names.AttrID),
+				),
+			},
+		},
+	})
+}
+
 func TestAccRDSProxy_tags(t *testing.T) {
 	ctx := acctest.Context(t)
 	if testing.Short() {
@@ -955,6 +1047,57 @@ resource "aws_secretsmanager_secret_version" "test2" {
 `, rName, nName))
 }
 
+func testAccProxyConfig_defaultAuthSchemeIAMAUTH(rName string) string {
+	return acctest.ConfigCompose(testAccProxyConfig_base(rName), fmt.Sprintf(`
+resource "aws_db_proxy" "test" {
+  depends_on = [
+    aws_secretsmanager_secret_version.test,
+    aws_iam_role_policy.test
+  ]
+
+  name                   = %[1]q
+  debug_logging          = false
+  engine_family          = "MYSQL"
+  idle_client_timeout    = 1800
+  require_tls            = true
+  role_arn               = aws_iam_role.test.arn
+  vpc_security_group_ids = [aws_security_group.test.id]
+  vpc_subnet_ids         = aws_subnet.test[*].id
+
+  default_auth_scheme = "IAM_AUTH"
+}
+`, rName))
+}
+
+func testAccProxyConfig_defaultAuthSchemeNONE(rName string) string {
+	return acctest.ConfigCompose(testAccProxyConfig_base(rName), fmt.Sprintf(`
+resource "aws_db_proxy" "test" {
+  depends_on = [
+    aws_secretsmanager_secret_version.test,
+    aws_iam_role_policy.test
+  ]
+
+  name                   = %[1]q
+  debug_logging          = false
+  engine_family          = "MYSQL"
+  idle_client_timeout    = 1800
+  require_tls            = true
+  role_arn               = aws_iam_role.test.arn
+  vpc_security_group_ids = [aws_security_group.test.id]
+  vpc_subnet_ids         = aws_subnet.test[*].id
+
+  auth {
+    auth_scheme = "SECRETS"
+    description = "test"
+    iam_auth    = "DISABLED"
+    secret_arn  = aws_secretsmanager_secret.test.arn
+  }
+
+  default_auth_scheme = "NONE"
+}
+`, rName))
+}
+
 func testAccProxyConfig_tags1(rName, tagKey1, tagValue1 string) string {
 	return acctest.ConfigCompose(testAccProxyConfig_base(rName), fmt.Sprintf(`
 resource "aws_db_proxy" "test" {
diff --git a/website/docs/d/db_proxy.html.markdown b/website/docs/d/db_proxy.html.markdown
@@ -32,6 +32,7 @@ This data source exports the following attributes in addition to the arguments a
 * `arn` - ARN of the DB Proxy.
 * `auth` - Configuration(s) with authorization mechanisms to connect to the associated instance or cluster.
 * `debug_logging` - Whether the proxy includes detailed information about SQL statements in its logs.
+* `default_auth_scheme` - Default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database.
 * `endpoint` - Endpoint that you can use to connect to the DB proxy.
 * `engine_family` - Kinds of databases that the proxy can connect to.
 * `idle_client_timeout` - Number of seconds a connection to the proxy can have no activity before the proxy drops the client connection.
diff --git a/website/docs/r/db_proxy.html.markdown b/website/docs/r/db_proxy.html.markdown
@@ -98,8 +98,9 @@ This resource supports the following arguments:
 
 * `region` - (Optional) Region where this resource will be [managed](https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints). Defaults to the Region set in the [provider configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#aws-configuration-reference).
 * `name` - (Required) The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens.
-* `auth` - (Required) Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters. Described below.
+* `auth` - (Optional) Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters. Required when `default_auth_scheme` is `NONE` or unspecified. Described below.
 * `debug_logging` - (Optional) Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.
+* `default_auth_scheme` - (Optional) Default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are `NONE` and `IAM_AUTH`. Defaults to `NONE`.
 * `engine_family` - (Required, Forces new resource) The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. For Aurora MySQL, RDS for MariaDB, and RDS for MySQL databases, specify `MYSQL`. For Aurora PostgreSQL and RDS for PostgreSQL databases, specify `POSTGRESQL`. For RDS for Microsoft SQL Server, specify `SQLSERVER`. Valid values are `MYSQL`, `POSTGRESQL`, and `SQLSERVER`.
 * `idle_client_timeout` - (Optional) The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it. You can set this value higher or lower than the connection timeout limit for the associated database.
 * `require_tls` - (Optional) A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.
