diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a6cd369..11084f7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.96.1 + rev: v1.100.0 hooks: - id: terraform_fmt - id: terraform_docs @@ -23,7 +23,7 @@ repos: - '--args=--only=terraform_workspace_remote' - id: terraform_validate - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v5.0.0 + rev: v6.0.0 hooks: - id: check-merge-conflict - id: end-of-file-fixer diff --git a/README.md b/README.md index 3825e57..80cb388 100644 --- a/README.md +++ b/README.md @@ -62,14 +62,14 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [terraform](#requirement\_terraform) | >= 1.5.7 | +| [aws](#requirement\_aws) | >= 6.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 6.0 | ## Modules @@ -97,7 +97,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [auth](#input\_auth) | Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters | `any` | `{}` | no | +| [auth](#input\_auth) | Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters |
map(object({
auth_scheme = optional(string)
client_password_auth_type = optional(string)
description = optional(string)
iam_auth = optional(string)
secret_arn = optional(string)
username = optional(string)
}))
|
{
"default": {
"auth_scheme": "SECRETS"
}
}
| no | | [connection\_borrow\_timeout](#input\_connection\_borrow\_timeout) | The number of seconds for a proxy to wait for a connection to become available in the connection pool | `number` | `null` | no | | [create](#input\_create) | Whether cluster should be created (affects nearly all resources) | `bool` | `true` | no | | [create\_iam\_policy](#input\_create\_iam\_policy) | Determines whether an IAM policy is created | `bool` | `true` | no | @@ -105,7 +105,7 @@ No modules. | [db\_cluster\_identifier](#input\_db\_cluster\_identifier) | DB cluster identifier | `string` | `""` | no | | [db\_instance\_identifier](#input\_db\_instance\_identifier) | DB instance identifier | `string` | `""` | no | | [debug\_logging](#input\_debug\_logging) | Whether the proxy includes detailed information about SQL statements in its logs | `bool` | `false` | no | -| [endpoints](#input\_endpoints) | Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`) | `any` | `{}` | no | +| [endpoints](#input\_endpoints) | Map of DB proxy endpoints to create and their attributes |
map(object({
name = optional(string)
vpc_subnet_ids = list(string)
vpc_security_group_ids = optional(list(string))
target_role = optional(string)
tags = optional(map(string), {})
}))
| `{}` | no | | [engine\_family](#input\_engine\_family) | The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL` | `string` | `""` | no | | [iam\_policy\_name](#input\_iam\_policy\_name) | The name of the role policy. If omitted, Terraform will assign a random, unique name | `string` | `""` | no | | [iam\_role\_description](#input\_iam\_role\_description) | The description of the role | `string` | `""` | no | @@ -118,6 +118,7 @@ No modules. | [idle\_client\_timeout](#input\_idle\_client\_timeout) | The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it | `number` | `1800` | no | | [init\_query](#input\_init\_query) | One or more SQL statements for the proxy to run when opening each new database connection | `string` | `""` | no | | [kms\_key\_arns](#input\_kms\_key\_arns) | List of KMS Key ARNs to allow access to decrypt SecretsManager secrets | `list(string)` | `[]` | no | +| [log\_group\_class](#input\_log\_group\_class) | Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS` | `string` | `null` | no | | [log\_group\_kms\_key\_id](#input\_log\_group\_kms\_key\_id) | The ARN of the KMS Key to use when encrypting log data | `string` | `null` | no | | [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the log group | `number` | `30` | no | | [log\_group\_tags](#input\_log\_group\_tags) | A map of tags to apply to the CloudWatch log group | `map(string)` | `{}` | no | 
@@ -126,6 +127,7 @@ No modules. | [max\_idle\_connections\_percent](#input\_max\_idle\_connections\_percent) | Controls how actively the proxy closes idle database connections in the connection pool | `number` | `50` | no | | [name](#input\_name) | The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens | `string` | `""` | no | | [proxy\_tags](#input\_proxy\_tags) | A map of tags to apply to the RDS Proxy | `map(string)` | `{}` | no | +| [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no | | [require\_tls](#input\_require\_tls) | A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy | `bool` | `true` | no | | [role\_arn](#input\_role\_arn) | The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager | `string` | `""` | no | | [session\_pinning\_filters](#input\_session\_pinning\_filters) | Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection | `list(string)` | `[]` | no | diff --git a/UPGRADE-3.0.md b/docs/UPGRADE-3.0.md similarity index 100% rename from UPGRADE-3.0.md rename to docs/UPGRADE-3.0.md diff --git a/examples/mysql-iam-cluster/README.md b/examples/mysql-iam-cluster/README.md index 922a6e4..a3179b0 100644 --- a/examples/mysql-iam-cluster/README.md +++ b/examples/mysql-iam-cluster/README.md 
@@ -30,23 +30,23 @@ An EC2 instance configuration has been provided for use in validating the exampl | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [terraform](#requirement\_terraform) | >= 1.5.7 | +| [aws](#requirement\_aws) | >= 6.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 6.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 8.0 | +| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 | | [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a | | [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 | ## Resources diff --git a/examples/mysql-iam-cluster/main.tf b/examples/mysql-iam-cluster/main.tf index ea10621..491d029 100644 --- a/examples/mysql-iam-cluster/main.tf +++ b/examples/mysql-iam-cluster/main.tf @@ -69,7 +69,7 @@ module "rds_proxy" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 5.0" + version = "~> 6.0" name = local.name cidr = local.vpc_cidr @@ -84,7 +84,7 @@ module "vpc" { module "rds" { source = "terraform-aws-modules/rds-aurora/aws" - version = "~> 8.0" + version = "~> 9.0" name = local.name engine = "aurora-mysql" diff --git a/examples/mysql-iam-cluster/versions.tf b/examples/mysql-iam-cluster/versions.tf index ddfcb0e..db13b0a 100644 --- a/examples/mysql-iam-cluster/versions.tf +++ b/examples/mysql-iam-cluster/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.5.7" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 6.0" } } } 
diff --git a/examples/mysql-iam-instance/README.md b/examples/mysql-iam-instance/README.md index 8f9e2bb..efb56bc 100644 --- a/examples/mysql-iam-instance/README.md +++ b/examples/mysql-iam-instance/README.md @@ -30,26 +30,26 @@ An EC2 instance configuration has been provided for use in validating the exampl | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [terraform](#requirement\_terraform) | >= 1.5.7 | +| [aws](#requirement\_aws) | >= 6.0 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 6.0 | | [random](#provider\_random) | >= 2.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 5.0 | +| [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 | | [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a | | [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 | | [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 | ## Resources diff --git a/examples/mysql-iam-instance/main.tf b/examples/mysql-iam-instance/main.tf index 5fed116..3a09453 100644 --- a/examples/mysql-iam-instance/main.tf +++ b/examples/mysql-iam-instance/main.tf @@ -61,7 +61,7 @@ module "rds_proxy" { # Target RDS instance target_db_instance = true - db_instance_identifier = module.rds.db_instance_id + db_instance_identifier = module.rds.db_instance_identifier tags = local.tags } @@ -82,7 +82,7 @@ resource "random_password" "password" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 5.0" + version = "~> 6.0" name = local.name cidr = local.vpc_cidr 
@@ -97,7 +97,7 @@ module "vpc" { module "rds" { source = "terraform-aws-modules/rds/aws" - version = "~> 5.0" + version = "~> 6.0" username = local.db_username password = local.db_password diff --git a/examples/mysql-iam-instance/versions.tf b/examples/mysql-iam-instance/versions.tf index b80a85f..d2f4f3e 100644 --- a/examples/mysql-iam-instance/versions.tf +++ b/examples/mysql-iam-instance/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.5.7" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 6.0" } random = { source = "hashicorp/random" diff --git a/examples/postgresql-iam-cluster/README.md b/examples/postgresql-iam-cluster/README.md index 445c455..7fa3f12 100644 --- a/examples/postgresql-iam-cluster/README.md +++ b/examples/postgresql-iam-cluster/README.md @@ -30,23 +30,23 @@ An EC2 instance configuration has been provided for use in validating the exampl | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [terraform](#requirement\_terraform) | >= 1.5.7 | +| [aws](#requirement\_aws) | >= 6.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 6.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 8.0 | +| [rds](#module\_rds) | terraform-aws-modules/rds-aurora/aws | ~> 9.0 | | [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a | | [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 | ## Resources diff --git a/examples/postgresql-iam-cluster/main.tf b/examples/postgresql-iam-cluster/main.tf index 6347ef6..f858511 100644 --- a/examples/postgresql-iam-cluster/main.tf 
+++ b/examples/postgresql-iam-cluster/main.tf @@ -69,7 +69,7 @@ module "rds_proxy" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 5.0" + version = "~> 6.0" name = local.name cidr = local.vpc_cidr @@ -84,7 +84,7 @@ module "vpc" { module "rds" { source = "terraform-aws-modules/rds-aurora/aws" - version = "~> 8.0" + version = "~> 9.0" name = local.name engine = "aurora-postgresql" diff --git a/examples/postgresql-iam-cluster/versions.tf b/examples/postgresql-iam-cluster/versions.tf index ddfcb0e..db13b0a 100644 --- a/examples/postgresql-iam-cluster/versions.tf +++ b/examples/postgresql-iam-cluster/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.5.7" required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.0" + version = ">= 6.0" } } } diff --git a/examples/postgresql-iam-instance/README.md b/examples/postgresql-iam-instance/README.md index 9960340..be5783d 100644 --- a/examples/postgresql-iam-instance/README.md +++ b/examples/postgresql-iam-instance/README.md 
@@ -30,26 +30,26 @@ An EC2 instance configuration has been provided for use in validating the exampl | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 5.0 | +| [terraform](#requirement\_terraform) | >= 1.5.7 | +| [aws](#requirement\_aws) | >= 6.0 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 5.0 | +| [aws](#provider\_aws) | >= 6.0 | | [random](#provider\_random) | >= 2.0 | ## Modules | Name | Source | Version | |------|--------|---------| -| [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 5.0 | +| [rds](#module\_rds) | terraform-aws-modules/rds/aws | ~> 6.0 | | [rds\_proxy](#module\_rds\_proxy) | ../../ | n/a | | [rds\_proxy\_sg](#module\_rds\_proxy\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 | | [rds\_sg](#module\_rds\_sg) | terraform-aws-modules/security-group/aws | ~> 5.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 6.0 | ## Resources diff --git a/examples/postgresql-iam-instance/main.tf b/examples/postgresql-iam-instance/main.tf index 5a0a254..c5a7849 100644 --- a/examples/postgresql-iam-instance/main.tf +++ b/examples/postgresql-iam-instance/main.tf @@ -61,7 +61,7 @@ module "rds_proxy" { # Target RDS instance target_db_instance = true - db_instance_identifier = module.rds.db_instance_id + db_instance_identifier = module.rds.db_instance_identifier tags = local.tags } @@ -82,7 +82,7 @@ resource "random_password" "password" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 5.0" + version = "~> 6.0" name = local.name cidr = local.vpc_cidr @@ -97,7 +97,7 @@ module "vpc" { module "rds" { source = "terraform-aws-modules/rds/aws" - version = "~> 5.0" + version = "~> 6.0" username = local.db_username password = local.db_password 
diff --git a/examples/postgresql-iam-instance/versions.tf b/examples/postgresql-iam-instance/versions.tf
index b80a85f..d2f4f3e 100644
--- a/examples/postgresql-iam-instance/versions.tf
+++ b/examples/postgresql-iam-instance/versions.tf
@@ -1,10 +1,10 @@
 terraform {
- required_version = ">= 1.0"
+ required_version = ">= 1.5.7"
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 6.0"
 }
 random = {
 source = "hashicorp/random"
diff --git a/main.tf b/main.tf
index f622a07..0e84fb5 100644
--- a/main.tf
+++ b/main.tf
@@ -1,17 +1,3 @@
-locals {
- role_arn = var.create && var.create_iam_role ? aws_iam_role.this[0].arn : var.role_arn
- role_name = coalesce(var.iam_role_name, var.name)
- policy_name = coalesce(var.iam_policy_name, var.name)
-}
-
-data "aws_region" "current" {}
-data "aws_partition" "current" {}
-data "aws_service_principal" "rds" {
- count = var.create && var.create_iam_role ? 1 : 0
-
- service_name = "rds"
- region = data.aws_region.current.name
-}
 ################################################################################
 # RDS Proxy
 ################################################################################
@@ -19,16 +5,18 @@ data "aws_service_principal" "rds" {
 resource "aws_db_proxy" "this" {
 count = var.create ? 1 : 0
+ region = var.region
+
 dynamic "auth" {
 for_each = var.auth
 content {
- auth_scheme = try(auth.value.auth_scheme, "SECRETS")
- client_password_auth_type = try(auth.value.client_password_auth_type, null)
- description = try(auth.value.description, null)
- iam_auth = try(auth.value.iam_auth, null)
- secret_arn = try(auth.value.secret_arn, null)
- username = try(auth.value.username, null)
+ auth_scheme = auth.value.auth_scheme
+ client_password_auth_type = auth.value.client_password_auth_type
+ description = auth.value.description
+ iam_auth = auth.value.iam_auth
+ secret_arn = auth.value.secret_arn
+ username = auth.value.username
 }
 }
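Review bot: The `auth_scheme` default is lost for caller-supplied entries: the removed `try(auth.value.auth_scheme, "SECRETS")` filled in `SECRETS` whenever the key was omitted, while the typed `optional(string)` now passes `null` through to `aws_db_proxy`, so only the module's own default entry still carries the scheme. Either keep the fallback in the dynamic block, `auth_scheme = coalesce(auth.value.auth_scheme, "SECRETS")`, or declare the attribute as `optional(string, "SECRETS")` in the `auth` variable type so the previously documented default survives for every entry. The `aws_db_proxy` resource body continues past the end of this hunk.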
@@ -37,7 +25,7 @@ resource "aws_db_proxy" "this" {
 idle_client_timeout = var.idle_client_timeout
 name = var.name
 require_tls = var.require_tls
- role_arn = local.role_arn
+ role_arn = try(aws_iam_role.this[0].arn, var.role_arn)
 vpc_security_group_ids = var.vpc_security_group_ids
 vpc_subnet_ids = var.vpc_subnet_ids
@@ -46,9 +34,15 @@ resource "aws_db_proxy" "this" {
 depends_on = [aws_cloudwatch_log_group.this]
 }
+################################################################################
+# Default Target Group
+################################################################################
+
 resource "aws_db_proxy_default_target_group" "this" {
 count = var.create ? 1 : 0
+ region = var.region
+
 db_proxy_name = aws_db_proxy.this[0].name
 connection_pool_config {
@@ -60,9 +54,15 @@ resource "aws_db_proxy_default_target_group" "this" {
 }
 }
+################################################################################
+# Target(s)
+################################################################################
+
 resource "aws_db_proxy_target" "db_instance" {
 count = var.create && var.target_db_instance ? 1 : 0
+ region = var.region
+
 db_proxy_name = aws_db_proxy.this[0].name
 target_group_name = aws_db_proxy_default_target_group.this[0].name
 db_instance_identifier = var.db_instance_identifier
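Review bot: `role_arn = try(aws_iam_role.this[0].arn, var.role_arn)` turns a deliberate condition into error suppression: any evaluation error on the role reference — not only the expected empty-list index when `create_iam_role` is false — silently falls back to `var.role_arn`, whose default is `""`, so a misconfiguration only surfaces as an API rejection at apply time instead of at plan. Since this commit defines `local.create_iam_role` later in the same file, the explicit form `role_arn = local.create_iam_role ? aws_iam_role.this[0].arn : var.role_arn` states the intent and keeps plan-time errors visible. The `aws_db_proxy` resource begins and ends outside this hunk.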
@@ -71,33 +71,44 @@ resource "aws_db_proxy_target" "db_instance" {
 resource "aws_db_proxy_target" "db_cluster" {
 count = var.create && var.target_db_cluster ? 1 : 0
+ region = var.region
+
 db_proxy_name = aws_db_proxy.this[0].name
 target_group_name = aws_db_proxy_default_target_group.this[0].name
 db_cluster_identifier = var.db_cluster_identifier
 }
+################################################################################
+# Endpoint(s)
+################################################################################
+
 resource "aws_db_proxy_endpoint" "this" {
 for_each = { for k, v in var.endpoints : k => v if var.create }
+ region = var.region
+
 db_proxy_name = aws_db_proxy.this[0].name
- db_proxy_endpoint_name = each.value.name
+ db_proxy_endpoint_name = coalesce(each.value.name, each.key)
 vpc_subnet_ids = each.value.vpc_subnet_ids
- vpc_security_group_ids = lookup(each.value, "vpc_security_group_ids", null)
- target_role = lookup(each.value, "target_role", null)
+ vpc_security_group_ids = each.value.vpc_security_group_ids
+ target_role = each.value.target_role
- tags = lookup(each.value, "tags", var.tags)
+ tags = merge(var.tags, each.value.tags)
 }
 ################################################################################
-# CloudWatch Logs
+# CloudWatch Log Group
 ################################################################################
 resource "aws_cloudwatch_log_group" "this" {
 count = var.create && var.manage_log_group ? 1 : 0
+ region = var.region
+
 name = "/aws/rds/proxy/${var.name}"
 retention_in_days = var.log_group_retention_in_days
 kms_key_id = var.log_group_kms_key_id
+ log_group_class = var.log_group_class
 tags = merge(var.tags, var.log_group_tags)
 }
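Review bot: `vpc_security_group_ids = each.value.vpc_security_group_ids` sends `null` to `aws_db_proxy_endpoint` whenever a caller omits the key, so an additional endpoint can end up with a different network boundary from the main proxy, which is always built from `var.vpc_security_group_ids`; I believe AWS then falls back to the VPC default security group, which is rarely what a reader/writer endpoint should expose — confirm against the API. Defaulting the endpoint to the proxy's own groups keeps the two consistent: `vpc_security_group_ids = each.value.vpc_security_group_ids != null ? each.value.vpc_security_group_ids : var.vpc_security_group_ids`. If the current behaviour is intended, the `endpoints` variable description should say what an omitted value means, and the `tags` change from replace to `merge(var.tags, each.value.tags)` deserves a line in the upgrade notes as it alters existing endpoints' tags.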
@@ -106,8 +117,37 @@ resource "aws_cloudwatch_log_group" "this" {
 # IAM Role
 ################################################################################
+locals {
+ create_iam_role = var.create && var.create_iam_role
+
+ role_name = coalesce(var.iam_role_name, var.name)
+ policy_name = coalesce(var.iam_policy_name, var.name)
+
+ partition = try(data.aws_partition.current[0].partition, "aws")
+ dns_suffix = try(data.aws_partition.current[0].dns_suffix, "amazonaws.com")
+ region = try(data.aws_region.current[0].region, var.region)
+}
+
+data "aws_region" "current" {
+ count = local.create_iam_role ? 1 : 0
+
+ region = var.region
+}
+
+data "aws_partition" "current" {
+ count = local.create_iam_role ? 1 : 0
+}
+
+data "aws_service_principal" "rds" {
+ count = local.create_iam_role ? 1 : 0
+
+ service_name = "rds"
+ region = data.aws_region.current[0].region
+}
+
+
 data "aws_iam_policy_document" "assume_role" {
- count = var.create && var.create_iam_role ? 1 : 0
+ count = local.create_iam_role ? 1 : 0
 statement {
 sid = "RDSAssume"
@@ -122,7 +162,7 @@ data "aws_iam_policy_document" "assume_role" {
 }
 resource "aws_iam_role" "this" {
- count = var.create && var.create_iam_role ? 1 : 0
+ count = local.create_iam_role ? 1 : 0
 name = var.use_role_name_prefix ? null : local.role_name
 name_prefix = var.use_role_name_prefix ? "${local.role_name}-" : null
@@ -137,8 +177,12 @@ resource "aws_iam_role" "this" {
 tags = merge(var.tags, var.iam_role_tags)
 }
+################################################################################
+# IAM Role Policy
+################################################################################
+
 data "aws_iam_policy_document" "this" {
- count = var.create && var.create_iam_role && var.create_iam_policy ? 1 : 0
+ count = local.create_iam_role && var.create_iam_policy ? 1 : 0
 statement {
 sid = "DecryptSecrets"
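Review bot: The fallbacks in the new `locals` — `try(..., "aws")`, `try(..., "amazonaws.com")` and `try(..., var.region)` — hard-code the commercial partition (and a possibly-null region) for the case where no IAM role is created; nothing reads them in that case today, because `aws_iam_policy_document.this` is gated by the same `local.create_iam_role`, but any future consumer would silently build a wrong ARN or `kms:ViaService` value in the GovCloud or China partitions. Since `aws_partition` and `aws_region` make no API calls, the simpler option is to drop their `count` and reference them directly, removing the fallbacks altogether. If the conditional data sources are kept, a warning comment on the locals is warranted: `# Fallbacks are unreachable while every consumer shares local.create_iam_role; do not reuse outside the IAM policy`.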
@@ -146,14 +190,14 @@ data "aws_iam_policy_document" "this" {
 actions = ["kms:Decrypt"]
 resources = coalescelist(
 var.kms_key_arns,
- ["arn:${data.aws_partition.current.partition}:kms:*:*:key/*"]
+ ["arn:${local.partition}:kms:*:*:key/*"]
 )
 condition {
 test = "StringEquals"
 variable = "kms:ViaService"
 values = [
- "secretsmanager.${data.aws_region.current.name}.${data.aws_partition.current.dns_suffix}"
+ "secretsmanager.${local.region}.${local.dns_suffix}"
 ]
 }
 }
@@ -183,7 +227,7 @@ data "aws_iam_policy_document" "this" {
 }
 resource "aws_iam_role_policy" "this" {
- count = var.create && var.create_iam_role && var.create_iam_policy ? 1 : 0
+ count = local.create_iam_role && var.create_iam_policy ? 1 : 0
 name = var.use_policy_name_prefix ? null : local.policy_name
 name_prefix = var.use_policy_name_prefix ? "${local.policy_name}-" : null
diff --git a/outputs.tf b/outputs.tf
index fce0928..dac0a37 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,4 +1,7 @@
+################################################################################
 # RDS Proxy
+################################################################################
+
 output "proxy_id" {
 description = "The ID for the proxy"
 value = try(aws_db_proxy.this[0].id, null)
@@ -14,7 +17,10 @@ output "proxy_endpoint" {
 value = try(aws_db_proxy.this[0].endpoint, null)
 }
-# Proxy Default Target Group
+################################################################################
+# Default Target Group
+################################################################################
+
 output "proxy_default_target_group_id" {
 description = "The ID for the default target group"
 value = try(aws_db_proxy_default_target_group.this[0].id, null)
@@ -30,7 +36,10 @@ output "proxy_default_target_group_name" {
 value = try(aws_db_proxy_default_target_group.this[0].name, null)
 }
-# Proxy Target
+################################################################################
+# Target(s)
+################################################################################
+
 output "proxy_target_endpoint" {
 description = "Hostname for the target RDS DB Instance. Only returned for `RDS_INSTANCE` type"
 value = try(aws_db_proxy_target.db_instance[0].endpoint, aws_db_proxy_target.db_cluster[0].endpoint, null)
@@ -66,13 +75,19 @@ output "proxy_target_type" {
 value = try(aws_db_proxy_target.db_instance[0].type, aws_db_proxy_target.db_cluster[0].type, null)
 }
-# DB proxy endpoints
+################################################################################
+# Endpoint(s)
+################################################################################
+
 output "db_proxy_endpoints" {
 description = "Array containing the full resource object and attributes for all DB proxy endpoints created"
 value = aws_db_proxy_endpoint.this
 }
-# CloudWatch logs
+################################################################################
+# CloudWatch Log Group
+################################################################################
+
 output "log_group_arn" {
 description = "The Amazon Resource Name (ARN) of the CloudWatch log group"
 value = try(aws_cloudwatch_log_group.this[0].arn, null)
@@ -83,7 +98,10 @@ output "log_group_name" {
 value = try(aws_cloudwatch_log_group.this[0].name, null)
 }
-# IAM role
+################################################################################
+# IAM Role
+################################################################################
+
 output "iam_role_arn" {
 description = "The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager."
 value = try(aws_iam_role.this[0].arn, null)
diff --git a/variables.tf b/variables.tf
index 41657a9..e1a1012 100644
--- a/variables.tf
+++ b/variables.tf
@@ -4,6 +4,12 @@ variable "create" {
 default = true
 }
+variable "region" {
+ description = "Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration"
+ type = string
+ default = null
+}
+
 variable "tags" {
 description = "A map of tags to add to all resources"
 type = map(string)
@@ -22,8 +28,19 @@ variable "name" {
 variable "auth" {
 description = "Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters"
- type = any
- default = {}
+ type = map(object({
+ auth_scheme = optional(string)
+ client_password_auth_type = optional(string)
+ description = optional(string)
+ iam_auth = optional(string)
+ secret_arn = optional(string)
+ username = optional(string)
+ }))
+ default = {
+ default = {
+ auth_scheme = "SECRETS"
+ }
+ }
 }
 variable "debug_logging" {
@@ -74,7 +91,10 @@ variable "proxy_tags" {
 default = {}
 }
-# Proxy Default Target Group
+################################################################################
+# Default Target Group
+################################################################################
+
 variable "connection_borrow_timeout" {
 description = "The number of seconds for a proxy to wait for a connection to become available in the connection pool"
 type = number
@@ -105,7 +125,10 @@ variable "session_pinning_filters" {
 default = []
 }
-# Proxy Target
+################################################################################
+# Target(s)
+################################################################################
+
 variable "target_db_instance" {
 description = "Determines whether DB instance is targeted by proxy"
 type = bool
@@ -130,11 +153,20 @@ variable "db_cluster_identifier" {
 default = ""
 }
-# Proxy endpoints
+################################################################################
+# Endpoint(s)
+################################################################################
+
 variable "endpoints" {
- description = "Map of DB proxy endpoints to create and their attributes (see `aws_db_proxy_endpoint`)"
- type = any
- default = {}
+ description = "Map of DB proxy endpoints to create and their attributes"
+ type = map(object({
+ name = optional(string)
+ vpc_subnet_ids = list(string)
+ vpc_security_group_ids = optional(list(string))
+ target_role = optional(string)
+ tags = optional(map(string), {})
+ }))
+ default = {}
 }
 ################################################################################
@@ -159,6 +191,12 @@ variable "log_group_kms_key_id" {
 default = null
 }
+variable "log_group_class" {
+ description = "Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS`"
+ type = string
+ default = null
+}
+
 variable "log_group_tags" {
 description = "A map of tags to apply to the CloudWatch log group"
 type = map(string)
@@ -223,7 +261,10 @@ variable "iam_role_tags" {
 default = {}
 }
-# IAM Policy
+################################################################################
+# IAM Role Policy
+################################################################################
+
 variable "create_iam_policy" {
 description = "Determines whether an IAM policy is created"
 type = bool
diff --git a/versions.tf b/versions.tf
index ddfcb0e..db13b0a 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,10 +1,10 @@
 terraform {
- required_version = ">= 1.0"
+ required_version = ">= 1.5.7"
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 5.0"
+ version = ">= 6.0"
 }
 }
 }
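Review bot: The new `log_group_class` description has a typo that the generated README already copies verbatim: `Specified the log class of the log group` should read `description = "Specifies the log class of the log group. Possible values are: \`STANDARD\` or \`INFREQUENT_ACCESS\`"`. Re-running terraform-docs after the fix will correct the README row as well.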