Is your request related to a new offering from AWS?

Not a new offering, unsure if the desired feature is supported by the current module and dependencies.

Is your request related to a problem? Please describe.

Not a problem specific to the module. Need clarification if the module supports my use case.

Describe the solution you'd like.

Ideally, a solution that allows assigning a policy to an AWS SSO role that allows users to authenticate to a database using individual credentials without having to maintain a separate password.

If it isn't feasible to implement the solution with individual database user accounts, then using a shared account on the DB side as long as there is an audit trail back to the user who assumed the role and connected to the proxy.

A hypothetical deployment might look like this:

1. have an Aurora Postgres cluster configured without IAM authentication enabled
2. create a pg user with the appropriate permissions for a dev to have for that environment
3. set this tf module up to create an RDS Proxy that authenticates clients connecting to it with a specific IAM role and if they have the role, connect to the database using the pg user from #2
4. create a policy that grants the ability to assume the role from #3 to any AWS SSO user that has a particular group or tag

Describe alternatives you've considered.

Standard AWS help docs on IAMDBAuth don't really touch on using an SSO assumed role, just plain static IAM accounts.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.DBAccounts.html#UsingWithRDS.IAMDBAuth.DBAccounts.PostgreSQL

This sample seems to be a good fit, but it is using CloudFormation and Lambdas that complicate matters.
https://github.com/aws-samples/sso-sync-to-amazon-rds

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

• Yes ✅

Is your request related to a problem? Please describe.

• To use IAM Authentication against the DB Proxy, the proxy resource ID is required, such as prx-123456 - this is an immutable field, unlike name (which can change and is the typical way of interacting with RDS resources).
• See https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html

DbiResourceId is the identifier for the DB instance. This identifier is unique to an AWS Region and never changes. In the example policy, the identifier is db-ABCDEFGHIJKL01234.
If you are connecting to a database through RDS Proxy, specify the proxy resource ID, such as prx-ABCDEFGHIJKL01234.

• Currently, this ID is not exported, which is most likely a side effect of the Attribute export from the db_proxy resource, where the id seems to return the pretty name and arn contains the ARN.
  https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy#attribute-reference (The documentation appears to be wrong here regarding id)
  And the reasoning: https://github.com/hashicorp/terraform-provider-aws/blob/7f0a73253c273a9ef143189f94890fc66d0dcb9c/internal/service/rds/proxy.go#L243-L245

Describe the solution you'd like.

To make integrations easier into IAM policies, a new output (to remain backwards compatible) could be made:
proxy_resource_id: prx-123456

output "proxy_resource_id" {
  description = "The prx- Resource ID for the proxy, for IAM policies"
  value       = try(split(":", try(aws_db_proxy.this[0].arn, null))[6], null)
}

Describe alternatives you've considered.

The current workaround is to use the above try logic defined as a local, then use the string in the relevant IAM policy document, for example:

locals {
  # The Proxy Module and resource doesn't return the actual prx-id, so we have to parse it out for IAM usage
  proxy_resource_id = try(split(":", try(module.postgresql_proxy.proxy_arn, ""))[6], "unset")
}

...
resources = [
     "arn:aws:rds-db:us-east-1:${data.aws_caller_identity.current.account_id}:dbuser:${local.proxy_resource_id}/a_user"
]

It might be decided that this should live in the provider repo to export the specific value in a standalone fashion; however, it can be derived from the arn.

Is your request related to a new offering from AWS?

No

Is your request related to a problem? Please describe.

RDS Proxy requires a Security Group allowing ingress to the proxy and egress to the target database. Allowing creation of an SG inside this module would greatly simplify many implementations.

Describe the solution you'd like.

A basic security group created by this module.

Describe alternatives you've considered.

Possible alternatives:

• write a wrapper around this module and terraform-aws-security-group to create the necessary Security Group.
• Use the terraform-aws-security-group module separetely to create the necessary SG, then use that as input for the terraform-aws-rds-proxy module.

Additional context

N/A

Can't have more than 1 secret for the input variable secrets.
It errors out with the following:
│ Error: Insufficient auth blocks │ │ on .terraform/modules/rds_proxy/main.tf line 13, in resource "aws_db_proxy" "this": │ 13: resource "aws_db_proxy" "this" { │ │ At least 1 "auth" blocks are required. ╵ ╷ │ Error: Invalid dynamic for_each value │ │ on .terraform/modules/rds_proxy/main.tf line 26, in resource "aws_db_proxy" "this": │ 26: for_each = var.secrets │ │ Cannot use a map of object value in for_each. An iterable collection is required.

Thanks in advance

Describe the bug

  secrets = {
    "${local.db_username_1}" = {
      description = module.creds_1.description
      arn         = module.creds_1.secret_arn
      kms_key_id  = data.aws_kms_alias.secretsmanager.id
    },
    "${local.db_username_2}" = {
      description = module.creds_2.description
      arn         = module.creds_2.secret_arn
      kms_key_id  = data.aws_kms_alias.secretsmanager.id
    }
  }

when I try to attach more than one secrets, the terraform fails to exit after creating the resources. When I try to kill it and start again terraform fails to refresh the state and give below error:

Error: Error reading RDS DB Proxy (): RequestError: send request failed
caused by: Post "https://rds.eu-west-2.amazonaws.com/": net/http: HTTP/1.x transport connection broken: too many transfer encodings: ["chunked" "chunked"]

To Reproduce
Steps to reproduce the behavior:
Just try to attach more than one secret to the same RDS Proxy instance.

Expected behavior
Terraform should be able to refresh the state

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: macOS 11.1
• Terraform Version: 14.4

Is your request related to a problem? Please describe.

Currently iam_auth is set proxy wide and pulled into the dynamic auth loop in the aws_db_proxy resource. With this approach you can't break down different users into IAM and non IAM authentication for the proxy.

Describe the solution you'd like.

Make it so that iam_auth can be pulled from the secrets object into the dynamic auth block instead of being set globally for the whole proxy.

Describe the bug

Running into the issue when creating the IAM role

│ Error: Error putting IAM role policy chapstick-rds-proxy: MalformedPolicyDocument: Resource  must be in ARN format or "*".
│ 	status code: 400, request id: 2cd81d3c-374c-4b97-9243-96eda3afb0db
│
│   with module.chapstick_rds_proxy.aws_iam_role_policy.this[0],
│   on .terraform/modules/chapstick_rds_proxy/main.tf line 176, in resource "aws_iam_role_policy" "this":
│  176: resource "aws_iam_role_policy" "this" {

To Reproduce
Steps to reproduce the behavior:

1. use the default example to create the proxy

Description

• ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
2. Re-initialize the project root to pull down modules: terraform init
3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

• Module version [Required]: 2.1.0
• Terraform version: 1.1.8
• Provider version(s): 4

Reproduction Code [Required]

module "rds_proxy" {
  name = local.name
  source = "terraform-aws-modules/rds-proxy/aws"
  version = "2.1.0"

  # disable TLS check
  require_tls = false

  name                   = local.name
  iam_role_name          = local.name
  iam_policy_name         = local.name
  use_policy_name_prefix = true
  use_role_name_prefix   = true

  vpc_subnet_ids         = module.vpc.private_subnets
  vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]

  db_proxy_endpoints = {
    read_write = {
      name                   = "read-write-endpoint"
      vpc_subnet_ids         = module.vpc.private_subnets
      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
      tags                   = local.tags
    }
  }

  secrets = {
    "${local.db_username}" = {
      auth_scheme = "SECRETS"
      iam_auth    = "DISABLED"
      description = aws_secretsmanager_secret.superuser.description
      arn         = aws_secretsmanager_secret.superuser.arn
      kms_key_id  = aws_secretsmanager_secret.superuser.kms_key_id
    }
  }

  engine_family = "MYSQL"

  # Target Aurora cluster
  target_db_cluster     = true
  db_cluster_identifier = module.rds.cluster_id

  tags = local.tags
}

Steps to reproduce the behavior:

Expected behavior

Actual behavior

Error output

│ Error: Error creating DB Proxy: InvalidParameterValue: Must enable TLS, when IAM Auth is required
│ 	status code: 400, request id: de2093bc-e0b0-427c-9683-17d0bb843ece

Terminal Output Screenshot(s)

Additional context

Is your feature request related to a problem? Please describe.
Proxy endpoint support just landed. Could we add this? 😄

The example shows this as a guid. It needs to be an arn, else the creation of the role will fail.

Description

When creating a Proxy that works with a RDS Postgres instance, I receive the following error
╷ │ Error: only lowercase alphanumeric characters and hyphens allowed in "db_instance_identifier" │ │ with module.rds_proxy.aws_db_proxy_target.db_instance[0], │ on ../../main.tf line 63, in resource "aws_db_proxy_target" "db_instance": │ 63: db_instance_identifier = var.db_instance_identifier
I was able to reproduce this both in my configuration and the example configuration provided for postgres-iam-isntance. I was able to resolve this in my configuration by using the identifier attribute instead of the id of the RDS instance resource

Versions

• Module version [Required]:

• Terraform version:
  1.4.5

• Provider version(s):

• provider registry.terraform.io/hashicorp/aws v5.1.0
• provider registry.terraform.io/hashicorp/random v3.5.1

Reproduction Code [Required]

Was able to reproduce by running a terraform plan && terraform apply using the postgres-iam-instance example module provided.

Steps to reproduce the behavior:
Run a terraform plan & apply on the postgres-iam-instance example module provided

Expected behavior

Successful terraform apply

Actual behavior

Terraform failed to apply with an error message.

Terminal Output Screenshot(s)

Description

Small bug in module, an IAM Policy is referencing a secret id instead of the arn.

• main.tf :: line 138

• ✋ I have searched the open/closed issues and my issue is not listed.

Versions

terraform {
  required_version = "=1.4.6"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.67.0"
    }
    null = {
      source  = "hashicorp/null"
      version = "3.2.1"
    }
    tls = {
      source  = "hashicorp/tls"
      version = "4.0.4"
    }
  }
}

Reproduction Code

module "rds_proxy" {
  source                  = "terraform-aws-modules/rds-proxy/aws"
  version                 = "~>2.1.2"

  create_proxy            = true

  name                    = "${local.project_name}-rds-proxy"
  iam_role_name           = "${local.project_name}-rds-proxy-role"
  vpc_subnet_ids          = module.subnets.private_subnet_ids
  vpc_security_group_ids  = [module.rds_proxy_sg.security_group_id]

  db_proxy_endpoints      = {
    read_only = {
      name                   = "read-only-endpoint"
      vpc_subnet_ids         = module.subnets.private_subnet_ids
      vpc_security_group_ids = [module.rds_proxy_sg.security_group_id]
      target_role            = "READ_ONLY"
      tags                   = local.rds_proxy_tags
    }
  }

  secrets                 = {
    "rdxproxyadmin" = {
      description = aws_secretsmanager_secret.rds_proxy.description
      arn         = aws_secretsmanager_secret.rds_proxy.arn
      kms_key_id  = aws_secretsmanager_secret.rds_proxy.kms_key_id
    }
  }

  engine_family           = "POSTGRESQL"
  debug_logging           = true
  idle_client_timeout     = 300

  # Target Aurora cluster
  target_db_cluster       = true
  db_cluster_identifier   = module.aurora_postgresql_v2.cluster_id

  tags                    = local.rds_proxy_tags
}

Steps to reproduce the behavior:

• Try running module with IAM role

Expected behavior

• IAM Policy to be created

Actual behavior

• Error: Malformed IAM Policy - Resource must be "*" or ARN

Description

Terraform plan for RDS Proxy consistently detects changes that are false positives,
as it is trying to set value null instead of "DISABLED" for auth.iam_auth.
I am not even using IAM auth for this proxy.

Versions

• Module version [Required]: 3.1.0
• Terraform version: 1.6.2
• Provider version(s): hashicorp/aws v5.25.0

Reproduction Code [Required]

Steps to reproduce the behavior:

I am not using workspaces,
I have cleared the local cache and performed again terraform init and terraform plan,

Sharing steps:

Considering the complexity of the command to create a RDS proxy (many inputs that depends on your own environment and subnets and secrets), I am sharing here an example in my own environment that may not be reproducible as is (need to set your values) in yours

module "aws_rds_proxy" {
  source  = "terraform-aws-modules/rds-proxy/aws"
  version = "3.1.0"

  name            = local.proxy_identifier
  iam_role_name   = "${local.proxy_identifier}-role"
  
  vpc_subnet_ids         = var.subnet_ids
  vpc_security_group_ids = var.security_group_ids
  require_tls            = var.require_tls

  endpoints = {
    read_write = {
      name                    = "read-write-endpoint"
      vpc_subnet_ids          = var.subnet_ids
      vpc_security_group_ids  = var.security_group_ids

    },
    read_only = {
      name                    = "read-only-endpoint"
      vpc_subnet_ids          = var.subnet_ids
      vpc_security_group_ids  = var.security_group_ids
      target_role             = "READ_ONLY"
    }
  }

  auth = {
    "superuser" = {
      description             = "Target database superuser password"
      secret_arn              = var.target_superuser_secret_arn
    }
  }

  # target RDS cluster or instance
  engine_family               = var.target_engine_family
  target_db_cluster           = var.target_type == "cluster"
  db_cluster_identifier       = var.target_identifier
}

Expected behavior

Given a basic configuration of a RDS Proxy as the one reported,
Given a terraform apply was completed successfully before,
When a terraform plan command is executed,
Then the command should result in an empty plan

Actual behavior

Given a basic configuration of a RDS Proxy as the one reported,
Given a terraform apply was completed successfully before,
When a terraform plan command is executed,
the command consistently results in a non-empty plan as follows:

  # module.aurora_cluster_postgres.module.aurora_postgres_aws_rds_proxy[0].module.aws_rds_proxy.aws_db_proxy.this[0] will be updated in-place
  ~ resource "aws_db_proxy" "this" {
        id                     = "pan-dev-aurora-postgres-cluster-proxy"
        name                   = "pan-dev-aurora-postgres-cluster-proxy"
        tags                   = {}
        # (10 unchanged attributes hidden)

      ~ auth {
          - iam_auth                  = "DISABLED" -> null
            # (4 unchanged attributes hidden)
        }
    }

Terminal Output Screenshot(s)

Additional context