mysql_iam_cluster


RDS Proxy - IAM Authentication & MySQL Cluster

Configuration in this directory creates:

  • AWS RDS Proxy w/ IAM authentication enabled for an RDS Aurora MySQL cluster

Usage

To run this example you need to execute:

$ terraform init
$ terraform plan
$ terraform apply

Note that this example may create resources which will incur monetary charges on your AWS bill. Run terraform destroy when you no longer need these resources.

Validation

An EC2 instance configuration has been provided for use in validating the example configuration. After provisioning the configuration, there are some outputs that have been provided to aid in validating changes. To perform validation, after the EC2 instance finishes provisioning:

  1. Connect to the EC2 instance using Session Manager
  2. Copy the output from superuser_proxy_iam_token and paste it into the Session Manager window - this generates the token for connecting to the proxy with IAM auth.
  3. Copy the output from superuser_proxy_iam_connect and paste it into the window
  4. You should now be connected to the example database in the RDS instance via the RDS Proxy using IAM authentication
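Steps 2 and 3 combined into one script, as an added example; it is not the text of the `superuser_proxy_iam_token` or `superuser_proxy_iam_connect` outputs, which this page does not show. The variable names and the MySQL 5.7+/8.0 client are assumptions.

```shell
#!/bin/sh
# Added example (constructed): validation steps 2 and 3 as one script.
# Assumed, hypothetical inputs: PROXY_ENDPOINT, DB_USER, DB_NAME, AWS_REGION,
# CA_FILE (CA bundle that signs the proxy's TLS certificate).
# Assumes the AWS CLI and a MySQL 5.7+/8.0 client are installed.
PROXY_PORT="${PROXY_PORT:-3306}"

# Step 2: request a short-lived IAM auth token. It is signed for one
# host:port/user tuple, so the hostname must be the proxy endpoint,
# not the Aurora cluster endpoint.
proxy_iam_token() {
  aws rds generate-db-auth-token \
    --hostname "$PROXY_ENDPOINT" --port "$PROXY_PORT" \
    --region "$AWS_REGION" --username "$DB_USER"
}

# Reject anything that is not a presigned connect token for this proxy
# (for example an error message captured from the CLI).
token_looks_valid() {
  case "$1" in "$PROXY_ENDPOINT:$PROXY_PORT/?"*) ;; *) return 1 ;; esac
  case "$1" in *"Action=connect"*) ;; *) return 1 ;; esac
  case "$1" in *"X-Amz-Signature="*) ;; *) return 1 ;; esac
}

# Step 3: connect through the proxy with the token as the password.
proxy_iam_connect() {
  token="$(proxy_iam_token)" || return 1
  token_looks_valid "$token" || { echo "unexpected token format" >&2; return 1; }
  # MYSQL_PWD keeps the token out of the argument list. The client sends it
  # in cleartext inside TLS, so verify the server certificate and hostname.
  MYSQL_PWD="$token" mysql \
    --host="$PROXY_ENDPOINT" --port="$PROXY_PORT" --user="$DB_USER" \
    --ssl-mode=VERIFY_IDENTITY --ssl-ca="$CA_FILE" \
    --enable-cleartext-plugin "$DB_NAME"
}

# Run as: sh script.sh connect
if [ "${1:-}" = "connect" ]; then proxy_iam_connect; fi
```

The instance role must be allowed `rds-db:connect` for the database user, and a token that fails the format check usually means the AWS CLI call returned an error rather than a token.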

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13.1 |
| aws | >= 3.38 |

Providers

| Name | Version |
|------|---------|
| aws | 3.59.0 |
| random | 3.1.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| ec2_instance | terraform-aws-modules/ec2-instance/aws | ~> 3 |
| ec2_sg | terraform-aws-modules/security-group/aws | ~> 4 |
| rds | terraform-aws-modules/rds-aurora/aws | ~> 4 |
| rds_proxy | ../../ | n/a |
| rds_proxy_sg | terraform-aws-modules/security-group/aws | ~> 4 |
| vpc | terraform-aws-modules/vpc/aws | ~> 3 |

Resources

| Name | Type |
|------|------|
| aws_db_parameter_group.aurora_db_mysql57_parameter_group | resource |
| aws_iam_instance_profile.ec2_test | resource |
| aws_iam_role.ec2_test | resource |
| aws_iam_role_policy.ec2_test | resource |
| aws_iam_role_policy_attachment.ec2_ssm | resource |
| aws_rds_cluster_parameter_group.aurora_cluster_mysql57_parameter_group | resource |
| aws_secretsmanager_secret.superuser | resource |
| aws_secretsmanager_secret_version.superuser | resource |
| random_password.password | resource |
| random_pet.users | resource |
| aws_ami.ubuntu | data source |
| aws_caller_identity.current | data source |
| aws_iam_policy_document.ec2_test | data source |
| aws_iam_policy_document.ec2_test_assume | data source |
| aws_kms_alias.secretsmanager | data source |
| aws_region.current | data source |

Inputs

No inputs.

Outputs

| Name | Description |
|------|-------------|
| db_proxy_endpoints | Array containing the full resource object and attributes for all DB proxy endpoints created |
| log_group_arn | The Amazon Resource Name (ARN) of the CloudWatch log group |
| proxy_arn | The Amazon Resource Name (ARN) for the proxy |
| proxy_default_target_group_arn | The Amazon Resource Name (ARN) for the default target group |
| proxy_default_target_group_id | The ID for the default target group |
| proxy_default_target_group_name | The name of the default target group |
| proxy_endpoint | The endpoint that you can use to connect to the proxy |
| proxy_id | The ID for the proxy |
| proxy_target_endpoint | Hostname for the target RDS DB Instance. Only returned for RDS_INSTANCE type |
| proxy_target_id | Identifier of db_proxy_name, target_group_name, target type (e.g. RDS_INSTANCE or TRACKED_CLUSTER), and resource identifier separated by forward slashes (/) |
| proxy_target_port | Port for the target RDS DB Instance or Aurora DB Cluster |
| proxy_target_rds_resource_id | Identifier representing the DB Instance or DB Cluster target |
| proxy_target_target_arn | Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API |
| proxy_target_tracked_cluster_id | DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS_INSTANCE target that is part of a DB Cluster |
| proxy_target_type | Type of target, e.g. RDS_INSTANCE or TRACKED_CLUSTER |
| superuser_db_password_connect | Connect to database using superuser with username/password directly to database |
| superuser_proxy_iam_connect | Connect to RDS Proxy using IAM auth via token generated |
| superuser_proxy_iam_token | Generate connection token for connecting to RDS Proxy with IAM auth |

Apache-2.0 Licensed. See LICENSE.