diff --git a/aws/provider.go b/aws/provider.go index a1b76404f1c..f25813e8821 100644 --- a/aws/provider.go +++ b/aws/provider.go @@ -501,6 +501,7 @@ func Provider() *schema.Provider { "aws_db_instance_role_association": resourceAwsDbInstanceRoleAssociation(), "aws_db_option_group": resourceAwsDbOptionGroup(), "aws_db_parameter_group": resourceAwsDbParameterGroup(), + "aws_db_proxy": resourceAwsDbProxy(), "aws_db_security_group": resourceAwsDbSecurityGroup(), "aws_db_snapshot": resourceAwsDbSnapshot(), "aws_db_subnet_group": resourceAwsDbSubnetGroup(), diff --git a/aws/resource_aws_db_proxy.go b/aws/resource_aws_db_proxy.go new file mode 100644 index 00000000000..8905e8f3627 --- /dev/null +++ b/aws/resource_aws_db_proxy.go @@ -0,0 +1,394 @@ +package aws + +import ( + "fmt" + "log" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/rds" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" + "github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags" +) + +func resourceAwsDbProxy() *schema.Resource { + return &schema.Resource{ + Create: resourceAwsDbProxyCreate, + Read: resourceAwsDbProxyRead, + Update: resourceAwsDbProxyUpdate, + Delete: resourceAwsDbProxyDelete, + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, + + Timeouts: &schema.ResourceTimeout{ + Create: schema.DefaultTimeout(30 * time.Minute), + Update: schema.DefaultTimeout(30 * time.Minute), + Delete: schema.DefaultTimeout(30 * time.Minute), + }, + + Schema: map[string]*schema.Schema{ + "arn": { + Type: schema.TypeString, + Computed: true, + }, + "name": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validateRdsIdentifier, + }, + "debug_logging": { + Type: schema.TypeBool, + Optional: true, + }, + "engine_family": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateFunc: validation.StringInSlice(rds.EngineFamily_Values(), false), + }, + "idle_client_timeout": { + Type: schema.TypeInt, + Optional: true, + Computed: true, + }, + "require_tls": { + Type: schema.TypeBool, + Optional: true, + }, + "role_arn": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validateArn, + }, + "vpc_security_group_ids": { + Type: schema.TypeSet, + Optional: true, + Computed: true, + Elem: &schema.Schema{Type: schema.TypeString}, + Set: schema.HashString, + }, + "vpc_subnet_ids": { + Type: schema.TypeSet, + Required: true, + ForceNew: true, + Elem: &schema.Schema{Type: schema.TypeString}, + Set: schema.HashString, + }, + "auth": { + Type: schema.TypeSet, + Required: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "auth_scheme": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice(rds.AuthScheme_Values(), false), + }, + "description": { + Type: schema.TypeString, + Optional: true, + }, + "iam_auth": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice(rds.IAMAuthMode_Values(), false), + }, + "secret_arn": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validateArn, + }, + }, + }, + }, + "endpoint": { + Type: schema.TypeString, + Computed: true, + }, + "tags": tagsSchema(), + }, + } +} + +func resourceAwsDbProxyCreate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).rdsconn + tags := keyvaluetags.New(d.Get("tags").(map[string]interface{})).IgnoreAws().RdsTags() + + params := rds.CreateDBProxyInput{ + Auth: expandDbProxyAuth(d.Get("auth").(*schema.Set).List()), + DBProxyName: aws.String(d.Get("name").(string)), + EngineFamily: aws.String(d.Get("engine_family").(string)), + RoleArn: aws.String(d.Get("role_arn").(string)), + Tags: tags, + VpcSubnetIds: expandStringSet(d.Get("vpc_subnet_ids").(*schema.Set)), + } + + if v, ok := d.GetOk("debug_logging"); ok { + params.DebugLogging = aws.Bool(v.(bool)) + } + + if v, ok := d.GetOk("idle_client_timeout"); ok { + params.IdleClientTimeout = aws.Int64(int64(v.(int))) + } + + if v, ok := d.GetOk("require_tls"); ok { + params.RequireTLS = aws.Bool(v.(bool)) + } + + if v := d.Get("vpc_security_group_ids").(*schema.Set); v.Len() > 0 { + params.VpcSecurityGroupIds = expandStringSet(v) + } + + log.Printf("[DEBUG] Create DB Proxy: %#v", params) + resp, err := conn.CreateDBProxy(¶ms) + if err != nil { + return fmt.Errorf("Error creating DB Proxy: %s", err) + } + + d.SetId(aws.StringValue(resp.DBProxy.DBProxyName)) + log.Printf("[INFO] DB Proxy ID: %s", d.Id()) + + stateChangeConf := &resource.StateChangeConf{ + Pending: []string{rds.DBProxyStatusCreating}, + Target: []string{rds.DBProxyStatusAvailable}, + Refresh: resourceAwsDbProxyRefreshFunc(conn, d.Id()), + Timeout: d.Timeout(schema.TimeoutCreate), + } + + _, err = stateChangeConf.WaitForState() + if err != nil { + return fmt.Errorf("Error waiting for DB Proxy creation: %s", err) + } + + return resourceAwsDbProxyRead(d, meta) +} + +func resourceAwsDbProxyRefreshFunc(conn *rds.RDS, proxyName string) resource.StateRefreshFunc { + return func() (interface{}, string, error) { + resp, err := conn.DescribeDBProxies(&rds.DescribeDBProxiesInput{ + DBProxyName: aws.String(proxyName), + }) + + if err != nil { + if isAWSErr(err, rds.ErrCodeDBProxyNotFoundFault, "") { + return 42, "", nil + } + return 42, "", err + } + + dbProxy := resp.DBProxies[0] + return dbProxy, *dbProxy.Status, nil + } +} + +func expandDbProxyAuth(l []interface{}) []*rds.UserAuthConfig { + if len(l) == 0 { + return nil + } + + userAuthConfigs := make([]*rds.UserAuthConfig, 0, len(l)) + + for _, mRaw := range l { + m, ok := mRaw.(map[string]interface{}) + + if !ok { + continue + } + + userAuthConfig := &rds.UserAuthConfig{} + + if v, ok := m["auth_scheme"].(string); ok && v != "" { + userAuthConfig.AuthScheme = aws.String(v) + } + + if v, ok := m["description"].(string); ok && v != "" { + userAuthConfig.Description = aws.String(v) + } + + if v, ok := m["iam_auth"].(string); ok && v != "" { + userAuthConfig.IAMAuth = aws.String(v) + } + + if v, ok := m["secret_arn"].(string); ok && v != "" { + userAuthConfig.SecretArn = aws.String(v) + } + + userAuthConfigs = append(userAuthConfigs, userAuthConfig) + } + + return userAuthConfigs +} + +func flattenDbProxyAuth(userAuthConfig *rds.UserAuthConfigInfo) map[string]interface{} { + m := make(map[string]interface{}) + + m["auth_scheme"] = aws.StringValue(userAuthConfig.AuthScheme) + m["description"] = aws.StringValue(userAuthConfig.Description) + m["iam_auth"] = aws.StringValue(userAuthConfig.IAMAuth) + m["secret_arn"] = aws.StringValue(userAuthConfig.SecretArn) + + return m +} + +func flattenDbProxyAuths(userAuthConfigs []*rds.UserAuthConfigInfo) []interface{} { + s := []interface{}{} + for _, v := range userAuthConfigs { + s = append(s, flattenDbProxyAuth(v)) + } + return s +} + +func resourceAwsDbProxyRead(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).rdsconn + ignoreTagsConfig := meta.(*AWSClient).IgnoreTagsConfig + + params := rds.DescribeDBProxiesInput{ + DBProxyName: aws.String(d.Id()), + } + + resp, err := conn.DescribeDBProxies(¶ms) + if err != nil { + if isAWSErr(err, rds.ErrCodeDBProxyNotFoundFault, "") { + log.Printf("[WARN] DB Proxy (%s) not found, removing from state", d.Id()) + d.SetId("") + return nil + } + return fmt.Errorf("Error reading RDS DB Proxy (%s): %w", d.Id(), err) + } + + var dbProxy *rds.DBProxy + for _, proxy := range resp.DBProxies { + if proxy == nil { + continue + } + + if aws.StringValue(proxy.DBProxyName) == d.Id() { + dbProxy = proxy + break + } + } + if dbProxy == nil { + log.Printf("[WARN] DB Proxy (%s) not found, removing from state", d.Id()) + d.SetId("") + return nil + } + + d.Set("arn", dbProxy.DBProxyArn) + d.Set("auth", flattenDbProxyAuths(dbProxy.Auth)) + d.Set("name", dbProxy.DBProxyName) + d.Set("debug_logging", dbProxy.DebugLogging) + d.Set("engine_family", dbProxy.EngineFamily) + d.Set("idle_client_timeout", dbProxy.IdleClientTimeout) + d.Set("require_tls", dbProxy.RequireTLS) + d.Set("role_arn", dbProxy.RoleArn) + d.Set("vpc_subnet_ids", flattenStringSet(dbProxy.VpcSubnetIds)) + d.Set("vpc_security_group_ids", flattenStringSet(dbProxy.VpcSecurityGroupIds)) + d.Set("endpoint", dbProxy.Endpoint) + + tags, err := keyvaluetags.RdsListTags(conn, d.Get("arn").(string)) + + if err != nil { + return fmt.Errorf("Error listing tags for RDS DB Proxy (%s): %s", d.Get("arn").(string), err) + } + + if err := d.Set("tags", tags.IgnoreAws().IgnoreConfig(ignoreTagsConfig).Map()); err != nil { + return fmt.Errorf("Error setting tags: %s", err) + } + + return nil +} + +func resourceAwsDbProxyUpdate(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).rdsconn + + if d.HasChanges( + "auth", + "debug_logging", + "idle_client_timeout", + "name", + "require_tls", + "role_arn", + "vpc_security_group_ids") { + + oName, nName := d.GetChange("name") + + params := rds.ModifyDBProxyInput{ + Auth: expandDbProxyAuth(d.Get("auth").(*schema.Set).List()), + DBProxyName: aws.String(oName.(string)), + NewDBProxyName: aws.String(nName.(string)), + DebugLogging: aws.Bool(d.Get("debug_logging").(bool)), + RequireTLS: aws.Bool(d.Get("require_tls").(bool)), + RoleArn: aws.String(d.Get("role_arn").(string)), + } + + if v, ok := d.GetOk("idle_client_timeout"); ok { + params.IdleClientTimeout = aws.Int64(int64(v.(int))) + } + + if v := d.Get("vpc_security_group_ids").(*schema.Set); v.Len() > 0 { + params.SecurityGroups = expandStringSet(v) + } + + log.Printf("[DEBUG] Update DB Proxy: %#v", params) + _, err := conn.ModifyDBProxy(¶ms) + if err != nil { + return fmt.Errorf("Error updating DB Proxy: %s", err) + } + + // DB Proxy Name is used as an ID as the API doesn't provide a way to read/ + // update/delete DB proxies using the ARN + d.SetId(nName.(string)) + log.Printf("[INFO] Updated DB Proxy ID: %s", d.Id()) + + stateChangeConf := &resource.StateChangeConf{ + Pending: []string{rds.DBProxyStatusModifying}, + Target: []string{rds.DBProxyStatusAvailable}, + Refresh: resourceAwsDbProxyRefreshFunc(conn, d.Id()), + Timeout: d.Timeout(schema.TimeoutUpdate), + } + + _, err = stateChangeConf.WaitForState() + if err != nil { + return fmt.Errorf("Error waiting for DB Proxy update: %s", err) + } + } + + if d.HasChange("tags") { + o, n := d.GetChange("tags") + + if err := keyvaluetags.RdsUpdateTags(conn, d.Get("arn").(string), o, n); err != nil { + return fmt.Errorf("Error updating RDS DB Proxy (%s) tags: %s", d.Get("arn").(string), err) + } + } + + return resourceAwsDbProxyRead(d, meta) +} + +func resourceAwsDbProxyDelete(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).rdsconn + + params := rds.DeleteDBProxyInput{ + DBProxyName: aws.String(d.Id()), + } + _, err := conn.DeleteDBProxy(¶ms) + if err != nil { + return fmt.Errorf("Error deleting DB Proxy: %s", err) + } + + stateChangeConf := &resource.StateChangeConf{ + Pending: []string{rds.DBProxyStatusDeleting}, + Target: []string{""}, + Refresh: resourceAwsDbProxyRefreshFunc(conn, d.Id()), + Timeout: d.Timeout(schema.TimeoutDelete), + } + + _, err = stateChangeConf.WaitForState() + if err != nil { + return fmt.Errorf("Error waiting for DB Proxy deletion: %s", err) + } + + return nil +} diff --git a/aws/resource_aws_db_proxy_test.go b/aws/resource_aws_db_proxy_test.go new file mode 100644 index 00000000000..8cbab8c62bc --- /dev/null +++ b/aws/resource_aws_db_proxy_test.go @@ -0,0 +1,921 @@ +package aws + +import ( + "fmt" + "log" + "regexp" + "testing" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/rds" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/terraform" + "github.com/terraform-providers/terraform-provider-aws/aws/internal/tfawsresource" +) + +func init() { + resource.AddTestSweepers("aws_db_proxy", &resource.Sweeper{ + Name: "aws_db_proxy", + F: testSweepRdsDbProxies, + }) +} + +func testSweepRdsDbProxies(region string) error { + client, err := sharedClientForRegion(region) + if err != nil { + return fmt.Errorf("Error getting client: %s", err) + } + conn := client.(*AWSClient).rdsconn + + err = conn.DescribeDBProxiesPages(&rds.DescribeDBProxiesInput{}, func(out *rds.DescribeDBProxiesOutput, lastPage bool) bool { + for _, dbpg := range out.DBProxies { + if dbpg == nil { + continue + } + + input := &rds.DeleteDBProxyInput{ + DBProxyName: dbpg.DBProxyName, + } + name := aws.StringValue(dbpg.DBProxyName) + + log.Printf("[INFO] Deleting DB Proxy: %s", name) + + _, err := conn.DeleteDBProxy(input) + + if err != nil { + log.Printf("[ERROR] Failed to delete DB Proxy %s: %s", name, err) + continue + } + } + + return !lastPage + }) + + if testSweepSkipSweepError(err) { + log.Printf("[WARN] Skipping RDS DB Proxy sweep for %s: %s", region, err) + return nil + } + + if err != nil { + return fmt.Errorf("Error retrieving DB Proxies: %s", err) + } + + return nil +} + +func TestAccAWSDBProxy_basic(t *testing.T) { + var v rds.DBProxy + resourceName := "aws_db_proxy.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBProxyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSDBProxyConfig(rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &v), + resource.TestCheckResourceAttr(resourceName, "name", rName), + resource.TestCheckResourceAttr(resourceName, "engine_family", "MYSQL"), + testAccMatchResourceAttrRegionalARN(resourceName, "arn", "rds", regexp.MustCompile(`db-proxy:.+`)), + resource.TestCheckResourceAttr(resourceName, "auth.#", "1"), + tfawsresource.TestCheckTypeSetElemNestedAttrs(resourceName, "auth.*", map[string]string{ + "auth_scheme": "SECRETS", + "description": "test", + "iam_auth": "DISABLED", + }), + resource.TestCheckResourceAttr(resourceName, "debug_logging", "false"), + resource.TestCheckResourceAttr(resourceName, "idle_client_timeout", "1800"), + resource.TestCheckResourceAttrPair(resourceName, "role_arn", "aws_iam_role.test", "arn"), + resource.TestCheckResourceAttr(resourceName, "require_tls", "true"), + resource.TestCheckResourceAttr(resourceName, "vpc_subnet_ids.#", "2"), + tfawsresource.TestCheckTypeSetElemAttrPair(resourceName, "vpc_subnet_ids.*", "aws_subnet.test.0", "id"), + tfawsresource.TestCheckTypeSetElemAttrPair(resourceName, "vpc_subnet_ids.*", "aws_subnet.test.1", "id"), + resource.TestMatchResourceAttr(resourceName, "endpoint", regexp.MustCompile(`^[\w\-\.]+\.rds\.amazonaws\.com$`))), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func TestAccAWSDBProxy_Name(t *testing.T) { + var dbProxy rds.DBProxy + resourceName := "aws_db_proxy.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + nName := acctest.RandomWithPrefix("tf-acc-test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBProxyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSDBProxyConfigName(rName, rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "name", rName), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSDBProxyConfigName(rName, nName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "name", nName), + ), + }, + }, + }) +} + +func TestAccAWSDBProxy_DebugLogging(t *testing.T) { + var dbProxy rds.DBProxy + resourceName := "aws_db_proxy.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBProxyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSDBProxyConfigDebugLogging(rName, true), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "debug_logging", "true"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSDBProxyConfigDebugLogging(rName, false), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "debug_logging", "false"), + ), + }, + }, + }) +} + +func TestAccAWSDBProxy_IdleClientTimeout(t *testing.T) { + var dbProxy rds.DBProxy + resourceName := "aws_db_proxy.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBProxyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSDBProxyConfigIdleClientTimeout(rName, 900), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "idle_client_timeout", "900"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSDBProxyConfigIdleClientTimeout(rName, 3600), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "idle_client_timeout", "3600"), + ), + }, + }, + }) +} + +func TestAccAWSDBProxy_RequireTls(t *testing.T) { + var dbProxy rds.DBProxy + resourceName := "aws_db_proxy.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBProxyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSDBProxyConfigRequireTls(rName, true), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "require_tls", "true"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSDBProxyConfigRequireTls(rName, false), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "require_tls", "false"), + ), + }, + }, + }) +} + +func TestAccAWSDBProxy_RoleArn(t *testing.T) { + var dbProxy rds.DBProxy + resourceName := "aws_db_proxy.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + nName := acctest.RandomWithPrefix("tf-acc-test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBProxyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSDBProxyConfigName(rName, rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttrPair(resourceName, "role_arn", "aws_iam_role.test", "arn"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSDBProxyConfigRoleArn(rName, nName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttrPair(resourceName, "role_arn", "aws_iam_role.test2", "arn"), + ), + }, + }, + }) +} + +func TestAccAWSDBProxy_VpcSecurityGroupIds(t *testing.T) { + var dbProxy rds.DBProxy + resourceName := "aws_db_proxy.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + nName := acctest.RandomWithPrefix("tf-acc-test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBProxyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSDBProxyConfigName(rName, rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "vpc_security_group_ids.#", "1"), + tfawsresource.TestCheckTypeSetElemAttrPair(resourceName, "vpc_security_group_ids.*", "aws_security_group.test", "id"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSDBProxyConfigVpcSecurityGroupIds(rName, nName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "vpc_security_group_ids.#", "1"), + tfawsresource.TestCheckTypeSetElemAttrPair(resourceName, "vpc_security_group_ids.*", "aws_security_group.test2", "id"), + ), + }, + }, + }) +} + +func TestAccAWSDBProxy_AuthDescription(t *testing.T) { + var dbProxy rds.DBProxy + resourceName := "aws_db_proxy.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + description := "foo" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBProxyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSDBProxyConfigName(rName, rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "auth.0.description", "test"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSDBProxyConfigAuthDescription(rName, description), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "auth.0.description", description), + ), + }, + }, + }) +} + +func TestAccAWSDBProxy_AuthIamAuth(t *testing.T) { + var dbProxy rds.DBProxy + resourceName := "aws_db_proxy.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + iamAuth := "REQUIRED" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBProxyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSDBProxyConfigName(rName, rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "auth.0.iam_auth", "DISABLED"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSDBProxyConfigAuthIamAuth(rName, iamAuth), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "auth.0.iam_auth", iamAuth), + ), + }, + }, + }) +} + +func TestAccAWSDBProxy_AuthSecretArn(t *testing.T) { + var dbProxy rds.DBProxy + resourceName := "aws_db_proxy.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + nName := acctest.RandomWithPrefix("tf-acc-test") + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBProxyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSDBProxyConfigName(rName, rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttrPair(resourceName, "auth.0.secret_arn", "aws_secretsmanager_secret.test", "arn"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSDBProxyConfigAuthSecretArn(rName, nName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttrPair(resourceName, "auth.0.secret_arn", "aws_secretsmanager_secret.test2", "arn"), + ), + }, + }, + }) +} + +func TestAccAWSDBProxy_Tags(t *testing.T) { + var dbProxy rds.DBProxy + resourceName := "aws_db_proxy.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + key := "foo" + value := "bar" + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBProxyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSDBProxyConfigName(rName, rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "tags.#", "0"), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + { + Config: testAccAWSDBProxyConfigTags(rName, key, value), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &dbProxy), + resource.TestCheckResourceAttr(resourceName, "tags.foo", value), + ), + }, + }, + }) +} + +func TestAccAWSDBProxy_disappears(t *testing.T) { + var v rds.DBProxy + resourceName := "aws_db_proxy.test" + rName := acctest.RandomWithPrefix("tf-acc-test") + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBProxyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSDBProxyConfig(rName), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &v), + testAccCheckResourceDisappears(testAccProvider, resourceAwsDbProxy(), resourceName), + ), + ExpectNonEmptyPlan: true, + }, + }, + }) +} + +func testAccCheckAWSDBProxyDestroy(s *terraform.State) error { + conn := testAccProvider.Meta().(*AWSClient).rdsconn + + for _, rs := range s.RootModule().Resources { + if rs.Type != "aws_db_proxy" { + continue + } + + // Try to find the Group + resp, err := conn.DescribeDBProxies( + &rds.DescribeDBProxiesInput{ + DBProxyName: aws.String(rs.Primary.ID), + }) + + if err == nil { + if len(resp.DBProxies) != 0 && + *resp.DBProxies[0].DBProxyName == rs.Primary.ID { + return fmt.Errorf("DB Proxy still exists") + } + } + + if !isAWSErr(err, rds.ErrCodeDBProxyNotFoundFault, "") { + return err + } + } + + return nil +} + +func testAccCheckAWSDBProxyExists(n string, v *rds.DBProxy) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("No DB Proxy ID is set") + } + + conn := testAccProvider.Meta().(*AWSClient).rdsconn + + opts := rds.DescribeDBProxiesInput{ + DBProxyName: aws.String(rs.Primary.ID), + } + + resp, err := conn.DescribeDBProxies(&opts) + + if err != nil { + return err + } + + if len(resp.DBProxies) != 1 || + *resp.DBProxies[0].DBProxyName != rs.Primary.ID { + return fmt.Errorf("DB Proxy not found") + } + + *v = *resp.DBProxies[0] + + return nil + } +} + +func testAccAWSDBProxyConfigBase(rName string) string { + return fmt.Sprintf(` +# Secrets Manager setup + +resource "aws_secretsmanager_secret" "test" { + name = "%[1]s" + recovery_window_in_days = 0 +} + +resource "aws_secretsmanager_secret_version" "test" { + secret_id = aws_secretsmanager_secret.test.id + secret_string = "{\"username\":\"db_user\",\"password\":\"db_user_password\"}" +} + +# IAM setup + +resource "aws_iam_role" "test" { + name = "%[1]s" + assume_role_policy = data.aws_iam_policy_document.assume.json +} + +data "aws_iam_policy_document" "assume" { + statement { + actions = ["sts:AssumeRole"] + principals { + type = "Service" + identifiers = ["rds.amazonaws.com"] + } + } +} + +resource "aws_iam_role_policy" "test" { + role = aws_iam_role.test.id + policy = data.aws_iam_policy_document.test.json +} + +data "aws_iam_policy_document" "test" { + statement { + actions = [ + "secretsmanager:GetRandomPassword", + "secretsmanager:CreateSecret", + "secretsmanager:ListSecrets", + ] + resources = ["*"] + } + + statement { + actions = ["secretsmanager:*"] + resources = [aws_secretsmanager_secret.test.arn] + } +} + +# VPC setup + +data "aws_availability_zones" "available" { + state = "available" + + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } +} + +resource "aws_vpc" "test" { + cidr_block = "10.0.0.0/16" + + tags = { + Name = "%[1]s" + } +} + +resource "aws_security_group" "test" { + name = "%[1]s" + vpc_id = aws_vpc.test.id +} + +resource "aws_subnet" "test" { + count = 2 + cidr_block = cidrsubnet(aws_vpc.test.cidr_block, 8, count.index) + availability_zone = data.aws_availability_zones.available.names[count.index] + vpc_id = aws_vpc.test.id + + tags = { + Name = "%[1]s-${count.index}" + } +} +`, rName) +} + +func testAccAWSDBProxyConfig(rName string) string { + return testAccAWSDBProxyConfigBase(rName) + fmt.Sprintf(` +resource "aws_db_proxy" "test" { + depends_on = [ + aws_secretsmanager_secret_version.test, + aws_iam_role_policy.test + ] + + name = "%[1]s" + debug_logging = false + engine_family = "MYSQL" + idle_client_timeout = 1800 + require_tls = true + role_arn = aws_iam_role.test.arn + vpc_security_group_ids = [aws_security_group.test.id] + vpc_subnet_ids = aws_subnet.test.*.id + + auth { + auth_scheme = "SECRETS" + description = "test" + iam_auth = "DISABLED" + secret_arn = aws_secretsmanager_secret.test.arn + } + + tags = { + Name = "%[1]s" + } +} +`, rName) +} + +func testAccAWSDBProxyConfigName(rName, nName string) string { + return testAccAWSDBProxyConfigBase(rName) + fmt.Sprintf(` +resource "aws_db_proxy" "test" { + depends_on = [ + aws_secretsmanager_secret_version.test, + aws_iam_role_policy.test + ] + + name = "%[2]s" + engine_family = "MYSQL" + role_arn = aws_iam_role.test.arn + vpc_security_group_ids = [aws_security_group.test.id] + vpc_subnet_ids = aws_subnet.test.*.id + + auth { + auth_scheme = "SECRETS" + description = "test" + iam_auth = "DISABLED" + secret_arn = aws_secretsmanager_secret.test.arn + } +} +`, rName, nName) +} + +func testAccAWSDBProxyConfigDebugLogging(rName string, debugLogging bool) string { + return testAccAWSDBProxyConfigBase(rName) + fmt.Sprintf(` +resource "aws_db_proxy" "test" { + depends_on = [ + aws_secretsmanager_secret_version.test, + aws_iam_role_policy.test + ] + + name = "%[1]s" + debug_logging = %[2]t + engine_family = "MYSQL" + role_arn = aws_iam_role.test.arn + vpc_subnet_ids = aws_subnet.test.*.id + + auth { + auth_scheme = "SECRETS" + description = "test" + iam_auth = "DISABLED" + secret_arn = aws_secretsmanager_secret.test.arn + } +} +`, rName, debugLogging) +} + +func testAccAWSDBProxyConfigIdleClientTimeout(rName string, idleClientTimeout int) string { + return testAccAWSDBProxyConfigBase(rName) + fmt.Sprintf(` +resource "aws_db_proxy" "test" { + depends_on = [ + aws_secretsmanager_secret_version.test, + aws_iam_role_policy.test + ] + + name = "%[1]s" + idle_client_timeout = %[2]d + engine_family = "MYSQL" + role_arn = aws_iam_role.test.arn + vpc_subnet_ids = aws_subnet.test.*.id + + auth { + auth_scheme = "SECRETS" + description = "test" + iam_auth = "DISABLED" + secret_arn = aws_secretsmanager_secret.test.arn + } +} +`, rName, idleClientTimeout) +} + +func testAccAWSDBProxyConfigRequireTls(rName string, requireTls bool) string { + return testAccAWSDBProxyConfigBase(rName) + fmt.Sprintf(` +resource "aws_db_proxy" "test" { + depends_on = [ + aws_secretsmanager_secret_version.test, + aws_iam_role_policy.test + ] + + name = "%[1]s" + require_tls = %[2]t + engine_family = "MYSQL" + role_arn = aws_iam_role.test.arn + vpc_subnet_ids = aws_subnet.test.*.id + + auth { + auth_scheme = "SECRETS" + description = "test" + iam_auth = "DISABLED" + secret_arn = aws_secretsmanager_secret.test.arn + } +} +`, rName, requireTls) +} + +func testAccAWSDBProxyConfigRoleArn(rName, nName string) string { + return testAccAWSDBProxyConfigBase(rName) + fmt.Sprintf(` +resource "aws_db_proxy" "test" { + depends_on = [ + aws_secretsmanager_secret_version.test, + aws_iam_role_policy.test2 + ] + + name = "%[1]s" + engine_family = "MYSQL" + role_arn = aws_iam_role.test2.arn + vpc_subnet_ids = aws_subnet.test.*.id + + auth { + auth_scheme = "SECRETS" + description = "test" + iam_auth = "DISABLED" + secret_arn = aws_secretsmanager_secret.test.arn + } +} + +# IAM setup + +resource "aws_iam_role" "test2" { + name = "%[2]s" + assume_role_policy = data.aws_iam_policy_document.assume.json +} + +resource "aws_iam_role_policy" "test2" { + role = aws_iam_role.test.id + policy = data.aws_iam_policy_document.test.json +} +`, rName, nName) +} + +func testAccAWSDBProxyConfigVpcSecurityGroupIds(rName, nName string) string { + return testAccAWSDBProxyConfigBase(rName) + fmt.Sprintf(` +resource "aws_db_proxy" "test" { + depends_on = [ + aws_secretsmanager_secret_version.test, + aws_iam_role_policy.test + ] + + name = "%[1]s" + engine_family = "MYSQL" + role_arn = aws_iam_role.test.arn + vpc_security_group_ids = [aws_security_group.test2.id] + vpc_subnet_ids = aws_subnet.test.*.id + + auth { + auth_scheme = "SECRETS" + description = "test" + iam_auth = "DISABLED" + secret_arn = aws_secretsmanager_secret.test.arn + } +} + +resource "aws_security_group" "test2" { + name = "%[2]s" + vpc_id = aws_vpc.test.id +} +`, rName, nName) +} + +func testAccAWSDBProxyConfigAuthDescription(rName, description string) string { + return testAccAWSDBProxyConfigBase(rName) + fmt.Sprintf(` +resource "aws_db_proxy" "test" { + depends_on = [ + aws_secretsmanager_secret_version.test, + aws_iam_role_policy.test + ] + + name = "%[1]s" + engine_family = "MYSQL" + role_arn = aws_iam_role.test.arn + vpc_security_group_ids = [aws_security_group.test.id] + vpc_subnet_ids = aws_subnet.test.*.id + + auth { + auth_scheme = "SECRETS" + description = "%[2]s" + iam_auth = "DISABLED" + secret_arn = aws_secretsmanager_secret.test.arn + } +} +`, rName, description) +} + +func testAccAWSDBProxyConfigAuthIamAuth(rName, iamAuth string) string { + return testAccAWSDBProxyConfigBase(rName) + fmt.Sprintf(` +resource "aws_db_proxy" "test" { + depends_on = [ + aws_secretsmanager_secret_version.test, + aws_iam_role_policy.test + ] + + name = "%[1]s" + engine_family = "MYSQL" + role_arn = aws_iam_role.test.arn + require_tls = true + vpc_security_group_ids = [aws_security_group.test.id] + vpc_subnet_ids = aws_subnet.test.*.id + + auth { + auth_scheme = "SECRETS" + description = "test" + iam_auth = "%[2]s" + secret_arn = aws_secretsmanager_secret.test.arn + } +} +`, rName, iamAuth) +} + +func testAccAWSDBProxyConfigAuthSecretArn(rName, nName string) string { + return testAccAWSDBProxyConfigBase(rName) + fmt.Sprintf(` +resource "aws_db_proxy" "test" { + depends_on = [ + aws_secretsmanager_secret_version.test, + aws_iam_role_policy.test + ] + + name = "%[1]s" + engine_family = "MYSQL" + role_arn = aws_iam_role.test.arn + vpc_security_group_ids = [aws_security_group.test.id] + vpc_subnet_ids = aws_subnet.test.*.id + + auth { + auth_scheme = "SECRETS" + description = "test" + iam_auth = "DISABLED" + secret_arn = aws_secretsmanager_secret.test2.arn + } +} + +resource "aws_secretsmanager_secret" "test2" { + name = "%[2]s" + recovery_window_in_days = 0 +} + +resource "aws_secretsmanager_secret_version" "test2" { + secret_id = aws_secretsmanager_secret.test2.id + secret_string = "{\"username\":\"db_user\",\"password\":\"db_user_password\"}" +} +`, rName, nName) +} + +func testAccAWSDBProxyConfigTags(rName, key, value string) string { + return testAccAWSDBProxyConfigBase(rName) + fmt.Sprintf(` +resource "aws_db_proxy" "test" { + depends_on = [ + aws_secretsmanager_secret_version.test, + aws_iam_role_policy.test + ] + + name = "%[1]s" + engine_family = "MYSQL" + role_arn = aws_iam_role.test.arn + vpc_security_group_ids = [aws_security_group.test.id] + vpc_subnet_ids = aws_subnet.test.*.id + + auth { + auth_scheme = "SECRETS" + description = "test" + iam_auth = "DISABLED" + secret_arn = aws_secretsmanager_secret.test.arn + } + + tags = { + %[2]s = "%[3]s" + } +} +`, rName, key, value) +} diff --git a/website/docs/r/db_proxy.html.markdown b/website/docs/r/db_proxy.html.markdown new file mode 100644 index 00000000000..0253f19ceff --- /dev/null +++ b/website/docs/r/db_proxy.html.markdown @@ -0,0 +1,86 @@ +--- +subcategory: "RDS" +layout: "aws" +page_title: "AWS: aws_db_proxy" +description: |- + Provides an RDS DB proxy resource. +--- + +# Resource: aws_db_proxy + +Provides an RDS DB proxy resource. For additional information, see the [RDS User Guide](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy.html). + +## Example Usage + +```hcl +resource "aws_db_proxy" "example" { + name = "example" + debug_logging = false + engine_family = "MYSQL" + idle_client_timeout = 1800 + require_tls = true + role_arn = aws_iam_role.example.arn + vpc_security_group_ids = [aws_security_group.example.id] + vpc_subnet_ids = [aws_subnet.example.id] + + auth { + auth_scheme = "SECRETS" + description = "example" + iam_auth = "DISABLED" + secret_arn = aws_secretsmanager_secret.example.arn + } + + tags = { + Name = "example" + Key = "value" + } +} +``` + +## Argument Reference + +The following arguments are supported: + +* `name` - (Required) The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens. +* `auth` - (Required) Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters. Described below. +* `debug_logging` - (Optional) Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs. +* `engine_family` - (Required, Forces new resource) The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. Currently, this value is always `MYSQL`. The engine family applies to both RDS MySQL and Aurora MySQL. +* `idle_client_timeout` - (Optional) The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it. You can set this value higher or lower than the connection timeout limit for the associated database. +* `require_tls` - (Optional) A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy. +* `role_arn` - (Required) The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager. +* `vpc_security_group_ids` - (Optional) One or more VPC security group IDs to associate with the new proxy. +* `vpc_subnet_ids` - (Required) One or more VPC subnet IDs to associate with the new proxy. +describe-db-parameters.html) after initial creation of the group. +* `tags` - (Optional) A mapping of tags to assign to the resource. + +`auth` blocks support the following: + +* `auth_scheme` - (Optional) The type of authentication that the proxy uses for connections from the proxy to the underlying database. One of `SECRETS`. +* `description` - (Optional) A user-specified description about the authentication used by a proxy to log in as a specific database user. +* `iam_auth` - (Optional) Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. One of `DISABLED`, `REQUIRED`. +* `secret_arn` - (Optional) The Amazon Resource Name (ARN) representing the secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager. +* `username` - (Optional) The name of the database user to which the proxy connects. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - The Amazon Resource Name (ARN) for the proxy. +* `arn` - The Amazon Resource Name (ARN) for the proxy. +* `endpoint` - The endpoint that you can use to connect to the proxy. You include the endpoint value in the connection string for a database client application. + +### Timeouts + +`aws_db_proxy` provides the following [Timeouts](/docs/configuration/resources.html#timeouts) configuration options: + +- `create` - (Default `30 minutes`) Used for creating DB proxies. +- `update` - (Default `30 minutes`) Used for modifying DB proxies. +- `delete` - (Default `30 minutes`) Used for destroying DB proxies. + +## Import + +DB proxies can be imported using the `name`, e.g. + +``` +$ terraform import aws_db_proxy.example example +```