AWS Amazon RDS Proxy
This page shows how to write Terraform and CloudFormation for Amazon RDS Proxy and write them securely.
aws_db_proxy (Terraform)
The Proxy in Amazon RDS can be configured in Terraform with the resource name aws_db_proxy. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_db_proxy" "pg-rds" {
name = "pg-rds"
debug_logging = false
engine_family = "MYSQL"
idle_client_timeout = 1800
require_tls = true
resource "aws_db_proxy" "main" {
name = var.name
debug_logging = false
engine_family = "MYSQL"
idle_client_timeout = 1800
require_tls = false
Parameters
-
arnoptional computed - string -
debug_loggingoptional - bool -
endpointoptional computed - string -
engine_familyrequired - string -
idoptional computed - string -
idle_client_timeoutoptional computed - number -
namerequired - string -
require_tlsoptional - bool -
role_arnrequired - string -
tagsoptional - map from string to string -
vpc_security_group_idsoptional computed - set of string -
vpc_subnet_idsrequired - set of string -
authset block-
auth_schemeoptional - string -
descriptionoptional - string -
iam_authoptional - string -
secret_arnoptional - string
-
-
timeoutssingle block
Explanation in Terraform Registry
Provides an RDS DB proxy resource. For additional information, see the RDS User Guide.
Tips: Best Practices for The Other AWS Amazon RDS Resources
In addition to the aws_db_instance, AWS Amazon RDS has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.
aws_db_instance
Ensure backup retension of your RDS instance is specified
It's better to set it explicitly to reduce the risk of availability issues.
aws_rds_cluster
Ensure backup retension of your RDS cluster is specified
It's better to set it explicitly to reduce the risk of availability issues.
aws_rds_cluster_instance
Ensure your RDS cluster instance blocks unwanted access
It's better to limit accessibily to the minimum that is required for the application to work.
AWS::RDS::DBProxy (CloudFormation)
The DBProxy in RDS can be configured in CloudFormation with the resource name AWS::RDS::DBProxy. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::RDS::DBProxy
Properties:
DBProxyName: proxytestdb1
EngineFamily: MYSQL
RoleArn: arn:aws:iam::906332056165:role/service-role/rds-proxy-role-1606313663086
Auth:
Type: AWS::RDS::DBProxy
Properties:
DebugLogging: true
DBProxyName: 'test-proxy'
EngineFamily: MYSQL
IdleClientTimeout: 120
Type: AWS::RDS::DBProxy
Properties:
DBProxyName: ${self:custom.PROXY_NAME}
EngineFamily: POSTGRESQL
RoleArn: !GetAtt RDSProxyRole.Arn
Auth:
Type: AWS::RDS::DBProxy
Properties:
Auth:
- AuthScheme: "SECRETS"
Description: "DB SECRET"
IAMAuth: "DISABLED"
Type: AWS::RDS::DBProxy
Properties:
DebugLogging: true
DBProxyName: !Ref ProxyName
EngineFamily: MYSQL
"Type": "AWS::RDS::DBProxy",
"Properties": {
"Auth": [
{
"AuthScheme": "SECRETS",
"IAMAuth": "DISABLED",
"Type": "AWS::RDS::DBProxy",
"Properties": {
"Auth": [
{
"AuthScheme": "SECRETS",
"IAMAuth": "DISABLED",
"Type": "AWS::RDS::DBProxy",
"Properties": {
"Auth": [
{
"AuthScheme": "SECRETS",
"IAMAuth": "DISABLED",
"Type": "AWS::RDS::DBProxy",
"Properties": {
"Auth": [
{
"AuthScheme": "SECRETS",
"IAMAuth": "DISABLED",
"AWS::RDS::DBProxyTargetGroup.ConnectionPoolConfigurationInfoFormat": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbproxytargetgroup-connectionpoolconfigurationinfoformat.html",
"Properties": {
"MaxConnectionsPercent": {
"Documentation": "http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-rds-dbproxytargetgroup-connectionpoolconfigurationinfoformat.html#cfn-rds-dbproxytargetgroup-connectionpoolconfigurationinfoformat-maxconnectionspercent",
"UpdateType": "Mutable",
Parameters
-
Authrequired - List of AuthFormat -
DBProxyNamerequired - String -
DebugLoggingoptional - Boolean -
EngineFamilyrequired - String -
IdleClientTimeoutoptional - Integer -
RequireTLSoptional - Boolean -
RoleArnrequired - String -
Tagsoptional - List of TagFormat -
VpcSecurityGroupIdsoptional - List -
VpcSubnetIdsrequired - List
Explanation in CloudFormation Registry
The
AWS::RDS::DBProxyresource creates or updates a DB proxy.For information about RDS Proxy for Amazon RDS, see Managing Connections with Amazon RDS Proxy in the Amazon RDS User Guide.
For information about RDS Proxy for Amazon Aurora, see Managing Connections with Amazon RDS Proxy in the Amazon Aurora User Guide.
Note Limitations apply to RDS Proxy, including DB engine version limitations and AWS Region limitations. For information about limitations that apply to RDS Proxy for Amazon RDS, see Limitations for RDS Proxy in the Amazon RDS User Guide. For information about that apply to RDS Proxy for Amazon Aurora, see Limitations for RDS Proxy in the Amazon Aurora User Guide.
Frequently asked questions
What is AWS Amazon RDS Proxy?
AWS Amazon RDS Proxy is a resource for Amazon RDS of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.
Where can I find the example code for the AWS Amazon RDS Proxy?
For Terraform, the rraj-gautam/terraform and sapphire-ko/aws-rds-proxy-test source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the hokuto/aws-example, argjentsahiti/RDSProxyServerlessExample and montecha/examples source code examples are useful. See the CloudFormation Example section for further details.
