Description
It would be awesome if the provider offered a data source matching the `aws rds generate-db-auth-token` CLI command (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/generate-db-auth-token.html).
Once IAM authentication is enabled on a DB instance with https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#iam_database_authentication_enabled, this new data source would ease the task of using ephemeral passwords inside Terraform.
Right now I need the Python aws-cli and an external data source instead of the Go AWS SDK built into this very provider.
```hcl
data "external" "rds_auth_token" {
  # Shell out to the CLI and wrap the token in the JSON object the
  # external data source expects: {"password": "<token>"}
  program = [
    "sh",
    "-c",
    "echo {\\\"password\\\": \\\"$(aws rds generate-db-auth-token --hostname ${each.value.hostname} --port ${each.value.port} --username ${each.value.username} )\\\"}",
  ]

  for_each = {
    production = {
      hostname = "asdf.jkl.region.rds.amazonaws.com"
      port     = 5432
      username = "terraform"
    }
  }
}

provider "postgresql" {
  host             = "localhost"  # local end of the tunnel through the bastion host
  port             = 5555
  database         = "postgres"
  username         = "terraform"
  password         = data.external.rds_auth_token["production"].result.password
  sslmode          = "require"
  superuser        = false
  aws_rds_iam_auth = false        # the token is passed as a plain password
}
```
My main goal would be using the cyrilgdn/postgresql provider across bastion hosts, as its `aws_rds_iam_auth = false` is useless with such setup. But this could have utility beyond my use-case, e.g. to grant RDS access to edge computers without AWS credentials (mostly for provisioners, as these passwords are very ephemeral).
Requested Resource(s) and/or Data Source(s)
aws_rds_iam_auth_token
Potential Terraform Configuration
```hcl
data "aws_rds_iam_auth_token" "production" {
  hostname = "foo.bar.region.rds.amazonaws.com"
  port     = 5432
  username = "username"
}

provider "postgresql" {
  host             = "localhost"
  port             = 5555
  database         = "postgres"
  username         = "username"
  password         = data.aws_rds_iam_auth_token.production.token
  aws_rds_iam_auth = false
}
```
References
- Bastion Connections cyrilgdn/terraform-provider-postgresql#81 (comment)
- https://registry.terraform.io/modules/calidae/rds-iam-token-generator/external/latest
Would you like to implement a fix?
No