AWS RDS Proxy Terraform module

January 15, 2026 · View on GitHub

Terraform module which creates an AWS RDS Proxy and its supporting resources.

Usage

See examples directory for working examples to reference:

module "rds_proxy" {
  source = "terraform-aws-modules/rds-proxy/aws"

  name                   = "rds-proxy"
  iam_role_name          = "rds-proxy-role"
  vpc_subnet_ids         = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
  vpc_security_group_ids = ["sg-f1d03a88"]

  endpoints = {
    read_write = {
      name                   = "read-write-endpoint"
      vpc_subnet_ids         = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
      vpc_security_group_ids = ["sg-f1d03a88"]
    },
    read_only = {
      name                   = "read-only-endpoint"
      vpc_subnet_ids         = ["subnet-30ef7b3c", "subnet-1ecda77b", "subnet-ca09ddbc"]
      vpc_security_group_ids = ["sg-f1d03a88"]
      target_role            = "READ_ONLY"
    }
  }

  auth = {
    "superuser" = {
      description        = "Aurora PostgreSQL superuser password"
      secret_arn         = "arn:aws:secretsmanager:us-east-1:123456789012:secret:superuser-6gsjLD"
    }
  }

  # Target Aurora cluster
  engine_family         = "POSTGRESQL"
  target_db_cluster     = true
  db_cluster_identifier = "my-endpoint"

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module(s). If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Requirements

Name	Version
terraform	>= 1.5.7
aws	>= 6.28

Providers

Name	Version
aws	>= 6.28

Modules

No modules.

Resources

Name	Type
aws_cloudwatch_log_group.this	resource
aws_db_proxy.this	resource
aws_db_proxy_default_target_group.this	resource
aws_db_proxy_endpoint.this	resource
aws_db_proxy_target.db_cluster	resource
aws_db_proxy_target.db_instance	resource
aws_iam_role.this	resource
aws_iam_role_policy.this	resource
aws_iam_policy_document.assume_role	data source
aws_iam_policy_document.this	data source
aws_partition.current	data source
aws_region.current	data source
aws_service_principal.rds	data source

Inputs

Name	Description	Type	Default	Required
auth	Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters	map(object({ auth_scheme = optional(string) client_password_auth_type = optional(string) description = optional(string) iam_auth = optional(string) secret_arn = optional(string) username = optional(string) }))	{ "default": { "auth_scheme": "SECRETS" } }	no
connection_borrow_timeout	The number of seconds for a proxy to wait for a connection to become available in the connection pool	`number`	`null`	no
create	Whether cluster should be created (affects nearly all resources)	`bool`	`true`	no
create_iam_policy	Determines whether an IAM policy is created	`bool`	`true`	no
create_iam_role	Determines whether an IAM role is created	`bool`	`true`	no
db_cluster_identifier	DB cluster identifier	`string`	`""`	no
db_instance_identifier	DB instance identifier	`string`	`""`	no
debug_logging	Whether the proxy includes detailed information about SQL statements in its logs	`bool`	`false`	no
default_auth_scheme	Default authentication scheme that the proxy uses for client connections to the proxy and connections from the proxy to the underlying database. Valid values are NONE and IAM_AUTH. Defaults to NONE	`string`	`null`	no
endpoint_network_type	Network type of the DB proxy endpoint. Valid values are IPV4, IPV6 and DUAL. Defaults to IPV4. If IPV6 is specified, the subnets associated with the proxy must be IPv6-only, and target_connection_network_type must be IPV6	`string`	`null`	no
endpoints	Map of DB proxy endpoints to create and their attributes	map(object({ name = optional(string) vpc_subnet_ids = list(string) vpc_security_group_ids = optional(list(string)) target_role = optional(string) tags = optional(map(string), {}) }))	`{}`	no
engine_family	The kind of database engine that the proxy will connect to. Valid values are `MYSQL` or `POSTGRESQL`	`string`	`""`	no
iam_policy_name	The name of the role policy. If omitted, Terraform will assign a random, unique name	`string`	`""`	no
iam_role_description	The description of the role	`string`	`""`	no
iam_role_force_detach_policies	Specifies to force detaching any policies the role has before destroying it	`bool`	`true`	no
iam_role_max_session_duration	The maximum session duration (in seconds) that you want to set for the specified role	`number`	`43200`	no
iam_role_name	The name of the role. If omitted, Terraform will assign a random, unique name	`string`	`""`	no
iam_role_path	The path to the role	`string`	`null`	no
iam_role_permissions_boundary	The ARN of the policy that is used to set the permissions boundary for the role	`string`	`null`	no
iam_role_tags	A map of tags to apply to the IAM role	`map(string)`	`{}`	no
idle_client_timeout	The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it	`number`	`1800`	no
init_query	One or more SQL statements for the proxy to run when opening each new database connection	`string`	`""`	no
kms_key_arns	List of KMS Key ARNs to allow access to decrypt SecretsManager secrets	`list(string)`	`[]`	no
log_group_class	Specified the log class of the log group. Possible values are: `STANDARD` or `INFREQUENT_ACCESS`	`string`	`null`	no
log_group_kms_key_id	The ARN of the KMS Key to use when encrypting log data	`string`	`null`	no
log_group_retention_in_days	Specifies the number of days you want to retain log events in the log group	`number`	`30`	no
log_group_tags	A map of tags to apply to the CloudWatch log group	`map(string)`	`{}`	no
manage_log_group	Determines whether Terraform will create/manage the CloudWatch log group or not. Note - this will fail if set to true after the log group has been created as the resource will already exist	`bool`	`true`	no
max_connections_percent	The maximum size of the connection pool for each target in a target group	`number`	`90`	no
max_idle_connections_percent	Controls how actively the proxy closes idle database connections in the connection pool	`number`	`50`	no
name	The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens	`string`	`""`	no
proxy_tags	A map of tags to apply to the RDS Proxy	`map(string)`	`{}`	no
region	Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration	`string`	`null`	no
require_tls	A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy	`bool`	`true`	no
role_arn	The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager	`string`	`""`	no
session_pinning_filters	Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection	`list(string)`	`[]`	no
tags	A map of tags to add to all resources	`map(string)`	`{}`	no
target_connection_network_type	Network type that the proxy uses to connect to the target database. Valid values are IPV4 and IPV6. Defaults to IPV4	`string`	`null`	no
target_db_cluster	Determines whether DB cluster is targeted by proxy	`bool`	`false`	no
target_db_instance	Determines whether DB instance is targeted by proxy	`bool`	`false`	no
use_policy_name_prefix	Whether to use unique name beginning with the specified `iam_policy_name`	`bool`	`false`	no
use_role_name_prefix	Whether to use unique name beginning with the specified `iam_role_name`	`bool`	`false`	no
vpc_security_group_ids	One or more VPC security group IDs to associate with the new proxy	`list(string)`	`[]`	no
vpc_subnet_ids	One or more VPC subnet IDs to associate with the new proxy	`list(string)`	`[]`	no

Outputs

Name	Description
db_proxy_endpoints	Array containing the full resource object and attributes for all DB proxy endpoints created
iam_role_arn	The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager.
iam_role_name	IAM role name
iam_role_unique_id	Stable and unique string identifying the IAM role
log_group_arn	The Amazon Resource Name (ARN) of the CloudWatch log group
log_group_name	The name of the CloudWatch log group
proxy_arn	The Amazon Resource Name (ARN) for the proxy
proxy_default_target_group_arn	The Amazon Resource Name (ARN) for the default target group
proxy_default_target_group_id	The ID for the default target group
proxy_default_target_group_name	The name of the default target group
proxy_endpoint	The endpoint that you can use to connect to the proxy
proxy_id	The ID for the proxy
proxy_target_endpoint	Hostname for the target RDS DB Instance. Only returned for `RDS_INSTANCE` type
proxy_target_id	Identifier of `db_proxy_name`, `target_group_name`, target type (e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER`), and resource identifier separated by forward slashes (/)
proxy_target_port	Port for the target RDS DB Instance or Aurora DB Cluster
proxy_target_rds_resource_id	Identifier representing the DB Instance or DB Cluster target
proxy_target_target_arn	Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API
proxy_target_tracked_cluster_id	DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS_INSTANCE target that is part of a DB Cluster
proxy_target_type	Type of target. e.g. `RDS_INSTANCE` or `TRACKED_CLUSTER`

License

Apache-2.0 Licensed. See LICENSE.