From 84009e88b985802ab692aa1974b872a67198a7a4 Mon Sep 17 00:00:00 2001 From: Gareth Oakley Date: Mon, 6 Apr 2020 22:32:22 +0100 Subject: [PATCH 1/6] resource/aws_db_proxy: Initial resource --- aws/provider.go | 1 + aws/resource_aws_db_proxy.go | 314 ++++++++++++++++++++++++++ website/aws.erb | 3 + website/docs/r/db_proxy.html.markdown | 86 +++++++ 4 files changed, 404 insertions(+) create mode 100644 aws/resource_aws_db_proxy.go create mode 100644 website/docs/r/db_proxy.html.markdown diff --git a/aws/provider.go b/aws/provider.go index be386f16d6b..78bbb4f7c56 100644 --- a/aws/provider.go +++ b/aws/provider.go @@ -449,6 +449,7 @@ func Provider() terraform.ResourceProvider { "aws_db_instance_role_association": resourceAwsDbInstanceRoleAssociation(), "aws_db_option_group": resourceAwsDbOptionGroup(), "aws_db_parameter_group": resourceAwsDbParameterGroup(), + "aws_db_proxy": resourceAwsDbProxy(), "aws_db_security_group": resourceAwsDbSecurityGroup(), "aws_db_snapshot": resourceAwsDbSnapshot(), "aws_db_subnet_group": resourceAwsDbSubnetGroup(), diff --git a/aws/resource_aws_db_proxy.go b/aws/resource_aws_db_proxy.go new file mode 100644 index 00000000000..502512a58a3 --- /dev/null +++ b/aws/resource_aws_db_proxy.go @@ -0,0 +1,314 @@ +package aws + +import ( + "bytes" + "fmt" + "log" + "time" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/service/rds" + "github.com/hashicorp/terraform-plugin-sdk/helper/hashcode" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/helper/validation" + "github.com/terraform-providers/terraform-provider-aws/aws/internal/keyvaluetags" +) + +func resourceAwsDbProxy() *schema.Resource { + return &schema.Resource{ + Create: resourceAwsDbProxyCreate, + Read: resourceAwsDbProxyRead, + Update: resourceAwsDbProxyUpdate, + Delete: resourceAwsDbProxyDelete, + Importer: &schema.ResourceImporter{ + State: schema.ImportStatePassthrough, + }, + + Timeouts: &schema.ResourceTimeout{ + Create: schema.DefaultTimeout(30 * time.Minute), + Update: schema.DefaultTimeout(30 * time.Minute), + Delete: schema.DefaultTimeout(30 * time.Minute), + }, + + Schema: map[string]*schema.Schema{ + "arn": { + Type: schema.TypeString, + Computed: true, + }, + "name": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validateRdsIdentifier, + }, + "debug_logging": { + Type: schema.TypeBool, + Optional: true, + }, + "engine_family": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + ValidateFunc: validation.StringInSlice([]string{ + rds.EngineFamilyMysql, + }, false), + }, + "idle_client_timeout": { + Type: schema.TypeInt, + Optional: true, + }, + "require_tls": { + Type: schema.TypeBool, + Optional: true, + }, + "role_arn": { + Type: schema.TypeString, + Required: true, + ValidateFunc: validateArn, + }, + "vpc_security_group_ids": { + Type: schema.TypeSet, + Optional: true, + Computed: true, + Elem: &schema.Schema{Type: schema.TypeString}, + Set: schema.HashString, + }, + "vpc_subnet_ids": { + Type: schema.TypeSet, + Required: true, + Elem: &schema.Schema{Type: schema.TypeString}, + Set: schema.HashString, + }, + "auth": { + Type: schema.TypeSet, + Required: true, + ForceNew: false, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "auth_scheme": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{ + rds.AuthSchemeSecrets, + }, false), + }, + "description": { + Type: schema.TypeString, + Optional: true, + }, + "iam_auth": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validation.StringInSlice([]string{ + rds.IAMAuthModeDisabled, + rds.IAMAuthModeRequired, + }, false), + }, + "secret_arn": { + Type: schema.TypeString, + Optional: true, + ValidateFunc: validateArn, + }, + "username": { + Type: schema.TypeString, + Optional: true, + }, + }, + }, + Set: resourceAwsDbProxyAuthHash, + }, + + "tags": tagsSchema(), + }, + } +} + +func resourceAwsDbProxyCreate(d *schema.ResourceData, meta interface{}) error { + rdsconn := meta.(*AWSClient).rdsconn + tags := keyvaluetags.New(d.Get("tags").(map[string]interface{})).IgnoreAws().RdsTags() + + params := rds.CreateDBProxyInput{ + Auth: expandDbProxyAuth(d.Get("auth").(*schema.Set).List()), + DBProxyName: aws.String(d.Get("name").(string)), + EngineFamily: aws.String(d.Get("engine_family").(string)), + RoleArn: aws.String(d.Get("role_arn").(string)), + Tags: tags, + VpcSubnetIds: expandStringSet(d.Get("vpc_subnet_ids").(*schema.Set)), + } + + if v, ok := d.GetOk("debug_logging"); ok { + params.DebugLogging = aws.Bool(v.(bool)) + } + + if v, ok := d.GetOk("idle_client_timeout"); ok { + params.IdleClientTimeout = aws.Int64(int64(v.(int))) + } + + if v, ok := d.GetOk("require_tls"); ok { + params.RequireTLS = aws.Bool(v.(bool)) + } + + if v := d.Get("vpc_security_group_ids").(*schema.Set); v.Len() > 0 { + params.VpcSecurityGroupIds = expandStringSet(v) + } + + log.Printf("[DEBUG] Create DB Proxy: %#v", params) + resp, err := rdsconn.CreateDBProxy(¶ms) + if err != nil { + return fmt.Errorf("Error creating DB Proxy: %s", err) + } + + d.SetId(aws.StringValue(resp.DBProxy.DBProxyName)) + d.Set("arn", resp.DBProxy.DBProxyArn) + log.Printf("[INFO] DB Proxy ID: %s", d.Id()) + + return resourceAwsDbProxyRead(d, meta) +} + +func expandDbProxyAuth(l []interface{}) []*rds.UserAuthConfig { + if len(l) == 0 { + return nil + } + + userAuthConfigs := make([]*rds.UserAuthConfig, 0, len(l)) + + for _, mRaw := range l { + m, ok := mRaw.(map[string]interface{}) + + if !ok { + continue + } + + userAuthConfig := &rds.UserAuthConfig{} + + if v, ok := m["auth_scheme"].(string); ok && v != "" { + userAuthConfig.AuthScheme = aws.String(v) + } + + if v, ok := m["description"].(string); ok && v != "" { + userAuthConfig.Description = aws.String(v) + } + + if v, ok := m["iam_auth"].(string); ok && v != "" { + userAuthConfig.IAMAuth = aws.String(v) + } + + if v, ok := m["secret_arn"].(string); ok && v != "" { + userAuthConfig.SecretArn = aws.String(v) + } + + if v, ok := m["username"].(string); ok && v != "" { + userAuthConfig.UserName = aws.String(v) + } + + userAuthConfigs = append(userAuthConfigs, userAuthConfig) + } + + return userAuthConfigs +} + +func resourceAwsDbProxyRead(d *schema.ResourceData, meta interface{}) error { + rdsconn := meta.(*AWSClient).rdsconn + + params := rds.DescribeDBProxiesInput{ + DBProxyName: aws.String(d.Id()), + } + + resp, err := rdsconn.DescribeDBProxies(¶ms) + if err != nil { + if isAWSErr(err, rds.ErrCodeDBProxyNotFoundFault, "") { + log.Printf("[WARN] DB Proxy (%s) not found, removing from state", d.Id()) + d.SetId("") + return nil + } + return err + } + + if len(resp.DBProxies) != 1 || + *resp.DBProxies[0].DBProxyName != d.Id() { + return fmt.Errorf("Unable to find DB Proxy: %#v", resp.DBProxies) + } + + v := resp.DBProxies[0] + + d.Set("arn", aws.StringValue(v.DBProxyArn)) + d.Set("name", v.DBProxyName) + d.Set("debug_logging", v.DebugLogging) + d.Set("engine_family", v.EngineFamily) + d.Set("idle_client_timeout", v.IdleClientTimeout) + d.Set("require_tls", v.RequireTLS) + d.Set("role_arn", v.RoleArn) + d.Set("vpc_subnet_ids", flattenStringSet(v.VpcSubnetIds)) + d.Set("security_group_ids", flattenStringSet(v.VpcSecurityGroupIds)) + + tags, err := keyvaluetags.RdsListTags(rdsconn, d.Get("arn").(string)) + + if err != nil { + return fmt.Errorf("Error listing tags for RDS DB Proxy (%s): %s", d.Get("arn").(string), err) + } + + if err := d.Set("tags", tags.IgnoreAws().Map()); err != nil { + return fmt.Errorf("Error setting tags: %s", err) + } + + return nil +} + +func resourceAwsDbProxyUpdate(d *schema.ResourceData, meta interface{}) error { + rdsconn := meta.(*AWSClient).rdsconn + + if d.HasChange("tags") { + o, n := d.GetChange("tags") + + if err := keyvaluetags.RdsUpdateTags(rdsconn, d.Get("arn").(string), o, n); err != nil { + return fmt.Errorf("Error updating RDS DB Proxy (%s) tags: %s", d.Get("arn").(string), err) + } + } + + return resourceAwsDbProxyRead(d, meta) +} + +func resourceAwsDbProxyDelete(d *schema.ResourceData, meta interface{}) error { + conn := meta.(*AWSClient).rdsconn + params := rds.DeleteDBProxyInput{ + DBProxyName: aws.String(d.Id()), + } + err := resource.Retry(3*time.Minute, func() *resource.RetryError { + _, err := conn.DeleteDBProxy(¶ms) + if err != nil { + if isAWSErr(err, rds.ErrCodeDBProxyNotFoundFault, "") || isAWSErr(err, rds.ErrCodeInvalidDBProxyStateFault, "") { + return resource.RetryableError(err) + } + return resource.NonRetryableError(err) + } + return nil + }) + if isResourceTimeoutError(err) { + _, err = conn.DeleteDBProxy(¶ms) + } + if err != nil { + return fmt.Errorf("Error deleting DB Proxy: %s", err) + } + return nil +} + +func resourceAwsDbProxyAuthHash(v interface{}) int { + var buf bytes.Buffer + m := v.(map[string]interface{}) + if v, ok := m["auth_scheme"].(string); ok { + buf.WriteString(fmt.Sprintf("%s-", v)) + } + if v, ok := m["description"].(string); ok { + buf.WriteString(fmt.Sprintf("%s-", v)) + } + if v, ok := m["iam_auth"].(string); ok { + buf.WriteString(fmt.Sprintf("%s-", v)) + } + if v, ok := m["secret_arn"].(string); ok { + buf.WriteString(fmt.Sprintf("%s-", v)) + } + if v, ok := m["username"].(string); ok { + buf.WriteString(fmt.Sprintf("%s-", v)) + } + return hashcode.String(buf.String()) +} diff --git a/website/aws.erb b/website/aws.erb index b5b8540d4c4..5035745729c 100644 --- a/website/aws.erb +++ b/website/aws.erb @@ -2484,6 +2484,9 @@
  • aws_db_parameter_group
    • +
  • + aws_db_proxy +
  • aws_db_security_group
    • diff --git a/website/docs/r/db_proxy.html.markdown b/website/docs/r/db_proxy.html.markdown new file mode 100644 index 00000000000..5e0c57c03b1 --- /dev/null +++ b/website/docs/r/db_proxy.html.markdown @@ -0,0 +1,86 @@ +--- +subcategory: "RDS" +layout: "aws" +page_title: "AWS: aws_db_proxy" +description: |- + Provides an RDS DB proxy resource. +--- + +# Resource: aws_db_proxy + +Provides an RDS DB proxy resource. + +## Example Usage + +```hcl +resource "aws_db_proxy" "example" { + name = "example" + debug_logging = false + engine_family = "MYSQL" + idle_client_timeout = 1800 + require_tls = true + role_arn = "arn:aws:iam:us-east-1:123456789012:role/example" + vpc_security_group_ids = ["sg-12345678901234567"] + vpc_subnet_ids = ["subnet-12345678901234567"] + + auth { + auth_scheme = "SECRETS" + description = "example" + iam_auth = "DISABLED" + secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example" + } + + tags = { + Name = "example" + Key = "value" + } +} +``` + +## Argument Reference + +The following arguments are supported: + +* `name` - (Required) The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens. +* `auth` - (Required) The authorization mechanism that the proxy uses. +* `debug_logging` - (Optional) Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs. +* `engine_family` - (Required, Forces new resource) The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. Currently, this value is always `MYSQL`. The engine family applies to both RDS MySQL and Aurora MySQL. +* `idle_client_timeout` - (Optional) The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it. You can set this value higher or lower than the connection timeout limit for the associated database. +* `require_tls` - (Optional) A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy. +* `role_arn` - (Required) The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager. +* `vpc_security_group_ids` - (Optional) One or more VPC security group IDs to associate with the new proxy. +* `vpc_subnet_ids` - (Required) One or more VPC subnet IDs to associate with the new proxy. +describe-db-parameters.html) after initial creation of the group. +* `tags` - (Optional) A mapping of tags to assign to the resource. + +`auth` blocks support the following: + +* `auth_scheme` - (Optional) The type of authentication that the proxy uses for connections from the proxy to the underlying database. One of `SECRETS`. +* `description` - (Optional) A user-specified description about the authentication used by a proxy to log in as a specific database user. +* `iam_auth` - (Optional) Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. One of `DISABLED`, `REQUIRED`. +* `secret_arn` - (Optional) The Amazon Resource Name (ARN) representing the secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager. +* `username` - (Optional) The name of the database user to which the proxy connects. + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +* `id` - The Amazon Resource Name (ARN) for the proxy. +* `arn` - The Amazon Resource Name (ARN) for the proxy. +* `endpoint` - The endpoint that you can use to connect to the proxy. You include the endpoint value in the connection string for a database client application. + +### Timeouts + +`aws_db_proxy` provides the following [Timeouts](/docs/configuration/resources.html#timeouts) configuration options: + +- `create` - (Default `30 minutes`) Used for creating DB proxies. +- `update` - (Default `30 minutes`) Used for modifying DB proxies. +- `delete` - (Default `30 minutes`) Used for destroying DB proxies. + +## Import + +DB proxies can be imported using the `name`, e.g. + +``` +$ terraform import aws_db_proxy.example example +``` From f4f95fb5a4df9f1a5ad0ef8f9719ec0adc24c267 Mon Sep 17 00:00:00 2001 From: Gareth Oakley Date: Mon, 6 Apr 2020 23:24:32 +0100 Subject: [PATCH 2/6] resource/aws_db_proxy: Set up WaitForState --- aws/resource_aws_db_proxy.go | 91 ++++++++++++++++++++++++------------ 1 file changed, 61 insertions(+), 30 deletions(-) diff --git a/aws/resource_aws_db_proxy.go b/aws/resource_aws_db_proxy.go index 502512a58a3..959f62aba2d 100644 --- a/aws/resource_aws_db_proxy.go +++ b/aws/resource_aws_db_proxy.go @@ -124,7 +124,7 @@ func resourceAwsDbProxy() *schema.Resource { } func resourceAwsDbProxyCreate(d *schema.ResourceData, meta interface{}) error { - rdsconn := meta.(*AWSClient).rdsconn + conn := meta.(*AWSClient).rdsconn tags := keyvaluetags.New(d.Get("tags").(map[string]interface{})).IgnoreAws().RdsTags() params := rds.CreateDBProxyInput{ @@ -153,7 +153,7 @@ func resourceAwsDbProxyCreate(d *schema.ResourceData, meta interface{}) error { } log.Printf("[DEBUG] Create DB Proxy: %#v", params) - resp, err := rdsconn.CreateDBProxy(¶ms) + resp, err := conn.CreateDBProxy(¶ms) if err != nil { return fmt.Errorf("Error creating DB Proxy: %s", err) } @@ -162,9 +162,39 @@ func resourceAwsDbProxyCreate(d *schema.ResourceData, meta interface{}) error { d.Set("arn", resp.DBProxy.DBProxyArn) log.Printf("[INFO] DB Proxy ID: %s", d.Id()) + stateChangeConf := &resource.StateChangeConf{ + Pending: []string{rds.DBProxyStatusCreating}, + Target: []string{rds.DBProxyStatusAvailable}, + Refresh: resourceAwsDbProxyRefreshFunc(conn, d.Id()), + Timeout: d.Timeout(schema.TimeoutCreate), + } + + _, err = stateChangeConf.WaitForState() + if err != nil { + return fmt.Errorf("Error waiting for DB Proxy creation: %s", err) + } + return resourceAwsDbProxyRead(d, meta) } +func resourceAwsDbProxyRefreshFunc(conn *rds.RDS, proxyName string) resource.StateRefreshFunc { + return func() (interface{}, string, error) { + resp, err := conn.DescribeDBProxies(&rds.DescribeDBProxiesInput{ + DBProxyName: aws.String(proxyName), + }) + + if err != nil { + if isAWSErr(err, rds.ErrCodeDBProxyNotFoundFault, "") { + return 42, "", nil + } + return 42, "", err + } + + dbProxy := resp.DBProxies[0] + return dbProxy, *dbProxy.Status, nil + } +} + func expandDbProxyAuth(l []interface{}) []*rds.UserAuthConfig { if len(l) == 0 { return nil @@ -208,13 +238,13 @@ func expandDbProxyAuth(l []interface{}) []*rds.UserAuthConfig { } func resourceAwsDbProxyRead(d *schema.ResourceData, meta interface{}) error { - rdsconn := meta.(*AWSClient).rdsconn + conn := meta.(*AWSClient).rdsconn params := rds.DescribeDBProxiesInput{ DBProxyName: aws.String(d.Id()), } - resp, err := rdsconn.DescribeDBProxies(¶ms) + resp, err := conn.DescribeDBProxies(¶ms) if err != nil { if isAWSErr(err, rds.ErrCodeDBProxyNotFoundFault, "") { log.Printf("[WARN] DB Proxy (%s) not found, removing from state", d.Id()) @@ -229,19 +259,19 @@ func resourceAwsDbProxyRead(d *schema.ResourceData, meta interface{}) error { return fmt.Errorf("Unable to find DB Proxy: %#v", resp.DBProxies) } - v := resp.DBProxies[0] + dbProxy := resp.DBProxies[0] - d.Set("arn", aws.StringValue(v.DBProxyArn)) - d.Set("name", v.DBProxyName) - d.Set("debug_logging", v.DebugLogging) - d.Set("engine_family", v.EngineFamily) - d.Set("idle_client_timeout", v.IdleClientTimeout) - d.Set("require_tls", v.RequireTLS) - d.Set("role_arn", v.RoleArn) - d.Set("vpc_subnet_ids", flattenStringSet(v.VpcSubnetIds)) - d.Set("security_group_ids", flattenStringSet(v.VpcSecurityGroupIds)) + d.Set("arn", aws.StringValue(dbProxy.DBProxyArn)) + d.Set("name", dbProxy.DBProxyName) + d.Set("debug_logging", dbProxy.DebugLogging) + d.Set("engine_family", dbProxy.EngineFamily) + d.Set("idle_client_timeout", dbProxy.IdleClientTimeout) + d.Set("require_tls", dbProxy.RequireTLS) + d.Set("role_arn", dbProxy.RoleArn) + d.Set("vpc_subnet_ids", flattenStringSet(dbProxy.VpcSubnetIds)) + d.Set("security_group_ids", flattenStringSet(dbProxy.VpcSecurityGroupIds)) - tags, err := keyvaluetags.RdsListTags(rdsconn, d.Get("arn").(string)) + tags, err := keyvaluetags.RdsListTags(conn, d.Get("arn").(string)) if err != nil { return fmt.Errorf("Error listing tags for RDS DB Proxy (%s): %s", d.Get("arn").(string), err) @@ -255,12 +285,12 @@ func resourceAwsDbProxyRead(d *schema.ResourceData, meta interface{}) error { } func resourceAwsDbProxyUpdate(d *schema.ResourceData, meta interface{}) error { - rdsconn := meta.(*AWSClient).rdsconn + conn := meta.(*AWSClient).rdsconn if d.HasChange("tags") { o, n := d.GetChange("tags") - if err := keyvaluetags.RdsUpdateTags(rdsconn, d.Get("arn").(string), o, n); err != nil { + if err := keyvaluetags.RdsUpdateTags(conn, d.Get("arn").(string), o, n); err != nil { return fmt.Errorf("Error updating RDS DB Proxy (%s) tags: %s", d.Get("arn").(string), err) } } @@ -270,25 +300,26 @@ func resourceAwsDbProxyUpdate(d *schema.ResourceData, meta interface{}) error { func resourceAwsDbProxyDelete(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).rdsconn + params := rds.DeleteDBProxyInput{ DBProxyName: aws.String(d.Id()), } - err := resource.Retry(3*time.Minute, func() *resource.RetryError { - _, err := conn.DeleteDBProxy(¶ms) - if err != nil { - if isAWSErr(err, rds.ErrCodeDBProxyNotFoundFault, "") || isAWSErr(err, rds.ErrCodeInvalidDBProxyStateFault, "") { - return resource.RetryableError(err) - } - return resource.NonRetryableError(err) - } - return nil - }) - if isResourceTimeoutError(err) { - _, err = conn.DeleteDBProxy(¶ms) - } + _, err := conn.DeleteDBProxy(¶ms) if err != nil { return fmt.Errorf("Error deleting DB Proxy: %s", err) } + + stateChangeConf := &resource.StateChangeConf{ + Pending: []string{rds.DBProxyStatusDeleting}, + Refresh: resourceAwsDbProxyRefreshFunc(conn, d.Id()), + Timeout: d.Timeout(schema.TimeoutDelete), + } + + _, err = stateChangeConf.WaitForState() + if err != nil { + return fmt.Errorf("Error waiting for DB Proxy deletion: %s", err) + } + return nil } From cc02e3a751a30f8807952100bc0e1b36b84b6da3 Mon Sep 17 00:00:00 2001 From: Gareth Oakley Date: Tue, 7 Apr 2020 19:27:46 +0100 Subject: [PATCH 3/6] resource/aws_db_proxy: Initial tests --- aws/resource_aws_db_proxy_test.go | 274 ++++++++++++++++++++++++++++++ 1 file changed, 274 insertions(+) create mode 100644 aws/resource_aws_db_proxy_test.go diff --git a/aws/resource_aws_db_proxy_test.go b/aws/resource_aws_db_proxy_test.go new file mode 100644 index 00000000000..a5396be5213 --- /dev/null +++ b/aws/resource_aws_db_proxy_test.go @@ -0,0 +1,274 @@ +package aws + +import ( + "fmt" + "log" + "regexp" + "testing" + + "github.com/aws/aws-sdk-go/aws" + "github.com/aws/aws-sdk-go/aws/awserr" + "github.com/aws/aws-sdk-go/service/rds" + "github.com/hashicorp/terraform-plugin-sdk/helper/acctest" + "github.com/hashicorp/terraform-plugin-sdk/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/terraform" +) + +func init() { + resource.AddTestSweepers("aws_db_proxy", &resource.Sweeper{ + Name: "aws_db_proxy", + F: testSweepRdsDbProxies, + }) +} + +func testSweepRdsDbProxies(region string) error { + client, err := sharedClientForRegion(region) + if err != nil { + return fmt.Errorf("Error getting client: %s", err) + } + conn := client.(*AWSClient).rdsconn + + err = conn.DescribeDBProxiesPages(&rds.DescribeDBProxiesInput{}, func(out *rds.DescribeDBProxiesOutput, lastPage bool) bool { + for _, dbpg := range out.DBProxies { + if dbpg == nil { + continue + } + + input := &rds.DeleteDBProxyInput{ + DBProxyName: dbpg.DBProxyName, + } + name := aws.StringValue(dbpg.DBProxyName) + + log.Printf("[INFO] Deleting DB Proxy: %s", name) + + _, err := conn.DeleteDBProxy(input) + + if err != nil { + log.Printf("[ERROR] Failed to delete DB Proxy %s: %s", name, err) + continue + } + } + + return !lastPage + }) + + if testSweepSkipSweepError(err) { + log.Printf("[WARN] Skipping RDS DB Proxy sweep for %s: %s", region, err) + return nil + } + + if err != nil { + return fmt.Errorf("Error retrieving DB Proxies: %s", err) + } + + return nil +} + +func TestAccAWSDBProxy_basic(t *testing.T) { + var v rds.DBProxy + resourceName := "aws_db_proxy.test" + name := fmt.Sprintf("tf-acc-db-proxy-%d", acctest.RandInt()) + + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckAWSDBProxyDestroy, + Steps: []resource.TestStep{ + { + Config: testAccAWSDBProxyConfig(name), + Check: resource.ComposeTestCheckFunc( + testAccCheckAWSDBProxyExists(resourceName, &v), + resource.TestCheckResourceAttr( + resourceName, "name", name), + resource.TestCheckResourceAttr( + resourceName, "engine_family", "MYSQL"), + resource.TestMatchResourceAttr( + resourceName, "arn", regexp.MustCompile(`^arn:[^:]+:rds:[^:]+:\d{12}:db-proxy:.+`)), + ), + }, + { + ResourceName: resourceName, + ImportState: true, + ImportStateVerify: true, + }, + }, + }) +} + +func testAccCheckAWSDBProxyDestroy(s *terraform.State) error { + conn := testAccProvider.Meta().(*AWSClient).rdsconn + + for _, rs := range s.RootModule().Resources { + if rs.Type != "aws_db_proxy" { + continue + } + + // Try to find the Group + resp, err := conn.DescribeDBProxies( + &rds.DescribeDBProxiesInput{ + DBProxyName: aws.String(rs.Primary.ID), + }) + + if err == nil { + if len(resp.DBProxies) != 0 && + *resp.DBProxies[0].DBProxyName == rs.Primary.ID { + return fmt.Errorf("DB Proxy still exists") + } + } + + // Verify the error + newerr, ok := err.(awserr.Error) + if !ok { + return err + } + if newerr.Code() != rds.ErrCodeDBProxyNotFoundFault { + return err + } + } + + return nil +} + +func testAccCheckAWSDBProxyExists(n string, v *rds.DBProxy) resource.TestCheckFunc { + return func(s *terraform.State) error { + rs, ok := s.RootModule().Resources[n] + if !ok { + return fmt.Errorf("Not found: %s", n) + } + + if rs.Primary.ID == "" { + return fmt.Errorf("No DB Proxy ID is set") + } + + conn := testAccProvider.Meta().(*AWSClient).rdsconn + + opts := rds.DescribeDBProxiesInput{ + DBProxyName: aws.String(rs.Primary.ID), + } + + resp, err := conn.DescribeDBProxies(&opts) + + if err != nil { + return err + } + + if len(resp.DBProxies) != 1 || + *resp.DBProxies[0].DBProxyName != rs.Primary.ID { + return fmt.Errorf("DB Proxy not found") + } + + *v = *resp.DBProxies[0] + + return nil + } +} + +func testAccAWSDBProxyConfig(n string) string { + return fmt.Sprintf(` +resource "aws_db_proxy" "test" { + depends_on = [ + aws_secretsmanager_secret_version.test, + aws_iam_role_policy.test + ] + + name = "%s" + debug_logging = false + engine_family = "MYSQL" + idle_client_timeout = 1800 + require_tls = true + role_arn = aws_iam_role.test.arn + vpc_security_group_ids = [] + vpc_subnet_ids = aws_subnet.test.*.id + + auth { + auth_scheme = "SECRETS" + description = "test" + iam_auth = "DISABLED" + secret_arn = aws_secretsmanager_secret.test.arn + } + + tags = { + Name = "%s" + } +} + +# Secrets Manager setup + +resource "aws_secretsmanager_secret" "test" { + name = "%s" +} + +resource "aws_secretsmanager_secret_version" "test" { + secret_id = aws_secretsmanager_secret.test.id + secret_string = "{\"username\":\"db_user\",\"password\":\"db_user_password\"}" +} + +# IAM setup + +resource "aws_iam_role" "test" { + name = "%s" + assume_role_policy = data.aws_iam_policy_document.assume.json +} + +data "aws_iam_policy_document" "assume" { + statement { + actions = ["sts:AssumeRole"] + principals { + type = "Service" + identifiers = ["rds.amazonaws.com"] + } + } +} + +resource "aws_iam_role_policy" "test" { + role = aws_iam_role.test.id + policy = data.aws_iam_policy_document.test.json +} + +data "aws_iam_policy_document" "test" { + statement { + actions = [ + "secretsmanager:GetRandomPassword", + "secretsmanager:CreateSecret", + "secretsmanager:ListSecrets", + ] + resources = ["*"] + } + + statement { + actions = ["secretsmanager:*"] + resources = [aws_secretsmanager_secret.test.arn] + } +} + +# VPC setup + +data "aws_availability_zones" "available" { + state = "available" + + filter { + name = "opt-in-status" + values = ["opt-in-not-required"] + } +} + +resource "aws_vpc" "test" { + cidr_block = "10.0.0.0/16" + + tags = { + Name = "%s" + } +} + +resource "aws_subnet" "test" { + count = 2 + cidr_block = cidrsubnet(aws_vpc.test.cidr_block, 8, count.index) + availability_zone = data.aws_availability_zones.available.names[count.index] + vpc_id = aws_vpc.test.id + + tags = { + Name = "%s-${count.index}" + } +} +`, n, n, n, n, n, n) +} From b118809f294470ca31b4bf3e1d9722237e4c5ed3 Mon Sep 17 00:00:00 2001 From: Gareth Oakley Date: Tue, 7 Apr 2020 22:05:03 +0100 Subject: [PATCH 4/6] resource/aws_db_proxy: Read UserAuthInfo back, handle updates --- aws/resource_aws_db_proxy.go | 65 ++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/aws/resource_aws_db_proxy.go b/aws/resource_aws_db_proxy.go index 959f62aba2d..e65234760dc 100644 --- a/aws/resource_aws_db_proxy.go +++ b/aws/resource_aws_db_proxy.go @@ -76,6 +76,7 @@ func resourceAwsDbProxy() *schema.Resource { "vpc_subnet_ids": { Type: schema.TypeSet, Required: true, + ForceNew: true, Elem: &schema.Schema{Type: schema.TypeString}, Set: schema.HashString, }, @@ -237,6 +238,26 @@ func expandDbProxyAuth(l []interface{}) []*rds.UserAuthConfig { return userAuthConfigs } +func flattenDbProxyAuth(userAuthConfig *rds.UserAuthConfigInfo) map[string]interface{} { + m := make(map[string]interface{}) + + m["auth_scheme"] = aws.StringValue(userAuthConfig.AuthScheme) + m["description"] = aws.StringValue(userAuthConfig.Description) + m["iam_auth"] = aws.StringValue(userAuthConfig.IAMAuth) + m["secret_arn"] = aws.StringValue(userAuthConfig.SecretArn) + m["username"] = aws.StringValue(userAuthConfig.UserName) + + return m +} + +func flattenDbProxyAuths(userAuthConfigs []*rds.UserAuthConfigInfo) *schema.Set { + s := []interface{}{} + for _, v := range userAuthConfigs { + s = append(s, flattenDbProxyAuth(v)) + } + return schema.NewSet(resourceAwsDbProxyAuthHash, s) +} + func resourceAwsDbProxyRead(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).rdsconn @@ -262,6 +283,7 @@ func resourceAwsDbProxyRead(d *schema.ResourceData, meta interface{}) error { dbProxy := resp.DBProxies[0] d.Set("arn", aws.StringValue(dbProxy.DBProxyArn)) + d.Set("auth", flattenDbProxyAuths(dbProxy.Auth)) d.Set("name", dbProxy.DBProxyName) d.Set("debug_logging", dbProxy.DebugLogging) d.Set("engine_family", dbProxy.EngineFamily) @@ -287,6 +309,49 @@ func resourceAwsDbProxyRead(d *schema.ResourceData, meta interface{}) error { func resourceAwsDbProxyUpdate(d *schema.ResourceData, meta interface{}) error { conn := meta.(*AWSClient).rdsconn + oName, nName := d.GetChange("name") + + params := rds.ModifyDBProxyInput{ + Auth: expandDbProxyAuth(d.Get("auth").(*schema.Set).List()), + DBProxyName: aws.String(oName.(string)), + NewDBProxyName: aws.String(nName.(string)), + RoleArn: aws.String(d.Get("role_arn").(string)), + } + + if v, ok := d.GetOk("debug_logging"); ok { + params.DebugLogging = aws.Bool(v.(bool)) + } + + if v, ok := d.GetOk("idle_client_timeout"); ok { + params.IdleClientTimeout = aws.Int64(int64(v.(int))) + } + + if v, ok := d.GetOk("require_tls"); ok { + params.RequireTLS = aws.Bool(v.(bool)) + } + + if v := d.Get("vpc_security_group_ids").(*schema.Set); v.Len() > 0 { + params.SecurityGroups = expandStringSet(v) + } + + log.Printf("[DEBUG] Update DB Proxy: %#v", params) + _, err := conn.ModifyDBProxy(¶ms) + if err != nil { + return fmt.Errorf("Error updating DB Proxy: %s", err) + } + + stateChangeConf := &resource.StateChangeConf{ + Pending: []string{rds.DBProxyStatusModifying}, + Target: []string{rds.DBProxyStatusAvailable}, + Refresh: resourceAwsDbProxyRefreshFunc(conn, d.Id()), + Timeout: d.Timeout(schema.TimeoutCreate), + } + + _, err = stateChangeConf.WaitForState() + if err != nil { + return fmt.Errorf("Error waiting for DB Proxy update: %s", err) + } + if d.HasChange("tags") { o, n := d.GetChange("tags") From b656527cac3502105b149ae0265d65ebd123375d Mon Sep 17 00:00:00 2001 From: Gareth Oakley Date: Tue, 7 Apr 2020 23:33:23 +0100 Subject: [PATCH 5/6] resource/aws_db_proxy: Fix attributes, fix deletion WaitForState --- aws/resource_aws_db_proxy.go | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/aws/resource_aws_db_proxy.go b/aws/resource_aws_db_proxy.go index e65234760dc..70b386970d3 100644 --- a/aws/resource_aws_db_proxy.go +++ b/aws/resource_aws_db_proxy.go @@ -131,7 +131,9 @@ func resourceAwsDbProxyCreate(d *schema.ResourceData, meta interface{}) error { params := rds.CreateDBProxyInput{ Auth: expandDbProxyAuth(d.Get("auth").(*schema.Set).List()), DBProxyName: aws.String(d.Get("name").(string)), + DebugLogging: aws.Bool(d.Get("debug_logging").(bool)), EngineFamily: aws.String(d.Get("engine_family").(string)), + RequireTLS: aws.Bool(d.Get("require_tls").(bool)), RoleArn: aws.String(d.Get("role_arn").(string)), Tags: tags, VpcSubnetIds: expandStringSet(d.Get("vpc_subnet_ids").(*schema.Set)), @@ -315,21 +317,15 @@ func resourceAwsDbProxyUpdate(d *schema.ResourceData, meta interface{}) error { Auth: expandDbProxyAuth(d.Get("auth").(*schema.Set).List()), DBProxyName: aws.String(oName.(string)), NewDBProxyName: aws.String(nName.(string)), + DebugLogging: aws.Bool(d.Get("debug_logging").(bool)), + RequireTLS: aws.Bool(d.Get("require_tls").(bool)), RoleArn: aws.String(d.Get("role_arn").(string)), } - if v, ok := d.GetOk("debug_logging"); ok { - params.DebugLogging = aws.Bool(v.(bool)) - } - if v, ok := d.GetOk("idle_client_timeout"); ok { params.IdleClientTimeout = aws.Int64(int64(v.(int))) } - if v, ok := d.GetOk("require_tls"); ok { - params.RequireTLS = aws.Bool(v.(bool)) - } - if v := d.Get("vpc_security_group_ids").(*schema.Set); v.Len() > 0 { params.SecurityGroups = expandStringSet(v) } @@ -376,6 +372,7 @@ func resourceAwsDbProxyDelete(d *schema.ResourceData, meta interface{}) error { stateChangeConf := &resource.StateChangeConf{ Pending: []string{rds.DBProxyStatusDeleting}, + Target: []string{""}, Refresh: resourceAwsDbProxyRefreshFunc(conn, d.Id()), Timeout: d.Timeout(schema.TimeoutDelete), } From 1c92e9bde4df84e4c81f7b024ca8fb1d1b4dd967 Mon Sep 17 00:00:00 2001 From: Gareth Oakley Date: Fri, 10 Apr 2020 18:12:12 +0100 Subject: [PATCH 6/6] resource/aws_db_proxy: Add support for Postgres, immediately remove secrets created by tests --- aws/resource_aws_db_proxy.go | 1 + aws/resource_aws_db_proxy_test.go | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/aws/resource_aws_db_proxy.go b/aws/resource_aws_db_proxy.go index 70b386970d3..4884a9a6ce0 100644 --- a/aws/resource_aws_db_proxy.go +++ b/aws/resource_aws_db_proxy.go @@ -51,6 +51,7 @@ func resourceAwsDbProxy() *schema.Resource { ForceNew: true, ValidateFunc: validation.StringInSlice([]string{ rds.EngineFamilyMysql, + "POSTGRESQL", }, false), }, "idle_client_timeout": { diff --git a/aws/resource_aws_db_proxy_test.go b/aws/resource_aws_db_proxy_test.go index a5396be5213..862a8275575 100644 --- a/aws/resource_aws_db_proxy_test.go +++ b/aws/resource_aws_db_proxy_test.go @@ -195,7 +195,8 @@ resource "aws_db_proxy" "test" { # Secrets Manager setup resource "aws_secretsmanager_secret" "test" { - name = "%s" + name = "%s" + recovery_window_in_days = 0 } resource "aws_secretsmanager_secret_version" "test" {