cyrilgdn / terraform-provider-postgresql

Terraform PostgreSQL provider
https://www.terraform.io/docs/providers/postgresql/
Mozilla Public License 2.0
359 stars 182 forks

Feature Request: Support assume AWS role to get AWS RDS IAM credentials #263

Open keymon opened 1 year ago

keymon commented 1 year ago

Feature request:

We recently added the feature for RDS IAM (https://github.com/cyrilgdn/terraform-provider-postgresql/pull/134), which is great :partying_face:

But this requires the AWS user or role loaded in the environment (or the profile passed as aws_rds_iam_profile) to have the capability to get the RDS credentials.

In our use case, we run this in conjunction with the AWS provider. We do not configure the AWS role running terraform to get the RDS password, but instead, we have an intermediate role that can be assumed for that.

In order to support this use case, the postgres provider should support assuming a role before generating the RDS password.

Terraform Version

n/a

Affected Resource(s)

All resources, this is provider auth

Expected Behavior

I propose this configuration:

provider "postgresql" {
  aws_rds_iam_auth        = true
  aws_rds_iam_assume_role = "arn:aws:iam::123456789:role/my_rds_instance_master_role"
}

On execution, the provider will:

  1. Assume the AWS role my_rds_instance_master_role
  2. Generate the AWS password

Alternatively, pass a list of roles:

provider "postgresql" {
  aws_rds_iam_auth             = true
  aws_rds_iam_assume_role_arns = [
    "arn:aws:iam::123456789:role/account_admin",
    "arn:aws:iam::123456789:role/my_rds_instance_master_role"
  ]
}

On execution, the provider will:

  1. Assume the AWS roles in order: arn:aws:iam::123456789:role/account_admin, then my_rds_instance_master_role
  2. Generate the AWS password

This is really handy if you have an umbrella account/user and want to first assume some intermediate admin role, then the role that can connect to the RDS instance.
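The two-step procedure proposed in this issue (assume the listed roles in order, each hop with the credentials of the previous one, then generate the RDS IAM auth token as the password), as an added Go example that is not part of the provider and not code from the issue author. STS is replaced by an in-memory fake (constructed here, with a trust map standing in for each role's trust policy) so it runs offline; the token builder implements the standard SigV4 presigning that the real rds-db:connect token uses. The role ARNs are the ones from the issue; the endpoint, region, DB user and all credential values are made up.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Role ARNs taken from the issue; the account ID is the issue's placeholder.
const (
	adminRole = "arn:aws:iam::123456789:role/account_admin"
	rdsRole   = "arn:aws:iam::123456789:role/my_rds_instance_master_role"
)

// Credentials is the subset of an sts:AssumeRole response the token needs.
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
}

// RoleAssumer abstracts sts:AssumeRole so the chain can be exercised without AWS.
// A real provider would implement it with the AWS SDK's STS client.
type RoleAssumer interface {
	AssumeRole(caller Credentials, roleARN string) (Credentials, error)
}

// AssumeRoleChain walks roleARNs in order; every hop is made with the credentials
// returned by the previous hop, which is what aws_rds_iam_assume_role_arns describes.
func AssumeRoleChain(sts RoleAssumer, base Credentials, roleARNs []string) (Credentials, error) {
	cur := base
	for _, arn := range roleARNs {
		if !strings.Contains(arn, ":iam::") || !strings.Contains(arn, ":role/") {
			return Credentials{}, fmt.Errorf("not an IAM role ARN: %q", arn)
		}
		next, err := sts.AssumeRole(cur, arn)
		if err != nil {
			return Credentials{}, fmt.Errorf("assume %s: %w", arn, err)
		}
		cur = next
	}
	return cur, nil
}

// fakeSTS is a constructed stand-in for STS: trust maps a role ARN to the one
// access key ID its (pretend) trust policy allows to assume it.
type fakeSTS struct {
	trust map[string]string
	log   []string // roles assumed, in order
}

func fakeKeyID(roleName string) string { return "ASIA" + strings.ToUpper(roleName) }

func newFakeSTS() *fakeSTS {
	return &fakeSTS{trust: map[string]string{
		adminRole: "AKIABASE",                   // the long-lived base identity may assume account_admin
		rdsRole:   fakeKeyID("account_admin"), // only account_admin may assume the RDS master role
	}}
}

func (f *fakeSTS) AssumeRole(caller Credentials, roleARN string) (Credentials, error) {
	if f.trust[roleARN] != caller.AccessKeyID {
		return Credentials{}, errors.New("AccessDenied: caller is not trusted by the role")
	}
	f.log = append(f.log, roleARN)
	name := roleARN[strings.LastIndex(roleARN, "/")+1:]
	return Credentials{ // constructed values; real session tokens contain '/', '+' and '='
		AccessKeyID: fakeKeyID(name), SecretAccessKey: "secret-for-" + name, SessionToken: "tok/en+" + name + "==",
	}, nil
}

func hmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// BuildAuthToken is the "generate the password" step: an RDS IAM auth token is a
// SigV4-presigned GET https://<endpoint>/?Action=connect&DBUser=<user> for service
// rds-db, valid for 15 minutes, handed out without the scheme. endpoint is host:port.
func BuildAuthToken(endpoint, region, dbUser string, creds Credentials, now time.Time) string {
	amzDate := now.UTC().Format("20060102T150405Z")
	scope := amzDate[:8] + "/" + region + "/rds-db/aws4_request"

	q := url.Values{}
	q.Set("Action", "connect")
	q.Set("DBUser", dbUser)
	q.Set("X-Amz-Algorithm", "AWS4-HMAC-SHA256")
	q.Set("X-Amz-Credential", creds.AccessKeyID+"/"+scope)
	q.Set("X-Amz-Date", amzDate)
	q.Set("X-Amz-Expires", "900")
	q.Set("X-Amz-SignedHeaders", "host")
	if creds.SessionToken != "" { // temporary credentials from AssumeRole always carry one; it is signed too
		q.Set("X-Amz-Security-Token", creds.SessionToken)
	}
	// Encode sorts keys and percent-encodes as SigV4 requires, except spaces become '+' (SigV4 wants %20).
	canonicalQuery := strings.ReplaceAll(q.Encode(), "+", "%20")

	canonicalRequest := strings.Join([]string{
		"GET", "/", canonicalQuery,
		"host:" + endpoint, "", // canonical headers, then the terminating blank line
		"host",        // signed headers
		sha256Hex(""), // hash of the empty body
	}, "\n")
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)}, "\n")

	kDate := hmacSHA256([]byte("AWS4"+creds.SecretAccessKey), amzDate[:8])
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, "rds-db")
	kSigning := hmacSHA256(kService, "aws4_request")
	signature := hex.EncodeToString(hmacSHA256(kSigning, stringToSign))

	return endpoint + "/?" + canonicalQuery + "&X-Amz-Signature=" + signature
}

func main() {
	sts := newFakeSTS()
	base := Credentials{AccessKeyID: "AKIABASE", SecretAccessKey: "base-secret"} // constructed base identity
	creds, err := AssumeRoleChain(sts, base, []string{adminRole, rdsRole})
	if err != nil {
		panic(err)
	}
	fmt.Println("hops:", sts.log)
	fmt.Println("PGPASSWORD=" + BuildAuthToken("db.example.internal:5432", "us-east-1", "app", creds, time.Now()))
}
```

The token is only accepted over TLS and only for the DBUser it was signed for, so the provider would pass it as the password together with sslmode=require or stricter. Listing the roles in the wrong order fails at the first hop, because the base identity is not in the RDS role's trust policy; that is exactly the case the list form of the option is meant to handle.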