cyrilgdn / terraform-provider-postgresql

Terraform PostgreSQL provider
https://www.terraform.io/docs/providers/postgresql/
Mozilla Public License 2.0
356 stars 182 forks

Add support for AWS IAM database authentication #328

Closed toadjaune closed 11 months ago

toadjaune commented 11 months ago

Terraform Version

Should affect all versions, but there you go:

Terraform v1.5.4
on linux_amd64

Affected Resource(s)

This issue affects the provider configuration itself, when connecting to AWS. You may therefore consider it affects all resources.

Terraform Configuration Files

The following configuration is a workaround leveraging the AWS CLI to achieve the expected goal.

resource "aws_db_instance" "app" {
  iam_database_authentication_enabled = true
  # configure the rest pretty much how you want
}

# Shells out to the AWS CLI to mint an IAM auth token (a presigned request, accepted by RDS for 15 minutes).
# The external data source expects a JSON object on stdout, hence the jq wrapper; the heredoc is
# flattened onto one line so it can be passed to "bash -c". The result is written to Terraform state.
data "external" "rds_auth_token" {
  program = [
    "bash", "-c", replace(
      <<-EOF
        aws rds generate-db-auth-token
          --hostname  ${aws_db_instance.app.address}
          --port      ${aws_db_instance.app.port}
          --region    ${replace(aws_db_instance.app.availability_zone, "/[[:lower:]]$/", "")}
          --username  <your_username>
          --profile   <awscli_profile_name>
        | jq --raw-input '{ password: . }'
      EOF
    , "\n", " ")
  ]
}

# Please note that for this provider to work, you need direct network access to the RDS instance
provider "postgresql" {
  scheme    = "awspostgres"
  host      = aws_db_instance.app.address
  port      = aws_db_instance.app.port
  sslmode   = "verify-full" # NB: the "awspostgres" scheme takes care of finding the CA by itself
  username  = "<your_username>"
  password  = data.external.rds_auth_token.result.password
  superuser = false
}

Here is a more complete example, with more context.

Debug Output

Not relevant

Panic Output

N/A

Expected Behavior

I would have hoped to be able to connect through AWS IAM database authentication natively, without resorting to the AWS CLI.

Actual Behavior

I had to find the workaround mentioned above.

Steps to Reproduce

  1. Create an RDS instance with iam_database_authentication_enabled = true
  2. Create a PostgreSQL role named <your_username> on it, with LOGIN, the rds_iam role, and no password.
  3. Use the above configuration to successfully connect
  4. Try to achieve the same without using the CLI and the external provider, and fail to do so.

Important Factoids

None

References

AWS docs on IAM database authentication
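The token that the aws rds generate-db-auth-token call in the workaround produces is a SigV4 query-string presigned GET for the rds-db "connect" action, with the https:// prefix stripped and a fixed 15-minute lifetime; no database password ever exists, RDS checks the signature against IAM on connect. The Go program below is an added example (not code from this issue or from the provider) that builds such a token with the standard library only, to show what the provider would need to produce to support this natively. The host, user and credentials are constructed placeholders, so the output cannot log in anywhere, and the IAM policy side (rds-db:connect on the dbuser resource) is not covered.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// Constructed placeholder credentials; they do not belong to any account.
const (
	exampleAccessKey = "AKIAEXAMPLEEXAMPLE00"
	exampleSecretKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
	exampleRegion    = "eu-west-1"
)

// The presigned request has no body, so the canonical request carries the
// SHA-256 of the empty string as its payload hash.
const emptyPayloadHash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

// RDS accepts a token for 15 minutes after its X-Amz-Date.
const tokenLifetime = 15 * time.Minute

func hmacSHA256(key []byte, data string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(data))
	return mac.Sum(nil)
}

func sha256Hex(data string) string {
	sum := sha256.Sum256([]byte(data))
	return hex.EncodeToString(sum[:])
}

// BuildAuthToken returns an RDS IAM auth token for dbUser on host:port: a SigV4
// query-string presigned GET of https://host:port/?Action=connect&DBUser=dbUser
// for the rds-db service, with the "https://" prefix removed. sessionToken is
// empty for long-lived keys and required for assumed-role (STS) credentials.
func BuildAuthToken(host string, port int, dbUser, region, accessKey, secretKey, sessionToken string, now time.Time) string {
	endpoint := fmt.Sprintf("%s:%d", host, port)
	amzDate := now.UTC().Format("20060102T150405Z")
	scope := amzDate[:8] + "/" + region + "/rds-db/aws4_request"

	q := url.Values{}
	q.Set("Action", "connect")
	q.Set("DBUser", dbUser)
	q.Set("X-Amz-Algorithm", "AWS4-HMAC-SHA256")
	q.Set("X-Amz-Credential", accessKey+"/"+scope)
	q.Set("X-Amz-Date", amzDate)
	q.Set("X-Amz-Expires", strconv.Itoa(int(tokenLifetime.Seconds())))
	q.Set("X-Amz-SignedHeaders", "host")
	if sessionToken != "" {
		q.Set("X-Amz-Security-Token", sessionToken)
	}
	// url.Values.Encode sorts by key and percent-encodes "/" as %2F, which is
	// what the SigV4 canonical query string requires (no spaces occur here).
	canonicalQuery := q.Encode()

	canonicalRequest := "GET\n/\n" + canonicalQuery + "\n" +
		"host:" + endpoint + "\n\n" + "host\n" + emptyPayloadHash
	stringToSign := "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + sha256Hex(canonicalRequest)

	// Signing key derivation: date -> region -> service -> "aws4_request".
	kDate := hmacSHA256([]byte("AWS4"+secretKey), amzDate[:8])
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, "rds-db")
	kSigning := hmacSHA256(kService, "aws4_request")
	signature := hex.EncodeToString(hmacSHA256(kSigning, stringToSign))

	return endpoint + "/?" + canonicalQuery + "&X-Amz-Signature=" + signature
}

// TokenValidUntil reports when RDS stops accepting the token, from its own
// X-Amz-Date and X-Amz-Expires fields. With the data.external workaround this
// is also how long the copy stored in Terraform state remains usable.
func TokenValidUntil(token string) (time.Time, error) {
	u, err := url.Parse("https://" + token)
	if err != nil {
		return time.Time{}, err
	}
	q := u.Query()
	issued, err := time.Parse("20060102T150405Z", q.Get("X-Amz-Date"))
	if err != nil {
		return time.Time{}, err
	}
	expires, err := strconv.Atoi(q.Get("X-Amz-Expires"))
	if err != nil {
		return time.Time{}, errors.New("token has no usable X-Amz-Expires")
	}
	return issued.Add(time.Duration(expires) * time.Second), nil
}

func main() {
	now := time.Now()
	token := BuildAuthToken("app.cluster-id.eu-west-1.rds.amazonaws.com", 5432, "app_user",
		exampleRegion, exampleAccessKey, exampleSecretKey, "", now)
	until, _ := TokenValidUntil(token)
	fmt.Println("token:", token)
	fmt.Println("usable until:", until.Format(time.RFC3339))
}
```

In a real provider one would call the SDK's auth.BuildAuthToken from github.com/aws/aws-sdk-go-v2/feature/rds/auth rather than hand-rolling SigV4; the point of the stand-alone version is to make visible that the "password" is a signed, user-bound, time-limited request and nothing more, which is why a copy of it in state is far less damaging than a static password would be, and why a plan that runs more than 15 minutes after the token was minted fails to connect.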

toadjaune commented 11 months ago

Also, I'm wondering if maybe it would be more relevant to implement this directly in gocloud?

toadjaune commented 11 months ago

This approach could work too, maybe that's the cleanest one: https://github.com/hashicorp/terraform-provider-aws/issues/28762

toadjaune commented 11 months ago

I just realized that this feature was already supported, with the following configuration options:

I have no idea how I missed them when first searching through this documentation.

Sorry about that, and thanks again for the great work!