hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Allow multiple secrets for RDS Proxy #17713

Open ghost opened 3 years ago

ghost commented 3 years ago

This issue was originally opened by @cisnerosk as hashicorp/terraform#27833. It was migrated here as a result of the provider split. The original body of the issue is below.

Current Terraform Version

0.13.3

I did take a quick look at the Changelog for newer versions, and I didn't see where this is implemented in newer versions yet.

Use-cases

In the console you can add many secrets to the RDS proxy. Additionally the AWS CDK supports this, while trying to do this with Terraform it fails. It seems as though auth.secrets_arn can't take an array of values.

Attempted Solutions

N/A

Proposal

I'm not sure of how to fix this, although I suspect this block needs to be changed to support sets of hashes. I'm not familiar with Go, so this may be the wrong starting point.

References

https://github.com/aws/aws-cdk/issues/9098

trevorrea commented 3 years ago

@cisnerosk - you can define multiple auth blocks like below; although it's not immediately obvious from the docs that you can do this, it works.

  auth {
    auth_scheme = "SECRETS"
    description = "1"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.rds_proxy["1"].arn
  }
  auth {
    auth_scheme = "SECRETS"
    description = "2"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.rds_proxy["2"].arn
  }
  auth {
    auth_scheme = "SECRETS"
    description = "3"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.rds_proxy["3"].arn
  }

msusta commented 2 years ago

Just passing through - this definitely works so this issue should be closed.

karthik-twilio commented 1 year ago

Same issue. I want to have a wildcard and get all ARNs applied for that db_proxy. Then I need secret_arn to support a list:

secret_arn = data.aws_secretsmanager_secret_version.this[*].arn

The above solution might not work, because we can't predict the number of secrets attached.
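The two comments above (the repeated static auth blocks, and the wish to attach a variable number of secrets without predicting the count) can both be served by a dynamic block. The following is an added example, not code from the issue or from the provider's own documentation. It assumes a `var.rds_secret_arns` input plus `aws_subnet.private` and `aws_security_group.proxy` resources defined elsewhere; all names are hypothetical. It reads only secret metadata (the `aws_secretsmanager_secret` data source) rather than `aws_secretsmanager_secret_version`, which would also pull the plaintext credential into Terraform state, and it scopes the proxy role's `secretsmanager:GetSecretValue` permission to exactly the secrets the proxy fronts.

```hcl
# Added example: fan a variable number of Secrets Manager secrets into
# aws_db_proxy auth blocks. Assumptions (not from the issue): var.rds_secret_arns,
# aws_subnet.private and aws_security_group.proxy exist; names are hypothetical.

variable "rds_secret_arns" {
  description = "ARNs of the Secrets Manager secrets holding DB credentials (one per DB user)"
  type        = set(string)
}

# Metadata only (ARN, name); aws_secretsmanager_secret_version would also
# store the secret value itself in Terraform state, which the proxy does not need.
data "aws_secretsmanager_secret" "db" {
  for_each = var.rds_secret_arns
  arn      = each.value
}

# Role the RDS Proxy service assumes to fetch credentials.
resource "aws_iam_role" "proxy" {
  name = "rds-proxy-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "rds.amazonaws.com" }
    }]
  })
}

# Least privilege: the proxy may read only the secrets listed above, not "*".
resource "aws_iam_role_policy" "proxy_secrets" {
  name = "rds-proxy-read-secrets"
  role = aws_iam_role.proxy.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["secretsmanager:GetSecretValue"]
      Resource = [for s in data.aws_secretsmanager_secret.db : s.arn]
    }]
  })
}

resource "aws_db_proxy" "this" {
  name                   = "app-db-proxy"
  engine_family          = "POSTGRESQL"
  role_arn               = aws_iam_role.proxy.arn
  require_tls            = true
  vpc_subnet_ids         = [for s in aws_subnet.private : s.id]
  vpc_security_group_ids = [aws_security_group.proxy.id]

  # One auth block per secret, however many secrets the set contains.
  dynamic "auth" {
    for_each = data.aws_secretsmanager_secret.db
    content {
      auth_scheme = "SECRETS"
      description = "Credentials from ${auth.value.name}"
      iam_auth    = "REQUIRED"
      secret_arn  = auth.value.arn
    }
  }
}
```

Adding or removing an ARN from `var.rds_secret_arns` adds or removes one auth block and one policy resource entry on the next apply, so nothing has to be predicted in advance. If the secrets are encrypted with a customer-managed KMS key, the proxy role additionally needs `kms:Decrypt` on that key; `require_tls = true` and `iam_auth = "REQUIRED"` keep client connections to the proxy encrypted and authenticated with IAM rather than a shared database password.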