hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Add support for "Babelfish" to aws_rds_cluster for Aurora PostgreSQL clusters #23408

Open gclough opened 2 years ago

gclough commented 2 years ago

Description

For Aurora PostgreSQL clusters, there is a new "Babelfish" option to allow them to emulate a SQL Server database. It would be nice if we could deploy them using Terraform aws_rds_cluster, as presently this can only be done via the console:

New or Affected Resource(s)

Potential Terraform Configuration

babelfish = true    (default to false)

References

marco-carvalho commented 2 years ago

any news?

egnwd commented 2 years ago

I was recently looking at this, and I'm not sure I found a good approach, but I used the following as a sort of workaround. You can go a little further and have a flag var.babelfish to conditionally create the ingress rules and the parameter using a dynamic block; however, for the sake of simplicity I've omitted that from the example below. I use this with the "terraform-aws-modules/rds-aurora/aws" module and pass in the vpc_security_group_ids and the db_cluster_parameter_group_name, but I think it should be easy enough to integrate with the vanilla resources.

Might be worth still having some support in the provider, but perhaps this example will help people in the meantime (and please if you have any feedback on simplifying the below, I'd welcome it)

```hcl
locals {
  # The security-group module expects cidr_blocks as a single comma-separated
  # string, hence the join(). The same list is used for the guard and the join
  # (the original mixed var.private_subnets_cidr_blocks and var.cidr_blocks).
  babelfish_cidr_ingress_rules = length(var.private_subnets_cidr_blocks) > 0 ? [{
    rule        = "mssql-tcp" # TDS listener, TCP 1433
    cidr_blocks = join(",", var.private_subnets_cidr_blocks)
  }] : []

  postgres_cidr_ingress_rules = length(var.private_subnets_cidr_blocks) > 0 ? [{
    rule        = "postgresql-tcp" # TCP 5432
    cidr_blocks = join(",", var.private_subnets_cidr_blocks)
  }] : []

  cidr_ingress_rules = concat(local.postgres_cidr_ingress_rules, local.babelfish_cidr_ingress_rules)

  # One TDS and one PostgreSQL rule per allowed source security group.
  babelfish_sg_ingress_rules = [for sg in var.allowed_security_groups : {
    rule                     = "mssql-tcp"
    source_security_group_id = sg
  }]

  postgres_sg_ingress_rules = [for sg in var.allowed_security_groups : {
    rule                     = "postgresql-tcp"
    source_security_group_id = sg
  }]

  sg_ingress_rules = concat(local.postgres_sg_ingress_rules, local.babelfish_sg_ingress_rules)
}

resource "aws_rds_cluster_parameter_group" "postgres14_cluster_parameter_group" {
  name        = "example-aurora-postgres14-cluster-parameter-group"
  family      = "aurora-postgresql14"
  description = "example-aurora-postgres14-cluster-parameter-group"

  # rds.babelfish_status is a static parameter: the change only takes effect
  # after the cluster is rebooted.
  parameter {
    name         = "rds.babelfish_status"
    value        = "on"
    apply_method = "pending-reboot"
  }
}

module "allow_db_access" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 4.13.0"

  name                                           = "example-access"
  vpc_id                                         = var.vpc_id
  computed_ingress_with_cidr_blocks              = local.cidr_ingress_rules
  computed_ingress_with_source_security_group_id = local.sg_ingress_rules

  # The module cannot compute the count of "computed" rules at plan time,
  # so the number of rules has to be passed explicitly.
  number_of_computed_ingress_with_cidr_blocks              = length(local.cidr_ingress_rules)
  number_of_computed_ingress_with_source_security_group_id = length(local.sg_ingress_rules)
}
```

gclough commented 2 years ago

From what we've now seen, you just need to set a couple of cluster parameters:

  "rds.babelfish_status"            = ["on", "pending-reboot"]
  "babelfishpg_tds.tds_ssl_encrypt" = ["1", "immediate"]

We can successfully turn this on/off/on by toggling these, so I don't believe this is actually required. I'll leave it open for another week, just in case someone finds a problem with that solution.
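The parameter-only approach described above, written out as a complete configuration. This is an added example, not code from the issue or from the provider: it combines the two cluster parameters with the security-group rules and cluster resources needed to actually reach the Babelfish (TDS) listener. All resource names, variable names, the engine version and the instance class are assumptions; the TDS port 1433 is the Aurora default for babelfishpg_tds.port.

```hcl
# Added example (not from the issue thread or the provider): Aurora PostgreSQL
# cluster with Babelfish enabled through cluster parameters only.
# Variable names, resource names, engine version and instance class are assumptions.

variable "vpc_id" {
  type = string
}

variable "db_subnet_group_name" {
  type = string
}

variable "allowed_cidr_blocks" {
  description = "Client CIDRs allowed to reach the PostgreSQL and TDS listeners"
  type        = list(string)
}

variable "master_password" {
  type      = string
  sensitive = true
}

resource "aws_rds_cluster_parameter_group" "babelfish" {
  name        = "example-aurora-postgres14-babelfish"
  family      = "aurora-postgresql14"
  description = "Aurora PostgreSQL 14 with Babelfish enabled"

  # Static parameter: Babelfish is only switched on after the cluster reboots.
  parameter {
    name         = "rds.babelfish_status"
    value        = "on"
    apply_method = "pending-reboot"
  }

  # Dynamic parameter: reject unencrypted TDS sessions so SQL Server clients
  # cannot send credentials over the wire in the clear.
  parameter {
    name         = "babelfishpg_tds.tds_ssl_encrypt"
    value        = "1"
    apply_method = "immediate"
  }
}

resource "aws_security_group" "db" {
  name   = "example-aurora-babelfish"
  vpc_id = var.vpc_id

  # PostgreSQL listener
  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidr_blocks
  }

  # Babelfish TDS listener (default babelfishpg_tds.port is 1433). Both rules
  # are restricted to the same client CIDRs; never open 1433 to 0.0.0.0/0.
  ingress {
    from_port   = 1433
    to_port     = 1433
    protocol    = "tcp"
    cidr_blocks = var.allowed_cidr_blocks
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_rds_cluster" "this" {
  cluster_identifier              = "example-babelfish"
  engine                          = "aurora-postgresql"
  engine_version                  = "14.6" # assumption; Babelfish needs Aurora PostgreSQL 13.4+
  master_username                 = "postgres"
  master_password                 = var.master_password
  db_subnet_group_name            = var.db_subnet_group_name
  vpc_security_group_ids          = [aws_security_group.db.id]
  db_cluster_parameter_group_name = aws_rds_cluster_parameter_group.babelfish.name
  storage_encrypted               = true
  skip_final_snapshot             = true
}

resource "aws_rds_cluster_instance" "writer" {
  identifier         = "example-babelfish-1"
  cluster_identifier = aws_rds_cluster.this.id
  instance_class     = "db.r6g.large" # assumption
  engine             = aws_rds_cluster.this.engine
  engine_version     = aws_rds_cluster.this.engine_version
}
```

Because rds.babelfish_status is applied pending-reboot, the cluster must be rebooted after the parameter group is attached before the TDS listener appears; `aws rds describe-db-cluster-parameters --db-cluster-parameter-group-name example-aurora-postgres14-babelfish` shows whether the value has been applied. With tds_ssl_encrypt set to 1, a client that does not request encryption (for example sqlcmd without -N) is refused, which is the behaviour you want before exposing port 1433 to anything beyond the application subnets.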

rfink commented 2 years ago

> From what we've now seen, you just need to set a couple of cluster parameters:
>
>   "rds.babelfish_status"            = ["on", "pending-reboot"]
>   "babelfishpg_tds.tds_ssl_encrypt" = ["1", "immediate"]
>
> We can successfully turn this on/off/on by toggling these, so I don't believe this is actually required. I'll leave it open for another week, just in case someone finds a problem with that solution.

This seems to have worked for us.

github-actions[bot] commented 2 weeks ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!