hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0
9.77k stars 9.12k forks

[New Data Source]: RDS DB Auth Token #28762

Open n1ngu opened 1 year ago

n1ngu commented 1 year ago

Description

It would be awesome if the provider offered a datasource matching the https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/generate-db-auth-token.html utility.

Once the feature is enabled in a DB instance with https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#iam_database_authentication_enabled, this new datasource would ease the task of using ephemeral passwords inside terraform.

Right now I need the python aws-cli and an external datasource instead of using the Go AWS SDK built into this very provider.

data "external" "rds_auth_token" {
  program = [
    "sh",
    "-c",
    "echo {\\\"password\\\": \\\"$(aws rds generate-db-auth-token --hostname ${each.value.hostname} --port ${each.value.port} --username ${each.value.username} )\\\"}",
  ]
  for_each = {
    production = {
      hostname = "asdf.jkl.region.rds.amazonaws.com"
      port     = 5432
      username = "terraform"
    }
  }
}

provider "postgresql" {
  host               = "localhost"
  port               = 5555
  database           = "postgres"
  username           = "terraform"
  password           = data.external.rds_auth_token["production"].result.password
  sslmode            = "require"
  superuser          = false
  aws_rds_iam_auth   = false
}

My main goal would be using the cyrilgdn/postgresql provider across bastion hosts, as its aws_rds_iam_auth = false is useless with such setup. But this could have utility beyond my use-case, e.g. to grant RDS access to edge computers without AWS credentials (mostly for provisioners as these passwords are very ephemeral).

Requested Resource(s) and/or Data Source(s)

aws_rds_iam_auth_token

Potential Terraform Configuration

data "aws_rds_iam_auth_token" "production" {
  hostname = "foo.bar.region.rds.amazonaws.com"
  port     = 5432
  username = "username"
}

provider "postgresql" {
  host               = "localhost"
  port               = 5555
  database           = "postgres"
  username           = "username"
  password           = data.aws_rds_iam_auth_token.production.token
  aws_rds_iam_auth   = false
}

References

Would you like to implement a fix?

No
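
What the requested data source would have to compute, as an added example that is not part of this issue, the provider, or the aws-sdk-go-v2 helper it would wrap: an RDS IAM auth token is a SigV4 presigned `GET` for the `rds-db` service's `connect` action (`Action=connect&DBUser=...`) with the `https://` scheme stripped, valid for 15 minutes. The code below builds that token with only the Go standard library, takes the signing time as a parameter so the output is reproducible, and adds a `TokenValidUntil` helper that reads the expiry back out of a token, which is the check a caller should make before reusing a token produced earlier in the same plan. The endpoint and username are taken from the workaround config above; the region `us-east-1` and the `AKIAEXAMPLE` / `EXAMPLE-SECRET` credentials are constructed placeholders, not values from the issue.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Credentials is the static triple a token is signed with; SessionToken is
// empty for long-lived IAM user keys and set for assumed-role credentials.
type Credentials struct {
	AccessKeyID, SecretAccessKey, SessionToken string
}

// tokenTTL is the fixed lifetime AWS gives RDS IAM auth tokens (15 minutes).
const tokenTTL = 15 * time.Minute

// sha256Hex returns the lowercase hex SHA-256 digest of s.
func sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// hmacSHA256 is one link of the SigV4 key-derivation chain.
func hmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

// awsEscape percent-encodes everything except RFC 3986 unreserved characters,
// the strict form SigV4 requires in the canonical query string ("/" -> %2F).
func awsEscape(s string) string {
	return strings.ReplaceAll(url.QueryEscape(s), "+", "%20")
}

// BuildAuthToken computes an RDS IAM auth token for endpoint ("host:port"),
// region and dbUser, signed with creds at time now. The token is a SigV4
// presigned GET for the rds-db "connect" action with the "https://" scheme
// stripped, which is the string `aws rds generate-db-auth-token` prints.
func BuildAuthToken(endpoint, region, dbUser string, creds Credentials, now time.Time) string {
	now = now.UTC()
	amzDate := now.Format("20060102T150405Z")
	scope := now.Format("20060102") + "/" + region + "/rds-db/aws4_request"
	params := map[string]string{
		"Action":              "connect",
		"DBUser":              dbUser,
		"X-Amz-Algorithm":     "AWS4-HMAC-SHA256",
		"X-Amz-Credential":    creds.AccessKeyID + "/" + scope,
		"X-Amz-Date":          amzDate,
		"X-Amz-Expires":       strconv.Itoa(int(tokenTTL.Seconds())),
		"X-Amz-SignedHeaders": "host",
	}
	if creds.SessionToken != "" {
		params["X-Amz-Security-Token"] = creds.SessionToken
	}
	// Canonical query string: parameters sorted by key, strictly encoded.
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	pairs := make([]string, 0, len(keys))
	for _, k := range keys {
		pairs = append(pairs, awsEscape(k)+"="+awsEscape(params[k]))
	}
	canonicalQuery := strings.Join(pairs, "&")
	// Canonical request: method, path, query, canonical headers, signed header
	// names, payload hash. A presigned GET has no body, so the hash is SHA-256("").
	canonicalRequest := strings.Join([]string{
		"GET", "/", canonicalQuery, "host:" + endpoint, "", "host", sha256Hex(""),
	}, "\n")
	stringToSign := strings.Join([]string{
		"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest),
	}, "\n")
	// Signing key: HMAC chain over date, region, service and the terminator.
	kDate := hmacSHA256([]byte("AWS4"+creds.SecretAccessKey), now.Format("20060102"))
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, "rds-db")
	kSigning := hmacSHA256(kService, "aws4_request")
	signature := hex.EncodeToString(hmacSHA256(kSigning, stringToSign))
	return endpoint + "/?" + canonicalQuery + "&X-Amz-Signature=" + signature
}

// TokenValidUntil reads X-Amz-Date and X-Amz-Expires back out of a token so a
// caller can refuse to reuse one that has already expired.
func TokenValidUntil(token string) (time.Time, error) {
	u, err := url.Parse("https://" + token)
	if err != nil {
		return time.Time{}, err
	}
	q := u.Query()
	issued, errDate := time.Parse("20060102T150405Z", q.Get("X-Amz-Date"))
	secs, errExp := strconv.Atoi(q.Get("X-Amz-Expires"))
	if errDate != nil || errExp != nil {
		return time.Time{}, fmt.Errorf("malformed token: X-Amz-Date or X-Amz-Expires missing")
	}
	return issued.Add(time.Duration(secs) * time.Second), nil
}
```

Calling `BuildAuthToken("asdf.jkl.region.rds.amazonaws.com:5432", "us-east-1", "terraform", creds, time.Now())` returns the same kind of string the `aws rds generate-db-auth-token` workaround echoes into the `external` data source; because the signature covers `X-Amz-Date`, every Terraform run yields a different token and any copy of it is worthless 15 minutes later, which is what makes it safe to pass through a provider's `password` argument.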

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

bobdoah commented 1 year ago

I'm interested in working on this as my first contribution.