hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: POSTGRES_MD5 not a valid authentication type for aws_rds_proxy #37772

Open sabaimran opened 5 months ago

sabaimran commented 5 months ago

Terraform Core Version

1.5.2

AWS Provider Version

5.42.0

Affected Resource(s)

When using the aws_db_proxy resource (link to documentation), I get this error when trying to use POSTGRES_MD5 as the authentication type.

Expected Behavior

Expect to be able to use POSTGRES_MD5, as described in the documentation.

Actual Behavior

I get this error:

When expanding the plan for aws_db_proxy.test_db_proxy to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .auth: planned set element cty.ObjectVal(map[string]cty.Value{"auth_scheme":cty.StringVal("SECRETS"), "client_password_auth_type":cty.StringVal("POSTGRES_MD5"), "description":cty.StringVal("test-db-proxy-auth"), "iam_auth":cty.StringVal("DISABLED"), "secret_arn":cty.UnknownVal(cty.String), "username":cty.StringVal("")}) does not correlate with any element in actual. This is a bug in the provider, which should be reported in the provider's own issue tracker.

Relevant Error/Panic Output Snippet

> When expanding the plan for aws_db_proxy.test_db_proxy to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .auth: planned set element cty.ObjectVal(map[string]cty.Value{"auth_scheme":cty.StringVal("SECRETS"), "client_password_auth_type":cty.StringVal("POSTGRES_MD5"), "description":cty.StringVal("test-db-proxy-auth"), "iam_auth":cty.StringVal("DISABLED"), "secret_arn":cty.UnknownVal(cty.String), "username":cty.StringVal("")}) does not correlate with any element in actual.
>
> This is a bug in the provider, which should be reported in the provider's own issue tracker.

Terraform Configuration Files

With a DB as test_db,

```hcl
resource "aws_db_proxy" "test_db_proxy" {
    name                   = "test-db-proxy"
    debug_logging          = false
    engine_family          = "POSTGRESQL"
    idle_client_timeout    = 1800
    require_tls            = true
    role_arn               = aws_iam_role.test_db_proxy_role.arn
    vpc_security_group_ids = [aws_security_group.rds.id, aws_security_group.ecs_security_group.id, "sg-096d47e911af57bf2"]
    vpc_subnet_ids         = [
        aws_subnet.subnet.id,
        aws_subnet.subnet_1.id,
        aws_subnet.subnet_2.id,
    ]

    auth {
        auth_scheme = "SECRETS"
        description = "test-db-proxy-auth"
        iam_auth    = "DISABLED"

        secret_arn                = aws_secretsmanager_secret_version.test_db_secret.arn
        client_password_auth_type = "POSTGRES_MD5"
    }

    tags = {
        Name        = "test-db-proxy"
        Environment = "production"
    }
}

resource "aws_db_proxy_default_target_group" "test_db_proxy_default_target_group" {
    db_proxy_name = aws_db_proxy.test_db_proxy.name

    connection_pool_config {
        connection_borrow_timeout    = 120
        init_query                   = "SET x=1, y=2"
        max_connections_percent      = 100
        max_idle_connections_percent = 50
        session_pinning_filters      = ["EXCLUDE_VARIABLE_SETS"]
    }
}

resource "aws_db_proxy_target" "test_db_proxy_target" {
    db_instance_identifier = data.aws_db_instance.test_db.id
    db_proxy_name          = aws_db_proxy.test_db_proxy.name
    target_group_name      = aws_db_proxy_default_target_group.test_db_proxy_default_target_group.name
}

resource "aws_secretsmanager_secret" "test_db_secret" {
    name = "test_db_secret"
}

resource "aws_secretsmanager_secret_version" "test_db_secret" {
    secret_id     = aws_secretsmanager_secret.test_db_secret.id
    secret_string = jsonencode({
        password = "hellopassword"
        username = "postgres"
    })
}
```

Steps to Reproduce

Use a Postgres 11+ DB with name test_db and apply the terraform above.

Debug Output

n/a

Panic Output

n/a

Important Factoids

n/a

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy#client_password_auth_type

Would you like to implement a fix?

No

trevorrea commented 1 month ago

Probably a stupid suggestion but have you tried:-

```hcl
resource "aws_secretsmanager_secret_version" "test_db_secret" {
    secret_id     = aws_secretsmanager_secret.test_db_secret.id
    secret_string = jsonencode({
        username = "postgres"
        password = "hellopassword"
    })
}
```