[Enhancement]: aws_rds_cluster doesn't expose publicly_accessible

[colemickens]

Description

AWS makes it confusing enough to understand clusters and their public accessibility.

1. If you don't specify it via the API, it is implicitly determined based on if the VPC has a IG.
2. The docs say NOTHING about changing the public accessibility of cluster endpoints after creation.
3. The dashboard just... doesn't show the same option for public access after creation

So:

• I have no idea if a cluster can retro-actively be made publicly-accessible. It seems like quite an odd limitaiton if not.
• I can't... try it and see, because the AWS Terraform module doesn't expose this option for the cluster, only for cluster instances.

Ask:

• Someone to check my understanding - why does AWS make this so opaque and hard to change after creation?
• Please support publicly_available for the cluster, so I can set/change it as needed.

Affected Resource(s) and/or Data Source(s)

• aws_rds_cluster

Potential Terraform Configuration

No response

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[colemickens]

To further elaborate on my confusion, ModifyClusterRequest doesn't let you change PubliclyAvailable, yet I can make the individual under-lying instances public still?

[colemickens]

Actually, much more concerningly, this seems to mean there's no way to preclude public access if you happen to be creating the RDS cluster attached to a VPC that happens to have an IG enabled...

[colemickens]

Oh, the cluster endpoint appears to CNAME to the instance anyway. Why oh why can't AWS just document things like this?

[dreid]

• If you don't specify it via the API, it is implicitly determined based on if the VPC has a IG.

I do not believe the AWS docs are correct here, (if they are then the configuration is more nuanced than the AWS docs say) afaict it is only possible to get a publicly accessible multi-az rds cluster by specifying PubliclyAccessible at create time.

I can confirm that it does not appear to be possible to specify this at modify time, and at least when you have a Multi-AZ/non-aurora cluster it is not possible to directly modify the db instances.