terraform-provider-postgresql
Feature Request: Support assume AWS role to get AWS RDS IAM credentials
Feature request:
We recently added the feature for RDS IAM https://github.com/cyrilgdn/terraform-provider-postgresql/pull/134 which is great :partying_face:
But this requires the AWS user or role loaded in the environment (or the profile passed as aws_rds_iam_profile) to have the capability to get the RDS credentials.
In our use case, we run this in conjunction with the AWS provider. We do not configure the AWS role running Terraform to get the RDS password, but instead, we have an intermediate role that can be assumed for that.
In order to support this use-case, the postgres provider should support assuming a role before generating the RDS password.
Terraform Version
n/a
Affected Resource(s)
All resources, this is provider auth
Expected Behavior
I propose this configuration:
provider "postgresql" {
  aws_rds_iam_auth        = true
  aws_rds_iam_assume_role = "arn:aws:iam::123456789:role/my_rds_instance_master_role"
}
On execution, the provider will:
- Assume the AWS role my_rds_instance_master_role
- Generate the AWS password
Alternatively, pass a list of roles:
provider "postgresql" {
  aws_rds_iam_auth = true
  aws_rds_iam_assume_role_arns = [
    "arn:aws:iam::123456789:role/account_admin",
    "arn:aws:iam::123456789:role/my_rds_instance_master_role"
  ]
}
On execution, the provider will:
- Assume the AWS roles in order, arn:aws:iam::123456789:role/account_admin, then my_rds_instance_master_role
- Generate the AWS password
This is really handy if you have an umbrella account/user and want to first assume some intermediate admin role, then the role that can connect to the RDS instance.
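The sequence requested above (assume each role in order, then generate the RDS password with the last role's credentials), written with the AWS CLI as an added example; it is not code from the provider or from the issue author. The function name `rds_token_via_roles`, its argument order and the session name are assumptions made for this sketch.

```bash
# Added illustration: role chaining followed by RDS IAM token generation.
# usage: rds_token_via_roles <host> <port> <db_user> <region> <role_arn>...
# Roles are assumed in the order given; the last one needs rds-db:connect.
rds_token_via_roles() (
  # The body runs in a subshell, so the temporary credentials exported
  # below never reach the caller's environment.
  host=$1 port=$2 db_user=$3 region=$4
  shift 4

  for role_arn in "$@"; do
    # Each hop is signed with the credentials from the previous hop
    # (the ambient credentials for the first role). Chained sessions
    # are capped at one hour by STS.
    creds=$(aws sts assume-role \
      --role-arn "$role_arn" \
      --role-session-name "terraform-postgresql" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text) || {
      echo "cannot assume $role_arn" >&2
      exit 1
    }
    # --output text prints the three values on one whitespace-separated line.
    read -r key secret token <<EOF
$creds
EOF
    if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
      echo "incomplete credentials returned for $role_arn" >&2
      exit 1
    fi
    export AWS_ACCESS_KEY_ID=$key AWS_SECRET_ACCESS_KEY=$secret AWS_SESSION_TOKEN=$token
  done

  # Signed locally with the final role's credentials. The token is the
  # PostgreSQL password and is valid for 15 minutes.
  aws rds generate-db-auth-token \
    --hostname "$host" --port "$port" --username "$db_user" --region "$region"
)
```

Because every hop is a separate `sts:AssumeRole` call, each role's trust policy must name the previous role in the chain, and each hop appears as its own CloudTrail event.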