terraformでRDS PROXYの設定

ホーム
BLOG
技術ブログ
terraformでRDS PROXYの設定

技術ブログ
2021.11.18

terraformでRDS PROXYの設定を実施してみます。

特にLambdaからRDSに接続する場合などRDS PROXYは必須となるので設定を実施してみます。

今回はEC2環境からの接続で確認してみてとなります。

まずは前回設定した「terraformでVPC+EC2+RDS（aurora-mysql）の設定」までを前提としています。

2021.11.18

terraformでRDS PROXYの設定

terraformでRDS PROXYの設定を実施してみます。特にLambdaからRDSに接続する場合などRDS PROXYは必須となるので設定を実施してみます。今回はEC2環境からの接続で確認してみてとなります。まずは前回設定した「terraformでVPC+EC...

terraformでRDS PROXYの設定

設定は以下で行います。


#########################
## RDS Proxy
#########################
resource "aws_secretsmanager_secret" "default" {
  name = "test"

  recovery_window_in_days = 0
}

resource "aws_secretsmanager_secret_version" "default" {
  secret_id = aws_secretsmanager_secret.default.id

  secret_string = jsonencode({
    username : aws_rds_cluster.default.master_username
    password : aws_rds_cluster.default.master_password
    engine : aws_rds_cluster.default.engine
    host : aws_rds_cluster.default.endpoint
    port : aws_rds_cluster.default.port
    dbInstanceIdentifier : aws_rds_cluster.default.id
  })
}


resource "aws_iam_role" "dbproxy" {
  name               = "db-proxy-role"
  assume_role_policy = data.aws_iam_policy_document.dbproxy_assume.json
}

data "aws_iam_policy_document" "dbproxy_assume" {
  statement {
    effect = "Allow"

    actions = [
      "sts:AssumeRole",
    ]

    principals {
      type = "Service"
      identifiers = [
        "rds.amazonaws.com",
      ]
    }
  }
}

resource "aws_iam_role_policy" "dbproxy" {
  name   = "db-proxy-policy"
  role   = aws_iam_role.dbproxy.id
  policy = data.aws_iam_policy_document.dbproxy_custom.json
}

data "aws_iam_policy_document" "dbproxy_custom" {
  statement {
    effect = "Allow"

    actions = [
      "secretsmanager:GetResourcePolicy",
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
      "secretsmanager:ListSecretVersionIds"
    ]

    resources = [
      "arn:aws:secretsmanager:*:*:*",
    ]
  }
  statement {
    effect = "Allow"

    actions = [
      "kms:Decrypt",
    ]

    resources = [
      "*",
    ]
  }
}


resource "aws_db_proxy" "default" {

  name                   = "test"
  engine_family          = "MYSQL"
  idle_client_timeout    = 60
  require_tls            = false
  role_arn               = aws_iam_role.dbproxy.arn
  vpc_security_group_ids = [aws_security_group.mysql.id]
  vpc_subnet_ids         = ["${aws_subnet.subnet_1a.id}", "${aws_subnet.subnet_1c.id}"]

  auth {
    auth_scheme = "SECRETS"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.default.arn
  }
}

resource "aws_db_proxy_default_target_group" "default" {
  db_proxy_name = aws_db_proxy.default.name

  connection_pool_config {
    connection_borrow_timeout    = 120
    max_connections_percent      = 100
    max_idle_connections_percent = 50
  }
}

resource "aws_db_proxy_target" "avex_charege_db_proxy_target" {
  db_proxy_name         = aws_db_proxy.default.name
  db_cluster_identifier = aws_rds_cluster.default.id
  target_group_name     = aws_db_proxy_default_target_group.default.name
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

#########################

## RDS Proxy

#########################

resource "aws_secretsmanager_secret" "default" {

name = "test"

recovery_window_in_days = 0

}

resource "aws_secretsmanager_secret_version" "default" {

secret_id = aws_secretsmanager_secret.default.id

secret_string = jsonencode({

username : aws_rds_cluster.default.master_username

password : aws_rds_cluster.default.master_password

engine : aws_rds_cluster.default.engine

host : aws_rds_cluster.default.endpoint

port : aws_rds_cluster.default.port

dbInstanceIdentifier : aws_rds_cluster.default.id

})

}

resource "aws_iam_role" "dbproxy" {

name = "db-proxy-role"

assume_role_policy = data.aws_iam_policy_document.dbproxy_assume.json

}

data "aws_iam_policy_document" "dbproxy_assume" {

statement {

effect = "Allow"

actions = [

"sts:AssumeRole",

]

principals {

type = "Service"

identifiers = [

"rds.amazonaws.com",

]

}

resource "aws_iam_role_policy" "dbproxy" {

name = "db-proxy-policy"

role = aws_iam_role.dbproxy.id

policy = data.aws_iam_policy_document.dbproxy_custom.json

}

data "aws_iam_policy_document" "dbproxy_custom" {

statement {

effect = "Allow"

actions = [

"secretsmanager:GetResourcePolicy",

"secretsmanager:GetSecretValue",

"secretsmanager:DescribeSecret",

"secretsmanager:ListSecretVersionIds"

]

resources = [

"arn:aws:secretsmanager:*:*:*",

]

}

statement {

effect = "Allow"

actions = [

"kms:Decrypt",

]

resources = [

"*",

]

}

resource "aws_db_proxy" "default" {

name = "test"

engine_family = "MYSQL"

idle_client_timeout = 60

require_tls = false

role_arn = aws_iam_role.dbproxy.arn

vpc_security_group_ids = [aws_security_group.mysql.id]

vpc_subnet_ids = ["${aws_subnet.subnet_1a.id}", "${aws_subnet.subnet_1c.id}"]

auth {

auth_scheme = "SECRETS"

iam_auth = "DISABLED"

secret_arn = aws_secretsmanager_secret.default.arn

}

resource "aws_db_proxy_default_target_group" "default" {

db_proxy_name = aws_db_proxy.default.name

connection_pool_config {

connection_borrow_timeout = 120

max_connections_percent = 100

max_idle_connections_percent = 50

}

resource "aws_db_proxy_target" "avex_charege_db_proxy_target" {

db_proxy_name = aws_db_proxy.default.name

db_cluster_identifier = aws_rds_cluster.default.id

target_group_name = aws_db_proxy_default_target_group.default.name

}

接続の管理は「AWS Secrets Manager」で行います。

設定前にセキュリティ関連の設定を行うので少し手間がかかります。

RDX PROXYのエンドポイントに対してEC2から接続の実施の確認が行えます。


$ mysql -u root -p -h test.proxy-xxxx.ap-northeast-1.rds.amazonaws.com
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3108147067
Server version: 5.7.12 MySQL Community Server (GPL)

Copyright (c) 2000, 2021, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>