How do I use Terraform to add an existing RDS proxy to my AWS Lambda Function?
In the AWS Lambda service's console, there is a Configuration tab called Database proxies, shown here:
However, in the Terraform registry's entry for an AWS Lambda Function, there does not seem to be a place to define this relationship for my lambda. It's easy enough to add manually after I deploy the Lambda, but for obvious reasons this isn't optimal. It seems like using a DB proxy is a common enough use case for serverless architectures that there would be a way to do this with the resources I've referenced.
What am I missing?
EDIT: As of 9 months ago, this feature was not included in the AWS Provider, but I'm unsure of how to search upcoming nightly or perhaps dev releases of Terraform for this feature...
EDIT EDIT (from my comment below): the RDS, its proxy, the roles they use, the lambdas, and the VPC in which they sit all work as expected. If I go to the above screenshot in the lambdas I am deploying, I can Add database proxy just fine using the proxy I deployed with Terraform. There are no issues with the code, nor any errors. The problem is that having to manually add the Database Proxy to each Lambda I deploy defeats the purpose of using Terraform.
Solution 1:[1]
A database proxy is an RDS feature rather than a Lambda feature. The Terraform AWS provider supports proxies, with documentation available here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_proxy
Creating a proxy requires management of several sub resources, including IAM policies and roles, as well as an endpoint. There are third party modules that support that. Here's an example you can use as a template, or import as a whole module: https://github.com/clowdhaus/terraform-aws-rds-proxy
After creating your proxy and endpoint, you will need to ensure that your lambda is in a security group that grants permission to access that endpoint.
Edit:
The policy to connect your endpoint to your lambda will look like this:
```hcl
data "aws_iam_policy_document" "my_proxy_policy" {
  statement {
    actions = [
      "rds-db:connect"
    ]
    resources = [
      aws_db_proxy_endpoint.my_proxy_endpoint.arn
    ]
  }
}
```
This can be added to the lambda's role - the method will depend on how your lambda's role is configured.
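The wiring the answer describes (role policy, security group access, Lambda in the VPC), as an added example that is not part of the original answer or of any module it links to. It assumes the proxy has IAM authentication enabled and scopes `rds-db:connect` to the `dbuser` ARN form that IAM database authentication uses, built from the proxy's `prx-` id. All variable names, resource labels and the `app` function are hypothetical.

```hcl
# Added example: every variable name and resource label below is hypothetical.
variable "proxy_arn" { type = string }        # e.g. aws_db_proxy.<name>.arn
variable "proxy_endpoint" { type = string }   # e.g. aws_db_proxy.<name>.endpoint
variable "proxy_sg_id" { type = string }      # security group attached to the proxy
variable "lambda_sg_id" { type = string }     # security group the Lambda runs in
variable "lambda_role_name" { type = string } # existing Lambda execution role
variable "lambda_role_arn" { type = string }
variable "subnet_ids" { type = list(string) }
variable "db_user" { type = string }
variable "db_port" { type = number }
locals {
  # Proxy ARN layout: arn:<partition>:rds:<region>:<account>:db-proxy:<prx-id>
  p           = split(":", var.proxy_arn)
  db_user_arn = "arn:${local.p[1]}:rds-db:${local.p[3]}:${local.p[4]}:dbuser:${local.p[6]}/${var.db_user}"
}

resource "aws_iam_role_policy" "proxy_connect" { # one DB user through one proxy
  name = "rds-proxy-connect"
  role = var.lambda_role_name
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "rds-db:connect", Resource = local.db_user_arn }]
  })
}

# Only the Lambda's security group may reach the proxy, and only on the DB port.
resource "aws_security_group_rule" "lambda_to_proxy" {
  type                     = "ingress"
  protocol                 = "tcp"
  from_port                = var.db_port
  to_port                  = var.db_port
  security_group_id        = var.proxy_sg_id
  source_security_group_id = var.lambda_sg_id
}

resource "aws_lambda_function" "app" {
  function_name = "app"
  role          = var.lambda_role_arn
  filename      = "app.zip" # placeholder deployment package
  handler       = "index.handler"
  runtime       = "nodejs20.x"
  vpc_config {
    subnet_ids         = var.subnet_ids
    security_group_ids = [var.lambda_sg_id]
  }
  environment {
    variables = { DB_HOST = var.proxy_endpoint, DB_USER = var.db_user }
  }
}
```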
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow

