feat: update db_proxy module with latest AWS provider arguments (#46)

* Update db_proxy module with latest AWS provider arguments

Add new auth block fields (client_password_auth_type, username), support SQL Server engine family, and update version constraints to Terraform 1.3+ and AWS provider 5.0+. These changes align the module with the latest Terraform AWS provider capabilities and prepare for wider database engine support.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

* docs: Update README with latest module changes

Auto-generated documentation reflecting updated auth block fields, version constraints, and SQL Server support.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: Use dynamic client_password_auth_type based on engine_family

The client_password_auth_type must match the engine_family - MySQL uses MYSQL_NATIVE_PASSWORD, PostgreSQL uses POSTGRES_SCRAM_SHA_256, and SQL Server uses SQL_SERVER_AUTHENTICATION.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

Author: johncblandii

README.md

@@ -2,8 +2,11 @@
 
 <!-- markdownlint-disable -->
 <a href="https://cpco.io/homepage"><img src="https://github.com/cloudposse/terraform-aws-rds-db-proxy/blob/main/.github/banner.png?raw=true" alt="Project Banner"/></a><br/>
-    <p align="right">
-<a href="https://github.com/cloudposse/terraform-aws-rds-db-proxy/releases/latest"><img src="https://img.shields.io/github/release/cloudposse/terraform-aws-rds-db-proxy.svg?style=for-the-badge" alt="Latest Release"/></a><a href="https://github.com/cloudposse/terraform-aws-rds-db-proxy/commits"><img src="https://img.shields.io/github/last-commit/cloudposse/terraform-aws-rds-db-proxy.svg?style=for-the-badge" alt="Last Updated"/></a><a href="https://cloudposse.com/slack"><img src="https://slack.cloudposse.com/for-the-badge.svg" alt="Slack Community"/></a></p>
+
+
+<p align="right"><a href="https://github.com/cloudposse/terraform-aws-rds-db-proxy/releases/latest"><img src="https://img.shields.io/github/release/cloudposse/terraform-aws-rds-db-proxy.svg?style=for-the-badge" alt="Latest Release"/></a><a href="https://github.com/cloudposse/terraform-aws-rds-db-proxy/commits"><img src="https://img.shields.io/github/last-commit/cloudposse/terraform-aws-rds-db-proxy.svg?style=for-the-badge" alt="Last Updated"/></a><a href="https://cloudposse.com/slack"><img src="https://slack.cloudposse.com/for-the-badge.svg" alt="Slack Community"/></a><a href="https://cloudposse.com/support/"><img src="https://img.shields.io/badge/Get_Support-success.svg?style=for-the-badge" alt="Get Support"/></a>
+
+</p>
 <!-- markdownlint-restore -->
 
 <!--
@@ -15,8 +18,8 @@
   **
   ** This file was automatically generated by the `cloudposse/build-harness`.
   ** 1) Make all changes to `README.yaml`
-  ** 2) Run `make init` (you only need to do this once)
-  ** 3) Run`make readme` to rebuild this file.
+  ** 2) Install [atmos](https://atmos.tools/install/) (you only need to do this once)
+  ** 3) Run`atmos readme` to rebuild this file.
   **
   ** (We maintain HUNDREDS of open source projects. This is how we maintain our sanity.)
   **
@@ -47,6 +50,7 @@ Terraform module to provision an Amazon [RDS Proxy](https://docs.aws.amazon.com/
 
 ## Usage
 
+
 For a complete example, see [examples/complete](examples/complete).
 
 For automated tests of the complete example using [bats](https://github.com/bats-core/bats-core) and [Terratest](https://github.com/gruntwork-io/terratest)
@@ -187,14 +191,14 @@ Review the [complete example](examples/complete) to see how to use this module.
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.1.15 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.1.15 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.27.0 |
 
 ## Modules
 
@@ -224,7 +228,7 @@ Review the [complete example](examples/complete) to see how to use this module.
 |------|-------------|------|---------|:--------:|
 | <a name="input_additional_tag_map"></a> [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.<br/>This is for some rare cases where resources want additional configuration of tags<br/>and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
 | <a name="input_attributes"></a> [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,<br/>in the order they appear in the list. New attributes are appended to the<br/>end of the list. The elements of the list are joined by the `delimiter`<br/>and treated as a single ID element. | `list(string)` | `[]` | no |
-| <a name="input_auth"></a> [auth](#input\_auth) | Configuration blocks with authorization mechanisms to connect to the associated database instances or clusters | <pre>list(object({<br/>    auth_scheme = string<br/>    description = string<br/>    iam_auth    = string<br/>    secret_arn  = string<br/>  }))</pre> | n/a | yes |
+| <a name="input_auth"></a> [auth](#input\_auth) | Configuration blocks with authorization mechanisms to connect to the associated database instances or clusters.<br/>- `auth_scheme` - The type of authentication that the proxy uses for connections from the proxy to the underlying database. Valid values are `SECRETS`.<br/>- `client_password_auth_type` - The type of authentication the proxy uses for connections from clients. Valid values are `MYSQL_NATIVE_PASSWORD`, `POSTGRES_SCRAM_SHA_256`, `POSTGRES_MD5`, and `SQL_SERVER_AUTHENTICATION`.<br/>- `description` - A user-specified description about the authentication used by a proxy to log in as a specific database user.<br/>- `iam_auth` - Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. Valid values are `DISABLED`, `REQUIRED`.<br/>- `secret_arn` - The Amazon Resource Name (ARN) representing the secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster.<br/>- `username` - The name of the database user to which the proxy connects. Note: `username` must NOT be set when `auth_scheme` is `SECRETS`. | <pre>list(object({<br/>    auth_scheme               = optional(string, "SECRETS")<br/>    client_password_auth_type = optional(string)<br/>    description               = optional(string)<br/>    iam_auth                  = optional(string, "DISABLED")<br/>    secret_arn                = optional(string)<br/>    username                  = optional(string)<br/>  }))</pre> | n/a | yes |
 | <a name="input_connection_borrow_timeout"></a> [connection\_borrow\_timeout](#input\_connection\_borrow\_timeout) | The number of seconds for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions | `number` | `120` | no |
 | <a name="input_context"></a> [context](#input\_context) | Single object for setting entire context at once.<br/>See description of individual variables for details.<br/>Leave string and numeric variables as `null` to use default value.<br/>Individual variable settings (non-null) override settings in context object,<br/>except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | <pre>{<br/>  "additional_tag_map": {},<br/>  "attributes": [],<br/>  "delimiter": null,<br/>  "descriptor_formats": {},<br/>  "enabled": true,<br/>  "environment": null,<br/>  "id_length_limit": null,<br/>  "label_key_case": null,<br/>  "label_order": [],<br/>  "label_value_case": null,<br/>  "labels_as_tags": [<br/>    "unset"<br/>  ],<br/>  "name": null,<br/>  "namespace": null,<br/>  "regex_replace_chars": null,<br/>  "stage": null,<br/>  "tags": {},<br/>  "tenant": null<br/>}</pre> | no |
 | <a name="input_db_cluster_identifier"></a> [db\_cluster\_identifier](#input\_db\_cluster\_identifier) | DB cluster identifier. Either `db_instance_identifier` or `db_cluster_identifier` should be specified and both should not be specified together | `string` | `null` | no |
@@ -233,7 +237,7 @@ Review the [complete example](examples/complete) to see how to use this module.
 | <a name="input_delimiter"></a> [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.<br/>Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
 | <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br/>Map of maps. Keys are names of descriptors. Values are maps of the form<br/>`{<br/>   format = string<br/>   labels = list(string)<br/>}`<br/>(Type is `any` so the map values can later be enhanced to provide additional options.)<br/>`format` is a Terraform format string to be passed to the `format()` function.<br/>`labels` is a list of labels, in order, to pass to `format()` function.<br/>Label values will be normalized before being passed to `format()` so they will be<br/>identical to how they appear in `id`.<br/>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
-| <a name="input_engine_family"></a> [engine\_family](#input\_engine\_family) | The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. The engine family applies to MySQL and PostgreSQL for both RDS and Aurora. Valid values are MYSQL and POSTGRESQL | `string` | `"MYSQL"` | no |
+| <a name="input_engine_family"></a> [engine\_family](#input\_engine\_family) | The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. Valid values are `MYSQL`, `POSTGRESQL`, and `SQLSERVER` | `string` | `"MYSQL"` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
 | <a name="input_existing_iam_role_arn"></a> [existing\_iam\_role\_arn](#input\_existing\_iam\_role\_arn) | The ARN of an existing IAM role that the proxy can use to access secrets in AWS Secrets Manager. If not provided, the module will create a role to access secrets in Secrets Manager | `string` | `null` | no |
 | <a name="input_iam_role_attributes"></a> [iam\_role\_attributes](#input\_iam\_role\_attributes) | Additional attributes to add to the ID of the IAM role that the proxy uses to access secrets in AWS Secrets Manager | `list(string)` | `null` | no |
@@ -335,7 +339,8 @@ Check out these related projects.
 > - **Customer Workshops.** Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.
 >
 > <a href="https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-rds-db-proxy&utm_content=commercial_support"><img alt="Request Quote" src="https://img.shields.io/badge/request%20quote-success.svg?style=for-the-badge"/></a>
-> </details>
+> 
+</details>
 
 ## ✨ Contributing
 
@@ -361,6 +366,38 @@ In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
 
 **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request!
 
+
+## Running Terraform Tests
+
+We use [Atmos](https://atmos.tools) to streamline how Terraform tests are run. It centralizes configuration and wraps common test workflows with easy-to-use commands.
+
+All tests are located in the [`test/`](test) folder.
+
+Under the hood, tests are powered by Terratest together with our internal [Test Helpers](https://github.com/cloudposse/test-helpers) library, providing robust infrastructure validation.
+
+Setup dependencies:
+- Install Atmos ([installation guide](https://atmos.tools/install/))
+- Install Go [1.24+ or newer](https://go.dev/doc/install)
+- Install Terraform or OpenTofu
+
+To run tests:
+
+- Run all tests:  
+  ```sh
+  atmos test run
+  ```
+- Clean up test artifacts:  
+  ```sh
+  atmos test clean
+  ```
+- Explore additional test options:  
+  ```sh
+  atmos test --help
+  ```
+The configuration for test commands is centrally managed. To review what's being imported, see the [`atmos.yaml`](https://raw.githubusercontent.com/cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml) file.
+
+Learn more about our [automated testing in our documentation](https://docs.cloudposse.com/community/contribute/automated-testing/) or implementing [custom commands](https://atmos.tools/core-concepts/custom-commands/) with atmos.
+
 ### 🌎 Slack Community
 
 Join our [Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-rds-db-proxy&utm_content=slack) on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure.

examples/complete/main.tf

@@ -19,12 +19,20 @@ locals {
     password = local.database_password
   }
 
+  # Map engine family to appropriate client password auth type
+  client_password_auth_type = {
+    MYSQL      = "MYSQL_NATIVE_PASSWORD"
+    POSTGRESQL = "POSTGRES_SCRAM_SHA_256"
+    SQLSERVER  = "SQL_SERVER_AUTHENTICATION"
+  }
+
   auth = [
     {
-      auth_scheme = "SECRETS"
-      description = "Access the database instance using username and password from AWS Secrets Manager"
-      iam_auth    = "DISABLED"
-      secret_arn  = aws_secretsmanager_secret.rds_username_and_password.arn
+      auth_scheme               = "SECRETS"
+      client_password_auth_type = local.client_password_auth_type[var.engine_family]
+      description               = "Access the database instance using username and password from AWS Secrets Manager"
+      iam_auth                  = "DISABLED"
+      secret_arn                = aws_secretsmanager_secret.rds_username_and_password.arn
     }
   ]
 

examples/complete/variables.tf

@@ -100,7 +100,7 @@ variable "debug_logging" {
 variable "engine_family" {
   type        = string
   default     = "MYSQL"
-  description = "The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. The engine family applies to MySQL and PostgreSQL for both RDS and Aurora. Valid values are MYSQL and POSTGRESQL"
+  description = "The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. Valid values are `MYSQL`, `POSTGRESQL`, and `SQLSERVER`"
 }
 
 variable "idle_client_timeout" {

examples/complete/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1"
+  required_version = ">= 1.3"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.1.15"
+      version = ">= 5.0"
     }
   }
 }

main.tf

@@ -18,10 +18,12 @@ resource "aws_db_proxy" "this" {
     for_each = var.auth
 
     content {
-      auth_scheme = auth.value.auth_scheme
-      description = auth.value.description
-      iam_auth    = auth.value.iam_auth
-      secret_arn  = auth.value.secret_arn
+      auth_scheme               = auth.value.auth_scheme
+      client_password_auth_type = auth.value.client_password_auth_type
+      description               = auth.value.description
+      iam_auth                  = auth.value.iam_auth
+      secret_arn                = auth.value.secret_arn
+      username                  = auth.value.username
     }
   }
 

variables.tf

@@ -7,7 +7,12 @@ variable "debug_logging" {
 variable "engine_family" {
   type        = string
   default     = "MYSQL"
-  description = "The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. The engine family applies to MySQL and PostgreSQL for both RDS and Aurora. Valid values are MYSQL and POSTGRESQL"
+  description = "The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. Valid values are `MYSQL`, `POSTGRESQL`, and `SQLSERVER`"
+
+  validation {
+    condition     = contains(["MYSQL", "POSTGRESQL", "SQLSERVER"], var.engine_family)
+    error_message = "Valid values for engine_family are MYSQL, POSTGRESQL, and SQLSERVER."
+  }
 }
 
 variable "idle_client_timeout" {
@@ -34,12 +39,22 @@ variable "vpc_subnet_ids" {
 
 variable "auth" {
   type = list(object({
-    auth_scheme = string
-    description = string
-    iam_auth    = string
-    secret_arn  = string
+    auth_scheme               = optional(string, "SECRETS")
+    client_password_auth_type = optional(string)
+    description               = optional(string)
+    iam_auth                  = optional(string, "DISABLED")
+    secret_arn                = optional(string)
+    username                  = optional(string)
   }))
-  description = "Configuration blocks with authorization mechanisms to connect to the associated database instances or clusters"
+  description = <<-EOT
+    Configuration blocks with authorization mechanisms to connect to the associated database instances or clusters.
+    - `auth_scheme` - The type of authentication that the proxy uses for connections from the proxy to the underlying database. Valid values are `SECRETS`.
+    - `client_password_auth_type` - The type of authentication the proxy uses for connections from clients. Valid values are `MYSQL_NATIVE_PASSWORD`, `POSTGRES_SCRAM_SHA_256`, `POSTGRES_MD5`, and `SQL_SERVER_AUTHENTICATION`.
+    - `description` - A user-specified description about the authentication used by a proxy to log in as a specific database user.
+    - `iam_auth` - Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. Valid values are `DISABLED`, `REQUIRED`.
+    - `secret_arn` - The Amazon Resource Name (ARN) representing the secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster.
+    - `username` - The name of the database user to which the proxy connects. Note: `username` must NOT be set when `auth_scheme` is `SECRETS`.
+  EOT
 }
 
 variable "db_instance_identifier" {

versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 0.13.0"
+  required_version = ">= 1.3"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.1.15"
+      version = ">= 5.0"
     }
   }
 }