AWS::RDS::DBProxy
The AWS::RDS::DBProxy resource creates or updates a DB proxy.
For information about RDS Proxy for Amazon RDS, see Managing Connections with Amazon RDS Proxy in the Amazon RDS User Guide.
For information about RDS Proxy for Amazon Aurora, see Managing Connections with Amazon RDS Proxy in the Amazon Aurora User Guide.
Note
Limitations apply to RDS Proxy, including DB engine version limitations and Amazon Region limitations.
For information about limitations that apply to RDS Proxy for Amazon RDS, see Limitations for RDS Proxy in the Amazon RDS User Guide.
For information about that apply to RDS Proxy for Amazon Aurora, see Limitations for RDS Proxy in the Amazon Aurora User Guide.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::RDS::DBProxy", "Properties" : { "Auth" :[ AuthFormat, ... ], "DBProxyName" :String, "DebugLogging" :Boolean, "EngineFamily" :String, "IdleClientTimeout" :Integer, "RequireTLS" :Boolean, "RoleArn" :String, "Tags" :[ TagFormat, ... ], "VpcSecurityGroupIds" :[ String, ... ], "VpcSubnetIds" :[ String, ... ]} }
YAML
Type: AWS::RDS::DBProxy Properties: Auth:- AuthFormatDBProxyName:StringDebugLogging:BooleanEngineFamily:StringIdleClientTimeout:IntegerRequireTLS:BooleanRoleArn:StringTags:- TagFormatVpcSecurityGroupIds:- StringVpcSubnetIds:- String
Properties
Auth-
The authorization mechanism that the proxy uses.
Required: Yes
Type: Array of AuthFormat
Minimum:
1Update requires: No interruption
DBProxyName-
The identifier for the proxy. This name must be unique for all proxies owned by your Amazon Web Services account in the specified Amazon Web Services Region. An identifier must begin with a letter and must contain only ASCII letters, digits, and hyphens; it can't end with a hyphen or contain two consecutive hyphens.
Required: Yes
Type: String
Pattern:
[0-z]*Maximum:
64Update requires: Replacement
DebugLogging-
Specifies whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.
Required: No
Type: Boolean
Update requires: No interruption
EngineFamily-
The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. For Aurora MySQL, RDS for MariaDB, and RDS for MySQL databases, specify
MYSQL. For Aurora PostgreSQL and RDS for PostgreSQL databases, specifyPOSTGRESQL. For RDS for Microsoft SQL Server, specifySQLSERVER.Valid Values:
MYSQL|POSTGRESQL|SQLSERVERRequired: Yes
Type: String
Allowed values:
MYSQL | POSTGRESQL | SQLSERVERUpdate requires: Replacement
IdleClientTimeout-
The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it. You can set this value higher or lower than the connection timeout limit for the associated database.
Required: No
Type: Integer
Update requires: No interruption
RequireTLS-
Specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.
Required: No
Type: Boolean
Update requires: No interruption
RoleArn-
The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in Amazon Secrets Manager.
Required: Yes
Type: String
Update requires: No interruption
-
An optional set of key-value pairs to associate arbitrary data of your choosing with the proxy.
Required: No
Type: Array of TagFormat
Update requires: No interruption
VpcSecurityGroupIds-
One or more VPC security group IDs to associate with the new proxy.
If you plan to update the resource, don't specify VPC security groups in a shared VPC.
Required: No
Type: Array of String
Minimum:
1Update requires: No interruption
VpcSubnetIds-
One or more VPC subnet IDs to associate with the new proxy.
Required: Yes
Type: Array of String
Minimum:
2Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the DB proxy.
For more information about using the Ref function, see Ref.
Fn::GetAtt
DBProxyArn-
The Amazon Resource Name (ARN) representing the target group.
Endpoint-
The writer endpoint for the RDS DB instance or Aurora DB cluster.
VpcId-
The VPC ID to associate with the DB proxy.
Examples
Creating a DB proxy and registering a DB instance
The following example creates a DB proxy and registers a DB instance.
JSON
{ "AWSTemplateFormatVersion": "2010-09-09", "Parameters": { "ProxyName": { "Type": "String", "Default": "exampleProxy" }, "InstanceName": { "Type": "String", "Default": "database-1" }, "BootstrapSecretReaderRoleArn": { "Type": "String", "Default": "arn:aws:iam::123456789012:role/RDSSecretReaderRoleForDBProxy" }, "BootstrapProxySecretArn": { "Type": "String", "Default": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecretForDBProxy" }, "SubnetIds": { "Type": "String", "Default": "subnet-01b761b31fb498f20,subnet-012b9a958ef0f9949,subnet-05e8e263052025378" } }, "Resources": { "TestDBProxy": { "Type": "AWS::RDS::DBProxy", "Properties": { "DebugLogging": true, "DBProxyName": { "Ref": "ProxyName" }, "EngineFamily": "MYSQL", "IdleClientTimeout": 120, "RequireTLS": true, "RoleArn": { "Ref": "BootstrapSecretReaderRoleArn" }, "Auth": [ { "AuthScheme": "SECRETS", "SecretArn": { "Ref": "BootstrapProxySecretArn" }, "IAMAuth": "DISABLED" } ], "VpcSubnetIds": { "Fn::Split": [ ",", { "Ref": "SubnetIds" } ] } } }, "ProxyTargetGroup": { "Type": "AWS::RDS::DBProxyTargetGroup", "Properties": { "DBProxyName": { "Ref": "TestDBProxy" }, "DBInstanceIdentifiers": [ { "Ref": "InstanceName" } ], "TargetGroupName": "default", "ConnectionPoolConfigurationInfo": { "MaxConnectionsPercent": 100, "MaxIdleConnectionsPercent": 50, "ConnectionBorrowTimeout": 120 } } } } }
YAML
AWSTemplateFormatVersion: 2010-09-09 Parameters: ProxyName: Type: String Default: exampleProxy InstanceName: Type: String Default: database-1 BootstrapSecretReaderRoleArn: Type: String Default: arn:aws:iam::123456789012:role/RDSSecretReaderRoleForDBProxy BootstrapProxySecretArn: Type: String Default: arn:aws:secretsmanager:us-west-2:123456789012:secret:MySecretForDBProxy SubnetIds: Type: String Default: subnet-01b761b31fb498f20,subnet-012b9a958ef0f9949,subnet-05e8e263052025378 Resources: TestDBProxy: Type: AWS::RDS::DBProxy Properties: DebugLogging: true DBProxyName: !Ref ProxyName EngineFamily: MYSQL IdleClientTimeout: 120 RequireTLS: true RoleArn: !Ref BootstrapSecretReaderRoleArn Auth: - {AuthScheme: SECRETS, SecretArn: !Ref BootstrapProxySecretArn, IAMAuth: DISABLED} VpcSubnetIds: Fn::Split: [",", !Ref SubnetIds] ProxyTargetGroup: Type: AWS::RDS::DBProxyTargetGroup Properties: DBProxyName: !Ref TestDBProxy DBInstanceIdentifiers: [!Ref InstanceName] TargetGroupName: default ConnectionPoolConfigurationInfo: MaxConnectionsPercent: 100 MaxIdleConnectionsPercent: 50 ConnectionBorrowTimeout: 120