Tags: amazon-web-services, terraform, amazon-rds

RDS Proxy: PENDING_PROXY_CAPACITY and "DBProxy Target unavailable due to an internal error"


When deploying an RDS database via Terraform, my default target is unavailable. Running the following command: aws rds describe-db-proxy-targets --db-proxy-name <my_proxy_name_here>

I get two errors: initially it's in state PENDING_PROXY_CAPACITY; eventually that times out with the following error: DBProxy Target unavailable due to an internal error


Solution

  • Following extensive research, a two-hour call with AWS support and very few search results for the error PENDING_PROXY_CAPACITY,

    I stumbled across the following discussion: https://github.com/hashicorp/terraform-provider-aws/issues/16379

    I had a couple of issues with my config:

    1. The outbound rules for my RDS proxy security group were limited to internal traffic only. This causes problems, as you need public internet access to reach AWS Secrets Manager!

    2. At the time of writing, the Terraform documentation suggests you can pass a "username" option to the auth block for the rds_proxy resource (see: https://registry.terraform.io/providers/hashicorp/aws/4.26.0/docs/resources/db_proxy). This does not work, and returns an error stating the username option is not expected. This is because the rds_proxy expects all the information for auth to be contained in one JSON object within the secret ARN provided. For this reason I created a 2nd secret containing all the auth information like so:

    resource "aws_secretsmanager_secret_version" "lambda_rds_test_proxy_creds" {
      secret_id     = aws_secretsmanager_secret.lambda_rds_test_proxy_creds.id
      secret_string = jsonencode({
        "username"             = aws_db_instance.lambda_rds_test.username
        "password"             = module.lambda_rds_secret.secret
        "engine"               = "postgres"
        "host"                 = aws_db_instance.lambda_rds_test.address
        "port"                 = 5432
        "dbInstanceIdentifier" = aws_db_instance.lambda_rds_test.id
      })
    }
    
    3. Fixing both issues still gave me an auth error for credentials; this required fixing the IAM permissions (this is discussed in the above GitHub issue). Because I had created a new secret to contain all the info the proxy required, the proxy no longer had access to the new secret, so I updated my IAM role for the newly created resource.

    I am posting this here because the GitHub issue is archived and I am unable to update the comments to include some of my search terms. I hope this helps those searching for the same issue to find it quicker, as there is very little info out there regarding the RDS_PROXY errors experienced here.
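The three fixes from the answer, pulled together into one Terraform configuration as an added example (not the poster's code): the security group only needs HTTPS egress to reach Secrets Manager, so it is limited to TCP 443 rather than all traffic; the proxy's auth block references the combined secret instead of passing a username; and the proxy role is granted secretsmanager:GetSecretValue on that one secret's ARN only. The resource names proxy, this and proxy_secret, the variables var.vpc_id and var.private_subnet_ids, and the role/policy names are assumptions; aws_secretsmanager_secret.lambda_rds_test_proxy_creds is the secret from the answer.

```hcl
resource "aws_security_group" "proxy" {
  name   = "rds-proxy-sg"
  vpc_id = var.vpc_id           # assumed variable
  # Fix 1: allow outbound HTTPS only, which is enough to reach Secrets Manager
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_iam_role" "proxy" {
  name = "rds-proxy-role"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "rds.amazonaws.com" } }]
  })
}

# Fix 3: grant the proxy role read access to the new, combined secret only
resource "aws_iam_role_policy" "proxy_secret" {
  role = aws_iam_role.proxy.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["secretsmanager:GetSecretValue"]  # add kms:Decrypt on the key if the secret uses a customer-managed KMS key
      Resource = aws_secretsmanager_secret.lambda_rds_test_proxy_creds.arn
    }]
  })
}

# Fix 2: no "username" in the auth block; the secret's JSON object carries it
resource "aws_db_proxy" "this" {
  name                   = "lambda-rds-test-proxy"
  engine_family          = "POSTGRESQL"
  role_arn               = aws_iam_role.proxy.arn
  vpc_security_group_ids = [aws_security_group.proxy.id]
  vpc_subnet_ids         = var.private_subnet_ids  # assumed variable
  require_tls            = true
  auth {
    auth_scheme = "SECRETS"
    iam_auth    = "DISABLED"
    secret_arn  = aws_secretsmanager_secret.lambda_rds_test_proxy_creds.arn
  }
}
```

The aws_db_proxy_default_target_group and aws_db_proxy_target resources that register aws_db_instance.lambda_rds_test with the proxy are unchanged by these fixes and are omitted here.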