I am trying to provision an architecture with Terraform and ensure that applications have as little knowledge as possible about what is going on around them.
My goal is to have an app that uses Amazon's SDK to ask which RDS instances are available for it and then to connect to one of them. This way, no outside information (`db-instance-identifier` or Tag) is required.

The application would just describe the RDS instances, and since the EC2 instance on which it runs would have been given permissions by Terraform only to a specific RDS instance, it would get just one result from `describe-db-instances`. Then, by using the RDS IAM auth mechanism, the application would connect to the DB and serve its purpose.
Though from what I have seen, e.g. in this SO question and the AWS RDS documentation, `describe-db-instances` is an "all or nothing" type of command. The IAM policy given to the IAM role on the EC2 instance profile must have `Resource: "*"`. But then the description contains all the RDS instances, not just the one the EC2 instance should be allowed to connect to. The application has no way to distinguish which of the n results from the instance list it should use.
On the other hand, when you limit `describe-db-instances` to a specific resource, then the only way to describe without failure is to add the `db-instance-identifier` to the request:

```
aws rds describe-db-instances --db-instance-identifier databasename
```

But then the application needs to retrieve the `db-instance-identifier` from the "outside", and that fails to meet my requirements too.

Perhaps I am mistaken in some parts of my reasoning, but is this even possible to achieve?
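To make the two permissions discussed in the question concrete, here is an added Terraform example (not code from the question or from any project it references) that builds the EC2 instance profile with the `rds:DescribeDBInstances` statement on `Resource: "*"` next to an `rds-db:connect` statement scoped to a single instance. The resource names (`app`, `current`), the variables `region` and `db_user`, and the engine settings are assumptions for illustration.

```hcl
# Added example: least-privilege instance profile for an app that describes
# RDS instances and then connects with IAM database authentication.
variable "region"  { default = "eu-west-1" }   # assumed
variable "db_user" { default = "app_iam_user" } # assumed; must exist in the DB with rds_iam

data "aws_caller_identity" "current" {}

# The one database the application is meant to use.
resource "aws_db_instance" "app" {
  identifier                          = "app-db"      # assumed name
  engine                              = "postgres"
  instance_class                      = "db.t3.micro"
  allocated_storage                   = 20
  username                            = "admin_user"  # bootstrap master user
  manage_master_user_password         = true          # no password in state or code
  iam_database_authentication_enabled = true          # required for rds-db:connect
  skip_final_snapshot                 = true
}

data "aws_iam_policy_document" "app" {
  # Describe is metadata-only and cannot be narrowed without passing an
  # identifier in the request, so it must be granted on "*".
  statement {
    sid       = "DescribeIsAllOrNothing"
    actions   = ["rds:DescribeDBInstances"]
    resources = ["*"]
  }

  # The actual security boundary: the auth token is only accepted for this
  # instance's DbiResourceId and this database user.
  statement {
    sid     = "ConnectOnlyToThisInstance"
    actions = ["rds-db:connect"]
    resources = [
      "arn:aws:rds-db:${var.region}:${data.aws_caller_identity.current.account_id}:dbuser:${aws_db_instance.app.resource_id}/${var.db_user}"
    ]
  }
}

data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app" {
  name               = "app-instance-role" # assumed
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role_policy" "app" {
  role   = aws_iam_role.app.id
  policy = data.aws_iam_policy_document.app.json
}

resource "aws_iam_instance_profile" "app" {
  name = "app-instance-profile" # assumed
  role = aws_iam_role.app.name
}
```

What this shows is the asymmetry the question runs into: the describe statement leaks the metadata of every instance in the account to the application, while the connect statement is the only part that actually restricts which database the application can reach. Narrowing the describe result to one instance still needs an identifier or a tag filter supplied from outside the application, which is exactly the input the question is trying to avoid.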