I’m using the terraform module https://registry.terraform.io/modules/terraform-aws-modules/rds-proxy/aws/2.1.2 to create an RDS proxy, like so:
    module "my-rds-proxy" {
      source  = "terraform-aws-modules/rds-proxy/aws"
      version = "2.1.2"

      name              = "my-rds-proxy"
      create_iam_policy = false
      create_iam_role   = false
      role_arn          = "arn:aws:iam::XXXX:role/my-role"

      vpc_subnet_ids         = ["subnet-XXXX"]
      vpc_security_group_ids = ["securitygroup-XXXX"]

      db_proxy_endpoints = {
        read_write = {
          name                   = "read-write-endpoint"
          vpc_subnet_ids         = ["subnet-XXXX"]
          vpc_security_group_ids = ["securitygroup-XXXX"]
        },
        read_only = {
          name                   = "read-only-endpoint"
          vpc_subnet_ids         = ["subnet-XXXX"]
          vpc_security_group_ids = ["securitygroup-XXXX"]
          target_role            = "READ_ONLY"
        }
      }

      target_db_cluster     = true
      db_cluster_identifier = "rds-cluster-XXXX"
      ...
    }
However, on the deploy step, I get the following error:
│ Error: creating RDS DB Proxy: InvalidSubnet: The subnet ID 'subnet-XXXX' does not exist
│ status code: 400, request id: XXXX
│
│ with module.rds-proxy.module.my-rds-proxy.aws_db_proxy.this[0],
│ on .terraform/modules/rds-proxy.my-rds-proxy/main.tf line 13, in resource "aws_db_proxy" "this":
│ 13: resource "aws_db_proxy" "this" {
The subnet subnet-XXXX does in fact exist in us-east-2, and I can go look at it in the console.
The role arn:aws:iam::XXXX:role/my-role has a policy that allows access to that subnet:
    {
      "Statement": [
        {
          "Sid": "AllowPassRDSProxyRole",
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::XXXX:role/my-role"
        },
        {
          "Sid": "Ec2LimitedResourceAccess",
          "Effect": "Allow",
          "Action": "ec2:*VpcEndpoint*",
          "Resource": [
            "arn:aws:ec2:*:*:route-table/*",
            "arn:aws:ec2:*:*:security-group/*",
            "arn:aws:ec2:*:*:subnet/*",
            "arn:aws:ec2:*:*:vpc/*"
          ]
        },
        ...
      ]
    }
The RDS cluster rds-cluster-XXXX also exists in us-east-2, and I can go view it in the console.
I find it odd that the terraform RDS proxy module doesn't allow a provider input. How does it know which region to check for the subnets? Does it assume that it's the same provider as the one specified in the cluster rds-cluster-XXXX that the proxy connects to? Even if that were true, how does it know that the cluster is in us-east-2? Does it check all of the regions for it? I bring this up because creating the proxy in us-east-1 with a reference to a subnet in us-east-1 works just fine. As soon as I try to do the same in us-east-2, it causes the error indicating that the subnet does not exist.