RDS Proxy IAM Authentication

I've been playing around with RDS Proxy with IAM authentication required. I deploy my resources entirely with Terraform. There's not a lot of documentation around how to formulate an IAM policy to allow users/roles the ability to authenticate with the proxy instead of the database directly. Only thing I can find is this: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy-setup.html.

Anyway, to create the policy, you need to essentially create it as if you are granting access directly to RDS but swap out the DB ID with the proxy ID. This is vague in the documentation but also quite confusing because there is no proxy ID exposed in the console or API. There is a proxy identifier but this is just the name - not what we need. You have to get it from the ARN. This is how my Terraform IAM policy resource argument now looks:

"resource": "arn:aws:rds-db:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbuser:${replace(aws_db_proxy.example.arn, "arn:aws:rds:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:db-proxy:", "")}/rds_proxy_user",

Notice the complex replace function. Really, the Terraform resource will output an attribute called "proxy_id" as well as the ARN to allow for simpler interpolation. But it can't do that until AWS expose this information in the API.