terraform-aws-rds-cluster icon indicating copy to clipboard operation
terraform-aws-rds-cluster copied to clipboard

Published 20 hours ago verified publisher icon cloudposse

Add Support for Reading Credentials from KMS Secrets

Open osterman opened this issue 7 years ago • 4 comments

what

resource "aws_rds_cluster" "example" {
  # ... other configuration ...
  master_password = "${data.aws_kms_secrets.example.plaintext["master_password"]}"
  master_username = "${data.aws_kms_secrets.example.plaintext["master_username"]}"
}

why

  • More secure. No passwords in terraform statefile.

references

https://www.terraform.io/docs/providers/aws/d/kms_secrets.html

osterman avatar Aug 03 '18 21:08 osterman

I think we can also add support for SecretsManager or ParameterStore. If the maintainers agree I could make a PR to support 2 new parameters: admin_user_ssm_path and admin_password_ssm_path

sebastianmacarescu avatar Sep 30 '20 12:09 sebastianmacarescu

Even if you just allowed the master password to be managed separately (as though it were in a lifecycle ignore_changes) block that would be sufficient for my use case. As it stands this seems terribly insecure.

zwass avatar Dec 01 '20 01:12 zwass

At the moment, we use random provider to create the master password which is stored in SSM and then the value is fed to this module.

nitrocode avatar Dec 28 '21 23:12 nitrocode

This is now natively supported by RDS and Terraform provider. I think this issue can be closed in favour of #166

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#rdsaurora-managed-master-passwords-via-secrets-manager-default-kms-key

rstml avatar Aug 24 '23 23:08 rstml