terraform-aws-rds
Providing password parameters should raise error while create_random_password = true
Description
The default value of the parameter create_random_password is true. I have provided my password and yet it was ignored, and I found a random password in the state file. I agree that by default the password should be random; however, it should not be possible to generate a random password and provide your own password at the same time without raising an error.
Versions
- Module version [Required]:
- Terraform version: Terraform v1.0.0
- Provider version(s):
  - provider registry.terraform.io/hashicorp/aws v4.15.1
  - provider registry.terraform.io/hashicorp/random v3.2.0
Reproduction Code [Required]
module "rds" {
  source                       = "terraform-aws-modules/rds/aws"
  identifier                   = var.postgres_database_name
  engine                       = "postgres"
  engine_version               = "13.3"
  instance_class               = var.postgres_instance_class
  allocated_storage            = "5"
  max_allocated_storage        = "100"
  storage_encrypted            = true
  performance_insights_enabled = true
  publicly_accessible          = false
  db_name                      = var.postgres_database_name
  username                     = var.postgres_database_user
  create_random_password       = false
  password                     = var.postgres_database_password
  port                         = "5432"
  vpc_security_group_ids       = ["${aws_security_group.sec_grp_rds.id}"]
  maintenance_window           = "Mon:00:00-Mon:03:00"
  backup_window                = "03:00-06:00"
  backup_retention_period      = 30
  create_db_subnet_group       = true
  subnet_ids                   = data.aws_subnet_ids.rds_data_subnets.ids
  family                       = "postgres13"
  copy_tags_to_snapshot        = true
  tags                         = local.tags
  parameters = [
    {
      name  = "rds.force_ssl"
      value = "1"
    }
  ]
  monitoring_interval    = "30"
  create_monitoring_role = true
}
Expected behavior
While the password parameter is set and create_random_password = true, Terraform should raise an error or the user's password should be used.
Actual behavior
While the password parameter is set and create_random_password = true, Terraform uses a random password instead of the user's provided one.
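A pre-apply check for the mismatch reported in this issue, as an added example that is not part of the thread or the module's code: it scans the `configuration` section of `terraform show -json` plan output for calls to this module that set `password` while `create_random_password` is absent or not a constant `false`. The sample plan is constructed, and the function name is hypothetical.

```python
import json

RDS_SOURCE = "terraform-aws-modules/rds/aws"  # module source used in the issue

# Constructed sample: the "configuration" part of `terraform show -json <plan>`.
SAMPLE_PLAN = json.loads("""
{"configuration": {"root_module": {"module_calls": {
  "rds_bad": {"source": "terraform-aws-modules/rds/aws",
    "expressions": {"password": {"references": ["var.postgres_database_password"]}}},
  "rds_ok": {"source": "terraform-aws-modules/rds/aws",
    "expressions": {"password": {"references": ["var.postgres_database_password"]},
                    "create_random_password": {"constant_value": false}}},
  "rds_random": {"source": "terraform-aws-modules/rds/aws", "expressions": {}},
  "app": {"source": "./modules/app", "expressions": {},
    "module": {"module_calls": {
      "db": {"source": "terraform-aws-modules/rds/aws",
        "expressions": {"password": {"references": ["var.pw"]},
                        "create_random_password": {"constant_value": true}}}}}}
}}}}
""")


def find_ignored_passwords(module, prefix=""):
    """Return addresses of RDS module calls whose `password` would be ignored."""
    findings = []
    for name, call in sorted(module.get("module_calls", {}).items()):
        address = f"{prefix}module.{name}"
        expr = call.get("expressions", {})
        flag = expr.get("create_random_password")
        # An absent flag means the module default (true, per the issue) applies.
        # A non-constant flag cannot be decided statically, so it is reported too.
        random_on = flag is None or flag.get("constant_value", True) is not False
        is_rds = call.get("source", "").endswith(RDS_SOURCE)
        if is_rds and "password" in expr and random_on:
            findings.append(address)
        # Child modules carry their own module_calls under "module".
        findings += find_ignored_passwords(call.get("module", {}), address + ".")
    return findings


if __name__ == "__main__":
    root = SAMPLE_PLAN["configuration"]["root_module"]
    for address in find_ignored_passwords(root):
        print(f"{address}: password is set but create_random_password is not false")
```
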
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days
+1
Commenting to remove stale label.
This should certainly be looked into.
Ran into this after deploying RDS a few times, and noticing a discrepancy between the state's password vs what was set in the implementation.
I have tried to create a random password from our admin db; please refer to the Terraform code below. Example:

resource "random_password" "root_password" {
  length      = 16
  special     = false
  min_numeric = 5
}

resource "aws_db_instance" "db" {
  depends_on                = ["aws_db_subnet_group.default_rds_mssql"]
  identifier                = "${var.environment}-${var.instance_name}"
  allocated_storage         = var.allocated_storage
  license_model             = "license-included"
  storage_type              = var.storage_type
  engine                    = var.engine
  engine_version            = var.engine_version
  instance_class            = "${var.instance_class}"
  multi_az                  = "${var.multi_az}"
  username                  = "${var.mssql_admin_username}"
  password                  = aws_ssm_parameter.db_password.value
  storage_encrypted         = var.storage_encrypted
  kms_key_id                = var.storage_encrypted == true ? data.aws_kms_key.db_kms_key.arn : null
  vpc_security_group_ids    = ["${aws_security_group.rds_mssql_security_group.id}"]
  db_subnet_group_name      = "${aws_db_subnet_group.default_rds_mssql.id}"
  publicly_accessible       = var.publicly_accessible
  backup_retention_period   = var.backup_retention_period
  skip_final_snapshot       = "${var.skip_final_snapshot}"
  final_snapshot_identifier = "${var.environment}-${var.instance_name}-mssql-snapshot"
}

link: RDS Terraform code LINK
It took me quite a while to realize that a password other than the one set via password was being created. For future users, a warning/error message could save some time in troubleshooting.
Terraform is not a dynamic language - there isn't a way to raise a custom error for something like this
At least a hint in the parameter documentation of password would help a lot.
Or change default value of create_random_password to False?
I strongly agree that this is incredibly confusing and frustrating behavior. It also took me way too long to realize that my SecretsManager secret wasn't being used for the DB password.
This behavior also apparently diverges from an older version of the provider (version = "~> 3.0" does not exhibit this).
Echoing other comments here. A simple note on the input description for password would be helpful to remind users of this module that if you plan to supply your own password, you need to set create_random_password to False!
This issue has been resolved in version 5.1.0 :tada:
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.