terraform-aws-rds
Optional user and password
what
- Optional user and password
- Added some of the ssm params from https://github.com/cloudposse/terraform-aws-components/blob/master/deprecated/aws/backing-services/rds.tf
why
- This will allow the user and password to be autogenerated and optionally saved as an SSM parameter
references
- Closes https://github.com/cloudposse/terraform-aws-rds/issues/118
notes
- SSM
  - Should this even use SSM? I thought it should if we made the module generate a random password.
  - [x] SSM param creation is disabled by default
  - [x] Should `ssm_enabled` be renamed to `ssm_parameters_enabled` to be more explicit?
  - [x] Should there also be a `ssm_key_prefix` instead of having to modify the `ssm_key_format`?
  - [x] Should I also save the `module.rds_instance.hostname` and `var.database_port` to ssm?
  - [x] Should all the SSM logic be put into its own `systems-manager.tf` file?
  - [ ] Should the SSM logic require its own aws provider passed in so it can use its own region? Or should it use its own provider in the module itself via `var.ssm_region` and, if one isn't passed in, it could use the current region?
- If the `database_name = ""` or `null`, should the name of the database be the `module.this.id`?
  - This could be done in a follow up PR
  - The issue is with SQL server, which requires `database_name = null`, so that means the ssm key itself would have the term `null` in there. Perhaps for ssm, if the `database_name == null` then we can use the unique `module.this.id` or `module.this.name`?
  - [x] Decided to use `module.this.name`
- Bridgecrew fixes
  - This could be done in a follow up PR
output
enable ssm with defaults

With `ssm_parameters_enabled = true`

```
$ terraform plan
Terraform will perform the following actions:
# module.rds_instance.aws_ssm_parameter.rds_database["hostname"] will be created
+ resource "aws_ssm_parameter" "rds_database" {
+ arn = (known after apply)
+ data_type = (known after apply)
+ description = "RDS DB hostname"
+ id = (known after apply)
+ key_id = (known after apply)
+ name = "/rds/mydb/admin/db_hostname"
+ overwrite = true
+ tags_all = (known after apply)
+ tier = "Standard"
+ type = "String"
+ value = (sensitive value)
+ version = (known after apply)
}
# module.rds_instance.aws_ssm_parameter.rds_database["password"] will be created
+ resource "aws_ssm_parameter" "rds_database" {
+ arn = (known after apply)
+ data_type = (known after apply)
+ description = "RDS DB password"
+ id = (known after apply)
+ key_id = "alias/aws/ssm"
+ name = "/rds/mydb/admin/db_password"
+ overwrite = true
+ tags_all = (known after apply)
+ tier = "Standard"
+ type = "SecureString"
+ value = (sensitive value)
+ version = (known after apply)
}
# module.rds_instance.aws_ssm_parameter.rds_database["port"] will be created
+ resource "aws_ssm_parameter" "rds_database" {
+ arn = (known after apply)
+ data_type = (known after apply)
+ description = "RDS DB port"
+ id = (known after apply)
+ key_id = (known after apply)
+ name = "/rds/mydb/admin/db_port"
+ overwrite = true
+ tags_all = (known after apply)
+ tier = "Standard"
+ type = "String"
+ value = (sensitive value)
+ version = (known after apply)
}
# module.rds_instance.aws_ssm_parameter.rds_database["user"] will be created
+ resource "aws_ssm_parameter" "rds_database" {
+ arn = (known after apply)
+ data_type = (known after apply)
+ description = "RDS DB user"
+ id = (known after apply)
+ key_id = (known after apply)
+ name = "/rds/mydb/admin/db_user"
+ overwrite = true
+ tags_all = (known after apply)
+ tier = "Standard"
+ type = "String"
+ value = (sensitive value)
+ version = (known after apply)
}
Plan: 4 to add, 0 to change, 0 to destroy.
```

enable ssm with merge defaults

With `ssm_parameters_enabled = true` and

```hcl
save_parameter_ssm_map_merge = {
  user = {
    suffix      = "admin/db_user_hello"
    description = "RDS DB user hihi"
  }
}
```

```
$ terraform plan
# hide previous 3 as seen above and only show the 1 difference
# module.rds_instance.aws_ssm_parameter.rds_database["user"] will be created
+ resource "aws_ssm_parameter" "rds_database" {
+ arn = (known after apply)
+ data_type = (known after apply)
+ description = "RDS DB user hihi"
+ id = (known after apply)
+ key_id = (known after apply)
+ name = "/rds/mydb/admin/db_user_hello"
+ overwrite = true
+ tags_all = (known after apply)
+ tier = "Standard"
+ type = "String"
+ value = (sensitive value)
+ version = (known after apply)
}
```
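The two plans above (defaults, then the `save_parameter_ssm_map_merge` override) can be reproduced with a small stand-alone configuration. The block below is an added illustration written for this page, not the PR's diff or the module's own code: it generates a user and password only when the caller leaves them empty, builds the four parameters from a defaults map merged with the caller's overrides, and writes only the password as a KMS-encrypted `SecureString`. The names `ssm_parameters_enabled`, `save_parameter_ssm_map_merge`, `ssm_key_prefix` and the `/rds/<name>/admin/db_*` key layout come from the PR description; the variable defaults, the `hostname` variable standing in for the `module.rds_instance.hostname` output, and the exact merge logic are assumptions.

```hcl
# Added example, not the module's implementation. Assumed variable names and
# defaults are marked below; the SSM key layout mirrors the plan output above.
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws" }
    random = { source = "hashicorp/random" }
  }
}

variable "name"                   { default = "mydb" }             # stands in for module.this.name
variable "hostname"               { default = "mydb.example.invalid" } # stands in for module.rds_instance.hostname
variable "database_port"          { default = 5432 }
variable "database_user"          { default = "" }                 # empty string => generate (assumed convention)
variable "database_password"      { default = "" }                 # empty string => generate (assumed convention)
variable "ssm_parameters_enabled" { default = false }              # off by default, as the PR notes state
variable "ssm_key_prefix"         { default = "/rds" }             # assumed default
variable "save_parameter_ssm_map_merge" {
  type    = map(map(string))
  default = {}
}

# A generated user name must start with a letter and avoid punctuation that
# database engines reject; random_pet yields values like "tidy_ferret".
resource "random_pet" "user" {
  count     = var.database_user == "" ? 1 : 0
  length    = 2
  separator = "_"
}

# RDS master passwords may not contain '/', '@', '"' or spaces, so the special
# character set is restricted explicitly instead of using the provider default.
resource "random_password" "password" {
  count            = var.database_password == "" ? 1 : 0
  length           = 32
  special          = true
  override_special = "!#$%^&*()-_=+[]{}<>:?"
}

locals {
  database_user     = var.database_user != "" ? var.database_user : random_pet.user[0].id
  database_password = var.database_password != "" ? var.database_password : random_password.password[0].result

  # Defaults reproduce the four parameters in the first plan. Only the password
  # is a SecureString; the others hold no secret and stay plain String.
  ssm_defaults = {
    hostname = { suffix = "admin/db_hostname", description = "RDS DB hostname", type = "String",       value = var.hostname }
    password = { suffix = "admin/db_password", description = "RDS DB password", type = "SecureString", value = local.database_password }
    port     = { suffix = "admin/db_port",     description = "RDS DB port",     type = "String",       value = tostring(var.database_port) }
    user     = { suffix = "admin/db_user",     description = "RDS DB user",     type = "String",       value = local.database_user }
  }

  # Caller overrides are merged per key, so the second plan's
  # user = { suffix = "admin/db_user_hello", description = "RDS DB user hihi" }
  # changes only those two attributes of the "user" entry.
  ssm_map = {
    for k, v in local.ssm_defaults : k => merge(v, lookup(var.save_parameter_ssm_map_merge, k, {}))
  }
}

resource "aws_ssm_parameter" "rds_database" {
  for_each = var.ssm_parameters_enabled ? local.ssm_map : {}

  name        = format("%s/%s/%s", var.ssm_key_prefix, var.name, each.value.suffix)
  description = each.value.description
  type        = each.value.type
  value       = each.value.value
  overwrite   = true
  # Encrypt the SecureString with the account's SSM-managed key, as in the plan.
  key_id      = each.value.type == "SecureString" ? "alias/aws/ssm" : null
}

output "database_user" {
  value = local.database_user
}

output "database_password" {
  value     = local.database_password
  sensitive = true
}
```

Two points worth checking when adopting this pattern: the generated password is still recorded in Terraform state (the `(sensitive value)` in the plan is redaction of the display, not of the state file), so state storage needs the same access controls as the SSM parameter itself; and `overwrite = true` means a re-run will replace a parameter that someone rotated out of band, which is convenient for the module but should be a deliberate choice.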
/test terratest
/test all
I think we need a separate module for SSM / Secrets Manager like @jamengual mentioned. Then we can easily turn it on and off and have the variables located in the upstream module instead of here.
We can do some of it by using https://github.com/cloudposse/terraform-aws-ssm-parameter-store but not the password creation.
I was thinking about doing that later but maybe it should be a prerequisite for this PR.
This pull request is now in conflict. Could you fix it @nitrocode? 🙏
@nitrocode It would be great if you could make `database_name` optional as well by specifying an empty string default value in `variables.tf`.
A possible scenario would be: I would like to do some modifications after I created the db instance from a snapshot, and if `database_name` is required then it would force a replacement.
Thanks!
@arischow thanks for the suggestion. This PR is only for generating password credentials. Could you write that into a separate issue so we can track it?
This pull request is now in conflict. Could you fix it @nitrocode? 🙏