terraform-provider-aws
[Bug]: aws_rds_cluster resource does not allow master_secret_arn to be exported as an attribute
Terraform Core Version
1.2.9
AWS Provider Version
4.64.0
Affected Resource(s)
aws_rds_cluster resource
Expected Behavior
According to the following doc: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#secret_arn the value for the attribute is exportable
Actual Behavior
Attribute can't be exported
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
resource "aws_rds_cluster" "default" {
cluster_identifier = "aurora-cluster-demo"
engine = "aurora-mysql"
engine_version = "8.0.mysql_aurora.3.02.3"
manage_master_user_password = true
master_user_secret_kms_key_id = ""
master_username = "foo"
backup_retention_period = 5
preferred_backup_window = "07:00-09:00"
provider = aws.africa
db_subnet_group_name = aws_db_subnet_group.default.name
skip_final_snapshot = true
serverlessv2_scaling_configuration {
max_capacity = 12.0
min_capacity = 0.5
}
}
resource "aws_rds_cluster_instance" "default" {
cluster_identifier = aws_rds_cluster.default.id
instance_class = "db.serverless"
engine = aws_rds_cluster.default.engine
engine_version = aws_rds_cluster.default.engine_version
db_subnet_group_name = aws_db_subnet_group.default.name
}
resource "aws_db_subnet_group" "default" {
name = join("-",["rds", "sg"])
subnet_ids = ["subnet_ids"] # Replace with list of subnets in VPC
}
An example of the output we are trying to use is the following:
output "arn_of_mater_password_secret" {
value = aws_rds_cluster.default.master_secret.secret_arn"
}
Steps to Reproduce
Create Terraform template with aws_rds_cluster resource. Add secret_arn as output value
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
No
Community Note
Voting for Prioritization
- Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
- Please see our prioritization guide for information on how we prioritize.
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
Volunteering to Work on This Issue
- If you are interested in working on this issue, please leave a comment.
- If this would be your first contribution, please review the contribution guide.
Hey @anacronxinetd 👋 Thank you for taking the time to raise this! So that we have the necessary information in order to look into this, can you supply a sample Terraform configuration as well as debug logs (redacted as needed)?
Hey @justinretzolk
This is an example of the template we use:
resource "aws_rds_cluster" "default" {
cluster_identifier = "aurora-cluster-demo"
engine = "aurora-mysql"
engine_version = "8.0.mysql_aurora.3.02.3"
manage_master_user_password = true
master_user_secret_kms_key_id = ""
master_username = "foo"
backup_retention_period = 5
preferred_backup_window = "07:00-09:00"
provider = aws.africa
db_subnet_group_name = aws_db_subnet_group.default.name
skip_final_snapshot = true
serverlessv2_scaling_configuration {
max_capacity = 12.0
min_capacity = 0.5
}
}
resource "aws_rds_cluster_instance" "default" {
cluster_identifier = aws_rds_cluster.default.id
instance_class = "db.serverless"
engine = aws_rds_cluster.default.engine
engine_version = aws_rds_cluster.default.engine_version
db_subnet_group_name = aws_db_subnet_group.default.name
}
resource "aws_db_subnet_group" "default" {
name = join("-",["rds", "sg"])
subnet_ids = ["subnet_ids"] # Replace with list of subnets in VPC
}
An example of the output we are trying to use is the following:
output "arn_of_mater_password_secret" {
value = aws_rds_cluster.default.master_secret.secret_arn"
}
There are no logs, as the above-mentioned error is reported when running terraform plan. I also tested with version 4.67.0 of the AWS provider, but I'm also not able to reference the ARN of the secret using it.
Tested with the aws_db_instance resource, but same results: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
The following doc states: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#secret_arn
The master_user_secret configuration block supports the following attributes:
kms_key_id - The Amazon Web Services KMS key identifier that is used to encrypt the secret. secret_arn - The Amazon Resource Name (ARN) of the secret. secret_status - The status of the secret. Valid Values: creating | active | rotating | impaired.
However, the configuration block can't be specified as part of the aws_rds_cluster resource, and the values of the configuration block can't be used as output values either.
I ran into the same: an existing aws_db_instance with an admin password is changed to use Secrets Manager. I added the ARN of the secret as an output of the module. The plan step will fail.
To get it done, I made a workaround:
- Manually change the setting in the AWS console from a password to the Secrets Manager option
- Run the terraform plan step without any issue
- Run the terraform apply step without any issue
- Access the output of the secret_arn without any issue
It does require some clickops work to be done, but it works ;-)
Hey @anacronxinetd 👋 I just took a look over your description again, and something caught my eye:
output "arn_of_mater_password_secret" {
value = aws_rds_cluster.default.master_secret.secret_arn"
}
The aws_rds_cluster resource doesn't have a master_secret attribute; based on the documentation you linked to, I believe you're looking for master_user_secret.secret_arn (you're missing the user bit in the middle).
I resolved this using:
output "master_user_secret_arn" {
value = (var.manage_password_secret_manager && length(aws_rds_cluster.master.master_user_secret) == 1 ) ? lookup(aws_rds_cluster.master.master_user_secret[0], "secret_arn") : ""
}
NOTE: The variable manage_password_secret_manager decides whether to use Secrets Manager or to set the passwords manually.
I've just spent ... a while ... trying to work out why ...
output "master_user_secret_arns" {
description = "The RDS Cluster Master User Secret Username and Password ARNs"
value = {
password_arn = try(
data.aws_ssm_parameter.master_password[var.service].arn,
aws_rds_cluster.rds.master_user_secret.secret_arn
)
username_arn = aws_ssm_parameter.rds_master_username.arn
}
}
is outputting the error
╷
│ Error: Unsupported attribute
│
│ on modules/rds/outputs.tf line 6, in output "master_user_secret_arns":
│ 6: aws_rds_cluster.rds.master_user_secret.secret_arn
│
│ Can't access attributes on a list of objects. Did you mean to access attribute "secret_arn" for a specific element of the list, or across all elements of the list?
╵
And the documentation DOES give the reason (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_user_secret) ...
The master_user_secret configuration **block** supports the following attributes:
I added a small highlight.
As blocks are potentially multiple in a resource, you need to check that the set has one to read.
I don't think/know if blocks can be just an object and not a set/list of objects.
But, thank you @matiri132 for confirming what I eventually found.
If possible, a smaller update to the documentation would have solved this very easily!
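Putting the points from this thread together, here is an added example (not code from the issue or from the provider's documentation) of a configuration that handles the list-shaped master_user_secret attribute in both states: when RDS manages the password and when it does not. The resource name aws_rds_cluster.example, the two variables and the IAM role/policy names are assumptions for illustration; the attribute names master_user_secret, secret_arn and secret_status are the ones from the docs quoted above. The same indexing applies to the master_user_secret block of aws_db_instance, which one commenter reported behaving the same way.

```hcl
# Added example; not from the issue thread. Names marked "assumption" are
# illustrative only.

variable "manage_master_user_password" {
  description = "true: RDS stores the master password in Secrets Manager; false: you supply master_password"
  type        = bool
  default     = true
}

variable "master_password" {
  description = "Only used when manage_master_user_password is false (assumption)"
  type        = string
  sensitive   = true
  default     = null
}

resource "aws_rds_cluster" "example" { # name is an assumption
  cluster_identifier          = "aurora-cluster-demo"
  engine                      = "aurora-mysql"
  master_username             = "foo"
  manage_master_user_password = var.manage_master_user_password
  # master_password cannot be set together with manage_master_user_password = true,
  # so it is forced to null in that case.
  master_password             = var.manage_master_user_password ? null : var.master_password
  skip_final_snapshot         = true
}

# master_user_secret is exported as a LIST of objects: one element while RDS
# manages the password, an empty list otherwise. That is why the bare
# aws_rds_cluster.example.master_user_secret.secret_arn form fails at plan time.
locals {
  # one() returns the single element, or null for an empty list, so this stays
  # valid no matter how the variable is set (and never raises an index error).
  master_user_secret = one(aws_rds_cluster.example.master_user_secret)
}

output "master_user_secret_arn" {
  description = "ARN of the RDS-managed master user secret, or null when not managed"
  value       = try(local.master_user_secret.secret_arn, null)
}

output "master_user_secret_status" {
  description = "creating | active | rotating | impaired, or null when not managed"
  value       = try(local.master_user_secret.secret_status, null)
}

# Least-privilege read access to exactly this one secret for an application
# principal. The policy only exists when there is a managed secret to point at.
data "aws_iam_policy_document" "read_master_secret" {
  count = var.manage_master_user_password ? 1 : 0

  statement {
    sid       = "ReadRdsMasterSecret"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [aws_rds_cluster.example.master_user_secret[0].secret_arn]
  }
}

resource "aws_iam_policy" "read_master_secret" { # name is an assumption
  count  = var.manage_master_user_password ? 1 : 0
  name   = "read-aurora-master-secret"
  policy = data.aws_iam_policy_document.read_master_secret[0].json
}
```

Two practical notes. First, with manage_master_user_password = true the secret ARN is only known after apply, so anything that consumes it (the IAM policy above, a module output) shows as "(known after apply)" on the first plan; that is expected and not the error this issue is about. Second, export the ARN rather than the password: reading the secret back into Terraform with a data source would copy the password into state, whereas handing the application principal GetSecretValue on that single ARN keeps the credential out of state and scoped to one secret.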
I was able to get the arn using:
output "master_user_secret_arn" {
  value = aws_rds_cluster.aurora_cluster.master_user_secret[0].secret_arn
}
for some reason the master user secret is returned as a list, so you have to fetch the arn from the [0] index.
> I was able to get the arn using:
> output "master_user_secret_arn" {
>   value = aws_rds_cluster.aurora_cluster.master_user_secret[0].secret_arn
> }
> for some reason the master user secret is returned as a list, so you have to fetch the arn from the [0] index.

This worked for me as well