Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Secretsmanager secret rotation for master user password #537

Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -210,7 +210,7 @@ Users have the ability to:
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.33 |

## Providers

Expand Down Expand Up @@ -282,6 +282,11 @@ No resources.
| <a name="input_maintenance_window"></a> [maintenance\_window](#input\_maintenance\_window) | The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00' | `string` | `null` | no |
| <a name="input_major_engine_version"></a> [major\_engine\_version](#input\_major\_engine\_version) | Specifies the major version of the engine that this option group should be associated with | `string` | `null` | no |
| <a name="input_manage_master_user_password"></a> [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager | `bool` | `true` | no |
| <a name="input_manage_master_user_password_rotation"></a> [manage\_master\_user\_password\_rotation](#input\_manage\_master\_user\_password\_rotation) | Whether to manage the master user password rotation. Setting this value to false after previously having been set to true will disable automatic rotation. | `bool` | `false` | no |
| <a name="input_master_user_password_rotate_immediately"></a> [master\_user\_password\_rotate\_immediately](#input\_master\_user\_password\_rotate\_immediately) | Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. | `bool` | `null` | no |
| <a name="input_master_user_password_rotation_automatically_after_days"></a> [master\_user\_password\_rotation\_automatically\_after\_days](#input\_master\_user\_password\_rotation\_automatically\_after\_days) | Specifies the number of days between automatic scheduled rotations of the secret. Either automatically\_after\_days or schedule\_expression must be specified. | `number` | `null` | no |
| <a name="input_master_user_password_rotation_duration"></a> [master\_user\_password\_rotation\_duration](#input\_master\_user\_password\_rotation\_duration) | The length of the rotation window in hours. For example, 3h for a three hour window. | `string` | `null` | no |
| <a name="input_master_user_password_rotation_schedule_expression"></a> [master\_user\_password\_rotation\_schedule\_expression](#input\_master\_user\_password\_rotation\_schedule\_expression) | A cron() or rate() expression that defines the schedule for rotating your secret. Either automatically\_after\_days or schedule\_expression must be specified. | `string` | `null` | no |
| <a name="input_master_user_secret_kms_key_id"></a> [master\_user\_secret\_kms\_key\_id](#input\_master\_user\_secret\_kms\_key\_id) | The key ARN, key ID, alias ARN or alias name for the KMS key to encrypt the master user password secret in Secrets Manager.<br> If not specified, the default KMS key for your Amazon Web Services account is used. | `string` | `null` | no |
| <a name="input_max_allocated_storage"></a> [max\_allocated\_storage](#input\_max\_allocated\_storage) | Specifies the value for Storage Autoscaling | `number` | `0` | no |
| <a name="input_monitoring_interval"></a> [monitoring\_interval](#input\_monitoring\_interval) | The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60 | `number` | `0` | no |
Expand Down Expand Up @@ -346,6 +351,7 @@ No resources.
| <a name="output_db_instance_port"></a> [db\_instance\_port](#output\_db\_instance\_port) | The database port |
| <a name="output_db_instance_resource_id"></a> [db\_instance\_resource\_id](#output\_db\_instance\_resource\_id) | The RDS Resource ID of this instance |
| <a name="output_db_instance_role_associations"></a> [db\_instance\_role\_associations](#output\_db\_instance\_role\_associations) | A map of DB Instance Identifiers and IAM Role ARNs separated by a comma |
| <a name="output_db_instance_secretsmanager_secret_rotation_enabled"></a> [db\_instance\_secretsmanager\_secret\_rotation\_enabled](#output\_db\_instance\_secretsmanager\_secret\_rotation\_enabled) | Specifies whether automatic rotation is enabled for the secret |
| <a name="output_db_instance_status"></a> [db\_instance\_status](#output\_db\_instance\_status) | The RDS instance status |
| <a name="output_db_instance_username"></a> [db\_instance\_username](#output\_db\_instance\_username) | The master username for the database |
| <a name="output_db_listener_endpoint"></a> [db\_listener\_endpoint](#output\_db\_listener\_endpoint) | Specifies the listener connection endpoint for SQL Server Always On |
Expand Down
4 changes: 2 additions & 2 deletions examples/blue-green-deployment/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.33 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.25 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.33 |

## Modules

Expand Down
2 changes: 1 addition & 1 deletion examples/blue-green-deployment/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.25"
version = ">= 5.33"
}
}
}
4 changes: 2 additions & 2 deletions examples/complete-mssql/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.33 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.25 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.33 |

## Modules

Expand Down
2 changes: 1 addition & 1 deletion examples/complete-mssql/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.25"
version = ">= 5.33"
}
}
}
4 changes: 2 additions & 2 deletions examples/complete-mysql/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.33 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.25 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.33 |

## Modules

Expand Down
2 changes: 1 addition & 1 deletion examples/complete-mysql/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.25"
version = ">= 5.33"
}
}
}
4 changes: 2 additions & 2 deletions examples/complete-oracle/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.33 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.25 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.33 |

## Modules

Expand Down
2 changes: 1 addition & 1 deletion examples/complete-oracle/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.25"
version = ">= 5.33"
}
}
}
6 changes: 4 additions & 2 deletions examples/complete-postgres/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.33 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.25 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.33 |

## Modules

Expand Down Expand Up @@ -72,6 +72,7 @@ No inputs.
| <a name="output_db_default_master_user_secret_arn"></a> [db\_default\_master\_user\_secret\_arn](#output\_db\_default\_master\_user\_secret\_arn) | The ARN of the master user secret (Only available when manage\_master\_user\_password is set to true) |
| <a name="output_db_default_parameter_group_arn"></a> [db\_default\_parameter\_group\_arn](#output\_db\_default\_parameter\_group\_arn) | The ARN of the db parameter group |
| <a name="output_db_default_parameter_group_id"></a> [db\_default\_parameter\_group\_id](#output\_db\_default\_parameter\_group\_id) | The db parameter group id |
| <a name="output_db_default_secretsmanager_secret_rotation_enabled"></a> [db\_default\_secretsmanager\_secret\_rotation\_enabled](#output\_db\_default\_secretsmanager\_secret\_rotation\_enabled) | Specifies whether automatic rotation is enabled for the secret |
| <a name="output_db_default_subnet_group_arn"></a> [db\_default\_subnet\_group\_arn](#output\_db\_default\_subnet\_group\_arn) | The ARN of the db subnet group |
| <a name="output_db_default_subnet_group_id"></a> [db\_default\_subnet\_group\_id](#output\_db\_default\_subnet\_group\_id) | The db subnet group name |
| <a name="output_db_enhanced_monitoring_iam_role_arn"></a> [db\_enhanced\_monitoring\_iam\_role\_arn](#output\_db\_enhanced\_monitoring\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the monitoring role |
Expand All @@ -88,6 +89,7 @@ No inputs.
| <a name="output_db_instance_name"></a> [db\_instance\_name](#output\_db\_instance\_name) | The database name |
| <a name="output_db_instance_port"></a> [db\_instance\_port](#output\_db\_instance\_port) | The database port |
| <a name="output_db_instance_resource_id"></a> [db\_instance\_resource\_id](#output\_db\_instance\_resource\_id) | The RDS Resource ID of this instance |
| <a name="output_db_instance_secretsmanager_secret_rotation_enabled"></a> [db\_instance\_secretsmanager\_secret\_rotation\_enabled](#output\_db\_instance\_secretsmanager\_secret\_rotation\_enabled) | Specifies whether automatic rotation is enabled for the secret |
| <a name="output_db_instance_status"></a> [db\_instance\_status](#output\_db\_instance\_status) | The RDS instance status |
| <a name="output_db_instance_username"></a> [db\_instance\_username](#output\_db\_instance\_username) | The master username for the database |
| <a name="output_db_parameter_group_arn"></a> [db\_parameter\_group\_arn](#output\_db\_parameter\_group\_arn) | The ARN of the db parameter group |
Expand Down
6 changes: 6 additions & 0 deletions examples/complete-postgres/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,12 @@ module "db" {
username = "complete_postgresql"
port = 5432

# setting manage_master_user_password_rotation to false after it
# has been set to true previously disables automatic rotation
manage_master_user_password_rotation = true
master_user_password_rotate_immediately = false
master_user_password_rotation_schedule_expression = "rate(15 days)"

multi_az = true
db_subnet_group_name = module.vpc.database_subnet_group
vpc_security_group_ids = [module.security_group.security_group_id]
Expand Down
10 changes: 10 additions & 0 deletions examples/complete-postgres/outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -99,6 +99,11 @@ output "db_instance_master_user_secret_arn" {
value = module.db.db_instance_master_user_secret_arn
}

output "db_instance_secretsmanager_secret_rotation_enabled" {
description = "Specifies whether automatic rotation is enabled for the secret"
value = module.db.db_instance_secretsmanager_secret_rotation_enabled
}

# Default
output "db_default_instance_address" {
description = "The address of the RDS instance"
Expand Down Expand Up @@ -195,3 +200,8 @@ output "db_default_master_user_secret_arn" {
description = "The ARN of the master user secret (Only available when manage_master_user_password is set to true)"
value = module.db_default.db_instance_master_user_secret_arn
}

output "db_default_secretsmanager_secret_rotation_enabled" {
description = "Specifies whether automatic rotation is enabled for the secret"
value = module.db_default.db_instance_secretsmanager_secret_rotation_enabled
}
2 changes: 1 addition & 1 deletion examples/complete-postgres/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.25"
version = ">= 5.33"
}
}
}
4 changes: 2 additions & 2 deletions examples/cross-region-replica-postgres/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.33 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.25 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.33 |

## Modules

Expand Down
2 changes: 1 addition & 1 deletion examples/cross-region-replica-postgres/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.25"
version = ">= 5.33"
}
}
}
4 changes: 2 additions & 2 deletions examples/enhanced-monitoring/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,13 +22,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.33 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.25 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.33 |

## Modules

Expand Down
2 changes: 1 addition & 1 deletion examples/enhanced-monitoring/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.25"
version = ">= 5.33"
}
}
}
2 changes: 1 addition & 1 deletion examples/groups/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.33 |

## Providers

Expand Down
2 changes: 1 addition & 1 deletion examples/groups/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.25"
version = ">= 5.33"
}
}
}
4 changes: 2 additions & 2 deletions examples/replica-mysql/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.33 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.25 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.33 |

## Modules

Expand Down
2 changes: 1 addition & 1 deletion examples/replica-mysql/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.25"
version = ">= 5.33"
}
}
}
4 changes: 2 additions & 2 deletions examples/replica-postgres/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.33 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.25 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.33 |

## Modules

Expand Down
2 changes: 1 addition & 1 deletion examples/replica-postgres/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.25"
version = ">= 5.33"
}
}
}
4 changes: 2 additions & 2 deletions examples/role-association-postgres/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,13 @@ Further database configurations for creating extension and invoking from postgre
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.33 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.25 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.33 |

## Modules

Expand Down
2 changes: 1 addition & 1 deletion examples/role-association-postgres/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.25"
version = ">= 5.33"
}
}
}
4 changes: 2 additions & 2 deletions examples/s3-import-mysql/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -49,13 +49,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.33 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.25 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.33 |

## Modules

Expand Down
2 changes: 1 addition & 1 deletion examples/s3-import-mysql/versions.tf
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.25"
version = ">= 5.33"
}
}
}
6 changes: 6 additions & 0 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,12 @@ module "db_instance" {
manage_master_user_password = var.manage_master_user_password
master_user_secret_kms_key_id = var.master_user_secret_kms_key_id

manage_master_user_password_rotation = var.manage_master_user_password_rotation
master_user_password_rotate_immediately = var.master_user_password_rotate_immediately
master_user_password_rotation_automatically_after_days = var.master_user_password_rotation_automatically_after_days
master_user_password_rotation_duration = var.master_user_password_rotation_duration
master_user_password_rotation_schedule_expression = var.master_user_password_rotation_schedule_expression

vpc_security_group_ids = var.vpc_security_group_ids
db_subnet_group_name = local.db_subnet_group_name
parameter_group_name = local.parameter_group_name_id
Expand Down
Loading
Loading