Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: Add upgrade doc and fix variable description #548

Merged
Show file tree
Hide file tree
Changes from 4 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -285,7 +285,7 @@ No resources.
| <a name="input_maintenance_window"></a> [maintenance\_window](#input\_maintenance\_window) | The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00' | `string` | `null` | no |
| <a name="input_major_engine_version"></a> [major\_engine\_version](#input\_major\_engine\_version) | Specifies the major version of the engine that this option group should be associated with | `string` | `null` | no |
| <a name="input_manage_master_user_password"></a> [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager | `bool` | `true` | no |
| <a name="input_manage_master_user_password_rotation"></a> [manage\_master\_user\_password\_rotation](#input\_manage\_master\_user\_password\_rotation) | Whether to manage the master user password rotation. Setting this value to false after previously having been set to true will disable automatic rotation. | `bool` | `false` | no |
| <a name="input_manage_master_user_password_rotation"></a> [manage\_master\_user\_password\_rotation](#input\_manage\_master\_user\_password\_rotation) | Whether to manage the master user password rotation. By default, false on creation, rotation is managed by RDS. Setting this value to false after previously having been set to true will disable automatic rotation. | `bool` | `false` | no |
| <a name="input_master_user_password_rotate_immediately"></a> [master\_user\_password\_rotate\_immediately](#input\_master\_user\_password\_rotate\_immediately) | Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. | `bool` | `null` | no |
| <a name="input_master_user_password_rotation_automatically_after_days"></a> [master\_user\_password\_rotation\_automatically\_after\_days](#input\_master\_user\_password\_rotation\_automatically\_after\_days) | Specifies the number of days between automatic scheduled rotations of the secret. Either automatically\_after\_days or schedule\_expression must be specified. | `number` | `null` | no |
| <a name="input_master_user_password_rotation_duration"></a> [master\_user\_password\_rotation\_duration](#input\_master\_user\_password\_rotation\_duration) | The length of the rotation window in hours. For example, 3h for a three hour window. | `string` | `null` | no |
Expand Down
115 changes: 115 additions & 0 deletions UPGRADE-6.0.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,115 @@
# Upgrade from v5.x to v6.x

If you have any questions regarding this upgrade process, please consult the [`examples/`](https://github.com/terraform-aws-modules/terraform-aws-rds/tree/master/examples) projects:

If you find a bug, please open an issue with supporting configuration to reproduce.

## List of backwards incompatible changes

With RDS now supporting the integration with SecretsManager to manage the master user password, the ability to generate a random password has been removed from this module. This is the preferred and strongly recommended route to mange the password since it keeps the password out of the Terraform state and allows for the password to be rotated automatically.

## Variable and output changes

1. Removed variables:

- `create_random_password` -> support for random password generation has been removed
- `random_password_length` -> support for random password generation has been removed

2. Renamed variables:

- None

3. Added variables:

- `manage_master_user_password`
- `master_user_secret_kms_key_id`

4. Removed outputs:

- `db_instance_password` -> support for random password generation has been removed


5. Renamed outputs:

- `db_instance_id` -> `db_instance_identifier`

6. Added outputs:

- None


## Upgrade Migrations

### Before 5.x Example

```hcl
module "rds_before" {
magreenbaum marked this conversation as resolved.
Show resolved Hide resolved
source = "terraform-aws-modules/rds/aws"
version = "~> 5.0"

# Only the affected attributes are shown
create_db_instance = true

create_random_password = true
random_password_length = 16

tags = {
Environment = "dev"
Terraform = "true"
}
}
```

### After 6.x Example

```hcl
module "rds_after" {
magreenbaum marked this conversation as resolved.
Show resolved Hide resolved
source = "terraform-aws-modules/rds/aws"
version = "~> 6.0"

create_db_instance = true

manage_master_user_password = true

tags = {
Environment = "dev"
Terraform = "true"
}
}
```

### Retaining use of random password

The following example demonstrates the changes that users can elect to make to avoid any potential disruptions when upgrading if electing not to use RDS password management with SecretsManager `manage_master_user_password` when previously using `create_random_password`.

In this example, the `random_password` resource is added alongside the existing module to preserve the existing password.

```hcl
resource "random_password" "master_password" {
length = 16
special = false
}

module "rds_after" {
magreenbaum marked this conversation as resolved.
Show resolved Hide resolved
source = "terraform-aws-modules/rds/aws"
version = "~> 5.0"

# Only the affected attributes are shown
create_db_instance = true

manage_master_user_password = false

password = random_password.master_password.result

tags = {
Environment = "dev"
Terraform = "true"
}
}
```

A state move must be done to preserve the previously used random password. Example:

```
terraform state mv 'module.db.random_password.master_password[0]' random_password.master_password
magreenbaum marked this conversation as resolved.
Show resolved Hide resolved
```
9 changes: 7 additions & 2 deletions examples/complete-postgres/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,13 @@ module "db" {
username = "complete_postgresql"
port = 5432

# setting manage_master_user_password_rotation to false after it
# has been set to true previously disables automatic rotation
# Setting manage_master_user_password_rotation to false after it
# has previously been set to true disables automatic rotation
# however using an initial value of false (default) does not disable
# automatic rotation and rotation will be handled by RDS.
# manage_master_user_password_rotation allows users to configure
# a non-default schedule and is not meant to disable rotation
# when initially creating / enabling the password management feature
manage_master_user_password_rotation = true
master_user_password_rotate_immediately = false
master_user_password_rotation_schedule_expression = "rate(15 days)"
Expand Down
2 changes: 1 addition & 1 deletion modules/db_instance/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ No modules.
| <a name="input_license_model"></a> [license\_model](#input\_license\_model) | License model information for this DB instance. Optional, but required for some DB engines, i.e. Oracle SE1 | `string` | `null` | no |
| <a name="input_maintenance_window"></a> [maintenance\_window](#input\_maintenance\_window) | The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00' | `string` | `null` | no |
| <a name="input_manage_master_user_password"></a> [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if password is provided | `bool` | `true` | no |
| <a name="input_manage_master_user_password_rotation"></a> [manage\_master\_user\_password\_rotation](#input\_manage\_master\_user\_password\_rotation) | Whether to manage the master user password rotation. Setting this value to false after previously having been set to true will disable automatic rotation. | `bool` | `false` | no |
| <a name="input_manage_master_user_password_rotation"></a> [manage\_master\_user\_password\_rotation](#input\_manage\_master\_user\_password\_rotation) | Whether to manage the master user password rotation. By default, false on creation, rotation is managed by RDS. Setting this value to false after previously having been set to true will disable automatic rotation. | `bool` | `false` | no |
| <a name="input_master_user_password_rotate_immediately"></a> [master\_user\_password\_rotate\_immediately](#input\_master\_user\_password\_rotate\_immediately) | Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. | `bool` | `null` | no |
| <a name="input_master_user_password_rotation_automatically_after_days"></a> [master\_user\_password\_rotation\_automatically\_after\_days](#input\_master\_user\_password\_rotation\_automatically\_after\_days) | Specifies the number of days between automatic scheduled rotations of the secret. Either automatically\_after\_days or schedule\_expression must be specified. | `number` | `null` | no |
| <a name="input_master_user_password_rotation_duration"></a> [master\_user\_password\_rotation\_duration](#input\_master\_user\_password\_rotation\_duration) | The length of the rotation window in hours. For example, 3h for a three hour window. | `string` | `null` | no |
Expand Down
2 changes: 1 addition & 1 deletion modules/db_instance/variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -447,7 +447,7 @@ variable "cloudwatch_log_group_kms_key_id" {
################################################################################

variable "manage_master_user_password_rotation" {
description = "Whether to manage the master user password rotation. Setting this value to false after previously having been set to true will disable automatic rotation."
description = "Whether to manage the master user password rotation. By default, false on creation, rotation is managed by RDS. Setting this value to false after previously having been set to true will disable automatic rotation."
type = bool
default = false
}
Expand Down
2 changes: 1 addition & 1 deletion variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -584,7 +584,7 @@ variable "db_instance_role_associations" {
################################################################################

variable "manage_master_user_password_rotation" {
description = "Whether to manage the master user password rotation. Setting this value to false after previously having been set to true will disable automatic rotation."
description = "Whether to manage the master user password rotation. By default, false on creation, rotation is managed by RDS. Setting this value to false after previously having been set to true will disable automatic rotation."
type = bool
default = false
}
Expand Down