Terraform RDS database credentials
I am trying to use AWS secrets manager to declare RDS admin credentials.
- Declared credentials in rds.tf in variable RdsAdminCred as key/value pair
- Declared secret as well in the same tf file
variable "RdsAminCred" {
default = {
username = "dbadmin"
password = "dbadmin#02avia"
}
type = map(string)
}
resource "aws_secretsmanager_secret" "RdsAminCred" {
name = "RdsAminCred"
}
resource "aws_secretsmanager_secret_version" "RdsAminCred" {
secret_id = aws_secretsmanager_secret.RdsAminCred.id
secret_string = jsonencode(var.RdsAminCred)
}
- I am not sure how to use the secret string in the declaration below, to replace the hardcoded value for username and password.
resource "aws_db_instance" "default" {
identifier = "testdb"
allocated_storage = 20
storage_type = "gp2"
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t2.medium"
name = "mydb"
username = "dbadmin"
password = "dbadmin#01avia"
Any help is appreciated..
Answer
I'd recommend using the random_password resource instead. Then you can reference that in the cluster configuration and secrets manager.
Example:
resource "random_password" "master_password" {
length = 16
special = false
}
resource "aws_rds_cluster" "default" {
cluster_identifier = "my-cluster"
master_username = "admin"
master_password = random_password.default_master_password.result
# other configurations
# .
# .
# .
}
resource "aws_secretsmanager_secret" "rds_credentials" {
name = "credentials"
}
resource "aws_secretsmanager_secret_version" "rds_credentials" {
secret_id = aws_secretsmanager_secret.rds_credentials.id
secret_string = <<EOF
{
"username": "${aws_rds_cluster.default.master_username}",
"password": "${random_password.master_password.result}",
"engine": "mysql",
"host": "${aws_rds_cluster.default.endpoint}",
"port": ${aws_rds_cluster.default.port},
"dbClusterIdentifier": "${aws_rds_cluster.default.cluster_identifier}"
}
EOF
}