Enhanced Password Validation, Import Toggle, and Output Standardization for Datastore Modules

datastore/mongo/aws-documentdb/1.0/facets.yaml

@@ -103,6 +103,12 @@ spec:
           type: string
           title: Subnet Group Name
           description: Name of existing DocumentDB subnet group to import
+        master_password:
+          type: string
+          title: Master Password
+          description: Master password for the imported cluster (8+ characters)
+          minLength: 8
+          x-ui-secret-ref: true
   required:
   - version_config
   - sizing

datastore/mongo/aws-documentdb/1.0/locals.tf

@@ -13,9 +13,11 @@ locals {
   cluster_port     = aws_docdb_cluster.main.port
   master_username  = aws_docdb_cluster.main.master_username
 
-  # Handle password for imported vs new clusters
-  # For imported clusters, we can't access the actual password
-  master_password = local.is_import ? "*** IMPORTED - PASSWORD NOT ACCESSIBLE ***" : (try(var.instance.spec.restore_config.restore_from_snapshot, false) ? var.instance.spec.restore_config.master_password : random_password.master[0].result)
+  # Handle password logic:
+  # - restore_from_snapshot → use restore password
+  # - import → use imported master password
+  # - new cluster → use generated random password
+  master_password = (var.instance.spec.restore_config.restore_from_snapshot ? var.instance.spec.restore_config.master_password : local.is_import ? var.instance.spec.imports.master_password : random_password.master[0].result)
 
   # Connection string for MongoDB
   connection_string = "mongodb://${local.master_username}:${local.master_password}@${local.cluster_endpoint}:${local.cluster_port}/?tls=true&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false"

datastore/mongo/aws-documentdb/1.0/main.tf

@@ -80,8 +80,7 @@ resource "aws_docdb_cluster" "main" {
   engine                    = "docdb"
   engine_version            = var.instance.spec.version_config.engine_version == "6.0.0" ? "5.0.0" : var.instance.spec.version_config.engine_version
   master_username           = var.instance.spec.restore_config.restore_from_snapshot ? var.instance.spec.restore_config.master_username : "docdbadmin"
-  master_password           = local.is_import ? null : (var.instance.spec.restore_config.restore_from_snapshot ? var.instance.spec.restore_config.master_password : random_password.master[0].result)
-  port                      = var.instance.spec.version_config.port
+  master_password           = local.master_password
   backup_retention_period   = 7
   preferred_backup_window   = "07:00-09:00"
   skip_final_snapshot       = false

datastore/mongo/aws-documentdb/1.0/variables.tf

@@ -23,6 +23,7 @@ variable "instance" {
         cluster_identifier = optional(string)
         security_group_id  = optional(string)
         subnet_group_name  = optional(string)
+        master_password    = optional(string)
       }), {})
     })
   })

datastore/mysql/aws-aurora/1.0/facets.yaml

@@ -135,6 +135,12 @@ spec:
           type: string
           title: Reader Instance Identifiers
           description: Existing reader instance identifiers to import (comma-separated)
+        master_password:
+          type: string
+          title: Master Password
+          description: Master password for the imported cluster (8+ characters)
+          minLength: 8
+          x-ui-secret-ref: true
   required:
   - version_config
   - sizing

datastore/mysql/aws-aurora/1.0/main.tf

@@ -21,8 +21,8 @@ locals {
   imported_writer_id = try(var.instance.spec.imports.writer_instance_identifier, null)
 
   # Handle password - don't create for restore or import
-  master_password = local.restore_from_backup ? var.instance.spec.restore_config.master_password : (local.is_import ? null : random_password.master_password[0].result)
-  master_username = local.restore_from_backup ? var.instance.spec.restore_config.master_username : (local.is_import ? null : "admin")
+  master_password = (local.restore_from_backup ? var.instance.spec.restore_config.master_password : local.is_import ? var.instance.spec.imports.master_password : random_password.master_password[0].result)
+  master_username = local.restore_from_backup ? var.instance.spec.restore_config.master_username : "admin"
 
   # Split reader instance identifiers if provided for import
   reader_instance_ids = try(var.instance.spec.imports.reader_instance_identifiers, null) != null && var.instance.spec.imports.reader_instance_identifiers != "" ? split(",", trimspace(var.instance.spec.imports.reader_instance_identifiers)) : []
@@ -83,10 +83,10 @@ resource "aws_rds_cluster" "aurora" {
   engine             = "aurora-mysql"
 
   # When restoring from snapshot or importing, these fields must be omitted or ignored
-  engine_version  = (local.restore_from_backup || local.is_import) ? null : var.instance.spec.version_config.engine_version
-  database_name   = (local.restore_from_backup || local.is_import) ? null : var.instance.spec.version_config.database_name
-  master_username = (local.restore_from_backup || local.is_import) ? null : local.master_username
-  master_password = (local.restore_from_backup || local.is_import) ? null : local.master_password
+  engine_version  = var.instance.spec.version_config.engine_version
+  database_name   = var.instance.spec.version_config.database_name
+  master_username = local.master_username
+  master_password = local.master_password
 
   # Backup configuration
   backup_retention_period      = 7 # Hardcoded - 7 days retention

datastore/mysql/aws-aurora/1.0/outputs.tf

@@ -5,18 +5,9 @@ locals {
       host     = aws_rds_cluster.aurora.reader_endpoint
       username = aws_rds_cluster.aurora.master_username
       port     = tostring(aws_rds_cluster.aurora.port)
-      password = local.is_import ? "<imported-password-not-available>" : (
-        local.restore_from_backup ? var.instance.spec.restore_config.master_password : local.master_password
-      )
+      password = local.restore_from_backup ? var.instance.spec.restore_config.master_password : local.master_password
       database = aws_rds_cluster.aurora.database_name
-
-      connection_string = local.is_import ? format(
-        "mysql://%s:<password>@%s:%d/%s",
-        aws_rds_cluster.aurora.master_username,
-        aws_rds_cluster.aurora.reader_endpoint,
-        aws_rds_cluster.aurora.port,
-        coalesce(aws_rds_cluster.aurora.database_name, "")
-        ) : format(
+      connection_string = format(
         "mysql://%s:%s@%s:%d/%s",
         aws_rds_cluster.aurora.master_username,
         local.restore_from_backup ? var.instance.spec.restore_config.master_password : local.master_password,
@@ -31,17 +22,9 @@ locals {
       host     = aws_rds_cluster.aurora.endpoint
       port     = tostring(aws_rds_cluster.aurora.port)
       username = aws_rds_cluster.aurora.master_username
-      password = local.is_import ? "<imported-password-not-available>" : (
-        local.restore_from_backup ? var.instance.spec.restore_config.master_password : local.master_password
-      )
+      password = local.restore_from_backup ? var.instance.spec.restore_config.master_password : local.master_password
       database = aws_rds_cluster.aurora.database_name
-      connection_string = local.is_import ? format(
-        "mysql://%s:<password>@%s:%d/%s",
-        aws_rds_cluster.aurora.master_username,
-        aws_rds_cluster.aurora.endpoint,
-        aws_rds_cluster.aurora.port,
-        coalesce(aws_rds_cluster.aurora.database_name, "")
-        ) : format(
+      connection_string = format(
         "mysql://%s:%s@%s:%d/%s",
         aws_rds_cluster.aurora.master_username,
         local.restore_from_backup ? var.instance.spec.restore_config.master_password : local.master_password,

datastore/mysql/aws-aurora/1.0/variables.tf

@@ -25,6 +25,7 @@ variable "instance" {
         cluster_identifier          = optional(string)
         writer_instance_identifier  = optional(string)
         reader_instance_identifiers = optional(string)
+        master_password             = optional(string)
       }), {})
     })
   })

datastore/mysql/aws-rds/1.0/facets.yaml

@@ -144,6 +144,12 @@ spec:
           type: string
           title: Security Group ID
           description: ID of existing security group to import
+        master_password:
+          type: string
+          title: Master Password
+          description: Master password for the imported resource (8+ characters)
+          minLength: 8
+          x-ui-secret-ref: true
   required:
   - version_config
 imports:

datastore/mysql/aws-rds/1.0/locals.tf

@@ -25,13 +25,12 @@ locals {
   # Database configuration
   is_restore_operation = var.instance.spec.restore_config.restore_from_backup
 
-  # Master credentials - don't set when importing (set to null)
-  # When importing, username and password should be null to avoid overriding existing values
-  master_username = local.is_db_instance_import ? null : (local.is_restore_operation ? var.instance.spec.restore_config.restore_master_username : var.instance.spec.version_config.master_username)
-  master_password = local.is_db_instance_import ? null : (local.is_restore_operation ? var.instance.spec.restore_config.restore_master_password : (length(random_password.master_password) > 0 ? random_password.master_password[0].result : ""))
+  # When importing, username and password should be same as the original to avoid overriding existing values
+  master_username = (local.is_restore_operation ? var.instance.spec.restore_config.restore_master_username : var.instance.spec.version_config.master_username)
+  master_password = (local.is_db_instance_import ? var.instance.spec.imports.master_password : local.is_restore_operation ? var.instance.spec.restore_config.restore_master_password : random_password.master_password[0].result)
 
-  # Database name - don't set when importing
-  database_name = local.is_db_instance_import ? null : var.instance.spec.version_config.database_name
+  # Database name - should be same when importing
+  database_name = var.instance.spec.version_config.database_name
 
   # Max allocated storage (0 means disabled)
   max_allocated_storage = var.instance.spec.sizing.max_allocated_storage > 0 ? var.instance.spec.sizing.max_allocated_storage : null

datastore/mysql/aws-rds/1.0/outputs.tf

@@ -5,21 +5,22 @@ locals {
       host     = length(aws_db_instance.read_replicas) > 0 ? aws_db_instance.read_replicas[0].address : aws_db_instance.mysql.address
       username = aws_db_instance.mysql.username
       port     = aws_db_instance.mysql.port
-      password = local.is_db_instance_import ? "[IMPORTED-NOT-AVAILABLE]" : local.master_password
+      password = local.master_password
       database = aws_db_instance.mysql.db_name
-
       connection_string = local.is_db_instance_import ? (
         length(aws_db_instance.read_replicas) > 0 ?
         format(
-          "mysql://%s:[PASSWORD]@%s:%d/%s",
+          "mysql://%s:%s@%s:%d/%s",
           aws_db_instance.mysql.username,
+          local.master_password,
           aws_db_instance.read_replicas[0].address,
           aws_db_instance.read_replicas[0].port,
           aws_db_instance.mysql.db_name
         ) :
         format(
-          "mysql://%s:[PASSWORD]@%s:%d/%s",
+          "mysql://%s:%s@%s:%d/%s",
           aws_db_instance.mysql.username,
+          local.master_password,
           aws_db_instance.mysql.address,
           aws_db_instance.mysql.port,
           aws_db_instance.mysql.db_name
@@ -50,9 +51,9 @@ locals {
       host              = aws_db_instance.mysql.address
       port              = aws_db_instance.mysql.port
       username          = aws_db_instance.mysql.username
-      password          = local.is_db_instance_import ? "[IMPORTED-NOT-AVAILABLE]" : local.master_password
+      password          = local.master_password
       database          = aws_db_instance.mysql.db_name
-      connection_string = local.is_db_instance_import ? "mysql://${aws_db_instance.mysql.username}:[PASSWORD]@${aws_db_instance.mysql.address}:${aws_db_instance.mysql.port}/${aws_db_instance.mysql.db_name}" : "mysql://${aws_db_instance.mysql.username}:${local.master_password}@${aws_db_instance.mysql.address}:${aws_db_instance.mysql.port}/${aws_db_instance.mysql.db_name}"
+      connection_string = "mysql://${aws_db_instance.mysql.username}:${local.master_password}@${aws_db_instance.mysql.address}:${aws_db_instance.mysql.port}/${aws_db_instance.mysql.db_name}"
       secrets           = ["password", "connection_string"]
     }
   }

datastore/mysql/aws-rds/1.0/variables.tf

@@ -27,6 +27,7 @@ variable "instance" {
         db_instance_identifier = optional(string)
         db_subnet_group_name   = optional(string)
         security_group_id      = optional(string)
+        master_password        = optional(string)
       }))
     })
   })

datastore/mysql/gcp-cloudsql/1.0/facets.yaml

@@ -156,6 +156,12 @@ spec:
           pattern: ^[a-z0-9/_-]+$
           minLength: 1
           maxLength: 200
+        master_password:
+          type: string
+          title: Master Password
+          description: Master password for the imported resource (8+ characters)
+          minLength: 8
+          x-ui-secret-ref: true
   required:
   - version_config
   - sizing

datastore/mysql/gcp-cloudsql/1.0/locals.tf

@@ -4,7 +4,7 @@ locals {
   master_endpoint = google_sql_database_instance.mysql_instance.private_ip_address
   mysql_port      = 3306
   master_username = google_sql_user.mysql_root_user.name
-  master_password = try(google_sql_user.mysql_root_user.password, null)
+  master_password = var.instance.spec.imports.master_password != null ? var.instance.spec.imports.master_password : google_sql_user.mysql_root_user.password
   database_name   = google_sql_database.initial_database.name
 
   # Read replica endpoints (if any)

datastore/mysql/gcp-cloudsql/1.0/main.tf

@@ -138,7 +138,7 @@ resource "google_sql_user" "mysql_root_user" {
   name     = var.instance.spec.restore_config.restore_from_backup ? var.instance.spec.restore_config.master_username : "root"
   instance = google_sql_database_instance.mysql_instance.name
   password = var.instance.spec.restore_config.restore_from_backup ? var.instance.spec.restore_config.master_password : (
-    try(var.instance.spec.imports.root_user, "") != "" ? "imported-password-unchanged" : random_password.mysql_password[0].result
+    try(var.instance.spec.imports.root_user, "") != "" ? var.instance.spec.imports.master_password : random_password.mysql_password[0].result
   )
 
   lifecycle {

datastore/mysql/gcp-cloudsql/1.0/outputs.tf

@@ -4,17 +4,17 @@ locals {
     reader = {
       host              = local.reader_endpoint
       username          = local.master_username
-      password          = local.master_password != null ? local.master_password : "imported-password-managed-externally"
-      connection_string = local.master_password != null ? "mysql://${local.master_username}:${local.master_password}@${local.reader_endpoint}:${local.mysql_port}/${local.database_name}" : "mysql://${local.master_username}:PASSWORD_MANAGED_EXTERNALLY@${local.reader_endpoint}:${local.mysql_port}/${local.database_name}"
+      password          = var.instance.spec.imports.master_password != null ? var.instance.spec.imports.master_password : local.master_password
+      connection_string = "mysql://${local.master_username}:${local.master_password}@${local.reader_endpoint}:${local.mysql_port}/${local.database_name}"
       port              = local.mysql_port
       database          = local.database_name
       secrets           = ["password", "connection_string"]
     }
     writer = {
       host              = local.master_endpoint
       username          = local.master_username
-      password          = local.master_password != null ? local.master_password : "imported-password-managed-externally"
-      connection_string = local.master_password != null ? "mysql://${local.master_username}:${local.master_password}@${local.master_endpoint}:${local.mysql_port}/${local.database_name}" : "mysql://${local.master_username}:PASSWORD_MANAGED_EXTERNALLY@${local.master_endpoint}:${local.mysql_port}/${local.database_name}"
+      password          = var.instance.spec.imports.master_password != null ? var.instance.spec.imports.master_password : local.master_password
+      connection_string = "mysql://${local.master_username}:${local.master_password}@${local.master_endpoint}:${local.mysql_port}/${local.database_name}"
       port              = local.mysql_port
       database          = local.database_name
       secrets           = ["password", "connection_string"]

datastore/mysql/gcp-cloudsql/1.0/variables.tf

@@ -22,6 +22,7 @@ variable "instance" {
       })
       imports = optional(object({
         instance_name = optional(string)
+        master_password = optional(string)
       }))
     })
   })

datastore/postgres/aws-aurora/1.0/facets.yaml

@@ -139,6 +139,12 @@ spec:
           type: string
           title: Reader Instance Identifiers
           description: Existing reader instance identifiers to import (comma-separated)
+        master_password:
+          type: string
+          title: Master Password
+          description: Master password for the imported cluster (8+ characters)
+          minLength: 8
+          x-ui-secret-ref: true
   required:
   - version_config
   - sizing

datastore/postgres/aws-aurora/1.0/main.tf

@@ -21,7 +21,7 @@ locals {
   imported_writer_id = try(var.instance.spec.imports.writer_instance_identifier, null)
 
   # Handle password - don't create for restore or import
-  master_password = local.restore_from_backup ? var.instance.spec.restore_config.master_password : (local.is_import ? null : random_password.master_password[0].result)
+  master_password = local.restore_from_backup ? var.instance.spec.restore_config.master_password : (local.is_import ? var.instance.spec.imports.master_password : random_password.master_password[0].result)
   master_username = local.restore_from_backup ? var.instance.spec.restore_config.master_username : (local.is_import ? null : "postgres")
 
   # Split reader instance identifiers if provided for import
@@ -82,11 +82,11 @@ resource "aws_rds_cluster" "aurora" {
   cluster_identifier = local.cluster_identifier
   engine             = "aurora-postgresql"
 
-  # When restoring from snapshot or importing, these fields must be omitted or ignored
-  engine_version  = (local.restore_from_backup || local.is_import) ? null : var.instance.spec.version_config.engine_version
-  database_name   = (local.restore_from_backup || local.is_import) ? null : var.instance.spec.version_config.database_name
-  master_username = (local.restore_from_backup || local.is_import) ? null : local.master_username
-  master_password = (local.restore_from_backup || local.is_import) ? null : local.master_password
+  # When restoring from snapshot or importing, these fields must be same or ignored
+  engine_version  = var.instance.spec.version_config.engine_version
+  database_name   = var.instance.spec.version_config.database_name
+  master_username = local.master_username
+  master_password = local.master_password
 
   # Backup configuration
   backup_retention_period      = 7 # Hardcoded - 7 days retention