feat: Replace master_password with write-only master_password_wo/master_password_wo_version

Author: bryantbiggs

README.md

@@ -369,9 +369,10 @@ No modules.
 | <a name="input_iops"></a> [iops](#input\_iops) | The amount of Provisioned IOPS (input/output operations per second) to be initially allocated for each DB instance in the Multi-AZ DB cluster | `number` | `null` | no |
 | <a name="input_is_primary_cluster"></a> [is\_primary\_cluster](#input\_is\_primary\_cluster) | Determines whether cluster is primary cluster with writer instance (set to `false` for global cluster and replica clusters) | `bool` | `true` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | The ARN for the KMS encryption key. When specifying `kms_key_id`, `storage_encrypted` needs to be set to `true` | `string` | `null` | no |
-| <a name="input_manage_master_user_password"></a> [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if `master_password` is provided | `bool` | `true` | no |
+| <a name="input_manage_master_user_password"></a> [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if `master_password_wo` is provided | `bool` | `true` | no |
 | <a name="input_manage_master_user_password_rotation"></a> [manage\_master\_user\_password\_rotation](#input\_manage\_master\_user\_password\_rotation) | Whether to manage the master user password rotation. By default, false on creation, rotation is managed by RDS. There is not currently a way to disable this on initial creation even when set to false. Setting this value to false after previously having been set to true will disable automatic rotation | `bool` | `false` | no |
-| <a name="input_master_password"></a> [master\_password](#input\_master\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Required unless `manage_master_user_password` is set to `true` or unless `snapshot_identifier` or `replication_source_identifier` is provided or unless a `global_cluster_identifier` is provided when the cluster is the secondary cluster of a global database | `string` | `null` | no |
+| <a name="input_master_password_wo"></a> [master\_password\_wo](#input\_master\_password\_wo) | Write-Only required unless `manage_master_user_password` is set to `true`, a `snapshot_identifier`, `replication_source_identifier`, or unless a `global_cluster_identifier` is provided when the cluster is the "secondary" cluster of a global database) Password for the master DB user | `string` | `null` | no |
+| <a name="input_master_password_wo_version"></a> [master\_password\_wo\_version](#input\_master\_password\_wo\_version) | Used together with `master_password_wo` to trigger an update. Increment this value when an update to the `master_password_wo` is required | `string` | `null` | no |
 | <a name="input_master_user_password_rotate_immediately"></a> [master\_user\_password\_rotate\_immediately](#input\_master\_user\_password\_rotate\_immediately) | Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window | `bool` | `null` | no |
 | <a name="input_master_user_password_rotation_automatically_after_days"></a> [master\_user\_password\_rotation\_automatically\_after\_days](#input\_master\_user\_password\_rotation\_automatically\_after\_days) | Specifies the number of days between automatic scheduled rotations of the secret. Either `master_user_password_rotation_automatically_after_days` or `master_user_password_rotation_schedule_expression` must be specified | `number` | `null` | no |
 | <a name="input_master_user_password_rotation_duration"></a> [master\_user\_password\_rotation\_duration](#input\_master\_user\_password\_rotation\_duration) | The length of the rotation window in hours. For example, 3h for a three hour window | `string` | `null` | no |

docs/UPGRADE-10.0.md

@@ -8,6 +8,7 @@ If you find a bug, please open an issue with supporting configuration to reprodu
 - Terraform `v1.11` is now minimum supported version to support write-only (`wo_*`) attributes.
 - AWS provider `v6.18` is now minimum supported version
 - The underlying `aws_security_group_rule` resources has been replaced with `aws_vpc_security_group_ingress_rule` and `aws_vpc_security_group_egress_rule` to allow for more flexibility in defining security group rules.
+- `master_password` is no longer supported and only the write-only equivalent is supported (`master_password_wo` and `master_password_wo_version`).
 
 ## Additional changes
 
@@ -45,6 +46,7 @@ If you find a bug, please open an issue with supporting configuration to reprodu
     - `endpoints.cluster_endpoint_identifier` was previously `endpoints.identifier`
     - `endpoints.custom_endpoint_type` was previously `endpoints.type`
     - `role_associations` was previously `iam_roles`
+    - `master_password` replaced with `master_password_wo` and `master_password_wo_version`
     - The variables for DB shard group have been nested under a single, top-level `shard_group` variable:
       - `create_shard_group` removed - set `shard_group` to `null` to disable or provide an object to enable
       - `compute_redundancy` -> `shard_group.compute_redundancy`

examples/global-cluster/main.tf

@@ -62,8 +62,8 @@ module "aurora_primary" {
   }
 
   # Global clusters do not support managed master user password
-  manage_master_user_password = false
-  master_password             = random_password.master.result
+  master_password_wo         = random_password.master.result
+  master_password_wo_version = 1
 
   skip_final_snapshot = true
 
@@ -95,7 +95,8 @@ module "aurora_secondary" {
   }
 
   # Global clusters do not support managed master user password
-  master_password = random_password.master.result
+  master_password_wo         = random_password.master.result
+  master_password_wo_version = 1
 
   skip_final_snapshot = true
 

examples/limitless/main.tf

@@ -43,9 +43,9 @@ module "aurora" {
   }
 
   # aurora limitless clusters do not support managed master user password
-  master_username             = "root"
-  manage_master_user_password = false
-  master_password             = random_password.master.result
+  master_username            = "root"
+  master_password_wo         = random_password.master.result
+  master_password_wo_version = 1
 
   vpc_id               = module.vpc.vpc_id
   db_subnet_group_name = module.vpc.database_subnet_group_name

examples/serverless/main.tf

@@ -41,8 +41,8 @@ module "aurora_postgresql" {
   }
 
   # Serverless v1 clusters do not support managed master user password
-  manage_master_user_password = false
-  master_password             = random_password.master.result
+  master_password_wo         = random_password.master.result
+  master_password_wo_version = 1
 
   cluster_monitoring_interval = 60
 
@@ -85,8 +85,8 @@ module "aurora_mysql" {
   }
 
   # Serverless v1 clusters do not support managed master user password
-  manage_master_user_password = false
-  master_password             = random_password.master.result
+  master_password_wo         = random_password.master.result
+  master_password_wo_version = 1
 
   cluster_monitoring_interval = 60
 

main.tf

@@ -35,6 +35,11 @@ resource "aws_db_subnet_group" "this" {
 # Cluster
 ################################################################################
 
+locals {
+  use_master_password         = var.is_primary_cluster && !var.manage_master_user_password && var.global_cluster_identifier == null
+  use_managed_master_password = var.manage_master_user_password && var.global_cluster_identifier == null
+}
+
 resource "aws_rds_cluster" "this" {
   count = local.create ? 1 : 0
 
@@ -76,9 +81,10 @@ resource "aws_rds_cluster" "this" {
   # iam_roles has been removed from this resource and instead will be used with aws_rds_cluster_role_association below to avoid conflicts per docs
   iops                                  = var.iops
   kms_key_id                            = var.kms_key_id
-  manage_master_user_password           = var.global_cluster_identifier == null && var.manage_master_user_password ? var.manage_master_user_password : null
-  master_user_secret_kms_key_id         = var.global_cluster_identifier == null && var.manage_master_user_password ? var.master_user_secret_kms_key_id : null
-  master_password                       = var.is_primary_cluster && !var.manage_master_user_password ? var.master_password : null
+  manage_master_user_password           = local.use_managed_master_password ? var.manage_master_user_password : null
+  master_user_secret_kms_key_id         = local.use_managed_master_password ? var.master_user_secret_kms_key_id : null
+  master_password_wo                    = local.use_master_password ? var.master_password_wo : null
+  master_password_wo_version            = local.use_master_password ? var.master_password_wo_version : null
   master_username                       = var.is_primary_cluster ? var.master_username : null
   monitoring_interval                   = var.cluster_monitoring_interval
   monitoring_role_arn                   = var.create_monitoring_role && var.cluster_monitoring_interval > 0 ? try(aws_iam_role.rds_enhanced_monitoring[0].arn, null) : var.monitoring_role_arn

variables.tf

@@ -271,7 +271,7 @@ variable "kms_key_id" {
 }
 
 variable "manage_master_user_password" {
-  description = "Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if `master_password` is provided"
+  description = "Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if `master_password_wo` is provided"
   type        = bool
   default     = true
 }
@@ -282,8 +282,14 @@ variable "master_user_secret_kms_key_id" {
   default     = null
 }
 
-variable "master_password" {
-  description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Required unless `manage_master_user_password` is set to `true` or unless `snapshot_identifier` or `replication_source_identifier` is provided or unless a `global_cluster_identifier` is provided when the cluster is the secondary cluster of a global database"
+variable "master_password_wo" {
+  description = "Write-Only required unless `manage_master_user_password` is set to `true`, a `snapshot_identifier`, `replication_source_identifier`, or unless a `global_cluster_identifier` is provided when the cluster is the \"secondary\" cluster of a global database) Password for the master DB user"
+  type        = string
+  default     = null
+}
+
+variable "master_password_wo_version" {
+  description = "Used together with `master_password_wo` to trigger an update. Increment this value when an update to the `master_password_wo` is required"
   type        = string
   default     = null
 }

wrappers/main.tf

@@ -77,7 +77,8 @@ module "wrapper" {
   kms_key_id                                             = try(each.value.kms_key_id, var.defaults.kms_key_id, null)
   manage_master_user_password                            = try(each.value.manage_master_user_password, var.defaults.manage_master_user_password, true)
   manage_master_user_password_rotation                   = try(each.value.manage_master_user_password_rotation, var.defaults.manage_master_user_password_rotation, false)
-  master_password                                        = try(each.value.master_password, var.defaults.master_password, null)
+  master_password_wo                                     = try(each.value.master_password_wo, var.defaults.master_password_wo, null)
+  master_password_wo_version                             = try(each.value.master_password_wo_version, var.defaults.master_password_wo_version, null)
   master_user_password_rotate_immediately                = try(each.value.master_user_password_rotate_immediately, var.defaults.master_user_password_rotate_immediately, null)
   master_user_password_rotation_automatically_after_days = try(each.value.master_user_password_rotation_automatically_after_days, var.defaults.master_user_password_rotation_automatically_after_days, null)
   master_user_password_rotation_duration                 = try(each.value.master_user_password_rotation_duration, var.defaults.master_user_password_rotation_duration, null)