feat: Add support for write-only password

jvanbrunschot · jvanbrunschot · commit 88b65466b806 · 2025-03-05T13:43:50.000+01:00
diff --git a/examples/complete-postgres/main.tf b/examples/complete-postgres/main.tf
@@ -147,6 +147,54 @@ module "db_disabled" {
   create_db_option_group    = false
 }
 
+ephemeral "random_password" "db_password" {
+  length           = 16
+  override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+resource "aws_secretsmanager_secret" "db_password" {
+  name = "db_password"
+}
+
+resource "aws_secretsmanager_secret_version" "db_password" {
+  secret_id                = aws_secretsmanager_secret.db_password.id
+  secret_string_wo         = ephemeral.random_password.db_password.result
+  secret_string_wo_version = 1
+}
+
+ephemeral "aws_secretsmanager_secret_version" "db_password" {
+  secret_id = aws_secretsmanager_secret_version.db_password.secret_id
+}
+
+module "db_write_only" {
+  source = "../../"
+
+  identifier = local.name
+
+  # All available versions: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html#PostgreSQL.Concepts
+  engine                   = "postgres"
+  engine_version           = "14"
+  engine_lifecycle_support = "open-source-rds-extended-support-disabled"
+  family                   = "postgres14" # DB parameter group
+  major_engine_version     = "14"         # DB option group
+  instance_class           = "db.t4g.large"
+
+  # NOTE: Do NOT use 'user' as the value for 'username' as it throws:
+  # "Error creating DB Instance: InvalidParameterValue: MasterUsername
+  # user cannot be used as it is a reserved word used by the engine"
+  db_name  = "writeOnlyPostgresql"
+  username = "write_only_postgresql"
+  port     = 5432
+
+  password_wo                 = ephemeral.aws_secretsmanager_secret_version.db_password.secret_string
+  password_wo_version         = aws_secretsmanager_secret_version.db_password.secret_string_wo_version
+  manage_master_user_password = false
+
+  multi_az               = false
+  db_subnet_group_name   = module.vpc.database_subnet_group
+  vpc_security_group_ids = [module.security_group.security_group_id]
+}
+
 ################################################################################
 # RDS Automated Backups Replication Module
 ################################################################################
diff --git a/main.tf b/main.tf
@@ -78,6 +78,8 @@ module "db_instance" {
   db_name                             = var.db_name
   username                            = var.username
   password                            = var.manage_master_user_password ? null : var.password
+  password_wo                         = !var.manage_master_user_password && var.password == null ? var.password_wo : null
+  password_wo_version                 = var.password_wo_version
   port                                = var.port
   domain                              = var.domain
   domain_auth_secret_arn              = var.domain_auth_secret_arn
diff --git a/modules/db_instance/main.tf b/modules/db_instance/main.tf
@@ -45,6 +45,8 @@ resource "aws_db_instance" "this" {
   db_name                             = var.db_name
   username                            = !local.is_replica ? var.username : null
   password                            = !local.is_replica && var.manage_master_user_password ? null : var.password
+  password_wo                         = !local.is_replica && !var.manage_master_user_password && var.password == null ? var.password_wo : null
+  password_wo_version                 = var.password_wo_version
   port                                = var.port
   domain                              = var.domain
   domain_auth_secret_arn              = var.domain_auth_secret_arn
diff --git a/modules/db_instance/variables.tf b/modules/db_instance/variables.tf
@@ -152,6 +152,19 @@ variable "password" {
   default     = null
 }
 
+variable "password_wo" {
+  description = "Write-Only password for the master DB user."
+  type        = string
+  default     = null
+  ephemeral   = true
+}
+
+variable "password_wo_version" {
+  description = "Used together with password_wo to trigger an update. Increment this value when an update to password_wo is required."
+  type        = number
+  default     = null
+}
+
 variable "manage_master_user_password" {
   description = "Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if password is provided"
   type        = bool
diff --git a/modules/db_instance/versions.tf b/modules/db_instance/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.11"
 
   required_providers {
     aws = {
diff --git a/variables.tf b/variables.tf
@@ -175,6 +175,19 @@ variable "password" {
   sensitive   = true
 }
 
+variable "password_wo" {
+  description = "Write-Only password for the master DB user. Password will only be used when `manage_master_user_password` is not set to true and `password` is not set."
+  type        = string
+  default     = null
+  ephemeral   = true
+}
+
+variable "password_wo_version" {
+  description = "Used together with password_wo to trigger an update. Increment this value when an update to password_wo is required."
+  type        = number
+  default     = null
+}
+
 variable "manage_master_user_password" {
   description = "Set to true to allow RDS to manage the master user password in Secrets Manager"
   type        = bool
diff --git a/versions.tf b/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.11"
 
   required_providers {
     aws = {
