diff --git a/README.md b/README.md index ce209478..059d39c6 100644 --- a/README.md +++ b/README.md 
@@ -289,13 +289,13 @@ No resources. | [license\_model](#input\_license\_model) | License model information for this DB instance. Optional, but required for some DB engines, i.e. Oracle SE1 | `string` | `null` | no | | [maintenance\_window](#input\_maintenance\_window) | The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00' | `string` | `null` | no | | [major\_engine\_version](#input\_major\_engine\_version) | Specifies the major version of the engine that this option group should be associated with | `string` | `null` | no | -| [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager | `bool` | `true` | no | +| [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager. If a password is provided in the `password` variable, this value will be automatically set to false to allow the provided password to be used. | `bool` | `true` | no | | [manage\_master\_user\_password\_rotation](#input\_manage\_master\_user\_password\_rotation) | Whether to manage the master user password rotation. By default, false on creation, rotation is managed by RDS. Setting this value to false after previously having been set to true will disable automatic rotation. | `bool` | `false` | no | | [master\_user\_password\_rotate\_immediately](#input\_master\_user\_password\_rotate\_immediately) | Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. | `bool` | `null` | no | | [master\_user\_password\_rotation\_automatically\_after\_days](#input\_master\_user\_password\_rotation\_automatically\_after\_days) | Specifies the number of days between automatic scheduled rotations of the secret. Either automatically\_after\_days or schedule\_expression must be specified. 
| `number` | `null` | no | | [master\_user\_password\_rotation\_duration](#input\_master\_user\_password\_rotation\_duration) | The length of the rotation window in hours. For example, 3h for a three hour window. | `string` | `null` | no | | [master\_user\_password\_rotation\_schedule\_expression](#input\_master\_user\_password\_rotation\_schedule\_expression) | A cron() or rate() expression that defines the schedule for rotating your secret. Either automatically\_after\_days or schedule\_expression must be specified. | `string` | `null` | no | -| [master\_user\_secret\_kms\_key\_id](#input\_master\_user\_secret\_kms\_key\_id) | The key ARN, key ID, alias ARN or alias name for the KMS key to encrypt the master user password secret in Secrets Manager.
If not specified, the default KMS key for your Amazon Web Services account is used. | `string` | `null` | no | +| [master\_user\_secret\_kms\_key\_id](#input\_master\_user\_secret\_kms\_key\_id) | The key ARN, key ID, alias ARN or alias name for the KMS key to encrypt the master user password secret in Secrets Manager.
If not specified, the default KMS key for your Amazon Web Services account is used. | `string` | `null` | no | | [max\_allocated\_storage](#input\_max\_allocated\_storage) | Specifies the value for Storage Autoscaling | `number` | `0` | no | | [monitoring\_interval](#input\_monitoring\_interval) | The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60 | `number` | `0` | no | | [monitoring\_role\_arn](#input\_monitoring\_role\_arn) | The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Must be specified if monitoring\_interval is non-zero | `string` | `null` | no | @@ -317,7 +317,7 @@ No resources. | [parameter\_group\_skip\_destroy](#input\_parameter\_group\_skip\_destroy) | Set to true if you do not wish the parameter group to be deleted at destroy time, and instead just remove the parameter group from the Terraform state | `bool` | `null` | no | | [parameter\_group\_use\_name\_prefix](#input\_parameter\_group\_use\_name\_prefix) | Determines whether to use `parameter_group_name` as is or create a unique name beginning with the `parameter_group_name` as the prefix | `bool` | `true` | no | | [parameters](#input\_parameters) | A list of DB parameters (map) to apply | `list(map(string))` | `[]` | no | -| [password](#input\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file.
The password provided will not be used if `manage_master_user_password` is set to true. | `string` | `null` | no | +| [password](#input\_password) | Password for the master DB user. If a password is provided, `manage_master_user_password` will be automatically set to false, and the password will be used.
Note that this may show up in logs, and it will be stored in the state file. | `string` | `null` | no | | [performance\_insights\_enabled](#input\_performance\_insights\_enabled) | Specifies whether Performance Insights are enabled | `bool` | `false` | no | | [performance\_insights\_kms\_key\_id](#input\_performance\_insights\_kms\_key\_id) | The ARN for the KMS key to encrypt Performance Insights data | `string` | `null` | no | | [performance\_insights\_retention\_period](#input\_performance\_insights\_retention\_period) | The amount of time in days to retain Performance Insights data. Valid values are `7`, `731` (2 years) or a multiple of `31` | `number` | `7` | no | diff --git a/main.tf b/main.tf index b9897a98..23c334eb 100644 --- a/main.tf +++ b/main.tf @@ -6,8 +6,9 @@ locals { db_subnet_group_name = var.create_db_subnet_group ? module.db_subnet_group.db_subnet_group_id : var.db_subnet_group_name parameter_group_name_id = var.create_db_parameter_group ? module.db_parameter_group.db_parameter_group_id : var.parameter_group_name - create_db_option_group = var.create_db_option_group && var.engine != "postgres" - option_group = local.create_db_option_group ? module.db_option_group.db_option_group_id : var.option_group_name + create_db_option_group = var.create_db_option_group && var.engine != "postgres" + option_group = local.create_db_option_group ? module.db_option_group.db_option_group_id : var.option_group_name + should_manage_master_user_password = var.password != null ? false : var.manage_master_user_password } module "db_subnet_group" { @@ -77,7 +78,7 @@ module "db_instance" { db_name = var.db_name username = var.username - password = var.manage_master_user_password ? null : var.password + password = local.should_manage_master_user_password ? null : var.password port = var.port domain = var.domain domain_auth_secret_arn = var.domain_auth_secret_arn 
@@ -87,7 +88,7 @@ module "db_instance" { domain_ou = var.domain_ou iam_database_authentication_enabled = var.iam_database_authentication_enabled custom_iam_instance_profile = var.custom_iam_instance_profile - manage_master_user_password = var.manage_master_user_password + manage_master_user_password = local.should_manage_master_user_password master_user_secret_kms_key_id = var.master_user_secret_kms_key_id manage_master_user_password_rotation = var.manage_master_user_password_rotation diff --git a/modules/db_instance/README.md b/modules/db_instance/README.md index 78815666..a34d1705 100644 --- a/modules/db_instance/README.md +++ b/modules/db_instance/README.md @@ -86,7 +86,7 @@ No modules. | [master\_user\_password\_rotation\_automatically\_after\_days](#input\_master\_user\_password\_rotation\_automatically\_after\_days) | Specifies the number of days between automatic scheduled rotations of the secret. Either automatically\_after\_days or schedule\_expression must be specified. | `number` | `null` | no | | [master\_user\_password\_rotation\_duration](#input\_master\_user\_password\_rotation\_duration) | The length of the rotation window in hours. For example, 3h for a three hour window. | `string` | `null` | no | | [master\_user\_password\_rotation\_schedule\_expression](#input\_master\_user\_password\_rotation\_schedule\_expression) | A cron() or rate() expression that defines the schedule for rotating your secret. Either automatically\_after\_days or schedule\_expression must be specified. | `string` | `null` | no | -| [master\_user\_secret\_kms\_key\_id](#input\_master\_user\_secret\_kms\_key\_id) | The key ARN, key ID, alias ARN or alias name for the KMS key to encrypt the master user password secret in Secrets Manager.
If not specified, the default KMS key for your Amazon Web Services account is used. | `string` | `null` | no | +| [master\_user\_secret\_kms\_key\_id](#input\_master\_user\_secret\_kms\_key\_id) | The key ARN, key ID, alias ARN or alias name for the KMS key to encrypt the master user password secret in Secrets Manager.
If not specified, the default KMS key for your Amazon Web Services account is used. | `string` | `null` | no | | [max\_allocated\_storage](#input\_max\_allocated\_storage) | Specifies the value for Storage Autoscaling | `number` | `0` | no | | [monitoring\_interval](#input\_monitoring\_interval) | The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60. | `number` | `0` | no | | [monitoring\_role\_arn](#input\_monitoring\_role\_arn) | The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Must be specified if monitoring\_interval is non-zero. | `string` | `null` | no | diff --git a/variables.tf b/variables.tf index 76475c31..058fa1f6 100644 --- a/variables.tf +++ b/variables.tf @@ -167,8 +167,8 @@ variable "username" { variable "password" { description = <
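Review bot: In the README.md hunk at @@ -289,13 the new `manage_master_user_password` description says the value "will be automatically set to false" when `password` is provided, but not what that implies for the caller: the instance is then created with the supplied password instead of a Secrets Manager secret, so the rotation inputs listed right below it no longer apply and the password ends up in Terraform state. Consider extending the sentence along the lines of "... set to false; the supplied password is then stored in state and no Secrets Manager secret or rotation is configured." Separately, the `-`/`+` pair for `master_user_secret_kms_key_id` in this hunk is textually identical, which points to a trailing-whitespace or line-ending change from the docs generator; if it is not intentional, drop it to keep the diff focused.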
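Review bot: The `password` description in the README.md hunk at @@ -317,7 says `manage_master_user_password` "will be automatically set to false", but the variable itself is never changed; the module simply ignores it (see the new local in main.tf). Wording such as "`manage_master_user_password` is ignored and treated as false" would be more accurate and avoids implying that the input value is mutated. Keeping the "may show up in logs, and it will be stored in the state file" warning is the right call, since that is exactly the trade-off a consumer makes by choosing this path over the managed secret.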
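Review bot: The new local in the main.tf hunk at @@ -6,8, `should_manage_master_user_password = var.password != null ? false : var.manage_master_user_password`, silently downgrades from a Secrets Manager-managed credential to a state-stored one whenever `password` is set, even when the caller explicitly set `manage_master_user_password = true`. Prefer failing loudly on that contradictory combination, for example with a `lifecycle { precondition { ... } }` on the DB instance resource that checks `var.password == null || !var.manage_master_user_password`, so the less secure configuration is chosen on purpose rather than by accident. Also, the check is `!= null` only: an empty string `""` passes it and turns managed passwords off; consider treating `""` as unset as well (`var.password != null && var.password != ""`). The re-indentation of the `create_db_option_group` and `option_group` lines in the same hunk is formatting-only noise and would be cleaner as a separate `terraform fmt` commit.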
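Review bot: In the main.tf hunk at @@ -77,7, `password = local.should_manage_master_user_password ? null : var.password` now evaluates to `var.password` in every branch: the local is false whenever `var.password` is non-null, and when it is null both arms yield null. Keeping the ternary for symmetry with the `manage_master_user_password` line is reasonable, but a short comment saying the two expressions are intentionally kept in step would help the next maintainer, since nothing else ties them together.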
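Review bot: In the main.tf hunk at @@ -87,7, `manage_master_user_password = local.should_manage_master_user_password` is now derived, but the secret-related inputs around it (`master_user_secret_kms_key_id = var.master_user_secret_kms_key_id` and `manage_master_user_password_rotation = var.manage_master_user_password_rotation`) are still passed straight through from the variables. When `password` is supplied and management is therefore disabled, a caller who also set `manage_master_user_password_rotation = true` may have the submodule try to configure rotation for a secret that was never created. Worth checking how the submodule handles that; if it does not already guard on `manage_master_user_password`, gate those inputs on the same local or reject the combination with a precondition.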
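Review bot: The only change in the modules/db_instance/README.md hunk at @@ -86,7 is a `-`/`+` pair for `master_user_secret_kms_key_id` whose text is identical, so this is a whitespace or line-ending change rather than a content change. If the generated docs keep flipping this line, fix the source `description` (likely a trailing space or `\r`) rather than committing the churn; otherwise drop this file from the PR.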
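Review bot: The variables.tf hunk at @@ -167,8 is cut off here after `description = <`, so the new `password` description text could not be reviewed; please confirm it matches the README wording in the @@ -317,7 hunk, including the note that the value is stored in state, and that the variable is still declared `sensitive`.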