terraform-aws-modules/terraform-aws-rds

The psql password passed to the module is overridden by the one aws creates in Secret Manager

Closed this issue · 7 comments

Description

When creating a PostgreSQL RDS instance using the terraform-aws-rds module, I encountered an unexpected behavior where AWS auto-generates a password in Secrets Manager, even though I explicitly provided a username and password. This occurs despite the documentation stating that the manage_master_user_password input is false by default.
If I explicitly set manage_master_user_password = false then my password is actually used for the master user.

Versions

  • Module version [Required]:

  • Terraform version:

Terraform v1.5.7
on darwin_arm64
  • Provider version(s):
Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/carlpett/sops v1.0.0
+ provider registry.terraform.io/hashicorp/aws v5.31.0
+ provider registry.terraform.io/hashicorp/random v3.6.0

Reproduction Code [Required]

module "db" {
  source = "terraform-aws-modules/rds/aws"

  identifier = local.id

  engine                    = "postgres"
  engine_version            = "12.14"
  major_engine_version      = "12"
  family                    = "postgres12" # DB parameter group
  create_db_parameter_group = false

  # DB option group
  instance_class    = "db.t3.small"
  allocated_storage = 20

  username                    = "postgres"
  password                    = data.sops_file.db_credentials.data["secrets.db_password"]
  #manage_master_user_password = false
  port                        = 5432

  multi_az               = false
  vpc_security_group_ids = [module.security_group.security_group_id]

  create_db_subnet_group      = true
  db_subnet_group_name        = "${local.short_name}-${data.aws_vpc.eks.id}"
  db_subnet_group_description = "Database subnet group associated with ${local.environment} eks cluster for ${local.short_name}"
  subnet_ids                  = [for subnet in data.aws_subnets.eks.ids : subnet if !(contains(data.aws_subnets.eks_public.ids, subnet))]

  iam_database_authentication_enabled = false
  publicly_accessible                 = false

  auto_minor_version_upgrade = true

  maintenance_window = "Mon:00:00-Mon:03:00"
  backup_window      = "03:00-06:00"

  backup_retention_period = 0
  skip_final_snapshot     = true
  deletion_protection     = false

  performance_insights_enabled = false

  tags = local.tags
}

Steps to reproduce the behavior:

Just spin up an RDS instance with set username and password and check that the password you set doesn't work.

Expected behavior

I expect that if manage_master_user_password is not set, then aws does not override my own password.

Actual behavior

AWS auto-generates a password in Secrets Manager, even though I explicitly provided a username and password.

I expect that if manage_master_user_password is not set, then aws does not override my own password.

But it is set; it's set to true by default since this is the recommended practice. If you want to opt out of the recommended practice, you will need to specify manage_master_user_password = false. This will mean that your password is in plaintext within your Terraform state file when using this route.
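The two routes the maintainer describes, side by side, as an added example that is not part of the issue or of the module's own documentation. It assumes a v6.x release of terraform-aws-modules/rds/aws in which manage_master_user_password defaults to true and the root module exposes a db_instance_master_user_secret_arn output; the variable names and the identifiers are constructed for illustration, and the remaining arguments (networking, backups, tags) are the same as in the reproduction above.

```hcl
# Added example, not the module's own code. Assumes terraform-aws-modules/rds/aws
# v6.x (manage_master_user_password defaults to true, output
# db_instance_master_user_secret_arn exists). Variable names are constructed.

# Route A (default): RDS generates the master password and stores it in
# Secrets Manager. Any `password` argument here is ignored, which is exactly
# the behaviour reported in this issue. Only the secret's ARN reaches state.
module "db_managed" {
  source  = "terraform-aws-modules/rds/aws"
  version = "~> 6.0"

  identifier           = "example-managed"
  engine               = "postgres"
  engine_version       = "12.14"
  major_engine_version = "12"
  family               = "postgres12"
  instance_class       = "db.t3.small"
  allocated_storage    = 20

  username = "postgres"
  # manage_master_user_password = true   # the default; leave `password` unset

  vpc_security_group_ids = [module.security_group.security_group_id]
  create_db_subnet_group = true
  subnet_ids             = var.private_subnet_ids # assumed variable
}

# Hand the application the ARN and let it call Secrets Manager at runtime.
# Reading the secret with a data "aws_secretsmanager_secret_version" block
# would copy the password into the state file, defeating the point of Route A.
output "db_master_user_secret_arn" {
  value = module.db_managed.db_instance_master_user_secret_arn
}

# Route B (explicit opt-out): the password you supply is used, and it is
# written to the state file in plaintext. `sensitive = true` only redacts
# CLI and plan output; the state backend itself must be encrypted and
# access-controlled.
variable "db_password" {
  type      = string
  sensitive = true
}

module "db_self_managed" {
  source  = "terraform-aws-modules/rds/aws"
  version = "~> 6.0"

  identifier           = "example-self-managed"
  engine               = "postgres"
  engine_version       = "12.14"
  major_engine_version = "12"
  family               = "postgres12"
  instance_class       = "db.t3.small"
  allocated_storage    = 20

  username                    = "postgres"
  password                    = var.db_password
  manage_master_user_password = false # required, or `password` is silently ignored

  vpc_security_group_ids = [module.security_group.security_group_id]
  create_db_subnet_group = true
  subnet_ids             = var.private_subnet_ids # assumed variable
}
```

To confirm which route an existing instance took, check whether the instance has a master user secret attached (for example with `aws rds describe-db-instances` and looking at the MasterUserSecret field): if one is present, the password passed to `password` was never applied and the credential lives in Secrets Manager.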

Why the discrepancy?

Just an oversight - it should be true in the sub-module as well. Most users don't use the sub-modules directly and instead use the root module which is why I suspect this wasn't caught before

Ok, I was probably looking at that for some reason.

Thank you!

If you feel like opening a PR to fix that issue, I'd be happy to merge that in 😬

Sure!
