Description of changes:
Added a new template named SecretsManagerRDSMySQLRotationSingleUserRetainPassword.
This template uses superuser secret to login to the MySQL (RDS) server and rotates a single user's password, while retaining its previous password, so that there is no time window where the secret's current version does not work for connecting to the database, hence no downtime without the need to clone users.
Since APPLICATION_PASSWORD_ADMIN permission is required to be able to use the RETAIN CURRENT PASSWORD clause (even when it is for the user's own password), using superuser secret sounded better for this flow. So this template is kind of a mix of MultiUser and SingleUser templates.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Issue #, if available: Kind of #108
Description of changes: Added a new template named
SecretsManagerRDSMySQLRotationSingleUserRetainPassword.This template uses superuser secret to login to the MySQL (RDS) server and rotates a single user's password, while retaining its previous password, so that there is no time window where the secret's current version does not work for connecting to the database, hence no downtime without the need to clone users.
MySQL Dual Passwords documentation can be seen here: https://dev.mysql.com/doc/refman/8.0/en/password-management.html#dual-passwords
Since APPLICATION_PASSWORD_ADMIN permission is required to be able to use the
RETAIN CURRENT PASSWORDclause (even when it is for the user's own password), using superuser secret sounded better for this flow. So this template is kind of a mix of MultiUser and SingleUser templates.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.