cloudposse / terraform-aws-rds-cluster

Terraform module to provision an RDS Aurora cluster for MySQL or Postgres
https://cloudposse.com/accelerate
Apache License 2.0

Add Support for Reading Credentials from KMS Secrets #26

Open osterman opened 6 years ago

osterman commented 6 years ago

what

resource "aws_rds_cluster" "example" {
  # ... other configuration ...
  master_password = "${data.aws_kms_secrets.example.plaintext["master_password"]}"
  master_username = "${data.aws_kms_secrets.example.plaintext["master_username"]}"
}

why

references

https://www.terraform.io/docs/providers/aws/d/kms_secrets.html
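As an added example (not from the issue author or the module), here is the data source definition that the snippet above relies on, wired to a minimal cluster resource. The ciphertext, key alias and encryption context are placeholders I constructed; a real blob would be produced out of band with `aws kms encrypt` so that only ciphertext is committed to the repository.

```hcl
# Added example: decrypt a KMS-encrypted master password at plan/apply time.
# Only the ciphertext lives in source control; KMS decrypts it for Terraform.
#
# The payload below would be produced out of band, e.g.:
#   aws kms encrypt --key-id alias/rds-secrets \
#     --encryption-context purpose=rds-master-password \
#     --plaintext fileb://password.txt --query CiphertextBlob --output text

data "aws_kms_secrets" "rds" {
  secret {
    name    = "master_password"
    payload = "PLACEHOLDER_BASE64_CIPHERTEXT" # placeholder, not a real blob

    # Must match the context used at encryption time, or Decrypt fails.
    context = {
      purpose = "rds-master-password"
    }
  }
}

resource "aws_rds_cluster" "example" {
  cluster_identifier  = "example-aurora"
  engine              = "aurora-postgresql"
  master_username     = "admin"
  master_password     = data.aws_kms_secrets.rds.plaintext["master_password"]
  storage_encrypted   = true
  skip_final_snapshot = true
}
```

One caveat worth keeping in mind with this pattern: the decrypted value is still written to the Terraform state file in plaintext, so the state backend needs encryption at rest and tight access control; KMS only protects the value while it sits in the repository.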

sebastianmacarescu commented 4 years ago

I think we can also add support for SecretsManager or ParameterStore. If the maintainers agree I could make a PR to support 2 new parameters: admin_user_ssm_path and admin_password_ssm_path

zwass commented 4 years ago

Even if you just allowed the master password to be managed separately (as though it were in a lifecycle ignore_changes block) that would be sufficient for my use case. As it stands this seems terribly insecure.

nitrocode commented 2 years ago

At the moment, we use random provider to create the master password which is stored in SSM and then the value is fed to this module.
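The flow nitrocode describes, as an added example that is not part of the thread or the module: the random provider generates the password, it is written to SSM Parameter Store as a SecureString under a customer-managed KMS key, and the same value is passed to the module. The key alias, parameter path and module version are placeholders I chose, and the `admin_user` / `admin_password` input names are assumed to match the module's variables.

```hcl
# Added example: random password -> SSM SecureString -> module input.

resource "random_password" "rds_admin" {
  length  = 32
  special = true
  # Restrict specials to characters RDS accepts in master passwords
  # (it rejects '/', '@', '"' and spaces).
  override_special = "!#$%^&*()-_=+[]{}<>:?"
}

resource "aws_ssm_parameter" "rds_admin_password" {
  name   = "/rds/example/admin_password" # placeholder path
  type   = "SecureString"
  key_id = "alias/rds-secrets"           # placeholder alias of a customer-managed key
  value  = random_password.rds_admin.result
  tags = {
    managed-by = "terraform"
  }
}

module "rds_cluster" {
  source  = "cloudposse/rds-cluster/aws"
  version = "x.y.z" # placeholder

  name           = "example"
  engine         = "aurora-postgresql"
  cluster_family = "aurora-postgresql13"
  cluster_size   = 2
  instance_type  = "db.r5.large"

  admin_user     = "admin"                          # assumed module input
  admin_password = random_password.rds_admin.result # assumed module input

  # vpc_id, subnets and security_groups omitted for brevity
}

# Consumers that need the credential read it back with decryption; this
# requires ssm:GetParameter on the parameter and kms:Decrypt on the key.
data "aws_ssm_parameter" "rds_admin_password" {
  name            = aws_ssm_parameter.rds_admin_password.name
  with_decryption = true
  depends_on      = [aws_ssm_parameter.rds_admin_password]
}
```

Note that `random_password.rds_admin.result` and the SSM parameter's `value` are both persisted in Terraform state, so this pattern keeps the secret out of source control but not out of the state file.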

rstml commented 1 year ago

This is now natively supported by RDS and Terraform provider. I think this issue can be closed in favour of #166

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#rdsaurora-managed-master-passwords-via-secrets-manager-default-kms-key
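For completeness, an added example (not from the issue or the module) of the provider-native approach rstml links to: RDS generates and stores the master password in Secrets Manager under a customer-managed key, so no password value ever appears in configuration or state. The key description and identifiers below are my own placeholders.

```hcl
# Added example: RDS-managed master password via Secrets Manager.

resource "aws_kms_key" "rds_secret" {
  description         = "CMK for the RDS-managed master user secret"
  enable_key_rotation = true
}

resource "aws_rds_cluster" "example" {
  cluster_identifier = "example-aurora"
  engine             = "aurora-postgresql"
  master_username    = "admin"

  # Let RDS create, store and rotate the password; master_password must be
  # left unset when this is enabled.
  manage_master_user_password   = true
  master_user_secret_kms_key_id = aws_kms_key.rds_secret.key_id

  storage_encrypted   = true
  skip_final_snapshot = true
}

# The cluster exports the secret's ARN; applications fetch the credential
# from Secrets Manager at runtime instead of receiving it from Terraform.
output "master_user_secret_arn" {
  value = aws_rds_cluster.example.master_user_secret[0].secret_arn
}

# Least-privilege policy for a consumer that only needs this one secret.
data "aws_iam_policy_document" "read_master_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_rds_cluster.example.master_user_secret[0].secret_arn]
  }

  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.rds_secret.arn]
  }
}
```

The secret value is a JSON document with `username` and `password` fields, and RDS rotates it automatically (every seven days by default), so consumers should read it on each connection rather than caching it indefinitely.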