Optional user and password

[nitrocode]

what

• Optional user and password
• Added some of the ssm params from https://github.com/cloudposse/terraform-aws-components/blob/master/deprecated/aws/backing-services/rds.tf

why

• This will allow the user and password to be autogenerated and optionally saved as an SSM parameter

references

• Closes https://github.com/cloudposse/terraform-aws-rds/issues/118

notes

• SSM
  1. Should this even use SSM ? I thought it should if we made the module generate a random password.
  2. [x] SSM param creation is disabled by default
  3. [x] Should ssm_enabled be renamed to ssm_parameters_enabled to be more explicit ?
  4. [x] Should there also be a ssm_key_prefix instead of having to modify the ssm_key_format ?
  5. [x] Should I also save the module.rds_instance.hostname and var.database_port to ssm ?
  6. [x] Should all the SSM logic be put into its own systems-manager.tf file ?
  7. [ ] Should the SSM logic require its own aws provider passed in so it can use its own region ? or should it use its own provider in the module itself via var.ssm_region and if one isn't passed in, it could use the current region ?
• If the database_name = "" or null, should the name of the database be the module.this.id ?
  • This could be done in a follow up PR
  • The issue is with SQL server which requires the database_name = null so that means the ssm key itself would have the term null in there. Perhaps for ssm, if the database_name == null then we can use the unique module.this.id or module.this.name ?
  • [x] Decided to use module.this.name
• Bridgecrew fixes
  • This could be done in a follow up PR

output

enable ssm with defaults

With `ssm_parameters_enabled = true` ```shell $ terraform plan Terraform will perform the following actions: # module.rds_instance.aws_ssm_parameter.rds_database["hostname"] will be created + resource "aws_ssm_parameter" "rds_database" { + arn = (known after apply) + data_type = (known after apply) + description = "RDS DB hostname" + id = (known after apply) + key_id = (known after apply) + name = "/rds/mydb/admin/db_hostname" + overwrite = true + tags_all = (known after apply) + tier = "Standard" + type = "String" + value = (sensitive value) + version = (known after apply) } # module.rds_instance.aws_ssm_parameter.rds_database["password"] will be created + resource "aws_ssm_parameter" "rds_database" { + arn = (known after apply) + data_type = (known after apply) + description = "RDS DB password" + id = (known after apply) + key_id = "alias/aws/ssm" + name = "/rds/mydb/admin/db_password" + overwrite = true + tags_all = (known after apply) + tier = "Standard" + type = "SecureString" + value = (sensitive value) + version = (known after apply) } # module.rds_instance.aws_ssm_parameter.rds_database["port"] will be created + resource "aws_ssm_parameter" "rds_database" { + arn = (known after apply) + data_type = (known after apply) + description = "RDS DB port" + id = (known after apply) + key_id = (known after apply) + name = "/rds/mydb/admin/db_port" + overwrite = true + tags_all = (known after apply) + tier = "Standard" + type = "String" + value = (sensitive value) + version = (known after apply) } # module.rds_instance.aws_ssm_parameter.rds_database["user"] will be created + resource "aws_ssm_parameter" "rds_database" { + arn = (known after apply) + data_type = (known after apply) + description = "RDS DB user" + id = (known after apply) + key_id = (known after apply) + name = "/rds/mydb/admin/db_user" + overwrite = true + tags_all = (known after apply) + tier = "Standard" + type = "String" + value = (sensitive value) + version = (known after apply) } Plan: 4 to add, 0 to change, 0 to destroy. ```

enable ssm with merge defaults

With `ssm_parameters_enabled = true` and ```hcl save_parameter_ssm_map_merge = { user = { suffix = "admin/db_user_hello" description = "RDS DB user hihi" } } ``` ```shell $ terraform plan # hide previous 3 as seen above and only show the 1 difference # module.rds_instance.aws_ssm_parameter.rds_database["user"] will be created + resource "aws_ssm_parameter" "rds_database" { + arn = (known after apply) + data_type = (known after apply) + description = "RDS DB user hihi" + id = (known after apply) + key_id = (known after apply) + name = "/rds/mydb/admin/db_user_hello" + overwrite = true + tags_all = (known after apply) + tier = "Standard" + type = "String" + value = (sensitive value) + version = (known after apply) } ```

[nitrocode]

/test terratest

[nitrocode]

/test all

[nitrocode]

I think we need a separated module for SSM / Secrets Manager like @jamengual mentioned. Then we can easily turn it on and off and have the variables located in the upstream module instead of here.

We can do some of it by using https://github.com/cloudposse/terraform-aws-ssm-parameter-store but not the password creation.

I was thinking about doing that later but maybe it should be a prerequisite for this PR.

[mergify[bot]]

This pull request is now in conflict. Could you fix it @nitrocode? 🙏

[arischow]

@nitrocode It would be great if you could make database_name optional as well by specifying an empty string default value in variables.tf.

Possible scenario would be I would like to do some modifications after I created the db instance from a snapshot and if database_name is required and then it would force a replacement.

Thanks!

[nitrocode]

@arischow thanks for the suggestion. This PR is only for generating password credentials. Could you write that into a separate issue so we can track it?

[mergify[bot]]

This pull request is now in conflict. Could you fix it @nitrocode? 🙏