hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_rds_cluster resource does not allow master_secret_arn to be exported as an attribute #31519

Open anacronxinetd opened 1 year ago

anacronxinetd commented 1 year ago

Terraform Core Version

1.2.9

AWS Provider Version

4.64.0

Affected Resource(s)

aws_rds_cluster resource

Expected Behavior

According to the following doc: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#secret_arn the value for the attribute is exportable

Actual Behavior

Attribute can't be exported

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_rds_cluster" "default" {
  cluster_identifier = "aurora-cluster-demo"
  engine = "aurora-mysql"
  engine_version = "8.0.mysql_aurora.3.02.3"
  manage_master_user_password = true
  master_user_secret_kms_key_id = ""
  master_username = "foo"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  provider = aws.africa
  db_subnet_group_name = aws_db_subnet_group.default.name
  skip_final_snapshot = true

  serverlessv2_scaling_configuration {
    max_capacity = 12.0
    min_capacity = 0.5
  }
}

resource "aws_rds_cluster_instance" "default" {
  cluster_identifier = aws_rds_cluster.default.id
  instance_class = "db.serverless"
  engine = aws_rds_cluster.default.engine
  engine_version = aws_rds_cluster.default.engine_version
  db_subnet_group_name = aws_db_subnet_group.default.name
}

resource "aws_db_subnet_group" "default" {
  name = join("-",["rds", "sg"])
  subnet_ids = ["subnet_ids"] # Replace with list of subnets in VPC
}

An example of the output we are trying to use is the following:

output "arn_of_mater_password_secret" {
  value = aws_rds_cluster.default.master_secret.secret_arn"
}

Steps to Reproduce

Create Terraform template with aws_rds_cluster resource. Add secret_arn as output value

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

justinretzolk commented 1 year ago

Hey @anacronxinetd 👋 Thank you for taking the time to raise this! So that we have the necessary information in order to look into this, can you supply a sample Terraform configuration as well as debug logs (redacted as needed)?

anacronxinetd commented 1 year ago

Hey @justinretzolk

This is an example of the template we use:

resource "aws_rds_cluster" "default" {
  cluster_identifier            = "aurora-cluster-demo"
  engine                        = "aurora-mysql"
  engine_version                = "8.0.mysql_aurora.3.02.3"
  manage_master_user_password   = true
  master_user_secret_kms_key_id = ""
  master_username               = "foo"
  backup_retention_period       = 5
  preferred_backup_window       = "07:00-09:00"
  provider                      = aws.africa
  db_subnet_group_name          = aws_db_subnet_group.default.name
  skip_final_snapshot           = true

  serverlessv2_scaling_configuration {
    max_capacity = 12.0
    min_capacity = 0.5
  }
}

resource "aws_rds_cluster_instance" "default" {
  cluster_identifier = aws_rds_cluster.default.id
  instance_class     = "db.serverless"
  engine             = aws_rds_cluster.default.engine
  engine_version     = aws_rds_cluster.default.engine_version
  db_subnet_group_name = aws_db_subnet_group.default.name
}

resource "aws_db_subnet_group" "default" {
  name       = join("-",["rds", "sg"])
  subnet_ids = ["subnet_ids"] # Replace with list of subnets in VPC
}

An example of the output we are trying to use is the following:

output "arn_of_mater_password_secret" {
  value = aws_rds_cluster.default.master_secret.secret_arn"
}

There are no logs as the above-mentioned error is reported when running Terraform plan. I also tested with version 4.67.0 of the AWS provider but I'm also not able to reference the ARN of the secret using it.

anacronxinetd commented 1 year ago

Tested with the aws_db_instance resource, but same results: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance

The following doc states: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#secret_arn

The master_user_secret configuration block supports the following attributes:

kms_key_id - The Amazon Web Services KMS key identifier that is used to encrypt the secret.
secret_arn - The Amazon Resource Name (ARN) of the secret.
secret_status - The status of the secret. Valid Values: creating | active | rotating | impaired.

However, the configuration block can't be specified as part of the aws_rds_cluster resource, and the values of the configuration block can't be specified as output values either.

ericrichtert commented 1 year ago

I ran into the same: an existing aws_db_instance with an admin password is changed to use Secrets Manager. I added the ARN of the secret as an output of the module. The plan step will fail.

To get it done, I made a workaround:

It does require some clickops work to be done, but it works ;-)

justinretzolk commented 1 year ago

Hey @anacronxinetd 👋 I just took a look over your description again, and something caught my eye:

output "arn_of_mater_password_secret" {
  value = aws_rds_cluster.default.master_secret.secret_arn"
}

The aws_rds_cluster resource doesn't have a master_secret attribute; based on the documentation you linked to, I believe you're looking for master_user_secret.secret_arn (you're missing the user bit in the middle).

matiri132 commented 1 year ago

I resolved this using:

output "master_user_secret_arn" {
  value = (
    var.manage_password_secret_manager && length(aws_rds_cluster.master.master_user_secret) == 1
  ) ? lookup(aws_rds_cluster.master.master_user_secret[0], "secret_arn") : ""
}

NOTE: The variable manage_password_secret_manager decides whether to use Secrets Manager or set the passwords manually.

rquadling commented 7 months ago

I've just spent ... a while ... trying to work out why ...

output "master_user_secret_arns" {
  description = "The RDS Cluster Master User Secret Username and Password ARNs"
  value = {
    password_arn = try(
      data.aws_ssm_parameter.master_password[var.service].arn,
      aws_rds_cluster.rds.master_user_secret.secret_arn
    )
    username_arn = aws_ssm_parameter.rds_master_username.arn
  }
}

is outputting the error

╷
│ Error: Unsupported attribute
│ 
│   on modules/rds/outputs.tf line 6, in output "master_user_secret_arns":
│    6:       aws_rds_cluster.rds.master_user_secret.secret_arn
│ 
│ Can't access attributes on a list of objects. Did you mean to access attribute "secret_arn" for a specific element of the list, or across all elements of the list?
╵

And the documentation DOES give the reason (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_user_secret) ...

The master_user_secret configuration **block** supports the following attributes:

I added a small highlight.

As blocks are potentially multiple in a resource, you need to check that the set has one to read.

I don't think/know if blocks can be just an object and not a set/list of objects.

But, thank you @matiri132 for confirming what I eventually found.

If possible, a smaller update to the documentation would have solved this very easily!
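Pulling the thread's findings together, here is an added example of my own (not code from the issue, the provider or its documentation): a module that exports the secret ARN whether or not the cluster manages its own password, and an IAM policy scoped to exactly that ARN. The resource names (aws_rds_cluster.example, the read-master-secret policy), the manage_master_user_password / master_password variables and the cluster settings are assumptions for illustration.

```hcl
# Added example; assumptions: resource/variable names below are illustrative.
variable "manage_master_user_password" {
  description = "Let RDS create and rotate the master password in Secrets Manager"
  type        = bool
  default     = true
}

variable "master_password" {
  description = "Only used when manage_master_user_password is false"
  type        = string
  default     = null
  sensitive   = true
}

resource "aws_rds_cluster" "example" {
  cluster_identifier  = "aurora-cluster-example"
  engine              = "aurora-mysql"
  master_username     = "admin"
  skip_final_snapshot = true

  # The two ways of supplying the password conflict, so exactly one is set.
  manage_master_user_password = var.manage_master_user_password ? true : null
  master_password             = var.manage_master_user_password ? null : var.master_password
}

locals {
  # master_user_secret is a nested block, so the provider exposes it as a list
  # of objects: empty when RDS manages no secret, one element when it does.
  # Indexing with [0] on the empty list fails with "Invalid index"; the splat
  # yields a list of ARNs and one() returns null for an empty list, the single
  # element for a one-element list, and an error for more than one.
  master_user_secret_arn = one(aws_rds_cluster.example.master_user_secret[*].secret_arn)
}

output "master_user_secret_arn" {
  description = "ARN of the Secrets Manager secret holding the master password; null if RDS does not manage it"
  value       = local.master_user_secret_arn
}

output "master_user_secret_status" {
  description = "creating | active | rotating | impaired; null if RDS does not manage the password"
  value       = one(aws_rds_cluster.example.master_user_secret[*].secret_status)
}

# Least privilege for whoever reads the password: only this one secret.
# count is keyed on the input variable, not on the computed ARN, because a
# count that depends on a value unknown until apply is rejected at plan time.
data "aws_iam_policy_document" "read_master_secret" {
  count = var.manage_master_user_password ? 1 : 0

  statement {
    sid       = "ReadRdsMasterSecret"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [local.master_user_secret_arn]
  }
}

resource "aws_iam_policy" "read_master_secret" {
  count  = var.manage_master_user_password ? 1 : 0
  name   = "read-aurora-master-secret"
  policy = data.aws_iam_policy_document.read_master_secret[0].json
}
```

The output carries the ARN only, never the password. Keep it that way: reading the value in Terraform with an aws_secretsmanager_secret_version data source would copy the credential into state, whereas a workload attached to the policy above fetches it at runtime with GetSecretValue and picks up RDS rotations automatically.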

anuj-upadhyay-hah commented 7 months ago

I was able to get the arn using:

output "master_user_secret_arn" {
  value = aws_rds_cluster.aurora_cluster.master_user_secret[0].secret_arn
}

for some reason the master user secret is returned as a list, so you have to fetch the arn from the [0] index.

greg-anetac commented 5 months ago

I was able to get the arn using:

output "master_user_secret_arn" {
  value = aws_rds_cluster.aurora_cluster.master_user_secret[0].secret_arn
}

for some reason the master user secret is returned as a list, so you have to fetch the arn from the [0] index.

This worked for me as well