Open anacronxinetd opened 1 year ago
Hey @anacronxinetd 👋 Thank you for taking the time to raise this! So that we have the necessary information in order to look into this, can you supply a sample Terraform configuration as well as debug logs (redacted as needed)?
Hey @justinretzolk
This is an example of the template we use:
resource "aws_rds_cluster" "default" {
  cluster_identifier            = "aurora-cluster-demo"
  engine                        = "aurora-mysql"
  engine_version                = "8.0.mysql_aurora.3.02.3"
  manage_master_user_password   = true
  master_user_secret_kms_key_id = ""
  master_username               = "foo"
  backup_retention_period       = 5
  preferred_backup_window       = "07:00-09:00"
  provider                      = aws.africa
  db_subnet_group_name          = aws_db_subnet_group.default.name
  skip_final_snapshot           = true
  serverlessv2_scaling_configuration {
    max_capacity = 12.0
    min_capacity = 0.5
  }
}

resource "aws_rds_cluster_instance" "default" {
  cluster_identifier   = aws_rds_cluster.default.id
  instance_class       = "db.serverless"
  engine               = aws_rds_cluster.default.engine
  engine_version       = aws_rds_cluster.default.engine_version
  db_subnet_group_name = aws_db_subnet_group.default.name
}

resource "aws_db_subnet_group" "default" {
  name       = join("-", ["rds", "sg"])
  subnet_ids = ["subnet_ids"] # Replace with list of subnets in VPC
}
An example of the output we are trying to use is the following:
output "arn_of_mater_password_secret" {
  value = aws_rds_cluster.default.master_secret.secret_arn
}
There are no logs as the above mentioned error is reported when running Terraform plan. I also tested with version 4.67.0 of the AWS provider but I'm also not able to reference the ARN of the secret using it
Tested with the aws_db_instance resource, but same results: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
The following doc states: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#secret_arn
The master_user_secret configuration block supports the following attributes:
kms_key_id - The Amazon Web Services KMS key identifier that is used to encrypt the secret.
secret_arn - The Amazon Resource Name (ARN) of the secret.
secret_status - The status of the secret. Valid Values: creating | active | rotating | impaired.
However, the configuration block can't be specified as part of the aws_rds_cluster resource, and the values for the configuration block can't be specified as output values either.
I ran into the same: an existing aws_db_instance with an admin password is changed to use Secrets Manager. I added the ARN of the secret as an output of the module. The plan step will fail.
To get it done, I made a workaround:
It does require some clickops work to be done, but it works ;-)
Hey @anacronxinetd 👋 I just took a look over your description again, and something caught my eye:
output "arn_of_mater_password_secret" {
  value = aws_rds_cluster.default.master_secret.secret_arn
}
The aws_rds_cluster resource doesn't have a master_secret attribute; based on the documentation you linked to, I believe you're looking for master_user_secret.secret_arn (you're missing the user bit in the middle).
I resolved this using:
output "master_user_secret_arn" {
  value = (var.manage_password_secret_manager && length(aws_rds_cluster.master.master_user_secret) == 1) ? lookup(aws_rds_cluster.master.master_user_secret[0], "secret_arn") : ""
}
NOTE: The variable manage_password_secret_manager decides whether to use Secrets Manager or set the passwords manually.
I've just spent ... a while ... trying to work out why ...
output "master_user_secret_arns" {
  description = "The RDS Cluster Master User Secret Username and Password ARNs"
  value = {
    password_arn = try(
      data.aws_ssm_parameter.master_password[var.service].arn,
      aws_rds_cluster.rds.master_user_secret.secret_arn
    )
    username_arn = aws_ssm_parameter.rds_master_username.arn
  }
}
is outputting the error
╷
│ Error: Unsupported attribute
│
│ on modules/rds/outputs.tf line 6, in output "master_user_secret_arns":
│ 6: aws_rds_cluster.rds.master_user_secret.secret_arn
│
│ Can't access attributes on a list of objects. Did you mean to access attribute "secret_arn" for a specific element of the list, or across all elements of the list?
╵
And the documentation DOES give the reason (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_user_secret) ...
The master_user_secret configuration **block** supports the following attributes:
I added a small highlight.
As blocks are potentially multiple in a resource, you need to check that the set has one to read.
I don't think/know if blocks can be just an object and not a set/list of objects.
But, thank you @matiri132 for confirming what I eventually found.
If possible, a smaller update to the documentation would have solved this very easily!
I was able to get the arn using:
output "master_user_secret_arn" {
  value = aws_rds_cluster.aurora_cluster.master_user_secret[0].secret_arn
}
For some reason the master user secret is returned as a list, so you have to fetch the ARN from the [0] index.
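Added example, not code from the issue thread or from the terraform-provider-aws project, showing the pattern the comments above converge on: master_user_secret is a list of objects, so it is reduced with one() before .secret_arn is read, and the resulting ARN is then used to scope an IAM policy to that single secret instead of granting the application secretsmanager:* on "*". It assumes Terraform 0.15 or newer (for one()), the aws_rds_cluster.default resource from the original report, and a hypothetical aws_iam_role.app that needs to read the password.

```hcl
# Added example, not code from the issue thread or the terraform-provider-aws project.
# Assumes Terraform >= 0.15 (for one()) and the AWS provider 4.x used in the report.

variable "manage_master_user_password" {
  description = "Let RDS generate and store the master password in Secrets Manager"
  type        = bool
  default     = true
}

resource "aws_rds_cluster" "default" {
  cluster_identifier          = "aurora-cluster-demo"
  engine                      = "aurora-mysql"
  engine_version              = "8.0.mysql_aurora.3.02.3"
  master_username             = "foo"
  manage_master_user_password = var.manage_master_user_password
  skip_final_snapshot         = true
}

# master_user_secret is a list of objects: one element when RDS manages the
# password, none otherwise. one() yields that element or null, so the outputs
# below do not hard-code [0] and do not fail when the block is absent.
locals {
  master_user_secret = one(aws_rds_cluster.default.master_user_secret)
}

# Only the ARN and metadata are exported; the password value itself is never
# read into state here, so nothing in these outputs needs sensitive = true.
output "master_user_secret_arn" {
  description = "ARN of the Secrets Manager secret holding the master password (null if unmanaged)"
  value       = try(local.master_user_secret.secret_arn, null)
}

output "master_user_secret_kms_key_id" {
  description = "KMS key that encrypts the managed secret"
  value       = try(local.master_user_secret.kms_key_id, null)
}

output "master_user_secret_status" {
  description = "creating | active | rotating | impaired"
  value       = try(local.master_user_secret.secret_status, null)
}

# Hypothetical application role (assumption: the workload runs on EC2).
resource "aws_iam_role" "app" {
  name = "aurora-app-role-example"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# Least privilege: read exactly this one secret. The count is keyed on the
# input variable, not on the computed block, so the plan does not fail with
# "count value depends on resource attributes that cannot be determined".
data "aws_iam_policy_document" "read_master_secret" {
  count = var.manage_master_user_password ? 1 : 0

  statement {
    effect = "Allow"
    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
    ]
    resources = [local.master_user_secret.secret_arn]
  }
}

resource "aws_iam_role_policy" "read_master_secret" {
  count  = var.manage_master_user_password ? 1 : 0
  name   = "read-aurora-master-secret"
  role   = aws_iam_role.app.id
  policy = data.aws_iam_policy_document.read_master_secret[0].json
}
```

After apply, terraform output master_user_secret_arn prints the ARN. The policy document is created with count so that a module deployed with manage_master_user_password = false simply omits it rather than evaluating a null secret. If the secret is encrypted with a customer-managed key via master_user_secret_kms_key_id, the role additionally needs kms:Decrypt on that key; with the default aws/secretsmanager key the key policy already permits this.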
This worked for me as well
Terraform Core Version
1.2.9
AWS Provider Version
4.64.0
Affected Resource(s)
aws_rds_cluster resource
Expected Behavior
According to the following doc: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#secret_arn the value for the attribute is exportable
Actual Behavior
Attribute can't be exported
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
An example of the output we are trying to use is the following:
Steps to Reproduce
Create Terraform template with aws_rds_cluster resource. Add secret_arn as output value
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
No