hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Enhancement]: Disable Secret Manager's Rotation Schedule by Default When Enabling manage_master_user_password for RDS #38433

Closed morisekntr closed 1 month ago

morisekntr commented 1 month ago

### Description

Hello,

I have learned that when creating RDS instances with Terraform and enabling manage_master_user_password, the master password is automatically managed by Secret Manager without being stored in the tfstate file.

However, the password in Secret Manager has its rotation schedule automatically enabled. This automatic rotation schedule is critical for us, as we handle a PHP-based monolithic web application, and we would prefer to have it disabled by default.

Thank you for your consideration.

### Affected Resource(s) and/or Data Source(s)

### Potential Terraform Configuration

```hcl
resource "aws_db_instance" "example" {
  manage_master_user_password    = true
  secretsmanager_secret_rotation = false # default: true
}
```

OR

```hcl
resource "aws_db_instance" "example" {
  manage_master_user_password = true
}

resource "aws_secretsmanager_secret_rotation" "example" {
  secret_id                     = aws_db_instance.example.master_user_secret[0].secret_arn
  automatically_secret_rotation = false # default: true
}
```


### References

_No response_

### Would you like to implement a fix?

None
github-actions[bot] commented 1 month ago

Community Note

aristosvo commented 1 month ago

Hi @morisekntr 👋!

Fellow DevOps engineer here, I understand your use case.

Unfortunately this is not something the AWS provider for Terraform can help you with, as the provider is just using the APIs of AWS, and they don't offer the functionality to stop the rotation.

At the same time it is a best practice to have a specific user for your application, instead of using the root user directly. In your case I'd look into that and how to solve that instead of expecting the functionality from the AWS provider.
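An added example (not from the issue or the provider's own code) of the pattern aristosvo describes: the RDS-managed master secret is left alone, and the application gets its own database user whose credentials live in a separate secret that only the application's IAM role may read. Names (`example-db`, `app_user`, `example/app-db-user`), the `app_role_name` variable and the MySQL engine are assumptions; `random_password` needs the hashicorp/random provider, and the `app_user` MySQL account itself must be created outside the AWS provider (migration script or a MySQL provider).

```hcl
variable "app_role_name" { type = string } # IAM role the application runs as (assumed)

# Master password generated and held by Secrets Manager, never written to state.
# The AWS-managed rotation on that secret is left enabled; the app never uses it.
resource "aws_db_instance" "example" {
  identifier                  = "example-db" # assumed name
  engine                      = "mysql"
  engine_version              = "8.0"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  username                    = "admin"
  manage_master_user_password = true
  skip_final_snapshot         = true
}

# Dedicated credentials for the application. Note: random_password is stored in
# Terraform state, so the state backend must be encrypted and access-controlled.
resource "random_password" "app_db_user" {
  length  = 32
  special = false
}

resource "aws_secretsmanager_secret" "app_db_user" {
  name = "example/app-db-user" # assumed name
}

resource "aws_secretsmanager_secret_version" "app_db_user" {
  secret_id = aws_secretsmanager_secret.app_db_user.id
  secret_string = jsonencode({
    username = "app_user" # MySQL account created outside the AWS provider
    password = random_password.app_db_user.result
    host     = aws_db_instance.example.address
    port     = aws_db_instance.example.port
  })
}

# Least privilege: the application role can read its own secret only, not the
# RDS-managed master secret at aws_db_instance.example.master_user_secret[0].secret_arn.
data "aws_iam_policy_document" "app_read_own_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [aws_secretsmanager_secret.app_db_user.arn]
  }
}

resource "aws_iam_role_policy" "app_read_own_secret" {
  name   = "read-app-db-secret"
  role   = var.app_role_name
  policy = data.aws_iam_policy_document.app_read_own_secret.json
}
```

With this layout, rotating the master password (which AWS does on its own schedule) cannot break the application, because the application never holds that credential.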

justinretzolk commented 1 month ago

With the above in mind, and that it looks like there's already an existing issue tracking this request (#33462), I'm going to close this issue. If you have any additional requests in the future, please do reach out and let us know!

github-actions[bot] commented 1 month ago

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

github-actions[bot] commented 1 week ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.