Currently the rds database cluster uses a randomly generated master password. However AWS offers a way to manage the rds master password with AWS Secrets Manager. This has a number of advantages:
The master password won't be visible in the terraform tfstate file
AWS will regularly rotate the master password automatically
References
See article: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html
Implementation note
After we change the master password to use Secrets Manager, the role_manager Lambda function will also need to be updated. Currently the role_manager fetches the db master password from SSM Parameter Store using the `DB_PASSWORD_PARAM_NAME` environment variable, which is defined in infra/modules/database/main.tf, so we will need to update the param name to `/aws/reference/secretsmanager/[secret id]` (see https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html).
Migration notes
Not entirely sure if this is a breaking change – ideally we can do this in a way that is not a breaking change, but if it is, we should include migration notes for projects on how to upgrade
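To make the proposal and the implementation note above concrete, here is a sketch of the Terraform change side by side with the current random-password approach, plus the role_manager wiring. This is an added example, not the project's module code: the resource names (`aws_rds_cluster.db`, `aws_lambda_function.role_manager`, `aws_iam_role.role_manager`), the cluster identifier, engine and Lambda artifact are placeholders, and the IAM policy document is an assumption about the permissions the Lambda's execution role needs to resolve the reference path.

```hcl
# --- Current approach (constructed illustration): the password is generated by
# Terraform, so its plaintext lives in the tfstate file and never rotates.
resource "random_password" "db" {
  length  = 32
  special = false
}

resource "aws_rds_cluster" "db_before" {
  cluster_identifier = "app-db"                    # placeholder
  engine             = "aurora-postgresql"         # placeholder
  master_username    = "postgres"
  master_password    = random_password.db.result   # ends up in state
  # remaining arguments omitted
}

# --- Proposed approach: RDS creates the password in Secrets Manager and rotates
# it. master_password must be removed; the provider rejects both being set.
resource "aws_rds_cluster" "db" {
  cluster_identifier          = "app-db"            # placeholder
  engine                      = "aurora-postgresql" # placeholder
  master_username             = "postgres"
  manage_master_user_password = true
  # Optional: encrypt the managed secret with a customer-managed KMS key
  # master_user_secret_kms_key_id = aws_kms_key.db.arn
  # remaining arguments omitted
}

# Only the secret's ARN is exposed to Terraform; the password value never is.
output "db_master_user_secret_arn" {
  value = aws_rds_cluster.db.master_user_secret[0].secret_arn
}

# The Lambda keeps reading from SSM, but through the Secrets Manager reference
# path. The managed secret has an auto-generated name, so pass the ARN.
resource "aws_lambda_function" "role_manager" {
  function_name = "role-manager"                  # placeholder
  role          = aws_iam_role.role_manager.arn   # assumed to exist
  handler       = "role_manager.lambda_handler"   # placeholder
  runtime       = "python3.11"
  filename      = "role_manager.zip"              # placeholder artifact

  environment {
    variables = {
      DB_PASSWORD_PARAM_NAME = "/aws/reference/secretsmanager/${aws_rds_cluster.db.master_user_secret[0].secret_arn}"
    }
  }
}

# Assumed permissions: GetParameter on the reference path is not enough on its
# own, the role also needs GetSecretValue on the secret that the path resolves to.
data "aws_iam_policy_document" "role_manager_secret" {
  statement {
    actions   = ["ssm:GetParameter"]
    resources = ["arn:aws:ssm:*:*:parameter/aws/reference/secretsmanager/*"]
  }
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_rds_cluster.db.master_user_secret[0].secret_arn]
  }
}
```

Two caveats for the role_manager change: the value returned through `/aws/reference/secretsmanager/...` is the whole secret string, which for an RDS-managed master password is a JSON document with `username` and `password` keys, so the Lambda has to parse it instead of treating the parameter value as the raw password; and because AWS rotates the secret on its own schedule, the Lambda should fetch it (with decryption) on each invocation rather than caching it across invocations. For the migration question, running `terraform plan` after switching an existing cluster to `manage_master_user_password = true` shows whether the provider treats it as an in-place modification or a replacement, which is the check that decides whether this is a breaking change.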