terraform-aws-modules / terraform-aws-dms

Terraform module to create AWS DMS (Database Migration Service) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/dms/aws
Apache License 2.0

Add option to refer to Secrets Manager secrets from endpoints #23

Closed varianytsia closed 1 year ago

varianytsia commented 1 year ago

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

When I comment out username, password, port, server_name within the module's endpoint, and try to pass secrets_manager_arn and secrets_manager_access_role_arn instead, I get the following error: `InvalidParameterValueException: The parameter Password must be provided and must not be blank.`

If I leave username, password, port, server_name populated, the infrastructure is deployed successfully, but the values for secrets_manager_arn and secrets_manager_access_role_arn are ignored and are not present in the remote state file on the S3 bucket.

Also, there is no way for the DMS instance to assume a role for getting a secret protected by a policy, which is not secure.

Describe the solution you'd like.

I would like to have the possibility to use secrets_manager_access_role_arn to be able to refer to a secret protected by some policy. I would like to use secrets_manager_arn instead of username, password, port, server_name, which refer to Secrets Manager in a much more verbose way:

```hcl
data "aws_secretsmanager_secret" "aurora_password_secret" {
  arn = var.aurora_secret_arn
}

data "aws_secretsmanager_secret_version" "aurora_password_secret_version" {
  secret_id = data.aws_secretsmanager_secret.aurora_password_secret.id
}

locals {
  db_creds = jsondecode(data.aws_secretsmanager_secret_version.aurora_password_secret_version.secret_string)
}

module "database_migration_service" {
  ...
  endpoints = {
    source = {
      ...
      username    = local.db_creds.username
      password    = local.db_creds.password
      port        = local.db_creds.port
      server_name = local.db_creds.host
    }
  }
}
```

Describe alternatives you've considered.

I also tried to provide `secretsManagerSecretId=my_secret_arn;secretsManagerAccessRoleArn=my_secret_access_role_arn` via extra_connection_attributes while commenting out username, password, port, server_name, but got the same error as above.

Additional context
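The endpoint shape this request asks for, written against the underlying `aws_dms_endpoint` resource rather than through the module (added example, not the module's or the reporter's code). Assumed: `var.aurora_secret_arn` from the snippet above, the role and endpoint names, and that the secret is the JSON document DMS expects (keys `username`, `password`, `host`, `port`).

```hcl
# Added example, not part of the module. Credentials never enter Terraform
# state: DMS reads them from Secrets Manager via a dedicated, narrowly scoped role.

data "aws_region" "current" {}

# Role that DMS assumes to fetch the secret. DMS uses a regional service principal.
resource "aws_iam_role" "dms_secret_access" {
  name = "dms-aurora-secret-access" # assumed name

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "dms.${data.aws_region.current.name}.amazonaws.com" }
    }]
  })
}

# Least privilege: read access to this one secret only. If the secret is
# encrypted with a customer-managed KMS key, add kms:Decrypt on that key too.
resource "aws_iam_role_policy" "dms_secret_access" {
  name = "read-aurora-secret" # assumed name
  role = aws_iam_role.dms_secret_access.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
      Resource = var.aurora_secret_arn
    }]
  })
}

# Source endpoint: username, password, server_name and port are omitted on
# purpose; DMS resolves them from the secret at connection time.
resource "aws_dms_endpoint" "source" {
  endpoint_id   = "aurora-source" # assumed name
  endpoint_type = "source"
  engine_name   = "aurora"

  secrets_manager_arn             = var.aurora_secret_arn
  secrets_manager_access_role_arn = aws_iam_role.dms_secret_access.arn
}
```

Because the credentials are not Terraform inputs, they also do not appear in plan output or in the remote state file, which is the gap the report describes.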

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.

github-actions[bot] commented 1 year ago

This issue was automatically closed because it was stale for 10 days.

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.