terraform-aws-modules / terraform-aws-dms

Terraform module to create AWS DMS (Database Migration Service) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/dms/aws
Apache License 2.0

feat: Allow for passwords to be in secrets manager #8

Closed henworth closed 2 years ago

henworth commented 2 years ago

Description

I used this module to set up DMS using existing database instances, but did not want to store plaintext credentials in git (for obvious reasons). These details were in Secrets Manager, so I added a new endpoint config entry password_secret_path that takes a Secrets Manager path. When this entry is non-null, the module will read that path for the password value.

This expects the secret value to be a plaintext secret type.

When password_secret_path is set, secret is ignored.

Motivation and Context

To allow the use of existing instances whose authentication details are in Secrets Manager.

How Has This Been Tested?

Used to deploy DMS to replicate between two MSSQL instances.

Screenshots (if appropriate):

bryantbiggs commented 2 years ago

Unfortunately, I don't think this addition makes a lot of sense. It's sort of embedding a reference to something that you need to also provide a reference to, instead of just accessing it directly.

Instead of baking it into the module, I would recommend just accessing it like:

    ...
    postgresql-source = {
      database_name               = local.db_name
      endpoint_id                 = "${local.name}-postgresql-source"
      endpoint_type               = "source"
      engine_name                 = "aurora-postgresql"
      extra_connection_attributes = "heartbeatFrequency=1;"
      username                    = local.db_username
    ~ password                    = data.aws_secretsmanager_secret_version.your_password.secret_string # <- this
      port                        = 5432
      server_name                 = module.rds_aurora["postgresql-source"].cluster_endpoint
      ssl_mode                    = "none"
      tags                        = { EndpointType = "postgresql-source" }
    }
    ...
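The approach the maintainer recommends above, written out as an added example (this is not code from the terraform-aws-dms module, the PR author, or the maintainer). It reads the secret with the `aws_secretsmanager_secret_version` data source, accepts both the plaintext secret the PR assumed and the JSON `{"username": ..., "password": ...}` shape many teams use, and feeds the result to an `aws_dms_endpoint`; the same `password = local.source_db_password` expression is what you would put in the module's endpoint entry. The secret name `prod/dms/postgresql-source`, the `local.*` values and the hostname are assumptions for illustration.

```hcl
# Added example, not code from the module or the PR. The secret name, the
# local.* values and the server hostname below are assumptions.

locals {
  name        = "example"
  db_name     = "app"
  db_username = "dms_user"
}

# Read the secret at plan time instead of hard-coding the password in git.
data "aws_secretsmanager_secret_version" "source_db" {
  secret_id = "prod/dms/postgresql-source" # assumed secret name; an ARN also works
}

locals {
  source_secret_raw = data.aws_secretsmanager_secret_version.source_db.secret_string

  # The PR expected a plaintext secret, but RDS-managed and many hand-made
  # secrets are JSON. try() falls back to the raw string when the value is not
  # a JSON object with a "password" key, so both shapes are handled.
  source_db_password = try(jsondecode(local.source_secret_raw)["password"], local.source_secret_raw)
}

resource "aws_dms_endpoint" "postgresql_source" {
  endpoint_id                 = "${local.name}-postgresql-source"
  endpoint_type               = "source"
  engine_name                 = "aurora-postgresql"
  database_name               = local.db_name
  username                    = local.db_username
  password                    = local.source_db_password # same expression goes in the module's endpoint map
  port                        = 5432
  server_name                 = "source-cluster.cluster-abc123.us-east-1.rds.amazonaws.com" # assumed
  ssl_mode                    = "require"
  extra_connection_attributes = "heartbeatFrequency=1;"

  tags = { EndpointType = "postgresql-source" }
}

# Keep the value out of plan/apply output if it is ever exported.
output "source_endpoint_arn" {
  value = aws_dms_endpoint.postgresql_source.endpoint_arn
}
```

Two caveats worth knowing before adopting this. First, it keeps the password out of git but not out of Terraform state: both the data source's `secret_string` and the endpoint's `password` argument are written to state in plaintext, so the state backend needs encryption at rest and tight access control regardless of where the secret lives. Second, the provider's `aws_dms_endpoint` resource also accepts `secrets_manager_arn` together with `secrets_manager_access_role_arn`; with those set, DMS fetches the credential itself at connection time and the password never passes through Terraform at all, which is the stronger option when the engine supports it.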
github-actions[bot] commented 1 year ago

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.