Unable to stop automatic key rotation in secret manager when we enable manage master master password using secret manager

[Aaketk17]

module "rds-pg" {
  source  = "terraform-aws-modules/rds/aws"
  version = "6.4.0"

  identifier                           = "pg"
  availability_zone                    = "ap-south-1a"
  allocated_storage                    = 20
  max_allocated_storage                = 100
  db_name                              = "name"
  manage_master_user_password          = true
  manage_master_user_password_rotation = false
  publicly_accessible                  = true
  username                             = "name"
  engine                               = "postgres"
  major_engine_version                 = 15.5
  engine_version                       = "15.5"
  family                               = "postgres15"
  create_cloudwatch_log_group          = true
  create_monitoring_role               = true
  network_type                         = "IPV4"
  storage_type                         = "gp2"
  subnet_ids                           = module.vpc.public_subnets
  instance_class                       = "db.t3.micro"
  create_db_subnet_group               = true
  vpc_security_group_ids               = [aws_security_group.rds_sg.id]
}

This is the code I am currently using to provision the RDS instance. But even the manage_master_user_password_rotation is set to false it is enabling the automatic ket rotation. I need to manage the master password in the secret manager but without enabling automatic key rotation.

[tomsozolins]

Experiencing same problem. RDS was brought up with module version 6.3.1. Then the module version was bumped to 6.4.0 and configuration was added to the module inputs: manage_master_user_password_rotation = false

Terraform plan results in No changes and password rotation is still enabled.

Note: Terraform plan shows No changes if secrets rotation is set to disabled manually via aws console.

[magreenbaum]

The provider doesn't currently have a way to disable automatic password rotation when using RDS password management with Secretsmanager that I know of. The manage_master_user_password_rotation parameter is just a way to manage the rotation schedule outside the default schedule (7 days I believe) and isn't for enabling or disabling rotation outright.

But if you create the aws_secretsmanager_secret_rotation resource by configuring manage_master_user_password_rotation to true (master_user_password_rotation_automatically_after_days or master_user_password_rotation_schedule_expression will also need to be set), apply, then set to false and apply again (it will then destroy the aws_secretsmanager_secret_rotation), that will disable rotation on the secretsmanager secret. When configuring, note that master_user_password_rotate_immediately should be set to false to prevent immediate rotation of the secret on an apply (example).

This is a workaround though and I would recommend testing prior to use.

Related provider issue comments: https://github.com/hashicorp/terraform-provider-aws/issues/33462#issuecomment-1830849144

[github-actions[bot]]

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions[bot]]

This issue was automatically closed because of stale in 10 days

[antonbabenko]

This issue has been resolved in version 6.5.5 :tada:

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.