terraform-aws-modules / terraform-aws-rds

Terraform module to create AWS RDS resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/rds/aws
Apache License 2.0
891 stars 1.34k forks

manage_master_user_password_rotation does not disable rotation #572

Open tsonev7 opened 1 month ago

tsonev7 commented 1 month ago

Description

It seems that the manage_master_user_password_rotation = false option does not disable the rotation.

Here's my RDS setup:

module "rds" {
  source  = "terraform-aws-modules/rds/aws"
  version = "6.9.0"

  identifier     = "my-rds"
  family         = "postgres16"
  engine         = "postgres"
  engine_version = "16.4"
  instance_class = var.rds_instance_class

  db_name                              = local.db_name
  port                                 = local.db_port
  username                             = local.db_user
  manage_master_user_password          = true
  manage_master_user_password_rotation = false
  iam_database_authentication_enabled  = false

  vpc_security_group_ids = [module.rds_sg.security_group_id]
  db_subnet_group_name   = aws_db_subnet_group.database.name

  allocated_storage = 20
  storage_encrypted = var.rds_storage_encrypted
}

After the RDS is created, the secret has the default rotation of 7 days.

The issue was reported in the past (#547, #538), but it seems that it doesn't work with the latest version. Also, I tried to fall back to 6.5.5 since the comments in those issues suggested that it was fixed in there, but still no success.

Versions

Reproduction Code [Required]

module "rds" {
  source  = "terraform-aws-modules/rds/aws"
  version = "6.9.0"

  identifier     = "my-rds"
  family         = "postgres16"
  engine         = "postgres"
  engine_version = "16.4"
  instance_class = var.rds_instance_class

  db_name                              = local.db_name
  port                                 = local.db_port
  username                             = local.db_user
  manage_master_user_password          = true
  manage_master_user_password_rotation = false
  # password                            = var.rds_master_user_password
  iam_database_authentication_enabled  = false

  vpc_security_group_ids = [module.rds_sg.security_group_id]
  db_subnet_group_name   = aws_db_subnet_group.database.name

  allocated_storage = 20
  storage_encrypted = var.rds_storage_encrypted
}

Steps to reproduce the behavior:

No

Yes

Expected behavior

The secret created by RDS does not have rotation set

Actual behavior

The secret that is created has the default rotation of 7 days

Terminal Output Screenshot(s)

Additional context

magreenbaum commented 5 days ago

This comment is applicable here, I believe: https://github.com/terraform-aws-modules/terraform-aws-rds/issues/538#issuecomment-1965606613
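
One way to verify the behavior reported in this issue, as an added example that is not part of the thread or of the module's code: compare the secret's observed rotation state, as returned by `aws secretsmanager describe-secret`, with the intent set in the Terraform configuration. The sample JSON is constructed (placeholder ARN and name), and `audit_rotation` and its parameters are hypothetical names.

```python
import json

# Constructed sample: shape of `aws secretsmanager describe-secret` output for
# an RDS-managed master user secret. ARN, account ID and name are placeholders.
SAMPLE_DESCRIBE_SECRET = json.loads("""
{
  "ARN": "arn:aws:secretsmanager:eu-west-1:111122223333:secret:rds!db-EXAMPLE",
  "Name": "rds!db-EXAMPLE",
  "OwningService": "rds",
  "RotationEnabled": true,
  "RotationRules": {"AutomaticallyAfterDays": 7}
}
""")


def audit_rotation(secret: dict, expect_rotation: bool) -> list[str]:
    """Compare a secret's observed rotation state with the intended one.

    `secret` is the parsed describe-secret response; `expect_rotation` mirrors
    the value given to manage_master_user_password_rotation.
    Returns findings; an empty list means observed state matches intent.
    """
    # DescribeSecret omits RotationEnabled when rotation was never configured.
    enabled = bool(secret.get("RotationEnabled", False))
    rules = secret.get("RotationRules") or {}
    days = rules.get("AutomaticallyAfterDays")
    cadence = rules.get("ScheduleExpression") or (
        f"every {days} days" if days else "unknown schedule")

    findings = []
    if enabled and not expect_rotation:
        findings.append(
            f"rotation enabled ({cadence}) but configuration expects it disabled")
        owner = secret.get("OwningService")
        if owner:
            # A secret created by another AWS service reports that service here.
            findings.append(f"secret is owned by service '{owner}'")
    elif not enabled and expect_rotation:
        findings.append("rotation disabled but configuration expects it enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_rotation(SAMPLE_DESCRIBE_SECRET, expect_rotation=False):
        print(finding)
```

To run it against a real secret, replace the sample with the parsed JSON output of `describe-secret` for the secret ARN that the RDS instance reports.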