Add Support for Reading Credentials from KMS Secrets #26

osterman opened this issue Aug 3, 2018 · 4 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

osterman commented Aug 3, 2018

what

resource "aws_rds_cluster" "example" {
  # ... other configuration ...
  master_password = "${data.aws_kms_secrets.example.plaintext["master_password"]}"
  master_username = "${data.aws_kms_secrets.example.plaintext["master_username"]}"
}

why

  • More secure. No passwords in terraform statefile.

references

https://www.terraform.io/docs/providers/aws/d/kms_secrets.html

osterman added the enhancement label Aug 3, 2018

sebastianmacarescu commented Sep 30, 2020

I think we can also add support for SecretsManager or ParameterStore.
If the maintainers agree I could make a PR to support 2 new parameters: admin_user_ssm_path and admin_password_ssm_path

osterman added the help wanted label Sep 30, 2020

zwass commented Dec 1, 2020

Even if you just allowed the master password to be managed separately (as though it were in a lifecycle ignore_changes block), that would be sufficient for my use case. As it stands this seems terribly insecure.

nitrocode commented

At the moment, we use the random provider to create the master password, which is stored in SSM, and then the value is fed to this module.


rstml commented Aug 24, 2023

This is now natively supported by RDS and the Terraform provider. I think this issue can be closed in favour of #166

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#rdsaurora-managed-master-passwords-via-secrets-manager-default-kms-key
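
The RDS-managed master password approach linked in the last comment, shown beside the random-provider pattern mentioned earlier in the thread. This is an added example, not part of the original thread or the module's code; resource names, the SSM path and the engine are assumptions.

```hcl
# Added example. All names, identifiers and paths are placeholders.

# Before: generate a password with the random provider, store it in SSM and
# pass it to the cluster. The plaintext value is recorded in the Terraform
# state three times: random_password.result, the SSM parameter value and the
# cluster's master_password.
resource "random_password" "master" {
  length  = 32
  special = false
}

resource "aws_ssm_parameter" "master_password" {
  name  = "/example/rds/master_password" # hypothetical path
  type  = "SecureString"
  value = random_password.master.result
}

resource "aws_rds_cluster" "before" {
  cluster_identifier  = "example-before"
  engine              = "aurora-postgresql"
  master_username     = "example_admin"
  master_password     = random_password.master.result
  skip_final_snapshot = true
}

# After: RDS generates the password and keeps it in Secrets Manager.
# master_password is not set (it conflicts with manage_master_user_password),
# so Terraform never handles the plaintext and the state holds only the ARN.
resource "aws_kms_key" "rds_secret" {
  description         = "Encrypts the RDS-managed master user secret"
  enable_key_rotation = true
}

resource "aws_rds_cluster" "after" {
  cluster_identifier            = "example-after"
  engine                        = "aurora-postgresql"
  master_username               = "example_admin"
  manage_master_user_password   = true
  master_user_secret_kms_key_id = aws_kms_key.rds_secret.key_id
  skip_final_snapshot           = true
}

# Consumers read the secret by ARN at runtime, gated by IAM and the KMS key policy.
output "master_user_secret_arn" {
  value = aws_rds_cluster.after.master_user_secret[0].secret_arn
}
```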
