Managed Admin Password for DocumentDb (#124)

* feat: add support for managed master credentials

Added one additional nullable variable that will allow users to manage
their master credentials using AWS Secrets Manager. This is a native
feature of the core resource.

* chore: update `manage_master_user_password` documentation

Updated the documentation to be a bit more clear and aligned with
the actual documentation.

* fix: ssm logic corrected

Was originally set to check whether `manage_master_user_password` is
null, which is not the correct test.

* (feat) Update create_password logic

* fix: Set master_password output to null when password is managed

* feat: Refactor conditional expressions

* chore: fix documentation

Co-authored-by: Copilot <[email protected]>

* fix: Update faulty conditional

Co-authored-by: Ben <[email protected]>

* Revert "fix: Update faulty conditional"

This reverts commit 876b50b.

* fix: correct logic for manage_master_user_password variable

* fix: Remove validation block

* refactor: master password handling

- Simplify logic for managing master password and Secrets Manager - Set
default for manage_master_user_password to false - Clarify variable
description and output behavior

* refactor: improve master password management logic and validation in DocumentDB cluster

* Update variables to be proper order - forget if TF short ciruits at this low version

* fix: update SSM parameter store condition to handle null master password values

* update outputs.tf

---------

Co-authored-by: Jan Costandius <[email protected]>
Co-authored-by: Copilot <[email protected]>

Author: 3 people

main.tf

@@ -1,7 +1,9 @@
 locals {
   enabled         = module.this.enabled
-  create_password = local.enabled && var.master_password == null
-
+  create_password = local.enabled && var.master_password == null && var.manage_master_user_password == null
+  // If both `var.master_password` and `var.manage_master_user_password` are set to null, the module will create a random password
+  // else if `var.master_password` is set to null - master_password is set to null as `manage_master_user_password` is set to true
+  // else `local.master_password` is set to the value provided in `var.master_password`
   master_password = local.create_password ? one(random_password.password[*].result) : var.master_password
 }
 
@@ -64,10 +66,12 @@ resource "random_password" "password" {
 }
 
 resource "aws_docdb_cluster" "default" {
-  count                           = local.enabled ? 1 : 0
-  cluster_identifier              = module.this.id
-  master_username                 = var.master_username
+  count              = local.enabled ? 1 : 0
+  cluster_identifier = module.this.id
+  master_username    = var.master_username
+  # If `master_password` or `manage_master_user_password` is set, the other MUST be set to null, otherwise it will cause an error.
   master_password                 = local.master_password
+  manage_master_user_password     = var.manage_master_user_password
   backup_retention_period         = var.retention_period
   preferred_backup_window         = var.preferred_backup_window
   preferred_maintenance_window    = var.preferred_maintenance_window
@@ -142,7 +146,7 @@ module "dns_master" {
   source  = "cloudposse/route53-cluster-hostname/aws"
   version = "0.13.0"
 
-  enabled  = local.enabled && var.zone_id != "" ? true : false
+  enabled  = local.enabled && var.zone_id != ""
   dns_name = local.cluster_dns_name
   zone_id  = var.zone_id
   records  = coalescelist(aws_docdb_cluster.default[*].endpoint, [""])
@@ -154,7 +158,7 @@ module "dns_replicas" {
   source  = "cloudposse/route53-cluster-hostname/aws"
   version = "0.13.0"
 
-  enabled  = local.enabled && var.zone_id != "" ? true : false
+  enabled  = local.enabled && var.zone_id != ""
   dns_name = local.replicas_dns_name
   zone_id  = var.zone_id
   records  = coalescelist(aws_docdb_cluster.default[*].reader_endpoint, [""])
@@ -166,7 +170,7 @@ module "ssm_write_db_password" {
   source  = "cloudposse/ssm-parameter-store/aws"
   version = "0.13.0"
 
-  enabled = local.enabled && var.ssm_parameter_enabled == true ? true : false
+  enabled = local.enabled && var.ssm_parameter_enabled && var.manage_master_user_password != null
   parameter_write = [
     {
       name        = format("%s%s", var.ssm_parameter_path_prefix, module.this.id)

outputs.tf

@@ -4,8 +4,8 @@ output "master_username" {
 }
 
 output "master_password" {
-  value       = join("", aws_docdb_cluster.default[*].master_password)
-  description = "Password for the master DB user"
+  value       = var.manage_master_user_password != null ? join("", aws_docdb_cluster.default[*].master_password) : null
+  description = "Password for the master DB user. If `manage_master_user_password` is set to true, this will be set to null."
   sensitive   = true
 }
 

variables.tf

@@ -99,6 +99,16 @@ variable "master_password" {
   description = "(Required unless a snapshot_identifier is provided) Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Please refer to the DocumentDB Naming Constraints"
 }
 
+variable "manage_master_user_password" {
+  type        = bool
+  description = "Whether to manage the master user password using AWS Secrets Manager."
+  default     = null
+  validation {
+    condition     = var.manage_master_user_password == null || var.manage_master_user_password == true
+    error_message = "Error: `manage_master_user_password` must be set to `true` or `null`"
+  }
+}
+
 variable "retention_period" {
   type        = number
   default     = 5
@@ -239,3 +249,4 @@ variable "allow_major_version_upgrade" {
   description = "Specifies whether major version upgrades are allowed. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#allow_major_version_upgrade"
   default     = false
 }
+