feat: Ephemeral password support #513

Open
wants to merge 1 commit into
base: master
Conversation

artem-hatchenko
Description

This update adds support for ephemeral master passwords (master_password_wo) in RDS/Aurora clusters.
With this option, the master password is write-only and never stored in the Terraform state.

Motivation

Since "manage_master_user_password" has annoying behavior with rotation enabled by default, and "master_password" stores the value in state, this solution provides an alternative.

How Has This Been Tested?

Tested with a few options:

Option 1

```hcl
manage_master_user_password = false
master_password             = false
master_password_wo          = true
```

Result: Deploy successful and connection with "wo" password works

Option 2

```hcl
manage_master_user_password = false
master_password             = true
master_password_wo          = true
```

Result: Conflicting configuration arguments (expected)

Option 3

```hcl
manage_master_user_password = true
master_password             = false
master_password_wo          = true
```

Result: Conflicting configuration arguments (expected)

Usage

Generate a password via an ephemeral resource, put the result into Secrets Manager, and retrieve the secret version.

```hcl
# Generated only at plan/apply time; never written to state.
ephemeral "random_password" "db_password" {
  length           = 16
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

resource "aws_secretsmanager_secret" "db_password" {
  name = "db_password"
}

# Write-only attribute: the value is sent to AWS but not persisted in state.
resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id                = aws_secretsmanager_secret.db_password.id
  secret_string_wo         = ephemeral.random_password.db_password.result
  secret_string_wo_version = 1
}

# Read the secret back ephemerally so it can be passed to the module.
ephemeral "aws_secretsmanager_secret_version" "db_password" {
  secret_id = aws_secretsmanager_secret_version.db_password.secret_id
}
```

Pass the necessary variables into the module:

```hcl
manage_master_user_password = false
master_password_wo          = ephemeral.aws_secretsmanager_secret_version.db_password.secret_string
master_password_wo_version  = aws_secretsmanager_secret_version.db_password.secret_string_wo_version
```
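A state audit check, added here as an example and not part of this PR or the module: it walks `terraform show -json` output and flags any resource whose secret-bearing attribute holds a non-null value, which is exactly what `master_password_wo` is meant to prevent. The state document is constructed sample data, and the module names and resource addresses in it are assumptions.

```python
import json

# Constructed `terraform show -json` output (sample data, not state produced by
# the module): "module.legacy" sets master_password, so the value is persisted;
# "module.wo" uses master_password_wo, which Terraform stores only as null.
SAMPLE_STATE_JSON = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"child_modules": [
        {"address": "module.legacy", "resources": [{
            "address": "module.legacy.aws_rds_cluster.this[0]",
            "type": "aws_rds_cluster",
            "values": {"master_password": "leaked-into-state",
                       "master_password_wo": None}}]},
        {"address": "module.wo", "resources": [{
            "address": "module.wo.aws_rds_cluster.this[0]",
            "type": "aws_rds_cluster",
            "values": {"master_password": None,
                       "master_password_wo": None,
                       "master_password_wo_version": 1}}]},
    ]}},
})

# Attributes whose non-null value in state means a secret was persisted.
SECRET_ATTRS = {"master_password", "secret_string", "password"}


def iter_resources(module):
    """Yield each resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_persisted_secrets(state_json):
    """Return (resource address, attribute) pairs whose secret attribute is non-null."""
    state = json.loads(state_json)
    return [
        (res["address"], attr)
        for res in iter_resources(state["values"]["root_module"])
        for attr, value in res.get("values", {}).items()
        if attr in SECRET_ATTRS and value is not None
    ]


if __name__ == "__main__":
    # On a real workspace, feed `terraform show -json` output in place of the sample.
    for address, attr in find_persisted_secrets(SAMPLE_STATE_JSON):
        print(f"secret persisted in state: {address}.{attr}")
```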

artem-hatchenko changed the title from "Added ephemeral password support" to "feat: Ephemeral password support" on Aug 8, 2025

bryantbiggs (Member)

see #509 (comment)
