feat: support RDS-managed admin password via Secrets Manager

[RoseSecurity]

what

This pull request introduces support for allowing AWS RDS to manage the admin user password for Aurora PostgreSQL clusters via Secrets Manager, while maintaining backward compatibility with the existing manual password management. The changes clarify and enforce the logic for how admin passwords are set, ensuring only one method is used at a time, and update the relevant variables and local values accordingly.

Password management enhancements:

• Added a new variable manage_admin_user_password to enable AWS-managed admin passwords via Secrets Manager, with validation to prevent conflicts if admin_password is also provided. (src/variables.tf src/variables.tfR125-R131)
• Updated local logic to ensure only one password management method is active: AWS-managed, user-provided, or auto-generated, and set admin_password accordingly. (src/main.tf src/main.tfR17-L18)
• Modified the Aurora cluster module configuration to pass the correct values for admin_password and the new manage_admin_user_password parameter, ensuring compatibility with the new logic. (src/cluster-regional.tf src/cluster-regional.tfL19-R20)

why

• Add manage_admin_user_password variable to allow AWS RDS to manage the master user password in Secrets Manager. Adjust logic to ensure admin_password and manage_admin_user_password are mutually exclusive, and update module and locals to support this new option. This enhances security and flexibility for password management.

references

• TF Docs

Summary by CodeRabbit

• New Features

  • Added an option to let the database service manage the admin password in Secrets Manager; when enabled the admin password may be left unset.
  • Admin username, password, and database name can be auto-generated when not provided.

• Documentation

  • Clarified password-management rules and evaluation order: service-managed, user-provided, or auto-generated.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Exposes a new boolean input manage_admin_user_password, wires it through module calls, and updates local password logic to choose between RDS-managed (null), a generated random password, or a provided password based on enabled, admin_password, and the new flag.

Changes

Cohort / File(s)	Summary of changes
Variable addition src/variables.tf	Adds variable "manage_admin_user_password" (type = bool, default = false) with description: allow RDS to manage the master user password; cannot be set if admin_password is provided.
Password selection logic & defaults src/main.tf	Adds local.create_password and recomputes local.admin_password as: if var.manage_admin_user_password then null, else if local.create_password then use a generated random_password, else use var.admin_password. Also updates admin_user and database_name defaults to one(random_pet(...)) and reorders locals.
Module invocation wiring src/cluster-regional.tf	Wires manage_admin_user_password = var.manage_admin_user_password into the aurora_postgres_cluster module call and passes the computed admin_password (possibly null) to the module.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant TF as Terraform module
  participant RP as random_password
  participant RDS as AWS RDS
  participant SM as SecretsManager

  User->>TF: provide inputs (manage_admin_user_password, admin_password, enabled)
  alt manage_admin_user_password == true
    Note right of TF #DDEEDF: admin_password set to null (RDS-managed)
    TF->>RDS: create cluster (admin_password = null)
    RDS->>SM: store/rotate secret
  else admin_password provided
    Note right of TF #FFF2CC: use provided admin_password
    TF->>RDS: create cluster (admin_password = var.admin_password)
  else neither set
    Note right of TF #F2E6FF: generate random password locally
    TF->>RP: create random_password
    RP-->>TF: generated value
    TF->>RDS: create cluster (admin_password = generated)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Support RDS managed DB password in Secrets Manager #21 — Adds and wires manage_admin_user_password and makes admin_password nullable when that flag is true, matching the issue's intent.

Poem

A rabbit nibbles at terraform lines,
toggles a flag where the secret hides.
RDS can guard or we can spin,
a random key plucked from a bin.
Hop safe, deploy — the cluster aligns. 🐇🔐

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title clearly and concisely summarizes the primary change by indicating support for RDS-managed admin passwords via AWS Secrets Manager. It directly reflects the main objectives of the pull request and avoids extraneous detail or ambiguous phrasing. As a short, specific sentence, it enables teammates to understand the key feature being introduced at a glance.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch add-manage-admin-password-ability

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bc42f25 and 8eedabd.

📒 Files selected for processing (1)

• src/cluster-regional.tf (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• src/cluster-regional.tf

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull Request Overview

This PR adds support for RDS-managed admin passwords via AWS Secrets Manager while maintaining backward compatibility with existing password management approaches. It introduces a new variable to control AWS-managed passwords and updates the local logic to handle three distinct password management scenarios.

• Added manage_admin_user_password variable to enable AWS Secrets Manager password management
• Refactored password logic to support AWS-managed, user-provided, or auto-generated passwords exclusively
• Updated cluster configuration to pass appropriate password values based on the selected management method

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
src/variables.tf	Adds new boolean variable for enabling AWS-managed password via Secrets Manager
src/main.tf	Updates local password logic to handle three mutually exclusive password management methods
src/cluster-regional.tf	Modifies cluster module calls to conditionally set admin_password and manage_admin_user_password

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

src/main.tf (1)

79-80: Skip random_password when AWS manages the secret.

Even when manage_admin_user_password is true, this resource still gets created because it only checks for an empty var.admin_password. That leaves an unused password resource in state. Please gate the count on the new flag as well.

-resource "random_password" "admin_password" {
-  count = local.enabled && length(var.admin_password) == 0 ? 1 : 0
+resource "random_password" "admin_password" {
+  count = local.enabled && length(var.admin_password) == 0 && !var.manage_admin_user_password ? 1 : 0

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2f321f4 and 9a1a445.

📒 Files selected for processing (3)

• src/cluster-regional.tf (1 hunks)
• src/main.tf (1 hunks)
• src/variables.tf (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

src/@(main|variables|outputs|providers|versions|context).tf

📄 CodeRabbit inference engine (AGENTS.md)

Keep the Terraform component source of truth under src/ with canonical files: main.tf, variables.tf, outputs.tf, providers.tf, versions.tf, context.tf

Files:

• src/variables.tf
• src/main.tf

src/**/*.tf

📄 CodeRabbit inference engine (AGENTS.md)

src/**/*.tf: Terraform code must be formatted (terraform fmt -recursive) and free of lint violations (TFLint rules)
Use lower_snake_case for Terraform variables and locals; keep resource and data source names descriptive and aligned with Cloud Posse null-label patterns
Use 2-space indentation for Terraform files

Files:

• src/variables.tf
• src/main.tf
• src/cluster-regional.tf

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

[RoseSecurity]

Apologies, the original documentation was vendored from the DocumentDB implementation of this code

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/cluster-regional.tf (1)

6-21: Add a precondition to enforce exclusivity between manage flag and admin_password.

Prevents accidental configuration drift and aligns with the variable’s contract.

 module "aurora_postgres_cluster" {
   source  = "cloudposse/rds-cluster/aws"
   version = "2.1.1"
   ...
+  precondition {
+    condition     = !(var.manage_admin_user_password && var.admin_password != "")
+    error_message = "admin_password must be empty when manage_admin_user_password is true."
+  }
   ...
 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2f321f4 and 90511a9.

📒 Files selected for processing (3)

• src/cluster-regional.tf (1 hunks)
• src/main.tf (1 hunks)
• src/variables.tf (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

src/@(main|variables|outputs|providers|versions|context).tf

📄 CodeRabbit inference engine (AGENTS.md)

Keep the Terraform component source of truth under src/ with canonical files: main.tf, variables.tf, outputs.tf, providers.tf, versions.tf, context.tf

Files:

• src/variables.tf
• src/main.tf

src/**/*.tf

📄 CodeRabbit inference engine (AGENTS.md)

src/**/*.tf: Terraform code must be formatted (terraform fmt -recursive) and free of lint violations (TFLint rules)
Use lower_snake_case for Terraform variables and locals; keep resource and data source names descriptive and aligned with Cloud Posse null-label patterns
Use 2-space indentation for Terraform files

Files:

• src/variables.tf
• src/cluster-regional.tf
• src/main.tf

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

🔇 Additional comments (1)

src/cluster-regional.tf (1)

18-21: admin_password wiring correct; no rename needed. The child module v2.1.1 expects manage_admin_user_password, so the existing argument is already correct.

[Copilot]

Pull Request Overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (2)

src/variables.tf (1)

125-130: Add plan-time validation to enforce mutual exclusivity.

Configuration currently allows manage_admin_user_password = true while admin_password is non-empty, which leads to provider errors. Please add a validation block here so plans fail fast when both are set.

 variable "manage_admin_user_password" {
   type        = bool
   default     = false
   description = "Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if admin_password is provided"
   nullable    = false
+
+  validation {
+    condition     = !(var.manage_admin_user_password && length(trimspace(var.admin_password)) > 0)
+    error_message = "manage_admin_user_password cannot be true when admin_password is provided. Leave admin_password empty to delegate password management to RDS."
+  }
 }

src/main.tf (1)

17-22: Null out admin_password when AWS manages it.

When manage_admin_user_password is true and no password is supplied, this local still returns "", so the module sends an empty string to AWS instead of null, causing apply-time failures. Please return null when the manage flag is enabled.

-  create_password = local.enabled && var.admin_password == "" && !var.manage_admin_user_password
-  admin_password  = local.create_password ? one(random_password.admin_password[*].result) : var.admin_password
+  create_password = local.enabled && var.admin_password == "" && !var.manage_admin_user_password
+  admin_password  = var.manage_admin_user_password ? null : (local.create_password ? one(random_password.admin_password[*].result) : var.admin_password)

🧹 Nitpick comments (1)

src/main.tf (1)

78-80: Only allocate random_password when actually needed.

With the current count, Terraform still creates a random password even when RDS should manage it. Tie the resource to local.create_password so it is skipped in that case.

-resource "random_password" "admin_password" {
-  count = local.enabled && length(var.admin_password) == 0 ? 1 : 0
+resource "random_password" "admin_password" {
+  count = local.create_password ? 1 : 0

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 90511a9 and 45171ec.

📒 Files selected for processing (2)

• src/main.tf (1 hunks)
• src/variables.tf (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

src/@(main|variables|outputs|providers|versions|context).tf

📄 CodeRabbit inference engine (AGENTS.md)

Keep the Terraform component source of truth under src/ with canonical files: main.tf, variables.tf, outputs.tf, providers.tf, versions.tf, context.tf

Files:

• src/variables.tf
• src/main.tf

src/**/*.tf

📄 CodeRabbit inference engine (AGENTS.md)

src/**/*.tf: Terraform code must be formatted (terraform fmt -recursive) and free of lint violations (TFLint rules)
Use lower_snake_case for Terraform variables and locals; keep resource and data source names descriptive and aligned with Cloud Posse null-label patterns
Use 2-space indentation for Terraform files

Files:

• src/variables.tf
• src/main.tf

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

[Copilot]

Pull Request Overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[RoseSecurity]

/terratest

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

src/main.tf (1)

78-91: Don’t create random password when RDS manages it.

The random_password still gets created when manage_admin_user_password=true (admin_password empty). This leaks an unnecessary secret into state and diverges from the chosen management mode.

Apply:

 resource "random_password" "admin_password" {
-  count = local.enabled && length(var.admin_password) == 0 ? 1 : 0
+  # Only generate when this module is responsible for creating the password
+  count = local.create_password ? 1 : 0

🧹 Nitpick comments (1)

src/main.tf (1)

17-24: Minor consistency: use one style for “empty” checks.

You mix == "" and length(...) == 0. Pick one for readability; suggest length(...) == 0 everywhere.

-  create_password = local.enabled && var.admin_password == "" && !var.manage_admin_user_password
+  create_password = local.enabled && length(var.admin_password) == 0 && !var.manage_admin_user_password

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 45171ec and 6b38df4.

📒 Files selected for processing (1)

• src/main.tf (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

src/@(main|variables|outputs|providers|versions|context).tf

📄 CodeRabbit inference engine (AGENTS.md)

Keep the Terraform component source of truth under src/ with canonical files: main.tf, variables.tf, outputs.tf, providers.tf, versions.tf, context.tf

Files:

• src/main.tf

src/**/*.tf

📄 CodeRabbit inference engine (AGENTS.md)

src/**/*.tf: Terraform code must be formatted (terraform fmt -recursive) and free of lint violations (TFLint rules)
Use lower_snake_case for Terraform variables and locals; keep resource and data source names descriptive and aligned with Cloud Posse null-label patterns
Use 2-space indentation for Terraform files

Files:

• src/main.tf

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

[RoseSecurity]

/terratest

[RoseSecurity]

Thanks!

[github-actions]

These changes were released in v1.540.3.