Allow database user and password to be optional

cloudposse · Jul 7, 2021 · 1ea1d29 · 1ea1d29
1 parent cb41a4c
commit 1ea1d29
Show file tree

Hide file tree

Showing 4 changed files with 135 additions and 13 deletions.
diff --git a/main.tf b/main.tf
@@ -6,6 +6,8 @@ module "final_snapshot_label" {
 }
 
 locals {
+  enabled = module.this.enabled
+
   computed_major_engine_version = var.engine == "postgres" ? join(".", slice(split(".", var.engine_version), 0, 1)) : join(".", slice(split(".", var.engine_version), 0, 2))
   major_engine_version          = var.major_engine_version == "" ? local.computed_major_engine_version : var.major_engine_version
 
@@ -17,15 +19,76 @@ locals {
   )
 
   availability_zone = var.multi_az ? null : var.availability_zone
+
+  create_user     = local.enabled && length(var.database_user) == 0
+  create_password = local.enabled && length(var.database_password) == 0
+
+  ssm_enabled           = local.enabled && var.ssm_enabled
+  ssm_key_prefix        = format("/%v/%v", var.ssm_path_prefix, var.database_name)
+  ssm_key_user          = format("%s/%s", local.ssm_key_prefix, "admin/db_user")
+  ssm_key_user_desc     = "RDS Username for the master DB user"
+  ssm_key_password      = format("%s/%s", local.ssm_key_prefix, "admin/db_password")
+  ssm_key_password_desc = "RDS Password for the master DB user"
+
+  database_user     = local.create_user ? join("", random_pet.database_user.*.id) : var.database_user
+  database_password = local.create_password ? join("", random_password.database_password.*.result) : var.database_password
 }
 
+resource "random_pet" "database_user" {
+  count = local.create_user ? 1 : 0
+
+  # word length
+  length = 3
+
+  keepers = {
+    db_name = var.database_name
+  }
+}
+
+resource "random_password" "database_password" {
+  count = local.create_password ? 1 : 0
+
+  # character length
+  length = 33
+
+  # Leave special characters out to avoid quoting and other issues.
+  # Special characters have no additional security compared to increasing length.
+  special          = false
+  override_special = "!#$%^&*()<>-_"
+
+  keepers = {
+    db_name = var.database_name
+  }
+}
+
+resource "aws_ssm_parameter" "database_user" {
+  count = local.ssm_enabled ? 1 : 0
+
+  name        = local.ssm_key_user
+  value       = local.database_user
+  description = local.ssm_key_user_desc
+  type        = "String"
+  overwrite   = true
+}
+
+resource "aws_ssm_parameter" "database_password" {
+  count = local.ssm_enabled ? 1 : 0
+
+  name        = local.ssm_key_password
+  value       = local.database_password
+  description = local.ssm_key_password_desc
+  type        = "SecureString"
+  key_id      = var.kms_key_arn
+  overwrite   = true
+}
+
 resource "aws_db_instance" "default" {
-  count = module.this.enabled ? 1 : 0
+  count = local.enabled ? 1 : 0
 
   identifier            = module.this.id
   name                  = var.database_name
-  username              = var.database_user
-  password              = var.database_password
+  username              = local.database_user
+  password              = local.database_password
   port                  = var.database_port
   engine                = var.engine
   engine_version        = var.engine_version
@@ -91,7 +154,7 @@ resource "aws_db_instance" "default" {
 }
 
 resource "aws_db_parameter_group" "default" {
-  count = length(var.parameter_group_name) == 0 && module.this.enabled ? 1 : 0
+  count = length(var.parameter_group_name) == 0 && local.enabled ? 1 : 0
 
   name_prefix = "${module.this.id}${module.this.delimiter}"
   family      = var.db_parameter_group
@@ -112,7 +175,7 @@ resource "aws_db_parameter_group" "default" {
 }
 
 resource "aws_db_option_group" "default" {
-  count = length(var.option_group_name) == 0 && module.this.enabled ? 1 : 0
+  count = length(var.option_group_name) == 0 && local.enabled ? 1 : 0
 
   name_prefix          = "${module.this.id}${module.this.delimiter}"
   engine_name          = var.engine
@@ -144,15 +207,15 @@ resource "aws_db_option_group" "default" {
 }
 
 resource "aws_db_subnet_group" "default" {
-  count = module.this.enabled && local.subnet_ids_provided && ! local.db_subnet_group_name_provided ? 1 : 0
+  count = local.enabled && local.subnet_ids_provided && ! local.db_subnet_group_name_provided ? 1 : 0
 
   name       = module.this.id
   subnet_ids = var.subnet_ids
   tags       = module.this.tags
 }
 
 resource "aws_security_group" "default" {
-  count = module.this.enabled ? 1 : 0
+  count = local.enabled ? 1 : 0
 
   name        = module.this.id
   description = "Allow inbound traffic from the security groups"
@@ -161,7 +224,7 @@ resource "aws_security_group" "default" {
 }
 
 resource "aws_security_group_rule" "ingress_security_groups" {
-  count = module.this.enabled ? length(var.security_group_ids) : 0
+  count = local.enabled ? length(var.security_group_ids) : 0
 
   description              = "Allow inbound traffic from existing Security Groups"
   type                     = "ingress"
@@ -173,7 +236,7 @@ resource "aws_security_group_rule" "ingress_security_groups" {
 }
 
 resource "aws_security_group_rule" "ingress_cidr_blocks" {
-  count = module.this.enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
+  count = local.enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
 
   description       = "Allow inbound traffic from CIDR blocks"
   type              = "ingress"
@@ -185,7 +248,7 @@ resource "aws_security_group_rule" "ingress_cidr_blocks" {
 }
 
 resource "aws_security_group_rule" "egress" {
-  count             = module.this.enabled ? 1 : 0
+  count             = local.enabled ? 1 : 0
   description       = "Allow all egress traffic"
   type              = "egress"
   from_port         = 0
@@ -199,7 +262,7 @@ module "dns_host_name" {
   source  = "cloudposse/route53-cluster-hostname/aws"
   version = "0.12.0"
 
-  enabled  = length(var.dns_zone_id) > 0 && module.this.enabled
+  enabled  = length(var.dns_zone_id) > 0 && local.enabled
   dns_name = var.host_name
   zone_id  = var.dns_zone_id
   records  = coalescelist(aws_db_instance.default.*.address, [""])

diff --git a/outputs.tf b/outputs.tf
@@ -47,3 +47,18 @@ output "resource_id" {
   value       = join("", aws_db_instance.default.*.resource_id)
   description = "The RDS Resource ID of this instance."
 }
+
+output "instance_user" {
+  value       = local.database_user
+  description = "RDS Username for the master DB user"
+}
+
+output "instance_password_ssm_key" {
+  value       = local.ssm_enabled ? local.ssm_key_password : null
+  description = "SSM key of RDS password for the master DB user"
+}
+
+output "instance_ssm_key_prefix" {
+  value       = local.ssm_enabled ? local.ssm_key_prefix : null
+  description = "SSM key prefix of all parameters stored for this instance"
+}
diff --git a/variables.tf b/variables.tf
@@ -33,16 +33,44 @@ variable "database_name" {
   description = "The name of the database to create when the DB instance is created"
 }
 
+# Don't use `admin`
+# Read more: <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html>
+# ("MasterUsername admin cannot be used as it is a reserved word used by the engine")
 variable "database_user" {
   type        = string
-  default     = ""
   description = "(Required unless a `snapshot_identifier` or `replicate_source_db` is provided) Username for the master DB user"
+  default     = ""
+
+  validation {
+    condition = (
+      length(var.database_user) == 0 ||
+      (var.database_user != "admin" &&
+        length(var.database_user) >= 1 &&
+      length(var.database_user) <= 16)
+    )
+    error_message = "Per the RDS API, admin cannot be used as it is a reserved word used by the engine. Master username must be between 1 and 16 characters. If null is provided then a random string will be used."
+  }
 }
 
+# Must be longer than 8 chars
+# Read more: <https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Limits.html>
+# ("The parameter MasterUserPassword is not a valid password because it is shorter than 8 characters")
 variable "database_password" {
   type        = string
-  default     = ""
   description = "(Required unless a snapshot_identifier or replicate_source_db is provided) Password for the master DB user"
+  default     = ""
+
+  # "sensitive" required Terraform 0.14 or later
+  #  sensitive   = true
+
+  validation {
+    condition = (
+      length(var.database_password) == 0 ||
+      (length(var.database_password) >= 8 &&
+      length(var.database_password) <= 128)
+    )
+    error_message = "Per the RDS API, master password must be between 8 and 128 characters. If null is provided then a random password will be used."
+  }
 }
 
 variable "database_port" {
@@ -321,3 +349,15 @@ variable "iam_database_authentication_enabled" {
   description = "Specifies whether or mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled"
   default     = false
 }
+
+variable "ssm_enabled" {
+  type        = bool
+  default     = false
+  description = "If `true` create SSM keys for the database user and password."
+}
+
+variable "ssm_path_prefix" {
+  type        = string
+  default     = "rds"
+  description = "SSM path prefix (without leading or trailing slash)"
+}
diff --git a/versions.tf b/versions.tf
@@ -14,5 +14,9 @@ terraform {
       source  = "hashicorp/null"
       version = ">= 2.0"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.0"
+    }
   }
 }