[Enhancement]: RDS support for storing master user password in Secrets Manager

[kevinmehall]

Description

Today AWS announced a new integration between RDS and Secrets Manager:

Amazon RDS now supports integration with AWS Secrets Manager to streamline how you manage your master user password for your RDS database instances. With this feature, RDS fully manages the master user password and stores it in AWS Secrets Manager whenever your RDS database instances are created, modified, or restored. The new feature supports the entire lifecycle maintenance for your RDS master user password including regular and automatic password rotations; removing the need for you to manage rotations using custom Lambda functions.

RDS integration with AWS Secrets Manager improves your database security by ensuring your RDS master user password is not visible in plaintext to administrators or engineers during your database creation workflow. Furthermore, you have flexibility in encrypting the secrets using your own managed key or by using a KMS key provided by AWS Secrets Manager. RDS and AWS Secrets Manager provide you the ease and security in managing your master user password for your database instances, relieving you from complex credential management activities such as setting up custom Lambda functions to manage password rotations.

This would allow keeping the password out of the Terraform state.

Affected Resource(s) and/or Data Source(s)

• aws_db_instance
• aws_rds_cluster

Potential Terraform Configuration

resource "aws_db_instance" "default" {
  ...
  manage_master_user_password = true
  master_user_secret_password_kms_key_id = "..."
  ...
}

References

https://aws.amazon.com/about-aws/whats-new/2022/12/amazon-rds-integration-aws-secrets-manager/
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[fergoid]

I would be happy to pick this up. The documentation also refers to being able to control the password rotation period although I cannot see that in the Go API docs.

[williamlord-wise]

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-secrets-manager.html

RDS manages the settings for the secret and rotates the secret every seven days by default. You can modify some of the settings, such as the rotation schedule. If you delete a DB instance that manages a secret in Secrets Manager, the secret and its associated metadata are also deleted.

It's not completely clear but perhaps this means you can modify the rotation schedule within AWS Secrets Manager as opposed to RDS as it's not in the RDS API either https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html.

[fergoid]

I am starting work on this today

[fergoid]

Have a question. If I do this

			"manage_master_user_password": {
				Type:          schema.TypeBool,
				Optional:      true,
				Default:       false,
				ConflictsWith: []string{"password"},
			},
			"password": {
				Type:          schema.TypeString,
				Optional:      true,
				Sensitive:     true,
				ConflictsWith: []string{"manage_master_user_password"},
			},

Can I safely assume in the code that these two parameters are now mutually exclusive ?
I can also see a couple of occasions where password is being validated as being present (for example on an S3 restore; line 803 in instance.go). I guess the validation should now be
if manage_master_user_password == false AND password is not set then error
and also set the manage_master_user_password variable & KMS key id if they are set

[larstobi]

This has been supported in the aws go-sdk since v1.44.166.

[github-actions]

This functionality has been released in v4.61.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.