Release feature for adding custom user password.

README.md

@@ -53,6 +53,7 @@ module "rds-pg" {
   slack_username                   = "John"
   slack_channel                    = "skaf-dev"
   slack_webhook_url                = "https://hooks/xxxxxxxx"
+  custom_user_password             = "postgresqlpasswd"
 }
 ```
 Refer [examples](https://github.com/squareops/terraform-aws-rds-postgresql/tree/main/examples) for more details.
@@ -121,6 +122,7 @@ The required IAM permissions to create resources from this module can be found [
 | <a name="input_cloudwatch_metric_alarms_enabled"></a> [cloudwatch\_metric\_alarms\_enabled](#input\_cloudwatch\_metric\_alarms\_enabled) | Boolean flag to enable/disable CloudWatch metrics alarms | `bool` | `false` | no |
 | <a name="input_create_db_subnet_group"></a> [create\_db\_subnet\_group](#input\_create\_db\_subnet\_group) | Whether to create a database subnet group | `bool` | `true` | no |
 | <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Whether to create a security group for the database | `bool` | `true` | no |
+| <a name="input_custom_user_password"></a> [custom\_user\_password](#input\_custom\_user\_password) | Custom password for the RDS master user | `string` | `""` | no |
 | <a name="input_cw_sns_topic_arn"></a> [cw\_sns\_topic\_arn](#input\_cw\_sns\_topic\_arn) | The username to use when sending notifications to Slack. | `string` | `""` | no |
 | <a name="input_db_name"></a> [db\_name](#input\_db\_name) | The name of the automatically created database on cluster creation | `string` | `""` | no |
 | <a name="input_deletion_protection"></a> [deletion\_protection](#input\_deletion\_protection) | Specifies whether accidental deletion protection is enabled | `bool` | `true` | no |

examples/complete-psql-replica/main.tf

@@ -10,6 +10,7 @@ locals {
   replica_enable          = true
   replica_count           = 1
   current_identity        = data.aws_caller_identity.current.arn
+  custom_user_password    = ""
   allowed_security_groups = ["sg-0a680afd35"]
   additional_tags = {
     Owner      = "Organization_Name"
@@ -111,4 +112,5 @@ module "rds-pg" {
   slack_username                   = "Admin"
   slack_channel                    = "postgresql-notification"
   slack_webhook_url                = "https://hooks/xxxxxxxx"
+  custom_user_password             = local.custom_user_password
 }

examples/complete/README.md

@@ -27,7 +27,7 @@ This example will be very useful for users who are new to a module and want to q
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_kms"></a> [kms](#module\_kms) | terraform-aws-modules/kms/aws | n/a |
-| <a name="module_rds-pg"></a> [rds-pg](#module\_rds-pg) | squareops/rds-postgresql/aws | n/a |
+| <a name="module_rds-pg"></a> [rds-pg](#module\_rds-pg) | ../../ | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | squareops/vpc/aws | n/a |
 
 ## Resources

examples/complete/main.tf

@@ -9,6 +9,7 @@ locals {
   storage_type            = "gp3"
   current_identity        = data.aws_caller_identity.current.arn
   allowed_security_groups = ["sg-0a680afd35"]
+  custom_user_password    = ""
   additional_tags = {
     Owner      = "Organization_Name"
     Expires    = "Never"
@@ -125,4 +126,5 @@ module "rds-pg" {
   slack_username                   = "Admin"
   slack_channel                    = "postgresql-notification"
   slack_webhook_url                = "https://hooks/xxxxxxxx"
+  custom_user_password             = local.custom_user_password
 }

main.tf

@@ -16,7 +16,7 @@ module "db" {
   port                                  = var.port
   engine                                = var.engine
   username                              = var.master_username
-  password                              = var.manage_master_user_password ? null : random_password.master[0].result
+  password                              = var.custom_user_password != "" ? var.custom_user_password : var.manage_master_user_password ? null : length(random_password.master) > 0 ? random_password.master[0].result : null
   multi_az                              = var.multi_az
   subnet_ids                            = var.subnet_ids
   kms_key_id                            = var.kms_key_arn
@@ -152,6 +152,33 @@ module "security_group_rds" {
   )
 }
 
+resource "aws_secretsmanager_secret" "secret_master_db" {
+  name = format("%s/%s/%s", var.environment, var.name, "rds-postgresql-pass")
+  tags = merge(
+    { "Name" = format("%s/%s/%s", var.environment, var.name, "rds-mysql-pass") },
+    local.tags,
+  )
+}
+
+resource "random_password" "master" {
+  count   = var.manage_master_user_password ? 0 : var.custom_user_password == "" ? 1 : 0
+  length  = var.random_password_length
+  special = false
+}
+
+resource "aws_secretsmanager_secret_version" "rds_credentials" {
+  count         = length(random_password.master) > 0 ? 1 : 0
+  secret_id     = aws_secretsmanager_secret.secret_master_db.id
+  secret_string = <<EOF
+{
+  "username": "${module.db.db_instance_username}",
+  "password": length(random_password.master) > 0 ? element(random_password.master, 0).result : var.custom_password,
+  "engine": "${var.engine}",
+  "host": "${module.db.db_instance_endpoint}"
+}
+EOF
+}
+
 # Cloudwatch alarms
 resource "aws_cloudwatch_metric_alarm" "cache_cpu" {
   count               = var.cloudwatch_metric_alarms_enabled ? 1 : 0
@@ -290,31 +317,3 @@ resource "aws_lambda_permission" "sns_lambda_slack_invoke" {
   principal     = "sns.amazonaws.com"
   source_arn    = aws_sns_topic.slack_topic[0].arn
 }
-
-
-resource "aws_secretsmanager_secret" "secret_master_db" {
-  name = format("%s/%s/%s", var.environment, var.name, "rds-postgresql-pass")
-  tags = merge(
-    { "Name" = format("%s/%s/%s", var.environment, var.name, "rds-mysql-pass") },
-    local.tags,
-  )
-}
-
-resource "random_password" "master" {
-  count   = var.manage_master_user_password ? 0 : 1
-  length  = var.random_password_length
-  special = false
-}
-
-resource "aws_secretsmanager_secret_version" "rds_credentials" {
-  count         = var.manage_master_user_password ? 0 : 1
-  secret_id     = aws_secretsmanager_secret.secret_master_db.id
-  secret_string = <<EOF
-{
-  "username": "${module.db.db_instance_username}",
-  "password": "${random_password.master[0].result}",
-  "engine": "${var.engine}",
-  "host": "${module.db.db_instance_endpoint}"
-}
-EOF
-}

outputs.tf

@@ -25,7 +25,7 @@ output "db_instance_username" {
 
 output "db_instance_password" {
   description = "Password for accessing the database."
-  value       = nonsensitive(random_password.master[0].result)
+  value       = var.custom_user_password != "" ? var.custom_user_password : nonsensitive(random_password.master[0].result)
 }
 
 output "master_credential_secret_arn" {

variables.tf

@@ -305,3 +305,9 @@ variable "performance_insights_retention_period" {
   type        = number
   default     = 7
 }
+
+variable "custom_user_password" {
+  description = "Custom password for the RDS master user"
+  default     = ""
+  type        = string
+}