Skip to content

Add support for managed master credentials #123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

Add support for managed master credentials #123

wants to merge 12 commits into from
+22 −11

Conversation

tionichm
Copy link

what

  • Added one additional variable that will allow users to manage their master credentials using AWS Secrets Manager.

why

  • This is a native feature of the core DocumentDB resource that should be supported by this module.

references

@tionichm tionichm requested review from a team as code owners June 13, 2025 08:40
@tionichm tionichm requested review from kevcube and jamengual June 13, 2025 08:40
@mergify mergify bot added the triage Needs triage label Jun 13, 2025
@tionichm
feat: add support for managed master credentials
7dd154c 
Added one additional nullable variable that will allow users to manage
their master credentials using AWS Secrets Manager. This is a native
feature of the core resource.
tionichm added 5 commits June 13, 2025 10:42
@tionichm
chore: update manage_master_user_password documentation
3faefbd 
Updated the documentation to be a bit more clear and aligned with
the actual documentation.
@tionichm
fix: ssm logic corrected
9058d1e 
Was originally set to check whether `manage_master_user_password` is
null, which is not the correct test.
@tionichm
(feat) Update create_password logic
817ae91
@tionichm
fix: Set master_password output to null when password is managed
4b41039
@tionichm
feat: Refactor conditional expressions
6b904e4
@Benbentwo Benbentwo requested a review from Copilot July 1, 2025 14:50
Copilot
Copilot AI reviewed Jul 1, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for managing master credentials using AWS Secrets Manager within the DocumentDB module.

  • Added a new variable "manage_master_user_password" to allow toggling credential management.
  • Updated outputs and main resource logic to account for this new feature.
  • Modified module enablement conditions for DNS and SSM modules accordingly.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
variables.tf New variable introduced to allow managed master user password handling.
outputs.tf Updated master_password output to return null when managed externally.
main.tf Added a parameter to the DNS and SSM modules and updated password creation logic.

Benbentwo
Benbentwo previously approved these changes Jul 1, 2025
View reviewed changes
@mergify mergify bot removed the triage Needs triage label Jul 1, 2025
@tionichm @Copilot
chore: fix documentation
1974ed1 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@mergify mergify bot added the triage Needs triage label Jul 1, 2025
@tionichm tionichm requested a review from Benbentwo July 1, 2025 15:02
@Benbentwo Benbentwo enabled auto-merge (squash) July 1, 2025 15:10
@mergify mergify bot removed the triage Needs triage label Jul 1, 2025
@Benbentwo
Copy link
Member

/terratest

Benbentwo
Benbentwo requested changes Jul 1, 2025
View reviewed changes
Copy link
Member

@Benbentwo Benbentwo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like tests fail because the conditional statement cannot execute on null.

e.g. enabled = local.enabled && var.ssm_parameter_enabled && !var.manage_master_user_password fails because && null is invalid

@mergify mergify bot added the triage Needs triage label Jul 1, 2025
@tionichm @Benbentwo
fix: Update faulty conditional
876b50b 
Co-authored-by: Ben <ben.smith.developer@gmail.com>
auto-merge was automatically disabled July 1, 2025 16:12

Head branch was pushed to by a user without write access

@Benbentwo
Copy link
Member

/terratest

Benbentwo
Benbentwo previously approved these changes Jul 1, 2025
View reviewed changes
@mergify mergify bot removed the triage Needs triage label Jul 1, 2025
@mergify mergify bot added the triage Needs triage label Jul 1, 2025
@Benbentwo
Copy link
Member

/terratest

@Benbentwo
Copy link
Member

/terratest

Benbentwo
Benbentwo previously approved these changes Jul 1, 2025
View reviewed changes
@mergify mergify bot removed the triage Needs triage label Jul 1, 2025
@tionichm
refactor: master password handling
8747889 
- Simplify logic for managing master password and Secrets Manager - Set
default for manage_master_user_password to false - Clarify variable
description and output behavior
@mergify mergify bot added the triage Needs triage label Jul 1, 2025
@Benbentwo
Copy link
Member

/terratest

tionichm
tionichm commented Jul 1, 2025
View reviewed changes
main.tf
Comment on lines +69 to +71
# If `master_password` or `manage_master_user_password` is set, the other MUST be set to null, otherwise it will cause an error.
master_password = var.manage_master_user_password ? null : local.master_password
manage_master_user_password = var.manage_master_user_password ? true : null
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Benbentwo I've altered the approach here a bit.

manage_master_user_password is now a bool with a default value of false from the get-go. This simplifies the logic that needs to be used throughout the module.

The major change here, is that one of manage_password and manage_master_user_password will be null.

The sacrifice that I needed to make for this to work, however, is that one of the two parameters will need to take priority over the other.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I'm thinking over if this is the right approach.

My concern with this pattern is as you described - the manage_master_user_password variable takes priority which can make it confusing why master_password isn't being used. The hard part here is the resource essentially wants a boolean value that is either true or null. I'm wondering if it's better to leave both as null, or alternatively, error out as terraform does if both are provided rather than switching it for the user so that it's less confusing why something isn't working.

Can I open a PR into your PR and see if I can get something to work, then perhaps you can test on your side if it works for you?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Benbentwo Benbentwo Benbentwo left review comments

Copilot code review Copilot Copilot left review comments

@kevcube kevcube Awaiting requested review from kevcube kevcube is a code owner automatically assigned from cloudposse/contributors

@jamengual jamengual Awaiting requested review from jamengual jamengual is a code owner automatically assigned from cloudposse/contributors

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
triage Needs triage
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tionichm @Benbentwo