diff --git a/.gitignore b/.gitignore
index 1fef4ab..8f21985 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
# Local .terraform directories
**/.terraform/*
+.terraform.lock*
# .tfstate files
*.tfstate
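Review bot: Line 8 keeps `.terraform.lock.hcl` out of the repository, and that file is what records the selected provider versions together with their checksums; with it ignored, every `terraform init` re-resolves providers against the registry with no comparison to the previous run. For a reusable module that is a defensible choice, but the intent should be stated next to the pattern, e.g. `# Provider lock file intentionally not committed (shared module; root modules pin their own)`. If reproducible CI runs are the goal instead, the lock file should be committed rather than ignored.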
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..0b342d4
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,8 @@
+---
+- repo: git://github.com/antonbabenko/pre-commit-terraform
+ rev: v1.44.0
+ hooks:
+ - id: terraform_fmt
+ - id: terraform_docs
+ - id: terraform_tflint
+ - id: terraform_validate
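Review bot: The hook source on line 18 uses the `git://` transport, which is neither authenticated nor encrypted (GitHub has since stopped serving it), so the hook code that runs on every commit is fetched with no integrity guarantee; it should read `- repo: https://github.com/antonbabenko/pre-commit-terraform`. `rev: v1.44.0` is a tag, and tags can be moved after the fact; pre-commit also accepts a full commit SHA for `rev`, which makes the pinned hook set immutable.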
diff --git a/README.md b/README.md
index c755eeb..590d047 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,8 @@ No modules.
| [aws_route53_record.reader](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
| [aws_security_group.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.default_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_ssm_parameter.superuser_name](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_ssm_parameter.superuser_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
| [random_id.master_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [random_id.snapshot_identifier](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [aws_iam_policy_document.monitoring_rds_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -146,6 +148,7 @@ No modules.
| [preferred\_backup\_window\_instance](#input\_preferred\_backup\_window\_instance) | When to perform DB backups for instances | `string` | `""` | no |
| [preferred\_maintenance\_window](#input\_preferred\_maintenance\_window) | When to perform DB maintenance for the cluster | `string` | `"sun:05:00-sun:06:00"` | no |
| [preferred\_maintenance\_window\_instance](#input\_preferred\_maintenance\_window\_instance) | When to perform DB maintenance for instances | `string` | `""` | no |
+| [prefix\_master\_creds\_ssm](#input\_prefix\_master\_creds\_ssm) | SSM parameter prefix for master user credentials | `string` | `"/database-controller"` | no |
| [publicly\_accessible](#input\_publicly\_accessible) | Whether the DB should have a public IP address | `bool` | `false` | no |
| [reader\_endpoint\_suffix](#input\_reader\_endpoint\_suffix) | Suffix for the Route53 record pointing to the cluster reader endpoint. Only used if route53\_zone\_id is passed also | `string` | `"-ro"` | no |
| [replica\_autoscaling](#input\_replica\_autoscaling) | Whether to enable autoscaling for RDS Aurora (MySQL) read replicas | `string` | `false` | no |
@@ -162,6 +165,7 @@ No modules.
| [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | Should a final snapshot be created on cluster destroy | `bool` | `false` | no |
| [snapshot\_identifier](#input\_snapshot\_identifier) | DB snapshot to create this database from | `string` | `""` | no |
| [storage\_encrypted](#input\_storage\_encrypted) | Specifies whether the underlying storage layer should be encrypted | `bool` | `false` | no |
+| [store\_master\_creds\_ssm](#input\_store\_master\_creds\_ssm) | Whether to store master user and password in SSM | `bool` | `false` | no |
| [subnet\_ids](#input\_subnet\_ids) | List of subnet IDs to use | `list(string)` | n/a | yes |
| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
| [update\_timeout](#input\_update\_timeout) | Timeout used for Cluster modifications | `string` | `"120m"` | no |
diff --git a/main.tf b/main.tf
index ddc567a..16b3f40 100644
--- a/main.tf
+++ b/main.tf
@@ -10,6 +10,22 @@ resource "random_id" "master_password" {
byte_length = 10
}
+resource "aws_ssm_parameter" "superuser_password" {
+ count = var.create_resources && var.store_master_creds_ssm ? 1 : 0
+ name = "${var.prefix_master_creds_ssm}/${aws_rds_cluster.main[0].endpoint}/superuser/password"
+ type = "SecureString"
+ value = local.master_password
+ overwrite = true
+}
+
+resource "aws_ssm_parameter" "superuser_name" {
+ count = var.create_resources && var.store_master_creds_ssm ? 1 : 0
+ name = "${var.prefix_master_creds_ssm}/${aws_rds_cluster.main[0].endpoint}/superuser/name"
+ type = "SecureString"
+ value = var.username
+ overwrite = true
+}
+
resource "aws_db_subnet_group" "main" {
count = var.create_resources ? 1 : 0
name = var.name
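Review bot: Neither new aws_ssm_parameter resource passes `tags = var.tags`, although the README in this same diff documents `tags` as "A map of tags to add to all resources", so the two secret parameters are created untagged and fall outside any tag-based access or inventory policy. Both SecureString parameters also omit `key_id`, which means they are encrypted with the account's default `aws/ssm` key; an optional key variable would let callers use a customer-managed key with its own key policy, and the default should at least be stated in a comment. `overwrite = true` additionally means a parameter that already exists at the same path outside this module is replaced without warning, which is worth a one-line comment on each resource.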
diff --git a/variables.tf b/variables.tf
index de39af8..dab594d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -79,6 +79,18 @@ variable "password" {
default = ""
}
+variable "store_master_creds_ssm" {
+ description = "Whether to store master user and password in SSM"
+ default = false
+ type = bool
+}
+
+variable "prefix_master_creds_ssm" {
+ description = "SSM parameter prefix for master user credentials"
+ default = "/database-controller"
+ type = string
+}
+
variable "final_snapshot_identifier_prefix" {
description = "The prefix name to use when creating a final snapshot on cluster destroy, appends a random 8 digits to name to ensure it's unique too."
default = "final-"
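Review bot: `prefix_master_creds_ssm` is interpolated directly into the SSM parameter name in main.tf, but nothing enforces the shape that interpolation assumes: a leading `/` (as in the default) and no trailing `/`, which would produce `//` in the path. If the module targets Terraform 0.13 or later, a `validation` block with `condition = can(regex("^/.*[^/]$", var.prefix_master_creds_ssm))` and a short `error_message` would reject a malformed prefix at plan time; otherwise the constraint should at least be spelled out in the description, which currently says only "SSM parameter prefix for master user credentials".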
diff --git a/versions.tf b/versions.tf
new file mode 100644
index 0000000..851b378
--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.63.0"
+ }
+ }
+}
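Review bot: The constraint on line 112 is open-ended, so a fresh init resolves the aws provider to whatever the newest major release is, and nothing in this block records which major versions the module has actually been exercised against; if that is only 3.x, `version = ">= 3.63.0, < 4.0.0"` captures it. A `required_version` line for Terraform core is also missing, even though the `source` attribute inside `required_providers` is itself a 0.13+ construct, so older Terraform fails on this file without a clear message about why.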