[TDRD 512] Add variable to toggle RDS instance password management by…

… secret manager integration
nationalarchives · Oct 11, 2024 · b5e2f2b · b5e2f2b
1 parent 711d719
commit b5e2f2b
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 1 deletion.
diff --git a/rds_instance/main.tf b/rds_instance/main.tf
@@ -32,7 +32,7 @@ resource "aws_db_instance" "db_instance" {
   engine                                = "postgres"
   engine_version                        = var.database_version
   username                              = var.admin_username
-  password                              = random_password.password.result
+  password                              = var.manage_master_credentials_with_secrets_manager ? null : random_password.password.result
   vpc_security_group_ids                = var.security_group_ids
   db_subnet_group_name                  = aws_db_subnet_group.user_subnet_group.name
   multi_az                              = var.multi_az
@@ -47,6 +47,7 @@ resource "aws_db_instance" "db_instance" {
   backup_retention_period               = var.backup_retention_period
   ca_cert_identifier                    = var.ca_cert_identifier
   apply_immediately                     = var.apply_immediately
+  manage_master_user_password           = var.manage_master_credentials_with_secrets_manager ? var.manage_master_credentials_with_secrets_manager : null
 }
 
 resource "aws_ssm_parameter" "database_username" {

diff --git a/rds_instance/outputs.tf b/rds_instance/outputs.tf
@@ -13,3 +13,7 @@ output "database_url" {
 output "resource_id" {
   value = aws_db_instance.db_instance.resource_id
 }
+
+output "database_master_user_secret_arn" {
+  value = var.manage_master_credentials_with_secrets_manager ? aws_db_instance.db_instance.master_user_secret[0].secret_arn : null
+}
diff --git a/rds_instance/variables.tf b/rds_instance/variables.tf
@@ -37,3 +37,8 @@ variable "apply_immediately" {
   default     = false
   description = "Apply modifications immediately or wait for next maintenance window"
 }
+
+variable "manage_master_credentials_with_secrets_manager" {
+  default = false
+  description = "Whether master database credentials should be managed using the RDS Secrets Manager integration"
+}