feat: support RDS-managed admin password via Secrets Manager (#64)

RoseSecurity · Copilot · goruha · web-flow · commit 78b208c2b5f3 · 2025-10-14T18:52:45.000Z
* feat: support RDS-managed admin password via Secrets Manager

Add `manage_admin_user_password` variable to allow AWS RDS to manage
the master user password in Secrets Manager. Adjust logic to ensure
`admin_password` and `manage_admin_user_password` are mutually
exclusive, and update module and locals to support this new option.
This enhances security and flexibility for password management.

* fix: adjust logic for admin password

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* fix: update documentation

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* chore: update logic

* fix: update logic

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;

* fix(terraform): use one() instead of join() for pet IDs

Replaces join() with one() for random_pet admin_user and database_name IDs
to ensure correct value selection. This prevents potential issues with
unexpected list handling and aligns with Terraform's best practices for
single value extraction.

* fix: deduplicate logic

Co-authored-by: Igor Rodionov  &lt;goruha@gmail.com&gt;

---------

Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
Co-authored-by: Igor Rodionov &lt;goruha@gmail.com&gt;
diff --git a/src/cluster-regional.tf b/src/cluster-regional.tf
@@ -7,16 +7,17 @@ module "aurora_postgres_cluster" {
   source  = "cloudposse/rds-cluster/aws"
   version = "2.2.0"
 
-  cluster_type   = "regional"
-  engine         = var.engine
-  engine_version = var.engine_version
-  engine_mode    = var.engine_mode
-  cluster_family = var.cluster_family
-  instance_type  = var.instance_type
-  cluster_size   = var.cluster_size
-  promotion_tier = var.promotion_tier
-  admin_user     = local.admin_user
-  admin_password = local.admin_password
+  cluster_type               = "regional"
+  engine                     = var.engine
+  engine_version             = var.engine_version
+  engine_mode                = var.engine_mode
+  cluster_family             = var.cluster_family
+  instance_type              = var.instance_type
+  cluster_size               = var.cluster_size
+  promotion_tier             = var.promotion_tier
+  admin_user                 = local.admin_user
+  admin_password             = local.admin_password
+  manage_admin_user_password = var.manage_admin_user_password
 
   db_name                              = local.database_name
   publicly_accessible                  = var.publicly_accessible
diff --git a/src/main.tf b/src/main.tf
@@ -14,9 +14,14 @@ locals {
 
   zone_id = module.dns_gbl_delegated.outputs.default_dns_zone_id
 
-  admin_user     = length(var.admin_user) > 0 ? var.admin_user : join("", random_pet.admin_user[*].id)
-  admin_password = length(var.admin_password) > 0 ? var.admin_password : join("", random_password.admin_password[*].result)
-  database_name  = length(var.database_name) > 0 ? var.database_name : join("", random_pet.database_name[*].id)
+  # 1. If manage_admin_user_password is true, AWS manages the password (admin_password must be empty)
+  # 2. If admin_password is provided, that value is used (manage_admin_user_password must be false)
+  # 3. If both are unset/false/empty, the module creates a random password
+  create_password = local.enabled && var.admin_password == "" && !var.manage_admin_user_password
+  admin_password  = var.manage_admin_user_password ? null : (local.create_password ? one(random_password.admin_password[*].result) : var.admin_password)
+
+  admin_user    = length(var.admin_user) > 0 ? var.admin_user : one(random_pet.admin_user[*].id)
+  database_name = length(var.database_name) > 0 ? var.database_name : one(random_pet.database_name[*].id)
 
   cluster_dns_name_prefix = format("%v%v%v%v", module.this.name, module.this.delimiter, var.cluster_name, module.this.delimiter)
   cluster_dns_name        = format("%v%v", local.cluster_dns_name_prefix, var.cluster_dns_name_part)
diff --git a/src/variables.tf b/src/variables.tf
@@ -122,6 +122,13 @@ variable "admin_password" {
   }
 }
 
+variable "manage_admin_user_password" {
+  type        = bool
+  default     = false
+  description = "Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if admin_password is provided"
+  nullable    = false
+}
+
 # https://aws.amazon.com/rds/aurora/pricing
 variable "instance_type" {
   type        = string

Original file line number	Diff line number	Diff line change
`@@ -122,6 +122,13 @@ variable "admin_password" {`
`122`	`122`	`}`
`123`	`123`	`}`
`124`	`124`
	`125`	`+variable "manage_admin_user_password" {`
	`126`	`+ type = bool`
	`127`	`+ default = false`
	`128`	`+ description = "Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if admin_password is provided"`
	`129`	`+ nullable = false`
	`130`	`+}`
	`131`	`+`
`125`	`132`	`# https://aws.amazon.com/rds/aurora/pricing`
`126`	`133`	`variable "instance_type" {`
`127`	`134`	`type = string`