diff --git a/README.md b/README.md index 680d95ae..5f9b7b7a 100644 --- a/README.md +++ b/README.md @@ -372,6 +372,7 @@ Available targets: | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [admin\_password](#input\_admin\_password) | Password for the master DB user. Ignored if snapshot\_identifier or replication\_source\_identifier is provided | `string` | `""` | no | | [admin\_user](#input\_admin\_user) | Username for the master DB user. Ignored if snapshot\_identifier or replication\_source\_identifier is provided | `string` | `"admin"` | no | +| [admin\_user\_secret\_kms\_key\_id](#input\_admin\_user\_secret\_kms\_key\_id) | Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.
If not specified, the default KMS key for your Amazon Web Services account is used. | `string` | `null` | no | | [allocated\_storage](#input\_allocated\_storage) | The allocated storage in GBs | `number` | `null` | no | | [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Enable to allow major engine version upgrades when changing engine versions. Defaults to false. | `bool` | `false` | no | | [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no | @@ -429,6 +430,7 @@ Available targets: | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | | [maintenance\_window](#input\_maintenance\_window) | Weekly time range during which system maintenance can occur, in UTC | `string` | `"wed:03:00-wed:04:00"` | no | +| [manage\_admin\_user\_password](#input\_manage\_admin\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master\_password is provided | `bool` | `false` | no | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | | [parameter\_group\_name\_prefix\_enabled](#input\_parameter\_group\_name\_prefix\_enabled) | Set to `true` to use `name_prefix` to name the cluster and database parameter groups. Set to `false` to use `name` instead | `bool` | `true` | no | diff --git a/docs/terraform.md b/docs/terraform.md index a518b7ff..e6dd2592 100644 --- a/docs/terraform.md +++ b/docs/terraform.md @@ -58,6 +58,7 @@ | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | | [admin\_password](#input\_admin\_password) | Password for the master DB user. Ignored if snapshot\_identifier or replication\_source\_identifier is provided | `string` | `""` | no | | [admin\_user](#input\_admin\_user) | Username for the master DB user. Ignored if snapshot\_identifier or replication\_source\_identifier is provided | `string` | `"admin"` | no | +| [admin\_user\_secret\_kms\_key\_id](#input\_admin\_user\_secret\_kms\_key\_id) | Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.
If not specified, the default KMS key for your Amazon Web Services account is used. | `string` | `null` | no | | [allocated\_storage](#input\_allocated\_storage) | The allocated storage in GBs | `number` | `null` | no | | [allow\_major\_version\_upgrade](#input\_allow\_major\_version\_upgrade) | Enable to allow major engine version upgrades when changing engine versions. Defaults to false. | `bool` | `false` | no | | [allowed\_cidr\_blocks](#input\_allowed\_cidr\_blocks) | List of CIDR blocks allowed to access the cluster | `list(string)` | `[]` | no | @@ -115,6 +116,7 @@ | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` |
[
"default"
]
| no | | [maintenance\_window](#input\_maintenance\_window) | Weekly time range during which system maintenance can occur, in UTC | `string` | `"wed:03:00-wed:04:00"` | no | +| [manage\_admin\_user\_password](#input\_manage\_admin\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master\_password is provided | `bool` | `false` | no | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | | [parameter\_group\_name\_prefix\_enabled](#input\_parameter\_group\_name\_prefix\_enabled) | Set to `true` to use `name_prefix` to name the cluster and database parameter groups. Set to `false` to use `name` instead | `bool` | `true` | no | @@ -127,7 +129,7 @@ | [reader\_dns\_name](#input\_reader\_dns\_name) | Name of the reader endpoint CNAME record to create in the parent DNS zone specified by `zone_id`. If left empty, the name will be auto-asigned using the format `replicas.var.name` | `string` | `""` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | | [replication\_source\_identifier](#input\_replication\_source\_identifier) | ARN of a source DB cluster or DB instance if this DB cluster is to be created as a Read Replica | `string` | `""` | no | -| [restore\_to\_point\_in\_time](#input\_restore\_to\_point\_in\_time) | List of point-in-time recovery options. Valid parameters are:

`source_cluster_identifier`
Identifier of the source database cluster from which to restore.
default: "120m"
`restore_type`:
Type of restore to be performed. Valid options are "full-copy" and "copy-on-write".
default: "copy-on-write"
`use_latest_restorable_time`:
Set to true to restore the database cluster to the latest restorable backup time. Conflicts with `restore_to_time`.
default: true
`restore_to_time`:
Date and time in UTC format to restore the database cluster to. Conflicts with `use_latest_restorable_time`.
default: null |
list(object({
source_cluster_identifier = string
restore_type = string
use_latest_restorable_time = bool
restore_to_time = string
}))
| `[]` | no | +| [restore\_to\_point\_in\_time](#input\_restore\_to\_point\_in\_time) | List of point-in-time recovery options. Valid parameters are:

`source_cluster_identifier`
Identifier of the source database cluster from which to restore.
`restore_type`:
Type of restore to be performed. Valid options are "full-copy" and "copy-on-write".
`use_latest_restorable_time`:
Set to true to restore the database cluster to the latest restorable backup time. Conflicts with `restore_to_time`.
`restore_to_time`:
Date and time in UTC format to restore the database cluster to. Conflicts with `use_latest_restorable_time`. |
list(object({
source_cluster_identifier = string
restore_type = optional(string, "copy-on-write")
use_latest_restorable_time = optional(bool, true)
restore_to_time = optional(string, null)
}))
| `[]` | no | | [retention\_period](#input\_retention\_period) | Number of days to retain backups for | `number` | `5` | no | | [s3\_import](#input\_s3\_import) | Restore from a Percona Xtrabackup in S3. The `bucket_name` is required to be in the same region as the resource. |
object({
bucket_name = string
bucket_prefix = string
ingestion_role = string
source_engine = string
source_engine_version = string
})
| `null` | no | | [scaling\_configuration](#input\_scaling\_configuration) | List of nested attributes with scaling properties. Only valid when `engine_mode` is set to `serverless` |
list(object({
auto_pause = bool
max_capacity = number
min_capacity = number
seconds_until_auto_pause = number
timeout_action = string
}))
| `[]` | no |
diff --git a/main.tf b/main.tf
index d9845747..024d7ba7 100644
--- a/main.tf
+++ b/main.tf
@@ -69,11 +69,14 @@ resource "aws_security_group_rule" "egress" {
 # The name "primary" is poorly chosen. We actually mean standalone or regional.
 # The primary cluster of a global database is actually created with the "secondary" cluster resource below.
 resource "aws_rds_cluster" "primary" {
- count = local.enabled && local.is_regional_cluster ? 1 : 0
- cluster_identifier = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
- database_name = var.db_name
+ count = local.enabled && local.is_regional_cluster ? 1 : 0
+ cluster_identifier = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
+ database_name = var.db_name
+ # manage_master_user_password must be `null` or `true`. If it is `false`, and `master_password` is not `null`, a conflict occurs.
+ manage_master_user_password = var.manage_admin_user_password ? var.manage_admin_user_password : null
+ master_user_secret_kms_key_id = var.admin_user_secret_kms_key_id
 master_username = local.ignore_admin_credentials ? null : var.admin_user
- master_password = local.ignore_admin_credentials ? null : var.admin_password
+ master_password = local.ignore_admin_credentials || var.manage_admin_user_password ? null : var.admin_password
 backup_retention_period = var.retention_period
 preferred_backup_window = var.backup_window
 copy_tags_to_snapshot = var.copy_tags_to_snapshot
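Review bot: A non-empty `admin_password` is silently discarded when `manage_admin_user_password` is true: the new `master_password` expression nulls it out, so a caller who sets both gets a generated secret in Secrets Manager and no error, even though the variable description says the two cannot be combined. A `lifecycle` precondition on the resource would turn that into a plan-time failure; the same expression is repeated in the `secondary` hunk below and needs the same guard. Separately, `master_user_secret_kms_key_id` is passed whether or not the managed-password flag is set, and I would expect the provider or API to reject a key for a secret that is not being created, so gating it the same way (`var.manage_admin_user_password ? var.admin_user_secret_kms_key_id : null`) is worth checking. No outputs change is visible in this diff, and consumers will need the managed secret's ARN (`master_user_secret[0].secret_arn`) exposed to read the password. The `aws_rds_cluster.primary` body continues outside the hunk, so the precondition belongs in its existing `lifecycle` block if it already has one.
```hcl
resource "aws_rds_cluster" "primary" {
  # … unchanged: count, cluster_identifier, credentials, backup settings …

  lifecycle {
    precondition {
      condition     = !(var.manage_admin_user_password && var.admin_password != "")
      error_message = "admin_password must be empty when manage_admin_user_password is true; RDS generates the password and stores it in Secrets Manager."
    }
  }
```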
@@ -169,11 +172,14 @@ resource "aws_rds_cluster" "primary" {
 # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#replication_source_identifier
 resource "aws_rds_cluster" "secondary" {
- count = local.enabled && !local.is_regional_cluster ? 1 : 0
- cluster_identifier = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
- database_name = var.db_name
+ count = local.enabled && !local.is_regional_cluster ? 1 : 0
+ cluster_identifier = var.cluster_identifier == "" ? module.this.id : var.cluster_identifier
+ database_name = var.db_name
+ # manage_master_user_password must be `null` or `true`. If it is `false`, and `master_password` is not `null`, a conflict occurs.
+ manage_master_user_password = var.manage_admin_user_password ? var.manage_admin_user_password : null
+ master_user_secret_kms_key_id = var.admin_user_secret_kms_key_id
 master_username = local.ignore_admin_credentials ? null : var.admin_user
- master_password = local.ignore_admin_credentials ? null : var.admin_password
+ master_password = local.ignore_admin_credentials || var.manage_admin_user_password ? null : var.admin_password
 backup_retention_period = var.retention_period
 preferred_backup_window = var.backup_window
 copy_tags_to_snapshot = var.copy_tags_to_snapshot
diff --git a/variables.tf b/variables.tf
index f32950ed..1cf1b9be 100644
--- a/variables.tf
+++ b/variables.tf
@@ -60,6 +60,23 @@ variable "db_port" {
 description = "Database port"
 }
+variable "manage_admin_user_password" {
+ type = bool
+ default = false
+ nullable = false
+ description = "Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if master_password is provided"
+}
+
+variable "admin_user_secret_kms_key_id" {
+ type = string
+ default = null
+ description = <<-EOT
+ Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
+ To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.
+ If not specified, the default KMS key for your Amazon Web Services account is used.
+ EOT
+}
+
 variable "admin_user" {
 type = string
 default = "admin"
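Review bot: The description of `manage_admin_user_password` names `master_password`, which is the provider attribute rather than this module's input (`admin_password`), and "Cannot be set if" overstates what the module enforces, since nothing in this diff rejects the combination. Either describe the actual behaviour, e.g. `description = "Set to true to have RDS generate the master user password and store it in Secrets Manager. When true, admin_password is ignored."`, or keep the stronger wording and back it with a check that fails the plan. The `admin_user_secret_kms_key_id` description should also say that the key is presumably only meaningful when `manage_admin_user_password` is true, since that is the only case in which a master user secret is created; confirm against the provider before stating it.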