Commit cd58b76f authored by bondezbond's avatar bondezbond Committed by GitHub

feat: support for random password (#306)

parent 105a2b50
......@@ -215,11 +215,13 @@ Users have the ability to:
|------|---------|
| terraform | >= 0.12.26 |
| aws | >= 2.49 |
| random | >= 2.2 |
| random | >= 3.1 |
## Providers
No provider.
| Name | Version |
|------|---------|
| random | >= 3.1 |
## Modules
......@@ -232,7 +234,9 @@ No provider.
## Resources
No resources.
| Name |
|------|
| [random_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) |
## Inputs
......@@ -253,6 +257,7 @@ No resources.
| create\_db\_parameter\_group | Whether to create a database parameter group | `bool` | `true` | no |
| create\_db\_subnet\_group | Whether to create a database subnet group | `bool` | `true` | no |
| create\_monitoring\_role | Create IAM role with a defined name that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. | `bool` | `false` | no |
| create\_random\_password | Whether to create random password for RDS primary cluster | `bool` | `false` | no |
| db\_subnet\_group\_description | Description of the DB subnet group to create | `string` | `""` | no |
| db\_subnet\_group\_name | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC | `string` | `null` | no |
| db\_subnet\_group\_use\_name\_prefix | Determines whether to use `subnet_group_name` as is or create a unique name beginning with the `subnet_group_name` as the prefix | `bool` | `true` | no |
......@@ -289,12 +294,13 @@ No resources.
| parameter\_group\_name | Name of the DB parameter group to associate or create | `string` | `null` | no |
| parameter\_group\_use\_name\_prefix | Determines whether to use `parameter_group_name` as is or create a unique name beginning with the `parameter_group_name` as the prefix | `bool` | `true` | no |
| parameters | A list of DB parameters (map) to apply | `list(map(string))` | `[]` | no |
| password | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file | `string` | n/a | yes |
| password | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file | `string` | `""` | no |
| performance\_insights\_enabled | Specifies whether Performance Insights are enabled | `bool` | `false` | no |
| performance\_insights\_kms\_key\_id | The ARN for the KMS key to encrypt Performance Insights data. | `string` | `null` | no |
| performance\_insights\_retention\_period | The amount of time in days to retain Performance Insights data. Either 7 (7 days) or 731 (2 years). | `number` | `7` | no |
| port | The port on which the DB accepts connections | `string` | n/a | yes |
| publicly\_accessible | Bool to control if instance is publicly accessible | `bool` | `false` | no |
| random\_password\_length | (Optional) Length of random password to create. (default: 10) | `number` | `10` | no |
| replicate\_source\_db | Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate. | `string` | `null` | no |
| s3\_import | Restore from a Percona Xtrabackup in S3 (only MySQL is supported) | `map(string)` | `null` | no |
| skip\_final\_snapshot | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final\_snapshot\_identifier | `bool` | `false` | no |
......@@ -329,6 +335,7 @@ No resources.
| this\_db\_instance\_resource\_id | The RDS Resource ID of this instance |
| this\_db\_instance\_status | The RDS instance status |
| this\_db\_instance\_username | The master username for the database |
| this\_db\_master\_password | The master password |
| this\_db\_option\_group\_arn | The ARN of the db option group |
| this\_db\_option\_group\_id | The db option group id |
| this\_db\_parameter\_group\_arn | The ARN of the db parameter group |
......
......@@ -125,10 +125,11 @@ module "db" {
max_allocated_storage = 100
storage_encrypted = false
name = null
username = "complete_mssql"
password = "YourPwdShouldBeLongAndSecure!"
port = 1433
name = null
username = "complete_mssql"
create_random_password = true
random_password_length = 12
port = 1433
domain = aws_directory_service_directory.demo.id
domain_iam_role_name = aws_iam_role.rds_ad_auth.name
......@@ -156,4 +157,4 @@ module "db" {
character_set_name = "Latin1_General_CI_AS"
tags = local.tags
}
}
\ No newline at end of file
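Review bot: `random_password_length = 12` in this example sets a lower bar than users should copy into production configurations; since the examples are the reference people start from, consider `random_password_length = 16` (still within the per-engine RDS maximums) and a comment such as `# generated password is stored in Terraform state; retrieve it via the module's sensitive output` so readers know where the value ends up. The same applies to the mysql, oracle and postgres examples changed in this commit, which use the identical `create_random_password = true` / `random_password_length = 12` pair. The `module "db"` block begins outside the hunk.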
......@@ -126,10 +126,11 @@ module "db_default" {
allocated_storage = 20
name = "completeMysql"
username = "complete_mysql"
password = "YourPwdShouldBeLongAndSecure!"
port = 3306
name = "completeMysql"
username = "complete_mysql"
create_random_password = true
random_password_length = 12
port = 3306
subnet_ids = module.vpc.database_subnets
vpc_security_group_ids = [module.security_group.this_security_group_id]
......@@ -140,4 +141,4 @@ module "db_default" {
backup_retention_period = 0
tags = local.tags
}
}
\ No newline at end of file
......@@ -75,10 +75,11 @@ module "db" {
storage_encrypted = false
# Make sure that database name is capitalized, otherwise RDS will try to recreate RDS instance every time
name = "COMPLETEORACLE"
username = "complete_oracle"
password = "YourPwdShouldBeLongAndSecure!"
port = 1521
name = "COMPLETEORACLE"
username = "complete_oracle"
create_random_password = true
random_password_length = 12
port = 1521
multi_az = true
subnet_ids = module.vpc.database_subnets
......@@ -100,4 +101,4 @@ module "db" {
character_set_name = "AL32UTF8"
tags = local.tags
}
}
\ No newline at end of file
......@@ -133,10 +133,11 @@ module "db_default" {
# NOTE: Do NOT use 'user' as the value for 'username' as it throws:
# "Error creating DB Instance: InvalidParameterValue: MasterUsername
# user cannot be used as it is a reserved word used by the engine"
name = "completePostgresql"
username = "complete_postgresql"
password = "YourPwdShouldBeLongAndSecure!"
port = 5432
name = "completePostgresql"
username = "complete_postgresql"
create_random_password = true
random_password_length = 12
port = 5432
subnet_ids = module.vpc.database_subnets
vpc_security_group_ids = [module.security_group.this_security_group_id]
......@@ -147,4 +148,4 @@ module "db_default" {
backup_retention_period = 0
tags = local.tags
}
}
\ No newline at end of file
locals {
master_password = var.create_db_instance && var.create_random_password ? random_password.master_password[0].result : var.password
db_subnet_group_name = var.replicate_source_db != null ? null : coalesce(var.db_subnet_group_name, module.db_subnet_group.this_db_subnet_group_id)
parameter_group_name_id = var.create_db_parameter_group ? module.db_parameter_group.this_db_parameter_group_id : var.parameter_group_name
......@@ -7,6 +8,14 @@ locals {
option_group = local.create_db_option_group ? module.db_option_group.this_db_option_group_id : var.option_group_name
}
# Random string to use as master password
resource "random_password" "master_password" {
count = var.create_db_instance && var.create_random_password ? 1 : 0
length = var.random_password_length
special = false
}
module "db_subnet_group" {
source = "./modules/db_subnet_group"
......@@ -70,7 +79,7 @@ module "db_instance" {
name = var.name
username = var.username
password = var.password
password = local.master_password
port = var.port
domain = var.domain
domain_iam_role_name = var.domain_iam_role_name
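Review bot: `random_password.master_password` is alphanumeric only (`special = false`) and defaults to 10 characters through `var.random_password_length`, which is close to the RDS minimum of 8 and gives only about 60 bits of entropy; the comment `# Random string to use as master password` should explain the choice, e.g. `# special chars disabled: RDS master passwords reject / @ " and space, and Oracle caps length at 30`, and a higher default length would be a safer baseline. The `result` is written to Terraform state in plaintext exactly like `var.password`, so the same comment should carry `# NOTE: result is stored unencrypted in state; protect the state backend accordingly`. Separately, when `create_random_password` is false and `var.password` keeps its new `""` default, `local.master_password` forwards an empty password to `module.db_instance` and nothing in these hunks rejects that combination; a `validation` block would be the natural guard but needs Terraform >= 0.13, above the `>= 0.12.26` floor the README states, so at minimum the variable documentation should call this out. The `module "db_instance"` block continues outside the hunk.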
......
......@@ -105,6 +105,7 @@ No Modules.
| this\_db\_instance\_endpoint | The connection endpoint |
| this\_db\_instance\_hosted\_zone\_id | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) |
| this\_db\_instance\_id | The RDS instance ID |
| this\_db\_instance\_master\_password | The master password |
| this\_db\_instance\_name | The database name |
| this\_db\_instance\_port | The database port |
| this\_db\_instance\_resource\_id | The RDS Resource ID of this instance |
......
......@@ -15,6 +15,7 @@ locals {
this_db_instance_ca_cert_identifier = element(concat(aws_db_instance.this_mssql.*.ca_cert_identifier, aws_db_instance.this.*.ca_cert_identifier, [""]), 0)
this_db_instance_domain = element(concat(aws_db_instance.this_mssql.*.domain, [""]), 0)
this_db_instance_domain_iam_role_name = element(concat(aws_db_instance.this_mssql.*.domain_iam_role_name, [""]), 0)
this_db_instance_master_password = element(concat(aws_db_instance.this_mssql.*.password, aws_db_instance.this.*.password, [""]), 0)
}
output "enhanced_monitoring_iam_role_name" {
......@@ -96,3 +97,9 @@ output "this_db_instance_domain_iam_role_name" {
description = "The name of the IAM role to be used when making API calls to the Directory Service. "
value = local.this_db_instance_domain_iam_role_name
}
output "this_db_instance_master_password" {
description = "The master password"
value = local.this_db_instance_master_password
sensitive = true
}
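Review bot: The description `"The master password"` on `this_db_instance_master_password` omits that `aws_db_instance.*.password` is only the value Terraform recorded at creation and is not refreshed if the password is later rotated outside Terraform, a caveat the root module already states on its `this_db_instance_password` output; suggest `description = "The master password as recorded at creation (Terraform does not track later changes)"`. `sensitive = true` only redacts plan/apply and `terraform output` display; the value is still present in state in plaintext, so the description could also steer consumers toward a secrets store rather than this output. The `element(concat(...))` local at the top of this section falls back to `""` when no instance exists, so callers cannot distinguish an empty password from an absent instance, which is worth a short comment on that line.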
......@@ -60,7 +60,7 @@ output "this_db_instance_username" {
output "this_db_instance_password" {
description = "The database password (this password may be old, because Terraform doesn't track it after initial creation)"
value = var.password
value = local.master_password
sensitive = true
}
......@@ -114,3 +114,9 @@ output "this_db_option_group_arn" {
description = "The ARN of the db option group"
value = module.db_option_group.this_db_option_group_arn
}
output "this_db_master_password" {
description = "The master password"
value = module.db_instance.this_db_instance_master_password
sensitive = true
}
\ No newline at end of file
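Review bot: `this_db_master_password` duplicates `this_db_instance_password`, which this same file now also resolves to the generated value via `local.master_password`; two root outputs emitting the master secret widen its footprint in state and in any wrapper module that forwards outputs, so one of them should be dropped or the new one documented as an alias. If both stay, the new output should carry the staleness caveat the older one has, e.g. `description = "The master password as recorded by the instance (may be stale: Terraform does not track changes made outside of it)"`. Note also that `local.master_password` is `""` when neither `create_random_password` nor `var.password` is set, so `this_db_instance_password` will silently output an empty string in that case.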
......@@ -115,6 +115,7 @@ variable "username" {
variable "password" {
description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file"
type = string
default = ""
}
variable "port" {
......@@ -410,3 +411,15 @@ variable "delete_automated_backups" {
type = bool
default = true
}
variable "create_random_password" {
description = "Whether to create random password for RDS primary cluster"
type = bool
default = false
}
variable "random_password_length" {
description = "(Optional) Length of random password to create. (default: 10)"
type = number
default = 10
}
\ No newline at end of file
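Review bot: `random_password_length` defaults to `10`, which together with `special = false` in the root `random_password` resource yields a short alphanumeric secret; `default = 16` is a safer baseline that still fits every engine this module supports (per AWS docs the maximum is 30 for Oracle and 41 for MySQL/MariaDB), and the `(default: 10)` text in the description is redundant with the `default` argument and will drift if the value changes. The `create_random_password` description says "RDS primary cluster", but this module manages a single `aws_db_instance`; suggest `description = "Whether to generate a random password for the RDS master user instead of using var.password"`. Giving `password` a `default = ""` removes the plan-time error that previously caught a missing password, and with `create_random_password = false` (the default) the empty string is forwarded to the instance, so the `password` description should state that it is required unless `create_random_password` is true (a `validation` block would enforce this but needs Terraform >= 0.13, above the module's `>= 0.12.26` floor).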
......@@ -6,10 +6,9 @@ terraform {
source = "hashicorp/aws"
version = ">= 2.49"
}
random = {
source = "hashicorp/random"
version = ">= 2.2"
version = ">= 3.1"
}
}
}