RDS Postgres Admin Login

Automatically rotates the admin password for an RDS secret.

The database details and initial password will be written to an AWS Secrets Manager secret. Once created, the secret will automatically rotate itself using a Lambda function.

Note that this performs a direct update of the admin password, so it isn't suitable for application credentials. We recommend you combine this module with user-login to create separate admin and user credentials.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.6.2 |
| aws | ~> 6.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 6.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| rotation | github.com/thoughtbot/terraform-aws-secrets//secret-rotation-function | v0.9.1 |
| secret | github.com/thoughtbot/terraform-aws-secrets//secret | v0.9.1 |
| security_group | ../../security-group | n/a |

Resources

| Name | Type |
|------|------|
| aws_iam_policy.describe_database | resource |
| aws_iam_role_policy_attachment.access_admin_login | resource |
| aws_db_instance.this | data source |
| aws_iam_policy_document.describe_database | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| admin_principals | Principals allowed to perform admin actions (default: current account) | `list(string)` | `null` | no |
| alternate_username | Username for the alternate login used during rotation | `string` | `null` | no |
| database_name | Name of the database to connect to | `string` | n/a | yes |
| identifier | Identifier of the database for which a login will be managed | `string` | n/a | yes |
| initial_password | ARN of the KMS key used to encrypt the admin login | `string` | n/a | yes |
| read_principals | Principals allowed to read the secret (default: current account) | `list(string)` | `null` | no |
| replica_regions | List of regions to replicate the secret to | `list(object({ region = string, kms_key_id = optional(string) }))` | `[]` | no |
| secret_name | Override the name for this secret | `string` | `null` | no |
| security_group_ids | Security groups to attach to the rotation function | `list(string)` | `[]` | no |
| subnet_ids | Subnets in which the rotation function should run | `list(string)` | n/a | yes |
| tags | Tags to be applied to created resources | `map(string)` | `{}` | no |
| trust_tags | Tags required on principals accessing the secret | `map(string)` | `{}` | no |
| username | The username for which a login will be managed | `string` | n/a | yes |
| vpc_id | VPC in which the rotation function should run | `string` | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| environment_variables | Environment variables set by this rotation function |
| kms_key_arn | ID of the KMS key used to encrypt the secret |
| policy_json | Required IAM policies |
| rotation_role_arn | ARN of the IAM role allowed to rotate this secret |
| rotation_role_name | Name of the IAM role allowed to rotate this secret |
| secret_arn | ARN of the secrets manager secret containing credentials |
| secret_name | Name of the secrets manager secret containing credentials |
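The following is an added example of calling this module from a parent configuration using the inputs and outputs listed above; it is not code from the module itself. The module `source` path, the RDS identifier, VPC and subnet IDs, the role ARN in `read_principals` and the tag values are all placeholders or constructed values.

```hcl
# Added example (not part of the module). The module source path and all
# literal identifiers below are placeholders, not values from the module docs.

# Generate the initial admin password in Terraform so it is never committed
# to source control. It is written to the secret and rotated by the Lambda
# function as soon as the secret exists. Caveat: the value still lands in
# Terraform state, so the state backend must be encrypted and access-controlled.
resource "random_password" "admin" {
  length  = 32
  special = false
}

module "postgres_admin_login" {
  source = "PLACEHOLDER/path/to/rds-postgres-admin-login" # assumption

  # Existing RDS instance and the admin login to manage.
  identifier       = "example-postgres" # placeholder identifier
  database_name    = "app"
  username         = "postgres"
  initial_password = random_password.admin.result

  # The rotation function runs inside the VPC so it can reach the instance.
  vpc_id     = "vpc-0123456789abcdef0"                           # placeholder
  subnet_ids = ["subnet-0123456789abcdef0", "subnet-0fedcba9876543210"] # placeholders

  # Restrict who may read the admin secret: a single operations role, and
  # only when that principal carries the required tag.
  read_principals = ["arn:aws:iam::123456789012:role/example-ops"] # constructed ARN
  trust_tags      = { "SecretAccess" = "rds-admin" }             # constructed tag

  tags = { "Environment" = "example" }
}

# Grant the module's required permissions (the policy_json output) to the
# role that needs to read the secret, rather than hand-writing a broader policy.
resource "aws_iam_policy" "admin_secret_access" {
  name   = "example-rds-admin-secret-access"
  policy = module.postgres_admin_login.policy_json
}

resource "aws_iam_role_policy_attachment" "admin_secret_access" {
  role       = "example-ops" # constructed role name, must match read_principals
  policy_arn = aws_iam_policy.admin_secret_access.arn
}
```

Application code should not use this secret; per the note above, create a separate user login for applications so the admin credential is only ever read by the operations role and the rotation function.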