Creates a login to an RDS Postgres instance and automatically rotates the password.
An active, admin username and password must be provided in an existing secret. This admin user will be used to create and rotate credentials.
During rotation, the secret toggles between the primary and alternate usernames. This avoids the window in which a password has been changed but the new secret has not yet reached every consumer of it: the previous login keeps working until the following rotation, so each password remains active for two rotations.
Example:

```hcl
module "rds_readonly_password" {
  source = "git@github.com:thoughtbot/flightdeck-addons.git//aws/rds-postgres-login?ref=main"

  admin_login_kms_key_id = module.rds_admin_password.kms_key_arn
  admin_login_secret_arn = module.rds_admin_password.secret_arn
  database               = module.database.primary
  subnet_ids             = module.network_data.private_subnet_ids
  username               = "readonly"
  vpc_id                 = module.network_data.vpc_id

  grants = [
    "GRANT USAGE ON SCHEMA public TO %s",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO %s"
  ]
}

module "rds_admin_password" {
  source = "git@github.com:thoughtbot/flightdeck-addons.git//aws/rds-postgres-admin-login?ref=main"

  database         = module.database.primary
  initial_password = module.database.initial_password
  subnet_ids       = module.network_data.private_subnet_ids
  username         = module.database.admin_username
  vpc_id           = module.network_data.vpc_id
}
```
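To make the two-rotation property concrete, here is a small added model of the primary/alternate alternation and of how the `grants` templates are filled in. It is illustration written for this README, not the module's rotation function: a dict stands in for the Postgres instance, `readonly_alt` is a constructed value for `alternate_username`, and `quote_ident` is a helper defined here.

```python
import secrets

PRIMARY = "readonly"        # the module's `username` input
ALTERNATE = "readonly_alt"  # `alternate_username`; constructed for this example
GRANTS = [                  # GRANT templates from the example above, %s = role
    "GRANT USAGE ON SCHEMA public TO %s",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO %s",
]


def quote_ident(name):
    """Quote a Postgres identifier before substituting it for %s (identifiers
    cannot be bound as query parameters, so they are quoted by hand)."""
    return '"' + name.replace('"', '""') + '"'


def rotate(db, secret):
    """One rotation: give the role the secret does NOT point at a fresh
    password, then point the secret at that role. `db` maps role -> password
    and stands in for the instance. Returns (new_secret, statements)."""
    target = ALTERNATE if secret["username"] == PRIMARY else PRIMARY
    new_password = secrets.token_urlsafe(32)
    # The password stays a %s driver parameter; only the identifier is inlined.
    statements = ["ALTER ROLE %s WITH LOGIN PASSWORD %%s" % quote_ident(target)]
    statements += [g % quote_ident(target) for g in GRANTS]
    db[target] = new_password  # stands in for executing the ALTER ROLE
    return {"username": target, "password": new_password}, statements


def can_login(db, secret):
    """Does a (possibly stale) cached copy of the secret still authenticate?"""
    return db.get(secret["username"]) == secret["password"]


def demo(rotations=4):
    """Rotate several times; for each step report whether the secret from one
    and from two rotations ago still log in. Expect (True, False): a password
    survives exactly one further rotation before it is overwritten."""
    db = {PRIMARY: "initial-constructed-password"}
    history = [{"username": PRIMARY, "password": db[PRIMARY]}]
    results = []
    for _ in range(rotations):
        new_secret, _ = rotate(db, history[-1])
        history.append(new_secret)
        prev_ok = can_login(db, history[-2])
        two_back_ok = can_login(db, history[-3]) if len(history) > 2 else None
        results.append((prev_ok, two_back_ok))
    return results
```

A consumer that refreshes its cached secret at least once per rotation interval therefore never sees an authentication failure, which is the reason for the alternating usernames.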
Warning
The replica variable MUST be set to true when creating a login for a Postgres replica instance. This is needed to ensure the Database URL secret won't conflict with the primary instance. As a result of setting that variable, the Database URL for the replica will be available as "REPLICA_DATABASE_URL", while the primary instance will have "DATABASE_URL".
| Name | Version |
|---|---|
| terraform | >= 1.6.2 |
| aws | ~> 6.0 |

| Name | Version |
|---|---|
| aws | ~> 6.0 |

| Name | Source | Version |
|---|---|---|
| rotation | github.com/thoughtbot/terraform-aws-secrets//secret-rotation-function | v0.9.1 |
| secret | github.com/thoughtbot/terraform-aws-secrets//secret | v0.9.1 |

| Name | Type |
|---|---|
| aws_iam_policy.access_admin_login | resource |
| aws_iam_role_policy_attachment.access_admin_login | resource |
| aws_security_group.function | resource |
| aws_security_group_rule.function_egress | resource |
| aws_iam_policy_document.access_admin_login | data source |
| aws_kms_key.admin_login | data source |

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_login_kms_key_id | ARN of the KMS key used to encrypt the admin login | string | n/a | yes |
| admin_login_secret_arn | ARN of a SecretsManager secret containing the admin login | string | null | no |
| admin_principals | Principals allowed to perform admin actions (default: current account) | list(string) | null | no |
| alternate_username | Username for the alternate login used during rotation | string | null | no |
| database | The database instance for which a login will be managed | object({ | n/a | yes |
| grants | List of GRANT statements for this user | list(string) | n/a | yes |
| read_principals | Principals allowed to read the secret (default: current account) | list(string) | null | no |
| replica | Whether the login is for a replica instance | bool | false | no |
| replica_regions | List of regions to replicate the secret to | list(object({ | [] | no |
| secret_name | Override the name for this secret | string | null | no |
| subnet_ids | Subnets in which the rotation function should run | list(string) | n/a | yes |
| tags | Tags to be applied to created resources | map(string) | {} | no |
| trust_tags | Tags required on principals accessing the secret | map(string) | {} | no |
| username | The username for which a login will be managed | string | n/a | yes |
| vpc_id | VPC in which the rotation function should run | string | n/a | yes |

| Name | Description |
|---|---|
| environment_variables | Environment variables set by this rotation function |
| policy_json | Required IAM policies |
| secret_arn | ARN of the secrets manager secret containing credentials |
| secret_name | Name of the secrets manager secret containing credentials |