This makes sure the initial password is in place before the rotation is setup so that the rotator Lambda can read the current value. Notice that the secret_id references the aws_secretsmanager_secret_version instead of the aws_secretsmanager_secret. # initial password resource "random_password" "db_master_pass" įinally, this part configures rotation for the secret. Its structure that is expected by the rotation function is described in the documentation: The secret itself needs to encode everything to change the password to be usable with the AWS-provided scripts. Because of this, rotation requires a somewhat complicated VPC-based networking setup just to wire everything together. The AWS scripts implement the second approad, so the Lambda they use require a connection to the database as well as the Secrets Manager service as described in the documentation. While the first approach does not rely on connectivity to the database, the second one does. The other one is to connect to the database, log in with the current credentials then issue a SET PASSWORD command. But combined with the Data API, things become complicated.Ĭhanging a password can be done in two distinct ways: one is to use the ModifyDBCluster AWS API. Theoretically, these ready-made solutions should make it easy to implement everything. Moreover, there are templates you can deploy directly.
Luckily, AWS provides a template for this as well as implementations for different scenarios (such as this one for MySQL). Second, rotating a secret is a complicated process, consisting of Secrets Manager invoking a Lambda function multiple times with different steps. This turned out to be a complication later on. Since that means there is no need to make the database reachable, I did not want to expose it just because of rotation. It took me quite some time to figure out every detail of configuration to make it work.įirst, I used the Data API that does not go through the usual networking paths of a VPC but uses a different plane. It turned out that “supported by AWS” does not mean “easy” by any means. This gave an idea: why not set up rotation so that the password in the Terraform state is no longer valid? It is a best practice to change passwords from time to time, so this feels like a good solution. Secrets Manager supports password rotation.
0 kommentar(er)
