A Terraform module that creates an AWS Secrets Manager secret for RDS, with optional rotation support.

- Creates the secret in the format required by RDS.
- Supports PostgreSQL; other engines are easy to add.
- When rotation is enabled, all required infrastructure is created (Lambda function, security group, etc.).

Secret rotation is not only good practice from a security perspective; it also removes the worry about the `aws_rds_cluster` resource storing the password in state, because the value held in state stops being valid after the first rotation.
```hcl
module "root_user" {
  source = "JCapriotti/rds-secret-rotation"

  db_cluster_identifier = "my-db"
  engine                = "postgres"
  host                  = "my-db.cluster-xxxxxxxx.us-east-1.rds.amazonaws.com"
  name_prefix           = "my-db-"
  port                  = 5432
  username              = "root"
  password              = "SomethingSecret!"

  rotation_days              = 7
  rotation_lambda_subnet_ids = ["subnet-0123456789", "subnet-abcdef0123"]
  rotation_lambda_vpc_id     = "vpc-0123456789"
  db_security_group_id       = aws_security_group.rds.id
}
```
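The following is an added example, not part of the module's own README, showing how the usage above fits together with the cluster it protects and with a second secret rotated using the `multiuser` strategy. It assumes an `aws_rds_cluster.this` resource, a `random_password.root` resource (from the `hashicorp/random` provider), variables `var.vpc_id`, `var.private_subnet_ids` and `var.app_initial_password`, and a database user named `app` that already exists; `aws_security_group.rds` is the same reference the usage above uses.

```hcl
# Added example (not from the module's README). Resource names
# (aws_rds_cluster.this, random_password.root, module.app_user), the
# variables referenced, and the pre-existing "app" database user are assumptions.

resource "random_password" "root" {
  length  = 32
  special = false # avoid characters RDS rejects in master passwords ('/', '@', '"', ' ')
}

resource "aws_rds_cluster" "this" {
  cluster_identifier     = "my-db"
  engine                 = "aurora-postgresql"
  master_username        = "root"
  master_password        = random_password.root.result
  vpc_security_group_ids = [aws_security_group.rds.id]

  lifecycle {
    # After the first rotation the live password no longer matches the value
    # Terraform holds, so never let a later plan push the stale value back.
    ignore_changes = [master_password]
  }
}

# Superuser secret, rotated with the default "single" strategy.
module "root_user" {
  source = "JCapriotti/rds-secret-rotation"

  db_cluster_identifier = aws_rds_cluster.this.cluster_identifier
  engine                = "postgres"
  host                  = aws_rds_cluster.this.endpoint
  port                  = aws_rds_cluster.this.port
  username              = aws_rds_cluster.this.master_username
  password              = random_password.root.result
  name_prefix           = "my-db-root-"

  rotation_days              = 7
  rotation_lambda_subnet_ids = var.private_subnet_ids
  rotation_lambda_vpc_id     = var.vpc_id
  db_security_group_id       = aws_security_group.rds.id
}

# Application-user secret. With the "multiuser" strategy the rotation Lambda
# uses the superuser secret (master_secret_arn) to reset the app user's
# password, so the app user itself never needs ALTER privileges.
module "app_user" {
  source = "JCapriotti/rds-secret-rotation"

  db_cluster_identifier = aws_rds_cluster.this.cluster_identifier
  engine                = "postgres"
  host                  = aws_rds_cluster.this.endpoint
  port                  = aws_rds_cluster.this.port
  username              = "app" # assumed to already exist in the database
  password              = var.app_initial_password
  name_prefix           = "my-db-app-"

  rotation_days     = 30
  rotation_strategy = "multiuser"
  master_secret_arn = module.root_user.secret_arn

  rotation_lambda_subnet_ids = var.private_subnet_ids
  rotation_lambda_vpc_id     = var.vpc_id
  db_security_group_id       = aws_security_group.rds.id
}

# Hand the application only the ARN; it fetches the current value at runtime
# instead of receiving a password that rotation would soon invalidate.
output "app_secret_arn" {
  value = module.app_user.secret_arn
}
```

The `ignore_changes` block is the check worth keeping: once rotation has run, the only copy of the real password lives in Secrets Manager, and the initial value passed to the module and to `aws_rds_cluster` is just a bootstrap credential that Terraform should never re-apply.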
Name | Description | Type | Default | Required
---|---|---|---|---
db_cluster_identifier | The DB cluster identifier. | string | | yes
db_security_group_id | The security group ID for the database. Required for secret rotation. | string | null | no
engine | The database engine type. | string | | yes
host | The host name of the database instance. | string | | yes
master_secret_arn | The superuser credentials used to update another secret in the multiuser rotation strategy. Required when using the multiuser rotation strategy. | string | null | no
name_prefix | The prefix for names of created resources. | string | | yes
password | The password for the user. | string | | yes
port | The port number of the database instance. | number | | yes
rotation_days | The number of days between rotations. When set to null (the default), rotation is not configured. | number | null | no
rotation_lambda_env_variables | Optional environment variables for the rotation lambda; useful for integration with certain layer providers. | map(string) | {} | no
rotation_lambda_handler | An optional lambda handler name; useful for integration with certain layer providers. | string | null | no
rotation_lambda_layers | Optional layers for the rotation lambda. | list(string) | null | no
rotation_lambda_policy_jsons | Additional policies to add to the rotation lambda; useful for integration with layer providers. | list(string) | [] | no
rotation_lambda_subnet_ids | The VPC subnets that the rotation lambda runs in. Required for secret rotation. | list(string) | [] | no
rotation_lambda_vpc_id | The VPC that the secret rotation lambda runs in. Required for secret rotation. | string | null | no
rotation_strategy | Specifies how the secret is rotated: either by updating credentials for the user itself (`single`) or by using a superuser's credentials to change another user's credentials (`multiuser`). | string | single | no
secret_recovery_window_days | The number of days that Secrets Manager waits before deleting a secret. | number | 0 | no
tags | Tags to use for created resources. | map(string) | {} | no
username | The username. | string | | yes
recreate_missing_package | Whether to recreate the Lambda package if it is missing locally. | bool | true | no

Name | Description
---|---
default_rotation_lambda_handler | The default lambda handler for the built-in function. Useful when integrating with a layer.
rotation_lambda_role_name | The name of the IAM role created for the rotation lambda.
rotation_lambda_runtime | The runtime of the rotation lambda.
rotation_lambda_security_group_id | The security group created for the rotation lambda.
secret_arn | The ARN of the secret that was created.
secret_name | The name of the secret that was created.