From c66cd738f86b9cd0742d9838635970ef7b5743e4 Mon Sep 17 00:00:00 2001 
From: Roman Date: Sun, 25 Jun 2023 15:30:41 +0200 Subject: [PATCH] feat!: Replace random password generation with manage master password, min AWS provider version increased to 5.0, `id` output replaced with `identifier` (#489) Co-authored-by: Stephen Rayner Co-authored-by: Bryant Biggs --- .gitignore | 2 +- .pre-commit-config.yaml | 2 +- CHANGELOG.md | 10 ++-- README.md | 35 ++++++------- examples/complete-mssql/README.md | 11 ++-- examples/complete-mssql/main.tf | 4 +- examples/complete-mssql/outputs.tf | 12 ++--- examples/complete-mssql/versions.tf | 2 +- examples/complete-mysql/README.md | 14 +++--- examples/complete-mysql/main.tf | 4 +- examples/complete-mysql/outputs.tf | 24 +++------ examples/complete-mysql/versions.tf | 2 +- examples/complete-oracle/README.md | 11 ++-- examples/complete-oracle/main.tf | 4 +- examples/complete-oracle/outputs.tf | 12 ++--- examples/complete-oracle/versions.tf | 2 +- examples/complete-postgres/README.md | 14 +++--- examples/complete-postgres/main.tf | 4 +- examples/complete-postgres/outputs.tf | 24 +++------ examples/complete-postgres/versions.tf | 2 +- .../cross-region-replica-postgres/README.md | 17 +++---- .../cross-region-replica-postgres/main.tf | 19 +++---- .../cross-region-replica-postgres/outputs.tf | 18 +++---- .../cross-region-replica-postgres/versions.tf | 2 +- examples/enhanced-monitoring/README.md | 11 ++-- examples/enhanced-monitoring/main.tf | 4 +- examples/enhanced-monitoring/outputs.tf | 12 ++--- examples/enhanced-monitoring/versions.tf | 2 +- examples/groups/README.md | 2 +- examples/groups/versions.tf | 2 +- examples/replica-mysql/README.md | 13 +++-- examples/replica-mysql/main.tf | 11 ++-- examples/replica-mysql/outputs.tf | 18 +++---- examples/replica-mysql/versions.tf | 2 +- examples/replica-postgres/README.md | 13 +++-- examples/replica-postgres/main.tf | 11 ++-- examples/replica-postgres/outputs.tf | 18 +++---- examples/replica-postgres/versions.tf | 2 +- examples/s3-import-mysql/README.md | 14 ++---- 
examples/s3-import-mysql/main.tf | 21 +++----- examples/s3-import-mysql/outputs.tf | 12 ++--- examples/s3-import-mysql/versions.tf | 7 +-- main.tf | 14 ++---- modules/db_instance/README.md | 11 ++-- modules/db_instance/main.tf | 14 +++--- modules/db_instance/outputs.tf | 50 ++++++++----------- modules/db_instance/variables.tf | 15 ++++++ modules/db_instance/versions.tf | 2 +- .../outputs.tf | 2 +- .../versions.tf | 2 +- modules/db_option_group/README.md | 4 +- modules/db_option_group/outputs.tf | 4 +- modules/db_option_group/versions.tf | 2 +- modules/db_parameter_group/README.md | 4 +- modules/db_parameter_group/outputs.tf | 4 +- modules/db_parameter_group/versions.tf | 2 +- modules/db_subnet_group/README.md | 4 +- modules/db_subnet_group/outputs.tf | 4 +- modules/db_subnet_group/versions.tf | 2 +- outputs.tf | 14 ++---- variables.tf | 29 ++++++----- versions.tf | 7 +-- 62 files changed, 259 insertions(+), 357 deletions(-) diff --git a/.gitignore b/.gitignore index 397af322..7f041e9b 100644 --- a/.gitignore +++ b/.gitignore @@ -11,7 +11,7 @@ # Crash log files crash.log -# Exclude all .tfvars files, which are likely to contain sentitive data, such as +# Exclude all .tfvars files, which are likely to contain sensitive data, such as # password, private keys, and other secrets. These should not be part of version # control as they are data points which are potentially sensitive and subject # to change depending on the environment. diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f6f54bb6..0f342838 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.78.0 + rev: v1.81.0 hooks: - id: terraform_fmt - id: terraform_validate diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e1c14c2..a2a2d51a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -394,7 +394,7 @@ All notable changes to this project will be documented in this file ## [v2.19.0] - 2020-10-15 - fix: Added tflint and fixes in README ([#265](https://github.com/terraform-aws-modules/terraform-aws-rds/issues/265)) -- docs: Change accound to account ([#261](https://github.com/terraform-aws-modules/terraform-aws-rds/issues/261)) +- docs: Change account to account ([#261](https://github.com/terraform-aws-modules/terraform-aws-rds/issues/261)) @@ -814,7 +814,7 @@ All notable changes to this project will be documented in this file ## [v1.14.0] - 2018-03-14 -- Updated readme with conditional creatino section +- Updated readme with conditional creation section - Enable db_parameter_group_name variable ([#47](https://github.com/terraform-aws-modules/terraform-aws-rds/issues/47)) @@ -852,7 +852,7 @@ All notable changes to this project will be documented in this file ## [v1.8.0] - 2018-01-23 -- Add availability zone to instance ressource module ([#35](https://github.com/terraform-aws-modules/terraform-aws-rds/issues/35)) +- Add availability zone to instance resource module ([#35](https://github.com/terraform-aws-modules/terraform-aws-rds/issues/35)) @@ -922,7 +922,7 @@ All notable changes to this project will be documented in this file - Merge branch 'master' of https://github.com/terraform-aws-modules/terraform-aws-rds - Updated README.md for MySQL RDS example - Updated README.md for Postgres RDS example -- fianl-snapshot_identifier should default to nothing +- final-snapshot_identifier should default to nothing - Add enhanced monitoring example to README, and add current contributors link - Merge branch 'master' into final_snapshot_identifier - Updated links using upstream path 
@@ -952,7 +952,7 @@ All notable changes to this project will be documented in this file - Removed unused variable - Improved kms_key_id description - Cleaned duplicated attributes & variables -- Merge branch 'encryption' of github.com:fmartingr/terraform-aws-rds into encryption +- Merge branch 'encryption' of github.com:formatting/terraform-aws-rds into encryption - Added parameters to example - Added kms_key_id parameter - Using `encrypted` to set the db_instance.storage_encrypted diff --git a/README.md b/README.md index 640fd1c1..afcd7548 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ Root module calls these modules which can also be used separately to create inde ```hcl module "db" { - source = "terraform-aws-modules/rds/aws" + source = "terraform-aws-modules/rds/aws" identifier = "demodb" @@ -37,8 +37,8 @@ module "db" { # Enhanced Monitoring - see example for details on how to create the role # by yourself, in case you don't want to create it automatically - monitoring_interval = "30" - monitoring_role_name = "MyRDSMonitoringRole" + monitoring_interval = "30" + monitoring_role_name = "MyRDSMonitoringRole" create_monitoring_role = true tags = { @@ -61,11 +61,11 @@ module "db" { parameters = [ { - name = "character_set_client" + name = "character_set_client" value = "utf8mb4" }, { - name = "character_set_server" + name = "character_set_server" value = "utf8mb4" } ] 
@@ -201,8 +201,7 @@ Users have the ability to: ## Notes 1. This module does not create RDS security group. Use [terraform-aws-security-group](https://github.com/terraform-aws-modules/terraform-aws-security-group) module for this. -2. By default, the variable `create_random_password` is set to true. Therefore, even if the user provides a password, it will not be read. The `create_random_password` variable should be set to false and the `password` variable should have a non-null value to be read and used. -3. For an RDS instance with `storage_type` using `gp3`, be aware that `iops` and `storage_throughput` cannot be specified if the `allocated_storage` value is below a per-`engine` threshold. See the [RDS User Guide](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#gp3-storage) for details. +2. For an RDS instance with `storage_type` using `gp3`, be aware that `iops` and `storage_throughput` cannot be specified if the `allocated_storage` value is below a per-`engine` threshold. See the [RDS User Guide](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html#gp3-storage) for details. ## Requirements @@ -210,14 +209,11 @@ Users have the ability to: | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | -| [random](#requirement\_random) | >= 3.1 | +| [aws](#requirement\_aws) | >= 5.0 | ## Providers -| Name | Version | -|------|---------| -| [random](#provider\_random) | >= 3.1 | +No providers. ## Modules @@ -230,9 +226,7 @@ Users have the ability to: ## Resources -| Name | Type | -|------|------| -| [random_password.master_password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | +No resources. ## Inputs 
@@ -257,7 +251,6 @@ Users have the ability to: | [create\_db\_parameter\_group](#input\_create\_db\_parameter\_group) | Whether to create a database parameter group | `bool` | `true` | no | | [create\_db\_subnet\_group](#input\_create\_db\_subnet\_group) | Whether to create a database subnet group | `bool` | `false` | no | | [create\_monitoring\_role](#input\_create\_monitoring\_role) | Create IAM role with a defined name that permits RDS to send enhanced monitoring metrics to CloudWatch Logs | `bool` | `false` | no | -| [create\_random\_password](#input\_create\_random\_password) | Whether to create random password for RDS primary cluster | `bool` | `true` | no | | [custom\_iam\_instance\_profile](#input\_custom\_iam\_instance\_profile) | RDS custom iam instance profile | `string` | `null` | no | | [db\_instance\_tags](#input\_db\_instance\_tags) | Additional tags for the DB instance | `map(string)` | `{}` | no | | [db\_name](#input\_db\_name) | The DB name to create. If omitted, no database is created initially | `string` | `null` | no | 
@@ -285,6 +278,8 @@ Users have the ability to: | [license\_model](#input\_license\_model) | License model information for this DB instance. Optional, but required for some DB engines, i.e. Oracle SE1 | `string` | `null` | no | | [maintenance\_window](#input\_maintenance\_window) | The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00' | `string` | `null` | no | | [major\_engine\_version](#input\_major\_engine\_version) | Specifies the major version of the engine that this option group should be associated with | `string` | `null` | no | +| [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager | `bool` | `true` | no | +| [master\_user\_secret\_kms\_key\_id](#input\_master\_user\_secret\_kms\_key\_id) | The key ARN, key ID, alias ARN or alias name for the KMS key to encrypt the master user password secret in Secrets Manager.
If not specified, the default KMS key for your Amazon Web Services account is used. | `string` | `null` | no | | [max\_allocated\_storage](#input\_max\_allocated\_storage) | Specifies the value for Storage Autoscaling | `number` | `0` | no | | [monitoring\_interval](#input\_monitoring\_interval) | The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60 | `number` | `0` | no | | [monitoring\_role\_arn](#input\_monitoring\_role\_arn) | The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Must be specified if monitoring\_interval is non-zero | `string` | `null` | no | @@ -304,14 +299,13 @@ Users have the ability to: | [parameter\_group\_name](#input\_parameter\_group\_name) | Name of the DB parameter group to associate or create | `string` | `null` | no | | [parameter\_group\_use\_name\_prefix](#input\_parameter\_group\_use\_name\_prefix) | Determines whether to use `parameter_group_name` as is or create a unique name beginning with the `parameter_group_name` as the prefix | `bool` | `true` | no | | [parameters](#input\_parameters) | A list of DB parameters (map) to apply | `list(map(string))` | `[]` | no | -| [password](#input\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file.
The password provided will not be used if the variable create\_random\_password is set to true. | `string` | `null` | no | +| [password](#input\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file.
The password provided will not be used if `manage_master_user_password` is set to true. | `string` | `null` | no | | [performance\_insights\_enabled](#input\_performance\_insights\_enabled) | Specifies whether Performance Insights are enabled | `bool` | `false` | no | | [performance\_insights\_kms\_key\_id](#input\_performance\_insights\_kms\_key\_id) | The ARN for the KMS key to encrypt Performance Insights data | `string` | `null` | no | | [performance\_insights\_retention\_period](#input\_performance\_insights\_retention\_period) | The amount of time in days to retain Performance Insights data. Valid values are `7`, `731` (2 years) or a multiple of `31` | `number` | `7` | no | | [port](#input\_port) | The port on which the DB accepts connections | `string` | `null` | no | | [publicly\_accessible](#input\_publicly\_accessible) | Bool to control if instance is publicly accessible | `bool` | `false` | no | | [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no | -| [random\_password\_length](#input\_random\_password\_length) | Length of random password to create | `number` | `16` | no | | [replica\_mode](#input\_replica\_mode) | Specifies whether the replica is in either mounted or open-read-only mode. This attribute is only supported by Oracle instances. Oracle replicas operate in open-read-only mode unless otherwise specified | `string` | `null` | no | | [replicate\_source\_db](#input\_replicate\_source\_db) | Specifies that this resource is a Replicate database, and to use this value as the source database. This correlates to the identifier of another Amazon RDS Database to replicate | `string` | `null` | no | | [restore\_to\_point\_in\_time](#input\_restore\_to\_point\_in\_time) | Restore to a point in time (MySQL is NOT supported) | `map(string)` | `null` | no | 
@@ -338,14 +332,13 @@ Users have the ability to: | [db\_instance\_ca\_cert\_identifier](#output\_db\_instance\_ca\_cert\_identifier) | Specifies the identifier of the CA certificate for the DB instance | | [db\_instance\_cloudwatch\_log\_groups](#output\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes | | [db\_instance\_domain](#output\_db\_instance\_domain) | The ID of the Directory Service Active Directory domain the instance is joined to | -| [db\_instance\_domain\_iam\_role\_name](#output\_db\_instance\_domain\_iam\_role\_name) | The name of the IAM role to be used when making API calls to the Directory Service. | +| [db\_instance\_domain\_iam\_role\_name](#output\_db\_instance\_domain\_iam\_role\_name) | The name of the IAM role to be used when making API calls to the Directory Service | | [db\_instance\_endpoint](#output\_db\_instance\_endpoint) | The connection endpoint | | [db\_instance\_engine](#output\_db\_instance\_engine) | The database engine | | [db\_instance\_engine\_version\_actual](#output\_db\_instance\_engine\_version\_actual) | The running version of the database | | [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [db\_instance\_id](#output\_db\_instance\_id) | The RDS instance ID | +| [db\_instance\_identifier](#output\_db\_instance\_identifier) | The RDS instance identifier | | [db\_instance\_name](#output\_db\_instance\_name) | The database name | -| [db\_instance\_password](#output\_db\_instance\_password) | The database password (this password may be old, because Terraform doesn't track it after initial creation) | | [db\_instance\_port](#output\_db\_instance\_port) | The database port | | [db\_instance\_resource\_id](#output\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | | [db\_instance\_status](#output\_db\_instance\_status) | The RDS instance 
status | diff --git a/examples/complete-mssql/README.md b/examples/complete-mssql/README.md index a134c097..1cefe6b5 100644 --- a/examples/complete-mssql/README.md +++ b/examples/complete-mssql/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | +| [aws](#requirement\_aws) | >= 5.00 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.65 | +| [aws](#provider\_aws) | >= 5.00 | ## Modules @@ -35,8 +35,8 @@ Note that this example may create resources which cost money. Run `terraform des | [db](#module\_db) | ../../ | n/a | | [db\_automated\_backups\_replication](#module\_db\_automated\_backups\_replication) | ../../modules/db_instance_automated_backups_replication | n/a | | [db\_disabled](#module\_db\_disabled) | ../../ | n/a | -| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 4.0 | +| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | ## Resources 
@@ -67,9 +67,8 @@ No inputs. | [db\_instance\_engine](#output\_db\_instance\_engine) | The database engine | | [db\_instance\_engine\_version\_actual](#output\_db\_instance\_engine\_version\_actual) | The running version of the database | | [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [db\_instance\_id](#output\_db\_instance\_id) | The RDS instance ID | +| [db\_instance\_identifier](#output\_db\_instance\_identifier) | The RDS instance identifier | | [db\_instance\_name](#output\_db\_instance\_name) | The database name | -| [db\_instance\_password](#output\_db\_instance\_password) | The database password (this password may be old, because Terraform doesn't track it after initial creation) | | [db\_instance\_port](#output\_db\_instance\_port) | The database port | | [db\_instance\_resource\_id](#output\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | | [db\_instance\_status](#output\_db\_instance\_status) | The RDS instance status | diff --git a/examples/complete-mssql/main.tf b/examples/complete-mssql/main.tf index 662c85af..3f7bf5cf 100644 --- a/examples/complete-mssql/main.tf +++ b/examples/complete-mssql/main.tf @@ -160,7 +160,7 @@ resource "aws_directory_service_directory" "demo" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name cidr = local.vpc_cidr @@ -177,7 +177,7 @@ module "vpc" { module "security_group" { source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name description = "Complete SqlServer example security group" diff --git a/examples/complete-mssql/outputs.tf b/examples/complete-mssql/outputs.tf index 5a7a86b5..f1bfb27f 100644 --- a/examples/complete-mssql/outputs.tf +++ b/examples/complete-mssql/outputs.tf 
@@ -33,9 +33,9 @@ output "db_instance_hosted_zone_id" { value = module.db.db_instance_hosted_zone_id } -output "db_instance_id" { - description = "The RDS instance ID" - value = module.db.db_instance_id +output "db_instance_identifier" { + description = "The RDS instance identifier" + value = module.db.db_instance_identifier } output "db_instance_resource_id" { @@ -59,12 +59,6 @@ output "db_instance_username" { sensitive = true } -output "db_instance_password" { - description = "The database password (this password may be old, because Terraform doesn't track it after initial creation)" - value = module.db.db_instance_password - sensitive = true -} - output "db_instance_port" { description = "The database port" value = module.db.db_instance_port diff --git a/examples/complete-mssql/versions.tf b/examples/complete-mssql/versions.tf index acd6016f..95708b63 100644 --- a/examples/complete-mssql/versions.tf +++ b/examples/complete-mssql/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.65" + version = ">= 5.00" } } } diff --git a/examples/complete-mysql/README.md b/examples/complete-mysql/README.md index dd0f1a8c..18119c14 100644 --- a/examples/complete-mysql/README.md +++ b/examples/complete-mysql/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | +| [aws](#requirement\_aws) | >= 5.00 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.65 | +| [aws](#provider\_aws) | >= 5.00 | ## Modules 
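Review bot: Removing `db_instance_password` leaves this example with no output pointing at the master credential at all, even though the module now defaults to `manage_master_user_password = true` (per the root README hunk) and the credential lives in a Secrets Manager secret that RDS owns. An output along the lines of `output "db_instance_master_user_secret_arn" { description = "ARN of the master user secret (only set when manage_master_user_password is true)"` / `value = module.db.db_instance_master_user_secret_arn }` would let users of the example locate the secret without exposing secret material, so unlike the removed output it needs no `sensitive = true`; this assumes the root module exposes such an output (modules/db_instance/outputs.tf is in the diffstat but its hunk is outside this chunk). The same gap applies to the complete-mysql and complete-oracle outputs.tf hunks, including the `db_default_instance_*` outputs in complete-mysql.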
@@ -35,8 +35,8 @@ Note that this example may create resources which cost money. Run `terraform des | [db](#module\_db) | ../../ | n/a | | [db\_default](#module\_db\_default) | ../../ | n/a | | [db\_disabled](#module\_db\_disabled) | ../../ | n/a | -| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 4.0 | +| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | ## Resources @@ -60,9 +60,8 @@ No inputs. | [db\_default\_instance\_engine](#output\_db\_default\_instance\_engine) | The database engine | | [db\_default\_instance\_engine\_version](#output\_db\_default\_instance\_engine\_version) | The running version of the database | | [db\_default\_instance\_hosted\_zone\_id](#output\_db\_default\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [db\_default\_instance\_id](#output\_db\_default\_instance\_id) | The RDS instance ID | +| [db\_default\_instance\_identifier](#output\_db\_default\_instance\_identifier) | The RDS instance identifier | | [db\_default\_instance\_name](#output\_db\_default\_instance\_name) | The database name | -| [db\_default\_instance\_password](#output\_db\_default\_instance\_password) | The database password (this password may be old, because Terraform doesn't track it after initial creation) | | [db\_default\_instance\_port](#output\_db\_default\_instance\_port) | The database port | | [db\_default\_instance\_resource\_id](#output\_db\_default\_instance\_resource\_id) | The RDS Resource ID of this instance | | [db\_default\_instance\_status](#output\_db\_default\_instance\_status) | The RDS instance status | 
@@ -80,9 +79,8 @@ No inputs. | [db\_instance\_engine](#output\_db\_instance\_engine) | The database engine | | [db\_instance\_engine\_version\_actual](#output\_db\_instance\_engine\_version\_actual) | The running version of the database | | [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [db\_instance\_id](#output\_db\_instance\_id) | The RDS instance ID | +| [db\_instance\_identifier](#output\_db\_instance\_identifier) | The RDS instance identifier | | [db\_instance\_name](#output\_db\_instance\_name) | The database name | -| [db\_instance\_password](#output\_db\_instance\_password) | The database password (this password may be old, because Terraform doesn't track it after initial creation) | | [db\_instance\_port](#output\_db\_instance\_port) | The database port | | [db\_instance\_resource\_id](#output\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | | [db\_instance\_status](#output\_db\_instance\_status) | The RDS instance status | diff --git a/examples/complete-mysql/main.tf b/examples/complete-mysql/main.tf index cfa086e0..2d2a86d3 100644 --- a/examples/complete-mysql/main.tf +++ b/examples/complete-mysql/main.tf @@ -135,7 +135,7 @@ module "db_disabled" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name cidr = local.vpc_cidr @@ -152,7 +152,7 @@ module "vpc" { module "security_group" { source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name description = "Complete MySQL example security group" diff --git a/examples/complete-mysql/outputs.tf b/examples/complete-mysql/outputs.tf index 902b1ae3..29b44a95 100644 --- a/examples/complete-mysql/outputs.tf +++ b/examples/complete-mysql/outputs.tf 
@@ -33,9 +33,9 @@ output "db_instance_hosted_zone_id" { value = module.db.db_instance_hosted_zone_id } -output "db_instance_id" { - description = "The RDS instance ID" - value = module.db.db_instance_id +output "db_instance_identifier" { + description = "The RDS instance identifier" + value = module.db.db_instance_identifier } output "db_instance_resource_id" { @@ -59,12 +59,6 @@ output "db_instance_username" { sensitive = true } -output "db_instance_password" { - description = "The database password (this password may be old, because Terraform doesn't track it after initial creation)" - value = module.db.db_instance_password - sensitive = true -} - output "db_instance_port" { description = "The database port" value = module.db.db_instance_port @@ -136,9 +130,9 @@ output "db_default_instance_hosted_zone_id" { value = module.db_default.db_instance_hosted_zone_id } -output "db_default_instance_id" { - description = "The RDS instance ID" - value = module.db_default.db_instance_id +output "db_default_instance_identifier" { + description = "The RDS instance identifier" + value = module.db_default.db_instance_identifier } output "db_default_instance_resource_id" { @@ -162,12 +156,6 @@ output "db_default_instance_username" { sensitive = true } -output "db_default_instance_password" { - description = "The database password (this password may be old, because Terraform doesn't track it after initial creation)" - value = module.db_default.db_instance_password - sensitive = true -} - output "db_default_instance_port" { description = "The database port" value = module.db_default.db_instance_port diff --git a/examples/complete-mysql/versions.tf b/examples/complete-mysql/versions.tf index acd6016f..95708b63 100644 --- a/examples/complete-mysql/versions.tf +++ b/examples/complete-mysql/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.65" + version = ">= 5.00" } } } 
diff --git a/examples/complete-oracle/README.md b/examples/complete-oracle/README.md index f695a9f3..558d62ed 100644 --- a/examples/complete-oracle/README.md +++ b/examples/complete-oracle/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | +| [aws](#requirement\_aws) | >= 5.00 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.65 | +| [aws](#provider\_aws) | >= 5.00 | ## Modules @@ -36,8 +36,8 @@ Note that this example may create resources which cost money. Run `terraform des | [db\_automated\_backups\_replication](#module\_db\_automated\_backups\_replication) | ../../modules/db_instance_automated_backups_replication | n/a | | [db\_disabled](#module\_db\_disabled) | ../../ | n/a | | [kms](#module\_kms) | terraform-aws-modules/kms/aws | ~> 1.0 | -| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 4.0 | +| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | ## Resources 
@@ -62,9 +62,8 @@ No inputs. | [db\_instance\_engine](#output\_db\_instance\_engine) | The database engine | | [db\_instance\_engine\_version\_actual](#output\_db\_instance\_engine\_version\_actual) | The running version of the database | | [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [db\_instance\_id](#output\_db\_instance\_id) | The RDS instance ID | +| [db\_instance\_identifier](#output\_db\_instance\_identifier) | The RDS instance identifier | | [db\_instance\_name](#output\_db\_instance\_name) | The database name | -| [db\_instance\_password](#output\_db\_instance\_password) | The database password (this password may be old, because Terraform doesn't track it after initial creation) | | [db\_instance\_port](#output\_db\_instance\_port) | The database port | | [db\_instance\_resource\_id](#output\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | | [db\_instance\_status](#output\_db\_instance\_status) | The RDS instance status | diff --git a/examples/complete-oracle/main.tf b/examples/complete-oracle/main.tf index 61176444..8a995984 100644 --- a/examples/complete-oracle/main.tf +++ b/examples/complete-oracle/main.tf @@ -123,7 +123,7 @@ module "db_automated_backups_replication" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name cidr = local.vpc_cidr @@ -140,7 +140,7 @@ module "vpc" { module "security_group" { source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name description = "Complete Oracle example security group" diff --git a/examples/complete-oracle/outputs.tf b/examples/complete-oracle/outputs.tf index 8b50089d..dd8b5128 100644 --- a/examples/complete-oracle/outputs.tf +++ b/examples/complete-oracle/outputs.tf 
@@ -33,9 +33,9 @@ output "db_instance_hosted_zone_id" { value = module.db.db_instance_hosted_zone_id } -output "db_instance_id" { - description = "The RDS instance ID" - value = module.db.db_instance_id +output "db_instance_identifier" { + description = "The RDS instance identifier" + value = module.db.db_instance_identifier } output "db_instance_resource_id" { @@ -59,12 +59,6 @@ output "db_instance_username" { sensitive = true } -output "db_instance_password" { - description = "The database password (this password may be old, because Terraform doesn't track it after initial creation)" - value = module.db.db_instance_password - sensitive = true -} - output "db_instance_port" { description = "The database port" value = module.db.db_instance_port diff --git a/examples/complete-oracle/versions.tf b/examples/complete-oracle/versions.tf index acd6016f..95708b63 100644 --- a/examples/complete-oracle/versions.tf +++ b/examples/complete-oracle/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.65" + version = ">= 5.00" } } } diff --git a/examples/complete-postgres/README.md b/examples/complete-postgres/README.md index 0d15b045..c2794417 100644 --- a/examples/complete-postgres/README.md +++ b/examples/complete-postgres/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | +| [aws](#requirement\_aws) | >= 5.00 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.65 | +| [aws](#provider\_aws) | >= 5.00 | ## Modules 
@@ -37,8 +37,8 @@ Note that this example may create resources which cost money. Run `terraform des | [db\_default](#module\_db\_default) | ../../ | n/a | | [db\_disabled](#module\_db\_disabled) | ../../ | n/a | | [kms](#module\_kms) | terraform-aws-modules/kms/aws | ~> 1.0 | -| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 4.0 | +| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | ## Resources @@ -63,9 +63,8 @@ No inputs. | [db\_default\_instance\_engine](#output\_db\_default\_instance\_engine) | The database engine | | [db\_default\_instance\_engine\_version](#output\_db\_default\_instance\_engine\_version) | The running version of the database | | [db\_default\_instance\_hosted\_zone\_id](#output\_db\_default\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [db\_default\_instance\_id](#output\_db\_default\_instance\_id) | The RDS instance ID | +| [db\_default\_instance\_identifier](#output\_db\_default\_instance\_identifier) | The RDS instance identifier | | [db\_default\_instance\_name](#output\_db\_default\_instance\_name) | The database name | -| [db\_default\_instance\_password](#output\_db\_default\_instance\_password) | The database password (this password may be old, because Terraform doesn't track it after initial creation) | | [db\_default\_instance\_port](#output\_db\_default\_instance\_port) | The database port | | [db\_default\_instance\_resource\_id](#output\_db\_default\_instance\_resource\_id) | The RDS Resource ID of this instance | | [db\_default\_instance\_status](#output\_db\_default\_instance\_status) | The RDS instance status | 
@@ -83,9 +82,8 @@ No inputs. | [db\_instance\_engine](#output\_db\_instance\_engine) | The database engine | | [db\_instance\_engine\_version\_actual](#output\_db\_instance\_engine\_version\_actual) | The running version of the database | | [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [db\_instance\_id](#output\_db\_instance\_id) | The RDS instance ID | +| [db\_instance\_identifier](#output\_db\_instance\_identifier) | The RDS instance identifier | | [db\_instance\_name](#output\_db\_instance\_name) | The database name | -| [db\_instance\_password](#output\_db\_instance\_password) | The database password (this password may be old, because Terraform doesn't track it after initial creation) | | [db\_instance\_port](#output\_db\_instance\_port) | The database port | | [db\_instance\_resource\_id](#output\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | | [db\_instance\_status](#output\_db\_instance\_status) | The RDS instance status | diff --git a/examples/complete-postgres/main.tf b/examples/complete-postgres/main.tf index 282613b5..8e9967ca 100644 --- a/examples/complete-postgres/main.tf +++ b/examples/complete-postgres/main.tf @@ -176,7 +176,7 @@ module "db_automated_backups_replication" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name cidr = local.vpc_cidr @@ -193,7 +193,7 @@ module "vpc" { module "security_group" { source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name description = "Complete PostgreSQL example security group" diff --git a/examples/complete-postgres/outputs.tf b/examples/complete-postgres/outputs.tf index a12bbb35..49ee6e4b 100644 --- a/examples/complete-postgres/outputs.tf +++ b/examples/complete-postgres/outputs.tf 
@@ -33,9 +33,9 @@ output "db_instance_hosted_zone_id" { value = module.db.db_instance_hosted_zone_id } -output "db_instance_id" { - description = "The RDS instance ID" - value = module.db.db_instance_id +output "db_instance_identifier" { + description = "The RDS instance identifier" + value = module.db.db_instance_identifier } output "db_instance_resource_id" { @@ -59,12 +59,6 @@ output "db_instance_username" { sensitive = true } -output "db_instance_password" { - description = "The database password (this password may be old, because Terraform doesn't track it after initial creation)" - value = module.db.db_instance_password - sensitive = true -} - output "db_instance_port" { description = "The database port" value = module.db.db_instance_port @@ -136,9 +130,9 @@ output "db_default_instance_hosted_zone_id" { value = module.db_default.db_instance_hosted_zone_id } -output "db_default_instance_id" { - description = "The RDS instance ID" - value = module.db_default.db_instance_id +output "db_default_instance_identifier" { + description = "The RDS instance identifier" + value = module.db_default.db_instance_identifier } output "db_default_instance_resource_id" { @@ -162,12 +156,6 @@ output "db_default_instance_username" { sensitive = true } -output "db_default_instance_password" { - description = "The database password (this password may be old, because Terraform doesn't track it after initial creation)" - value = module.db_default.db_instance_password - sensitive = true -} - output "db_default_instance_port" { description = "The database port" value = module.db_default.db_instance_port diff --git a/examples/complete-postgres/versions.tf b/examples/complete-postgres/versions.tf index acd6016f..95708b63 100644 --- a/examples/complete-postgres/versions.tf +++ b/examples/complete-postgres/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.65" + version = ">= 5.00" } } } 
diff --git a/examples/cross-region-replica-postgres/README.md b/examples/cross-region-replica-postgres/README.md index 788ca770..2ad9ffc9 100644 --- a/examples/cross-region-replica-postgres/README.md +++ b/examples/cross-region-replica-postgres/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | +| [aws](#requirement\_aws) | >= 5.00 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.65 | +| [aws](#provider\_aws) | >= 5.00 | ## Modules @@ -35,10 +35,10 @@ Note that this example may create resources which cost money. Run `terraform des | [kms](#module\_kms) | terraform-aws-modules/kms/aws | ~> 1.0 | | [master](#module\_master) | ../../ | n/a | | [replica](#module\_replica) | ../../ | n/a | -| [security\_group\_region1](#module\_security\_group\_region1) | terraform-aws-modules/security-group/aws | ~> 4.0 | -| [security\_group\_region2](#module\_security\_group\_region2) | terraform-aws-modules/security-group/aws | ~> 4.0 | -| [vpc\_region1](#module\_vpc\_region1) | terraform-aws-modules/vpc/aws | ~> 4.0 | -| [vpc\_region2](#module\_vpc\_region2) | terraform-aws-modules/vpc/aws | ~> 4.0 | +| [security\_group\_region1](#module\_security\_group\_region1) | terraform-aws-modules/security-group/aws | ~> 5.0 | +| [security\_group\_region2](#module\_security\_group\_region2) | terraform-aws-modules/security-group/aws | ~> 5.0 | +| [vpc\_region1](#module\_vpc\_region1) | terraform-aws-modules/vpc/aws | ~> 5.0 | +| [vpc\_region2](#module\_vpc\_region2) | terraform-aws-modules/vpc/aws | ~> 5.0 | ## Resources 
@@ -62,9 +62,8 @@ No inputs. | [master\_db\_instance\_engine](#output\_master\_db\_instance\_engine) | The database engine | | [master\_db\_instance\_engine\_version\_actual](#output\_master\_db\_instance\_engine\_version\_actual) | The running version of the database | | [master\_db\_instance\_hosted\_zone\_id](#output\_master\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [master\_db\_instance\_id](#output\_master\_db\_instance\_id) | The RDS instance ID | +| [master\_db\_instance\_identifier](#output\_master\_db\_instance\_identifier) | The RDS instance identifier | | [master\_db\_instance\_name](#output\_master\_db\_instance\_name) | The database name | -| [master\_db\_instance\_password](#output\_master\_db\_instance\_password) | The database password (this password may be old, because Terraform doesn't track it after initial creation) | | [master\_db\_instance\_port](#output\_master\_db\_instance\_port) | The database port | | [master\_db\_instance\_resource\_id](#output\_master\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | | [master\_db\_instance\_status](#output\_master\_db\_instance\_status) | The RDS instance status | 
@@ -79,7 +78,7 @@ No inputs. | [replica\_db\_instance\_engine](#output\_replica\_db\_instance\_engine) | The database engine | | [replica\_db\_instance\_engine\_version\_actual](#output\_replica\_db\_instance\_engine\_version\_actual) | The running version of the database | | [replica\_db\_instance\_hosted\_zone\_id](#output\_replica\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [replica\_db\_instance\_id](#output\_replica\_db\_instance\_id) | The RDS instance ID | +| [replica\_db\_instance\_identifier](#output\_replica\_db\_instance\_identifier) | The RDS instance identifier | | [replica\_db\_instance\_name](#output\_replica\_db\_instance\_name) | The database name | | [replica\_db\_instance\_port](#output\_replica\_db\_instance\_port) | The database port | | [replica\_db\_instance\_resource\_id](#output\_replica\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | diff --git a/examples/cross-region-replica-postgres/main.tf b/examples/cross-region-replica-postgres/main.tf index fb1eeb69..1d8bb265 100644 --- a/examples/cross-region-replica-postgres/main.tf +++ b/examples/cross-region-replica-postgres/main.tf @@ -100,8 +100,7 @@ module "replica" { identifier = "${local.name}-replica" # Source database. For cross-region use db_instance_arn - replicate_source_db = module.master.db_instance_arn - create_random_password = false + replicate_source_db = module.master.db_instance_arn engine = local.engine engine_version = local.engine_version 
@@ -113,10 +112,12 @@ module "replica" { allocated_storage = local.allocated_storage max_allocated_storage = local.max_allocated_storage + password = "UberSecretPassword" + # Not supported with replicas + manage_master_user_password = false + # Username and password should not be set for replicas - username = null - password = null - port = local.port + port = local.port multi_az = false vpc_security_group_ids = [module.security_group_region2.security_group_id] @@ -141,7 +142,7 @@ module "replica" { module "vpc_region1" { source = "terraform-aws-modules/vpc/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name cidr = "10.100.0.0/18" @@ -158,7 +159,7 @@ module "vpc_region1" { module "security_group_region1" { source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name description = "Replica PostgreSQL example security group" @@ -180,7 +181,7 @@ module "security_group_region1" { module "vpc_region2" { source = "terraform-aws-modules/vpc/aws" - version = "~> 4.0" + version = "~> 5.0" providers = { aws = aws.region2 @@ -201,7 +202,7 @@ module "vpc_region2" { module "security_group_region2" { source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + version = "~> 5.0" providers = { aws = aws.region2 diff --git a/examples/cross-region-replica-postgres/outputs.tf b/examples/cross-region-replica-postgres/outputs.tf index 9dfb3e24..70109257 100644 --- a/examples/cross-region-replica-postgres/outputs.tf +++ b/examples/cross-region-replica-postgres/outputs.tf @@ -34,9 +34,9 @@ output "master_db_instance_hosted_zone_id" { value = module.master.db_instance_hosted_zone_id } -output "master_db_instance_id" { - description = "The RDS instance ID" - value = module.master.db_instance_id +output "master_db_instance_identifier" { + description = "The RDS instance identifier" + value = module.master.db_instance_identifier } output "master_db_instance_resource_id" { 
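Review bot: The added `password = "UberSecretPassword"` on the replica sits two lines above the surviving context comment `# Username and password should not be set for replicas`, so the hunk now contradicts its own guidance, and the literal is a secret committed to source that anyone copying the example will deploy and that will also be written in plain text to Terraform state. If the replica really needs a password because `manage_master_user_password` is unsupported there, take it from a variable marked `sensitive = true` instead of a literal, and rewrite the stale comment, e.g. `# Replicas cannot use manage_master_user_password; the password is presumably expected to match the source instance — confirm`. The same literal password is added in examples/replica-mysql/main.tf and examples/replica-postgres/main.tf, so the fix should be applied in all three. The enclosing `module "replica"` block starts and ends outside this hunk.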
@@ -60,12 +60,6 @@ output "master_db_instance_username" { sensitive = true } -output "master_db_instance_password" { - description = "The database password (this password may be old, because Terraform doesn't track it after initial creation)" - value = module.master.db_instance_password - sensitive = true -} - output "master_db_instance_port" { description = "The database port" value = module.master.db_instance_port @@ -122,9 +116,9 @@ output "replica_db_instance_hosted_zone_id" { value = module.replica.db_instance_hosted_zone_id } -output "replica_db_instance_id" { - description = "The RDS instance ID" - value = module.replica.db_instance_id +output "replica_db_instance_identifier" { + description = "The RDS instance identifier" + value = module.replica.db_instance_identifier } output "replica_db_instance_resource_id" { diff --git a/examples/cross-region-replica-postgres/versions.tf b/examples/cross-region-replica-postgres/versions.tf index acd6016f..95708b63 100644 --- a/examples/cross-region-replica-postgres/versions.tf +++ b/examples/cross-region-replica-postgres/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.65" + version = ">= 5.00" } } } diff --git a/examples/enhanced-monitoring/README.md b/examples/enhanced-monitoring/README.md index 75255efc..811356d6 100644 --- a/examples/enhanced-monitoring/README.md +++ b/examples/enhanced-monitoring/README.md 
@@ -22,21 +22,21 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | +| [aws](#requirement\_aws) | >= 5.00 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.65 | +| [aws](#provider\_aws) | >= 5.00 | ## Modules | Name | Source | Version | |------|--------|---------| | [db](#module\_db) | ../../ | n/a | -| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 4.0 | +| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | ## Resources @@ -63,9 +63,8 @@ No inputs. | [db\_instance\_engine](#output\_db\_instance\_engine) | The database engine | | [db\_instance\_engine\_version\_actual](#output\_db\_instance\_engine\_version\_actual) | The running version of the database | | [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [db\_instance\_id](#output\_db\_instance\_id) | The RDS instance ID | +| [db\_instance\_identifier](#output\_db\_instance\_identifier) | The RDS instance identifier | | [db\_instance\_name](#output\_db\_instance\_name) | The database name | -| [db\_instance\_password](#output\_db\_instance\_password) | The database password (this password may be old, because Terraform doesn't track it after initial creation) | | [db\_instance\_port](#output\_db\_instance\_port) | The database port | | [db\_instance\_resource\_id](#output\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | | [db\_instance\_status](#output\_db\_instance\_status) | The RDS instance status | 
diff --git a/examples/enhanced-monitoring/main.tf b/examples/enhanced-monitoring/main.tf index 38f7b30e..3cdfb51d 100644 --- a/examples/enhanced-monitoring/main.tf +++ b/examples/enhanced-monitoring/main.tf @@ -99,7 +99,7 @@ data "aws_iam_policy_document" "rds_enhanced_monitoring" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name cidr = local.vpc_cidr @@ -116,7 +116,7 @@ module "vpc" { module "security_group" { source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name description = "Enhanced monitoring MySQL example security group" diff --git a/examples/enhanced-monitoring/outputs.tf b/examples/enhanced-monitoring/outputs.tf index 8b50089d..dd8b5128 100644 --- a/examples/enhanced-monitoring/outputs.tf +++ b/examples/enhanced-monitoring/outputs.tf @@ -33,9 +33,9 @@ output "db_instance_hosted_zone_id" { value = module.db.db_instance_hosted_zone_id } -output "db_instance_id" { - description = "The RDS instance ID" - value = module.db.db_instance_id +output "db_instance_identifier" { + description = "The RDS instance identifier" + value = module.db.db_instance_identifier } output "db_instance_resource_id" { @@ -59,12 +59,6 @@ output "db_instance_username" { sensitive = true } -output "db_instance_password" { - description = "The database password (this password may be old, because Terraform doesn't track it after initial creation)" - value = module.db.db_instance_password - sensitive = true -} - output "db_instance_port" { description = "The database port" value = module.db.db_instance_port diff --git a/examples/enhanced-monitoring/versions.tf b/examples/enhanced-monitoring/versions.tf index acd6016f..95708b63 100644 --- a/examples/enhanced-monitoring/versions.tf +++ b/examples/enhanced-monitoring/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.65" + version = ">= 5.00" } } } 
diff --git a/examples/groups/README.md b/examples/groups/README.md index b50cdee7..39842f06 100644 --- a/examples/groups/README.md +++ b/examples/groups/README.md @@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | +| [aws](#requirement\_aws) | >= 5.00 | ## Providers diff --git a/examples/groups/versions.tf b/examples/groups/versions.tf index acd6016f..95708b63 100644 --- a/examples/groups/versions.tf +++ b/examples/groups/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.65" + version = ">= 5.00" } } } diff --git a/examples/replica-mysql/README.md b/examples/replica-mysql/README.md index 84560f17..c2032966 100644 --- a/examples/replica-mysql/README.md +++ b/examples/replica-mysql/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | +| [aws](#requirement\_aws) | >= 5.00 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.65 | +| [aws](#provider\_aws) | >= 5.00 | ## Modules @@ -34,8 +34,8 @@ Note that this example may create resources which cost money. Run `terraform des |------|--------|---------| | [master](#module\_master) | ../../ | n/a | | [replica](#module\_replica) | ../../ | n/a | -| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 4.0 | +| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | ## Resources 
@@ -59,9 +59,8 @@ No inputs. | [master\_db\_instance\_engine](#output\_master\_db\_instance\_engine) | The database engine | | [master\_db\_instance\_engine\_version\_actual](#output\_master\_db\_instance\_engine\_version\_actual) | The running version of the database | | [master\_db\_instance\_hosted\_zone\_id](#output\_master\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [master\_db\_instance\_id](#output\_master\_db\_instance\_id) | The RDS instance ID | +| [master\_db\_instance\_identifier](#output\_master\_db\_instance\_identifier) | The RDS instance identifier | | [master\_db\_instance\_name](#output\_master\_db\_instance\_name) | The database name | -| [master\_db\_instance\_password](#output\_master\_db\_instance\_password) | The database password (this password may be old, because Terraform doesn't track it after initial creation) | | [master\_db\_instance\_port](#output\_master\_db\_instance\_port) | The database port | | [master\_db\_instance\_resource\_id](#output\_master\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | | [master\_db\_instance\_status](#output\_master\_db\_instance\_status) | The RDS instance status | 
@@ -76,7 +75,7 @@ No inputs. | [replica\_db\_instance\_engine](#output\_replica\_db\_instance\_engine) | The database engine | | [replica\_db\_instance\_engine\_version\_actual](#output\_replica\_db\_instance\_engine\_version\_actual) | The running version of the database | | [replica\_db\_instance\_hosted\_zone\_id](#output\_replica\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [replica\_db\_instance\_id](#output\_replica\_db\_instance\_id) | The RDS instance ID | +| [replica\_db\_instance\_identifier](#output\_replica\_db\_instance\_identifier) | The RDS instance identifier | | [replica\_db\_instance\_name](#output\_replica\_db\_instance\_name) | The database name | | [replica\_db\_instance\_port](#output\_replica\_db\_instance\_port) | The database port | | [replica\_db\_instance\_resource\_id](#output\_replica\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | diff --git a/examples/replica-mysql/main.tf b/examples/replica-mysql/main.tf index 7c609b56..3c689ac7 100644 --- a/examples/replica-mysql/main.tf +++ b/examples/replica-mysql/main.tf @@ -75,8 +75,7 @@ module "replica" { identifier = "${local.name}-replica" # Source database. For cross-region use db_instance_arn - replicate_source_db = module.master.db_instance_id - create_random_password = false + replicate_source_db = module.master.db_instance_identifier engine = local.engine engine_version = local.engine_version @@ -89,6 +88,10 @@ module "replica" { port = local.port + password = "UberSecretPassword" + # Not supported with replicas + manage_master_user_password = false + multi_az = false vpc_security_group_ids = [module.security_group.security_group_id] @@ -109,7 +112,7 @@ module "replica" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name cidr = local.vpc_cidr 
@@ -126,7 +129,7 @@ module "vpc" { module "security_group" { source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name description = "Replica MySQL example security group" diff --git a/examples/replica-mysql/outputs.tf b/examples/replica-mysql/outputs.tf index 9dfb3e24..70109257 100644 --- a/examples/replica-mysql/outputs.tf +++ b/examples/replica-mysql/outputs.tf @@ -34,9 +34,9 @@ output "master_db_instance_hosted_zone_id" { value = module.master.db_instance_hosted_zone_id } -output "master_db_instance_id" { - description = "The RDS instance ID" - value = module.master.db_instance_id +output "master_db_instance_identifier" { + description = "The RDS instance identifier" + value = module.master.db_instance_identifier } output "master_db_instance_resource_id" { @@ -60,12 +60,6 @@ output "master_db_instance_username" { sensitive = true } -output "master_db_instance_password" { - description = "The database password (this password may be old, because Terraform doesn't track it after initial creation)" - value = module.master.db_instance_password - sensitive = true -} - output "master_db_instance_port" { description = "The database port" value = module.master.db_instance_port @@ -122,9 +116,9 @@ output "replica_db_instance_hosted_zone_id" { value = module.replica.db_instance_hosted_zone_id } -output "replica_db_instance_id" { - description = "The RDS instance ID" - value = module.replica.db_instance_id +output "replica_db_instance_identifier" { + description = "The RDS instance identifier" + value = module.replica.db_instance_identifier } output "replica_db_instance_resource_id" { diff --git a/examples/replica-mysql/versions.tf b/examples/replica-mysql/versions.tf index acd6016f..95708b63 100644 --- a/examples/replica-mysql/versions.tf +++ b/examples/replica-mysql/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.65" + version = ">= 5.00" } } } 
diff --git a/examples/replica-postgres/README.md b/examples/replica-postgres/README.md index d1f5feef..cf47efd6 100644 --- a/examples/replica-postgres/README.md +++ b/examples/replica-postgres/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | +| [aws](#requirement\_aws) | >= 5.00 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.65 | +| [aws](#provider\_aws) | >= 5.00 | ## Modules @@ -34,8 +34,8 @@ Note that this example may create resources which cost money. Run `terraform des |------|--------|---------| | [master](#module\_master) | ../../ | n/a | | [replica](#module\_replica) | ../../ | n/a | -| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 | -| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 4.0 | +| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 | ## Resources 
@@ -59,9 +59,8 @@ No inputs. | [master\_db\_instance\_engine](#output\_master\_db\_instance\_engine) | The database engine | | [master\_db\_instance\_engine\_version\_actual](#output\_master\_db\_instance\_engine\_version\_actual) | The running version of the database | | [master\_db\_instance\_hosted\_zone\_id](#output\_master\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [master\_db\_instance\_id](#output\_master\_db\_instance\_id) | The RDS instance ID | +| [master\_db\_instance\_identifier](#output\_master\_db\_instance\_identifier) | The RDS instance identifier | | [master\_db\_instance\_name](#output\_master\_db\_instance\_name) | The database name | -| [master\_db\_instance\_password](#output\_master\_db\_instance\_password) | The database password (this password may be old, because Terraform doesn't track it after initial creation) | | [master\_db\_instance\_port](#output\_master\_db\_instance\_port) | The database port | | [master\_db\_instance\_resource\_id](#output\_master\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | | [master\_db\_instance\_status](#output\_master\_db\_instance\_status) | The RDS instance status | 
@@ -76,7 +75,7 @@ No inputs. | [replica\_db\_instance\_engine](#output\_replica\_db\_instance\_engine) | The database engine | | [replica\_db\_instance\_engine\_version\_actual](#output\_replica\_db\_instance\_engine\_version\_actual) | The running version of the database | | [replica\_db\_instance\_hosted\_zone\_id](#output\_replica\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [replica\_db\_instance\_id](#output\_replica\_db\_instance\_id) | The RDS instance ID | +| [replica\_db\_instance\_identifier](#output\_replica\_db\_instance\_identifier) | The RDS instance identifier | | [replica\_db\_instance\_name](#output\_replica\_db\_instance\_name) | The database name | | [replica\_db\_instance\_port](#output\_replica\_db\_instance\_port) | The database port | | [replica\_db\_instance\_resource\_id](#output\_replica\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | diff --git a/examples/replica-postgres/main.tf b/examples/replica-postgres/main.tf index fcd55302..28648632 100644 --- a/examples/replica-postgres/main.tf +++ b/examples/replica-postgres/main.tf @@ -49,6 +49,10 @@ module "master" { username = "replica_postgresql" port = local.port + password = "UberSecretPassword" + # Not supported with replicas + manage_master_user_password = false + multi_az = true db_subnet_group_name = module.vpc.database_subnet_group_name vpc_security_group_ids = [module.security_group.security_group_id] @@ -76,8 +80,7 @@ module "replica" { identifier = "${local.name}-replica" # Source database. For cross-region use db_instance_arn - replicate_source_db = module.master.db_instance_id - create_random_password = false + replicate_source_db = module.master.db_instance_identifier engine = local.engine engine_version = local.engine_version 
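Review bot: In the `@@ -49,6 +49,10 @@` hunk the comment `# Not supported with replicas` is attached to `manage_master_user_password = false` inside `module "master"`, which is not a replica, so the comment reads as misplaced; it presumably means that a source instance whose replica is created below cannot use a managed master password, and should say so, e.g. `# Managed master password is disabled here because the replica below is presumed to inherit these credentials — confirm`. The sibling example examples/replica-mysql/main.tf puts the same password/manage_master_user_password pair on the replica module rather than on the master, so the two examples currently disagree on which side sets it. The hardcoded literal password is the same concern already raised for examples/cross-region-replica-postgres/main.tf. The enclosing `module "master"` block starts and ends outside that hunk.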
@@ -111,7 +114,7 @@ module "replica" { module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name cidr = local.vpc_cidr @@ -128,7 +131,7 @@ module "vpc" { module "security_group" { source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name description = "Replica PostgreSQL example security group" diff --git a/examples/replica-postgres/outputs.tf b/examples/replica-postgres/outputs.tf index 9dfb3e24..70109257 100644 --- a/examples/replica-postgres/outputs.tf +++ b/examples/replica-postgres/outputs.tf @@ -34,9 +34,9 @@ output "master_db_instance_hosted_zone_id" { value = module.master.db_instance_hosted_zone_id } -output "master_db_instance_id" { - description = "The RDS instance ID" - value = module.master.db_instance_id +output "master_db_instance_identifier" { + description = "The RDS instance identifier" + value = module.master.db_instance_identifier } output "master_db_instance_resource_id" { @@ -60,12 +60,6 @@ output "master_db_instance_username" { sensitive = true } -output "master_db_instance_password" { - description = "The database password (this password may be old, because Terraform doesn't track it after initial creation)" - value = module.master.db_instance_password - sensitive = true -} - output "master_db_instance_port" { description = "The database port" value = module.master.db_instance_port @@ -122,9 +116,9 @@ output "replica_db_instance_hosted_zone_id" { value = module.replica.db_instance_hosted_zone_id } -output "replica_db_instance_id" { - description = "The RDS instance ID" - value = module.replica.db_instance_id +output "replica_db_instance_identifier" { + description = "The RDS instance identifier" + value = module.replica.db_instance_identifier } output "replica_db_instance_resource_id" { diff --git a/examples/replica-postgres/versions.tf b/examples/replica-postgres/versions.tf index acd6016f..95708b63 100644 
--- a/examples/replica-postgres/versions.tf
+++ b/examples/replica-postgres/versions.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.65"
+ version = ">= 5.00"
 }
 }
 }
diff --git a/examples/s3-import-mysql/README.md b/examples/s3-import-mysql/README.md
index 73ba2db7..3cb9169a 100644
--- a/examples/s3-import-mysql/README.md
+++ b/examples/s3-import-mysql/README.md
@@ -49,15 +49,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 4.65 |
-| [random](#requirement\_random) | >= 3.1 |
+| [aws](#requirement\_aws) | >= 5.00 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 4.65 |
-| [random](#provider\_random) | >= 3.1 |
+| [aws](#provider\_aws) | >= 5.00 |
 
 ## Modules
 
@@ -65,8 +63,8 @@ Note that this example may create resources which cost money. Run `terraform des
 |------|--------|---------|
 | [db](#module\_db) | ../../ | n/a |
 | [import\_s3\_bucket](#module\_import\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
-| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 |
-| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 4.0 |
+| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 5.0 |
+| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
 
 ## Resources
 
@@ -74,7 +72,6 @@ Note that this example may create resources which cost money. Run `terraform des |------|------| | [aws_iam_role.s3_import](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | | [aws_iam_role_policy.s3_import](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | -| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | | [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_iam_policy_document.s3_import](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.s3_import_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | 
@@ -95,9 +92,8 @@ No inputs. | [db\_instance\_engine](#output\_db\_instance\_engine) | The database engine | | [db\_instance\_engine\_version\_actual](#output\_db\_instance\_engine\_version\_actual) | The running version of the database | | [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [db\_instance\_id](#output\_db\_instance\_id) | The RDS instance ID | +| [db\_instance\_identifier](#output\_db\_instance\_identifier) | The RDS instance identifier | | [db\_instance\_name](#output\_db\_instance\_name) | The database name | -| [db\_instance\_password](#output\_db\_instance\_password) | The database password (this password may be old, because Terraform doesn't track it after initial creation) | | [db\_instance\_port](#output\_db\_instance\_port) | The database port | | [db\_instance\_resource\_id](#output\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | | [db\_instance\_status](#output\_db\_instance\_status) | The RDS instance status | diff --git a/examples/s3-import-mysql/main.tf b/examples/s3-import-mysql/main.tf index 78d1d17b..70d57b99 100644 --- a/examples/s3-import-mysql/main.tf +++ b/examples/s3-import-mysql/main.tf @@ -67,13 +67,9 @@ module "db" { # Supporting Resources ################################################################################ -resource "random_pet" "this" { - length = 2 -} - module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name cidr = local.vpc_cidr @@ -85,15 +81,12 @@ module "vpc" { create_database_subnet_group = true - enable_dns_hostnames = true - enable_dns_support = true - tags = local.tags } module "security_group" { source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" + version = "~> 5.0" name = local.name description = "S3 import VPC example security group" 
@@ -136,7 +129,7 @@ module "import_s3_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "~> 3.0" - bucket = "${local.name}-${random_pet.this.id}" + bucket_prefix = "${local.name}-" acl = "private" force_destroy = true @@ -157,7 +150,7 @@ data "aws_iam_policy_document" "s3_import_assume" { } resource "aws_iam_role" "s3_import" { - name = "${local.name}-${random_pet.this.id}" + name_prefix = "${local.name}-" description = "IAM role to allow RDS to import MySQL backup from S3" assume_role_policy = data.aws_iam_policy_document.s3_import_assume.json force_detach_policies = true @@ -189,9 +182,9 @@ data "aws_iam_policy_document" "s3_import" { } resource "aws_iam_role_policy" "s3_import" { - name = "${local.name}-${random_pet.this.id}" - role = aws_iam_role.s3_import.id - policy = data.aws_iam_policy_document.s3_import.json + name_prefix = "${local.name}-" + role = aws_iam_role.s3_import.id + policy = data.aws_iam_policy_document.s3_import.json # We need the files uploaded before the RDS instance is created, and the instance # also needs this role so this is an easy way of ensuring the backup is uploaded before diff --git a/examples/s3-import-mysql/outputs.tf b/examples/s3-import-mysql/outputs.tf index 8b50089d..dd8b5128 100644 --- a/examples/s3-import-mysql/outputs.tf +++ b/examples/s3-import-mysql/outputs.tf @@ -33,9 +33,9 @@ output "db_instance_hosted_zone_id" { value = module.db.db_instance_hosted_zone_id } -output "db_instance_id" { - description = "The RDS instance ID" - value = module.db.db_instance_id +output "db_instance_identifier" { + description = "The RDS instance identifier" + value = module.db.db_instance_identifier } output "db_instance_resource_id" { 
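Review bot: Switching `aws_iam_role.s3_import` to `name_prefix = "${local.name}-"` and the bucket module to `bucket_prefix` leaves less headroom than the old explicit names, because the provider appends a 26-character unique suffix: IAM's 64-character role-name limit and S3's 63-character bucket-name limit mean `local.name` (defined outside this hunk) must stay at roughly 37 characters, and an overlong value fails only at apply time. A comment at the `locals` definition such as `# keep short: generated IAM role / bucket names append a 26-char suffix (limits 64 / 63 chars)` would make that constraint visible to whoever copies this example. Separately, the `acl = "private"` context line is likely to be rejected on a freshly created bucket now that S3 defaults new buckets to BucketOwnerEnforced, unless the s3-bucket module is also told to set object ownership to ObjectWriter; worth re-applying the example to confirm it still converges.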
@@ -59,12 +59,6 @@ output "db_instance_username" { sensitive = true } -output "db_instance_password" { - description = "The database password (this password may be old, because Terraform doesn't track it after initial creation)" - value = module.db.db_instance_password - sensitive = true -} - output "db_instance_port" { description = "The database port" value = module.db.db_instance_port diff --git a/examples/s3-import-mysql/versions.tf b/examples/s3-import-mysql/versions.tf index e90a6ad8..95708b63 100644 --- a/examples/s3-import-mysql/versions.tf +++ b/examples/s3-import-mysql/versions.tf @@ -4,12 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.65" - } - - random = { - source = "hashicorp/random" - version = ">= 3.1" + version = ">= 5.00" } } } diff --git a/main.tf b/main.tf index c794d430..d3662668 100644 --- a/main.tf +++ b/main.tf @@ -3,9 +3,6 @@ locals { create_db_parameter_group = var.create_db_parameter_group && var.putin_khuylo create_db_instance = var.create_db_instance && var.putin_khuylo - create_random_password = local.create_db_instance && var.create_random_password - password = local.create_random_password ? random_password.master_password[0].result : var.password - db_subnet_group_name = var.create_db_subnet_group ? module.db_subnet_group.db_subnet_group_id : var.db_subnet_group_name parameter_group_name_id = var.create_db_parameter_group ? module.db_parameter_group.db_parameter_group_id : var.parameter_group_name @@ -13,13 +10,6 @@ locals { option_group = local.create_db_option_group ? module.db_option_group.db_option_group_id : var.option_group_name } -resource "random_password" "master_password" { - count = local.create_random_password ? 1 : 0 - - length = var.random_password_length - special = false -} - module "db_subnet_group" { source = "./modules/db_subnet_group" 
@@ -84,12 +74,14 @@ module "db_instance" { db_name = var.db_name username = var.username - password = local.password + password = var.manage_master_user_password ? null : var.password port = var.port domain = var.domain domain_iam_role_name = var.domain_iam_role_name iam_database_authentication_enabled = var.iam_database_authentication_enabled custom_iam_instance_profile = var.custom_iam_instance_profile + manage_master_user_password = var.manage_master_user_password + master_user_secret_kms_key_id = var.master_user_secret_kms_key_id vpc_security_group_ids = var.vpc_security_group_ids db_subnet_group_name = local.db_subnet_group_name diff --git a/modules/db_instance/README.md b/modules/db_instance/README.md index 4a2e0952..344fc51e 100644 --- a/modules/db_instance/README.md +++ b/modules/db_instance/README.md @@ -6,14 +6,14 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | +| [aws](#requirement\_aws) | >= 5.0 | | [random](#requirement\_random) | >= 3.1 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.65 | +| [aws](#provider\_aws) | >= 5.0 | | [random](#provider\_random) | >= 3.1 | ## Modules 
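Review bot: `password = var.manage_master_user_password ? null : var.password` means a caller who neither opts into managed passwords nor sets `var.password` now creates a non-replica instance with no master password at all, whereas the removed random-password path always supplied one; unless the root `manage_master_user_password` default (outside this hunk) is `true`, this is a silent behaviour change that the upgrade notes should call out, and a `validation` or `precondition` rejecting `var.password == null && !var.manage_master_user_password` for non-replica instances would surface it at plan time instead of as an API error. The ternary is also redundant, since modules/db_instance/main.tf already nulls `password` whenever `manage_master_user_password` is set, so `password = var.password` would do. The variable description could state that when RDS manages the password it is stored in Secrets Manager and encrypted with `master_user_secret_kms_key_id`, falling back to the AWS-managed key when that is null.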
@@ -70,6 +70,8 @@ No modules. | [kms\_key\_id](#input\_kms\_key\_id) | The ARN for the KMS encryption key. If creating an encrypted replica, set this to the destination KMS ARN. If storage\_encrypted is set to true and kms\_key\_id is not specified the default KMS key created in your account will be used | `string` | `null` | no | | [license\_model](#input\_license\_model) | License model information for this DB instance. Optional, but required for some DB engines, i.e. Oracle SE1 | `string` | `null` | no | | [maintenance\_window](#input\_maintenance\_window) | The window to perform maintenance in. Syntax: 'ddd:hh24:mi-ddd:hh24:mi'. Eg: 'Mon:00:00-Mon:03:00' | `string` | `null` | no | +| [manage\_master\_user\_password](#input\_manage\_master\_user\_password) | Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if password is provided | `bool` | `false` | no | +| [master\_user\_secret\_kms\_key\_id](#input\_master\_user\_secret\_kms\_key\_id) | The key ARN, key ID, alias ARN or alias name for the KMS key to encrypt the master user password secret in Secrets Manager.
If not specified, the default KMS key for your Amazon Web Services account is used. | `string` | `null` | no | | [max\_allocated\_storage](#input\_max\_allocated\_storage) | Specifies the value for Storage Autoscaling | `number` | `0` | no | | [monitoring\_interval](#input\_monitoring\_interval) | The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60. | `number` | `0` | no | | [monitoring\_role\_arn](#input\_monitoring\_role\_arn) | The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Must be specified if monitoring\_interval is non-zero. | `string` | `null` | no | 
@@ -114,14 +116,13 @@ No modules. | [db\_instance\_ca\_cert\_identifier](#output\_db\_instance\_ca\_cert\_identifier) | Specifies the identifier of the CA certificate for the DB instance | | [db\_instance\_cloudwatch\_log\_groups](#output\_db\_instance\_cloudwatch\_log\_groups) | Map of CloudWatch log groups created and their attributes | | [db\_instance\_domain](#output\_db\_instance\_domain) | The ID of the Directory Service Active Directory domain the instance is joined to | -| [db\_instance\_domain\_iam\_role\_name](#output\_db\_instance\_domain\_iam\_role\_name) | The name of the IAM role to be used when making API calls to the Directory Service. | +| [db\_instance\_domain\_iam\_role\_name](#output\_db\_instance\_domain\_iam\_role\_name) | The name of the IAM role to be used when making API calls to the Directory Service | | [db\_instance\_endpoint](#output\_db\_instance\_endpoint) | The connection endpoint | | [db\_instance\_engine](#output\_db\_instance\_engine) | The database engine | | [db\_instance\_engine\_version\_actual](#output\_db\_instance\_engine\_version\_actual) | The running version of the database | | [db\_instance\_hosted\_zone\_id](#output\_db\_instance\_hosted\_zone\_id) | The canonical hosted zone ID of the DB instance (to be used in a Route 53 Alias record) | -| [db\_instance\_id](#output\_db\_instance\_id) | The RDS instance ID | +| [db\_instance\_identifier](#output\_db\_instance\_identifier) | The RDS instance identifier | | [db\_instance\_name](#output\_db\_instance\_name) | The database name | -| [db\_instance\_password](#output\_db\_instance\_password) | The master password | | [db\_instance\_port](#output\_db\_instance\_port) | The database port | | [db\_instance\_resource\_id](#output\_db\_instance\_resource\_id) | The RDS Resource ID of this instance | | [db\_instance\_status](#output\_db\_instance\_status) | The RDS instance status | 
diff --git a/modules/db_instance/main.tf b/modules/db_instance/main.tf index 7227f5ad..a2acef12 100644 --- a/modules/db_instance/main.tf +++ b/modules/db_instance/main.tf @@ -10,9 +10,7 @@ locals { monitoring_role_name_prefix = var.monitoring_role_use_name_prefix ? "${var.monitoring_role_name}-" : null # Replicas will use source metadata - username = var.replicate_source_db != null ? null : var.username - password = var.replicate_source_db != null ? null : var.password - engine = var.replicate_source_db != null ? null : var.engine + is_replica = var.replicate_source_db != null } # Ref. https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces 
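Review bot: The comment `# Replicas will use source metadata` now sits above `is_replica = var.replicate_source_db != null`, but the nulling it described has moved into the `aws_db_instance` resource, so the comment no longer explains the line under it. Suggest `# Replicas inherit engine, storage and master credentials from the source; the resource block nulls those arguments when this is true` so the local documents what the flag gates.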
@@ -34,23 +32,25 @@ resource "aws_db_instance" "this" { identifier = local.identifier identifier_prefix = local.identifier_prefix - engine = local.engine + engine = local.is_replica ? null : var.engine engine_version = var.engine_version instance_class = var.instance_class - allocated_storage = var.allocated_storage + allocated_storage = local.is_replica ? null : var.allocated_storage storage_type = var.storage_type storage_encrypted = var.storage_encrypted kms_key_id = var.kms_key_id license_model = var.license_model db_name = var.db_name - username = local.username - password = local.password + username = !local.is_replica ? var.username : null + password = !local.is_replica && var.manage_master_user_password ? null : var.password port = var.port domain = var.domain domain_iam_role_name = var.domain_iam_role_name iam_database_authentication_enabled = var.iam_database_authentication_enabled custom_iam_instance_profile = var.custom_iam_instance_profile + manage_master_user_password = !local.is_replica && var.manage_master_user_password ? var.manage_master_user_password : null + master_user_secret_kms_key_id = !local.is_replica && var.manage_master_user_password ? var.master_user_secret_kms_key_id : null vpc_security_group_ids = var.vpc_security_group_ids db_subnet_group_name = var.db_subnet_group_name diff --git a/modules/db_instance/outputs.tf b/modules/db_instance/outputs.tf index 5b622634..29b45782 100644 --- a/modules/db_instance/outputs.tf +++ b/modules/db_instance/outputs.tf 
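Review bot: `password = !local.is_replica && var.manage_master_user_password ? null : var.password` no longer nulls the password for replicas: when `is_replica` is true the `&&` evaluates to false and `var.password` is passed through, whereas the removed `local.password` returned null for any `replicate_source_db`. `username` on the line above keeps the replica guard, so the two lines are now inconsistent; `password = !local.is_replica && !var.manage_master_user_password ? var.password : null` restores the old behaviour for replicas while still yielding to the managed password. The guard on `manage_master_user_password` and `master_user_secret_kms_key_id` is correct as written. Since a null `master_user_secret_kms_key_id` means the secret is encrypted with the AWS-managed key, the variable description should say so, as customer-managed keys for master credentials are a common compliance requirement.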
@@ -1,103 +1,97 @@ output "enhanced_monitoring_iam_role_name" { description = "The name of the monitoring role" - value = try(aws_iam_role.enhanced_monitoring[0].name, "") + value = try(aws_iam_role.enhanced_monitoring[0].name, null) } output "enhanced_monitoring_iam_role_arn" { description = "The Amazon Resource Name (ARN) specifying the monitoring role" - value = try(aws_iam_role.enhanced_monitoring[0].arn, "") + value = try(aws_iam_role.enhanced_monitoring[0].arn, null) } output "db_instance_address" { description = "The address of the RDS instance" - value = try(aws_db_instance.this[0].address, "") + value = try(aws_db_instance.this[0].address, null) } output "db_instance_arn" { description = "The ARN of the RDS instance" - value = try(aws_db_instance.this[0].arn, "") + value = try(aws_db_instance.this[0].arn, null) } output "db_instance_availability_zone" { description = "The availability zone of the RDS instance" - value = try(aws_db_instance.this[0].availability_zone, "") + value = try(aws_db_instance.this[0].availability_zone, null) } output "db_instance_endpoint" { description = "The connection endpoint" - value = try(aws_db_instance.this[0].endpoint, "") + value = try(aws_db_instance.this[0].endpoint, null) } output "db_listener_endpoint" { description = "Specifies the listener connection endpoint for SQL Server Always On" - value = try(aws_db_instance.this[0].listener_endpoint, "") + value = try(aws_db_instance.this[0].listener_endpoint, null) } output "db_instance_engine" { description = "The database engine" - value = try(aws_db_instance.this[0].engine, "") + value = try(aws_db_instance.this[0].engine, null) } output "db_instance_engine_version_actual" { description = "The running version of the database" - value = try(aws_db_instance.this[0].engine_version_actual, "") + value = try(aws_db_instance.this[0].engine_version_actual, null) } output "db_instance_hosted_zone_id" { description = "The canonical hosted zone ID of the DB instance (to be used in a 
Route 53 Alias record)" - value = try(aws_db_instance.this[0].hosted_zone_id, "") + value = try(aws_db_instance.this[0].hosted_zone_id, null) } -output "db_instance_id" { - description = "The RDS instance ID" - value = try(aws_db_instance.this[0].id, "") +output "db_instance_identifier" { + description = "The RDS instance identifier" + value = try(aws_db_instance.this[0].identifier, null) } output "db_instance_resource_id" { description = "The RDS Resource ID of this instance" - value = try(aws_db_instance.this[0].resource_id, "") + value = try(aws_db_instance.this[0].resource_id, null) } output "db_instance_status" { description = "The RDS instance status" - value = try(aws_db_instance.this[0].status, "") + value = try(aws_db_instance.this[0].status, null) } output "db_instance_name" { description = "The database name" - value = try(aws_db_instance.this[0].db_name, "") + value = try(aws_db_instance.this[0].db_name, null) } output "db_instance_username" { description = "The master username for the database" - value = try(aws_db_instance.this[0].username, "") + value = try(aws_db_instance.this[0].username, null) sensitive = true } output "db_instance_port" { description = "The database port" - value = try(aws_db_instance.this[0].port, "") + value = try(aws_db_instance.this[0].port, null) } output "db_instance_ca_cert_identifier" { description = "Specifies the identifier of the CA certificate for the DB instance" - value = try(aws_db_instance.this[0].ca_cert_identifier, "") + value = try(aws_db_instance.this[0].ca_cert_identifier, null) } output "db_instance_domain" { description = "The ID of the Directory Service Active Directory domain the instance is joined to" - value = try(aws_db_instance.this[0].domain, "") + value = try(aws_db_instance.this[0].domain, null) } output "db_instance_domain_iam_role_name" { - description = "The name of the IAM role to be used when making API calls to the Directory Service. 
" - value = try(aws_db_instance.this[0].domain_iam_role_name, "") -} - -output "db_instance_password" { - description = "The master password" - value = try(aws_db_instance.this[0].password, "") - sensitive = true + description = "The name of the IAM role to be used when making API calls to the Directory Service" + value = try(aws_db_instance.this[0].domain_iam_role_name, null) } ################################################################################ diff --git a/modules/db_instance/variables.tf b/modules/db_instance/variables.tf index ec455358..18080bd2 100644 --- a/modules/db_instance/variables.tf +++ b/modules/db_instance/variables.tf @@ -122,6 +122,21 @@ variable "password" { default = null } +variable "manage_master_user_password" { + description = "Set to true to allow RDS to manage the master user password in Secrets Manager. Cannot be set if password is provided" + type = bool + default = false +} + +variable "master_user_secret_kms_key_id" { + description = < [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | +| [aws](#requirement\_aws) | >= 5.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.65 | +| [aws](#provider\_aws) | >= 5.0 | ## Modules diff --git a/modules/db_option_group/outputs.tf b/modules/db_option_group/outputs.tf index 3a87a8f6..377e169a 100644 --- a/modules/db_option_group/outputs.tf +++ b/modules/db_option_group/outputs.tf @@ -1,9 +1,9 @@ output "db_option_group_id" { description = "The db option group id" - value = try(aws_db_option_group.this[0].id, "") + value = try(aws_db_option_group.this[0].id, null) } output "db_option_group_arn" { description = "The ARN of the db option group" - value = try(aws_db_option_group.this[0].arn, "") + value = try(aws_db_option_group.this[0].arn, null) } diff --git a/modules/db_option_group/versions.tf b/modules/db_option_group/versions.tf index acd6016f..ddfcb0e0 100644 --- a/modules/db_option_group/versions.tf 
+++ b/modules/db_option_group/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.65" + version = ">= 5.0" } } } diff --git a/modules/db_parameter_group/README.md b/modules/db_parameter_group/README.md index de04627f..56e16577 100644 --- a/modules/db_parameter_group/README.md +++ b/modules/db_parameter_group/README.md @@ -6,13 +6,13 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | +| [aws](#requirement\_aws) | >= 5.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.65 | +| [aws](#provider\_aws) | >= 5.0 | ## Modules diff --git a/modules/db_parameter_group/outputs.tf b/modules/db_parameter_group/outputs.tf index e67ec7c8..0ea46412 100644 --- a/modules/db_parameter_group/outputs.tf +++ b/modules/db_parameter_group/outputs.tf @@ -1,9 +1,9 @@ output "db_parameter_group_id" { description = "The db parameter group id" - value = try(aws_db_parameter_group.this[0].id, "") + value = try(aws_db_parameter_group.this[0].id, null) } output "db_parameter_group_arn" { description = "The ARN of the db parameter group" - value = try(aws_db_parameter_group.this[0].arn, "") + value = try(aws_db_parameter_group.this[0].arn, null) } diff --git a/modules/db_parameter_group/versions.tf b/modules/db_parameter_group/versions.tf index acd6016f..ddfcb0e0 100644 --- a/modules/db_parameter_group/versions.tf +++ b/modules/db_parameter_group/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.65" + version = ">= 5.0" } } } diff --git a/modules/db_subnet_group/README.md b/modules/db_subnet_group/README.md index bf062252..68a1d5ff 100644 --- a/modules/db_subnet_group/README.md +++ b/modules/db_subnet_group/README.md 
@@ -6,13 +6,13 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.65 | +| [aws](#requirement\_aws) | >= 5.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.65 | +| [aws](#provider\_aws) | >= 5.0 | ## Modules diff --git a/modules/db_subnet_group/outputs.tf b/modules/db_subnet_group/outputs.tf index aa803a34..dd92fe8b 100644 --- a/modules/db_subnet_group/outputs.tf +++ b/modules/db_subnet_group/outputs.tf @@ -1,9 +1,9 @@ output "db_subnet_group_id" { description = "The db subnet group name" - value = try(aws_db_subnet_group.this[0].id, "") + value = try(aws_db_subnet_group.this[0].id, null) } output "db_subnet_group_arn" { description = "The ARN of the db subnet group" - value = try(aws_db_subnet_group.this[0].arn, "") + value = try(aws_db_subnet_group.this[0].arn, null) } diff --git a/modules/db_subnet_group/versions.tf b/modules/db_subnet_group/versions.tf index acd6016f..ddfcb0e0 100644 --- a/modules/db_subnet_group/versions.tf +++ b/modules/db_subnet_group/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.65" + version = ">= 5.0" } } } diff --git a/outputs.tf b/outputs.tf index f9716d18..630a8029 100644 --- a/outputs.tf +++ b/outputs.tf @@ -48,9 +48,9 @@ output "db_instance_hosted_zone_id" { value = module.db_instance.db_instance_hosted_zone_id } -output "db_instance_id" { - description = "The RDS instance ID" - value = module.db_instance.db_instance_id +output "db_instance_identifier" { + description = "The RDS instance identifier" + value = module.db_instance.db_instance_identifier } output "db_instance_resource_id" { 
@@ -74,19 +74,13 @@ output "db_instance_username" { sensitive = true } -output "db_instance_password" { - description = "The database password (this password may be old, because Terraform doesn't track it after initial creation)" - value = local.password - sensitive = true -} - output "db_instance_domain" { description = "The ID of the Directory Service Active Directory domain the instance is joined to" value = module.db_instance.db_instance_domain } output "db_instance_domain_iam_role_name" { - description = "The name of the IAM role to be used when making API calls to the Directory Service. " + description = "The name of the IAM role to be used when making API calls to the Directory Service" value = module.db_instance.db_instance_domain_iam_role_name } diff --git a/variables.tf b/variables.tf index d14a2fde..f692a258 100644 --- a/variables.tf +++ b/variables.tf @@ -138,13 +138,28 @@ variable "username" { variable "password" { description = <