
The psql password passed to the module is overridden by the one aws creates in Secret Manager #530

Closed
lorenzophys opened this issue Jan 10, 2024 · 7 comments

Comments

@lorenzophys
Contributor

Description

When creating a PostgreSQL RDS instance using the terraform-aws-rds module, I encountered an unexpected behavior where AWS auto-generates a password in the Secret Manager, even though I explicitly provided a username and password. This occurs despite the documentation stating that the manage_master_user_password input is false by default.
If I explicitly set manage_master_user_password = false then my password is actually used for the master user.

Versions

  • Module version [Required]:

  • Terraform version:

Terraform v1.5.7
on darwin_arm64
  • Provider version(s):
Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/carlpett/sops v1.0.0
+ provider registry.terraform.io/hashicorp/aws v5.31.0
+ provider registry.terraform.io/hashicorp/random v3.6.0

Reproduction Code [Required]

module "db" {
  source = "terraform-aws-modules/rds/aws"

  identifier = local.id

  engine                    = "postgres"
  engine_version            = "12.14"
  major_engine_version      = "12"
  family                    = "postgres12" # DB parameter group
  create_db_parameter_group = false

  # DB option group
  instance_class    = "db.t3.small"
  allocated_storage = 20

  username                    = "postgres"
  password                    = data.sops_file.db_credentials.data["secrets.db_password"]
  #manage_master_user_password = false
  port                        = 5432

  multi_az               = false
  vpc_security_group_ids = [module.security_group.security_group_id]

  create_db_subnet_group      = true
  db_subnet_group_name        = "${local.short_name}-${data.aws_vpc.eks.id}"
  db_subnet_group_description = "Database subnet group associated with ${local.environment} eks cluster for ${local.short_name}"
  subnet_ids                  = [for subnet in data.aws_subnets.eks.ids : subnet if !(contains(data.aws_subnets.eks_public.ids, subnet))]

  iam_database_authentication_enabled = false
  publicly_accessible                 = false

  auto_minor_version_upgrade = true

  maintenance_window = "Mon:00:00-Mon:03:00"
  backup_window      = "03:00-06:00"

  backup_retention_period = 0
  skip_final_snapshot     = true
  deletion_protection     = false

  performance_insights_enabled = false

  tags = local.tags
}

Steps to reproduce the behavior:

Just spin up an RDS instance with set username and password and check that the password you set doesn't work.

Expected behavior

I expect that if manage_master_user_password is not set, then aws does not override my own password.

Actual behavior

AWS auto-generates a password in the Secret Manager, even though I explicitly provided a username and password.

@bryantbiggs
Member

I expect that if manage_master_user_password is not set, then aws does not override my own password.

But it is set: it's set to true by default since this is the recommended practice. If you want to opt out of the recommended practice, you will need to specify manage_master_user_password = false - this will mean that your password is in plaintext within your terraform statefile when using this route.
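An added check for the trade-off described above (example code, not part of this issue or of the module): a small Python audit that reads a Terraform state file and reports, per aws_db_instance, whether the state holds the master password in plaintext or only the ARN of the secret AWS manages in Secrets Manager. The state content is a constructed sample; the attribute names (`password`, `manage_master_user_password`, `master_user_secret`) follow the aws_db_instance resource schema in the AWS provider.

```python
import json

# Constructed sample of a Terraform state file (format version 4), not a real one:
# one aws_db_instance that kept the default manage_master_user_password = true and
# one that opted out and passed an explicit password, plus an unrelated resource.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"module": "module.db_managed", "type": "aws_db_instance", "name": "this",
         "instances": [{"attributes": {
             "identifier": "app-managed", "manage_master_user_password": True,
             "password": None,
             "master_user_secret": [{"secret_arn": "arn:aws:secretsmanager:eu-west-1:"
                                     "123456789012:secret:rds!db-EXAMPLE"}]}}]},
        {"module": "module.db_plain", "type": "aws_db_instance", "name": "this",
         "instances": [{"attributes": {
             "identifier": "app-plain", "manage_master_user_password": False,
             "password": "example-plaintext-password",  # sensitive, yet stored in state
             "master_user_secret": []}}]},
        {"type": "aws_security_group", "name": "db",
         "instances": [{"attributes": {"name": "db-sg"}}]},
    ],
})

def audit_db_passwords(state_json: str) -> list:
    """One finding per aws_db_instance: does the state hold the master password in
    plaintext, or only the ARN of the secret that AWS manages in Secrets Manager?"""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        if res.get("type") != "aws_db_instance":
            continue
        address = ".".join(p for p in (res.get("module"), res["type"], res["name"]) if p)
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            secrets = attrs.get("master_user_secret") or []
            findings.append({
                "address": address,
                "identifier": attrs.get("identifier"),
                "managed": bool(attrs.get("manage_master_user_password")),
                "plaintext_in_state": bool(attrs.get("password")),
                "secret_arn": secrets[0].get("secret_arn") if secrets else None,
            })
    return findings

if __name__ == "__main__":
    for f in audit_db_passwords(SAMPLE_STATE):
        verdict = "plaintext password in state" if f["plaintext_in_state"] else "managed secret"
        print(f"{f['address']} ({f['identifier']}): {verdict} {f['secret_arn'] or ''}")
```

Run it against a real `terraform show -json`-style state only on a machine where that state is already readable; the point is to know which instances need the state backend treated as secret-bearing.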

@lorenzophys
Contributor Author

@bryantbiggs
Member

Why the discrepancy?

Just an oversight - it should be true in the sub-module as well. Most users don't use the sub-modules directly and instead use the root module, which is why I suspect this wasn't caught before.

@lorenzophys
Contributor Author

Ok, I was probably looking at that for some reason.

Thank you!

@bryantbiggs
Member

If you feel like opening a PR to fix that issue, I'd be happy to merge that in 😬

@lorenzophys
Contributor Author

Sure!

@github-actions bot

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 10, 2024