RDS authentication when deploying through Terraform

0

We are using cdktf terraform to deploy RDS on AWS. If I do not give username/password terraform errors out asking for the same. I did check the github documentation , for db_instance, which has used username/password, and I am aware that this information can be retrieved from secrets, as well.

https://github.com/terraform-aws-modules/terraform-aws-rds/tree/master/modules/db_instance

However, for security reasons, it has been suggested we create the dbinstance with only IAM authentication, and NOT use, the username/password at all in the terraform db Instance code. Can anyone confirm that this can actually be done through terraform , or do we need to use boto3 or other alternative instead?

Swee
質問済み 1年前3663ビュー
2回答
0

The master_username and master_password are required parameters for the Terraform aws_db_instance resource, which creates an RDS instance. After the RDS instance is created, you can use IAM roles to authenticate to the database, but the initial creation of the database still requires a username and password. For security purposes, you could create a random password during the Terraform apply stage that you don't store or use anywhere. Here's an example of how you could do this:

resource "random_password" "password" {
  length           = 16
  special          = true
  override_special = "_%@"
}

resource "aws_db_instance" "default" {
  ...
  master_username = "master"
  master_password = random_password.password.result
  ...
  iam_database_authentication_enabled = true
  ...
}

The random_password resource generates a random password that is passed to the aws_db_instance resource. The iam_database_authentication_enabled argument is set to true to enable IAM database authentication.

Please note that even though you are not using the master_username and master_password for your application to connect to the RDS, they still exist and can be used to authenticate to the database. So it's crucial to ensure these credentials are properly secured.

profile picture
エキスパート
回答済み 1年前
  • We would not generate a random password in first place, we can always retrieve from AWS secret manager. The question is, is there a way to create the instance without specifying the username/password , for security reasons. But based on what you are stating, looks like we do have to give some username/password, if deploying via terraform. Thank you, for your observation

0

You can set the manage_master_user_password attribute to true which enables RDS to manage the master password with Secrets Manager. In that way you do not store the password in terraform state file. Also by default RDS will auto-rotate the password every 7 days without any manual action.

Ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#managed-master-passwords-via-secrets-manager-default-kms-key

Sapta
回答済み 10ヶ月前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ