
Using the following Terraform scripts, I can easily create a secret in AWS, but I can't find a way to link it with my existing RDS.

How can I create a "Credentials for RDS database" secret? The following code creates only "Other type of secrets". In the Terraform documentation, I don't find any option to associate a secret with an RDS database.

    # The secret container (name and metadata only; no value yet).
    resource "aws_secretsmanager_secret" "my_secret" {
      name = "mydbsecret"
    }

    # Credential payload; hard-coding it like this also lands it in the state file.
    locals {
      my_data = {
        username = "username"
        password = "userpassword"
      }
    }

    # The secret value, stored as a JSON string.
    # Must reference the secret declared above ("my_secret"); the original
    # pointed at a non-existent "demo_secret" resource.
    resource "aws_secretsmanager_secret_version" "my_secret_version" {
      secret_id     = aws_secretsmanager_secret.my_secret.id
      secret_string = jsonencode(local.my_data)
    }
  • You can't find it, because there is no such option. What do you want to achieve? Also with that setup, your secret will be in plain text in state file, which may not be a good idea. – Marcin Jun 28 '21 at 06:08
  • I want to create "Credentials for RDS database". I can do it using the AWS Console, but in Terraform there is no such option. – Cloud Delhi Jun 28 '21 at 06:13
  • You already have `locals.my_data.username` and password, so use that as your password for rds. What's wrong with that? – Marcin Jun 28 '21 at 06:16
  • How will the credentials be associated with RDS? – Cloud Delhi Jun 28 '21 at 06:23
  • You specify the credentials for example in your aws_db_instance resource. – Jenneth Jun 28 '21 at 08:28

1 Answer

This is not possible in a direct way, e.g. by specifying a certain parameter, but you can hand over an associative array to the aws_secretsmanager_secret_version resource. This would look like this:

# Secret value written as the JSON document the RDS "credentials" secret type
# uses: username, password, engine, host, port and the cluster identifier.
# Everything except the password is read from the cluster resource, so the
# secret is "linked" to the RDS cluster by its contents rather than by a
# dedicated Terraform parameter.
resource "aws_secretsmanager_secret_version" "rds_credentials" {
  secret_id     = aws_secretsmanager_secret.rds_credentials.id
  secret_string = <<EOF
{
  "username": "${aws_rds_cluster.default.master_username}",
  "password": "${random_password.master_password.result}",
  "engine": "mysql",
  "host": "${aws_rds_cluster.default.endpoint}",
  "port": ${aws_rds_cluster.default.port},
  "dbClusterIdentifier": "${aws_rds_cluster.default.cluster_identifier}"
}
EOF
}

The origin of this solution is this comment from @Evan Closson. Hope that helps, and credits to Evan for that example.

Michael Aicher
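As an added example (not part of the original question or answer), here is a complete configuration that ties the pieces together for a single RDS instance rather than a cluster: a generated master password, an `aws_db_instance` that uses it, a secret whose `secret_string` carries the same JSON keys the console's "Credentials for RDS database" option writes, and an IAM policy document scoped to that one secret. The region, resource names, database settings and the policy name are placeholders chosen for the example.

```hcl
# Added example: provision an RDS instance and store its master credentials in
# Secrets Manager in the RDS-credential JSON shape. All names and settings
# below are assumptions for illustration, not values from the original post.

terraform {
  required_providers {
    aws    = { source = "hashicorp/aws" }
    random = { source = "hashicorp/random" }
  }
}

provider "aws" {
  region = "eu-central-1" # assumption
}

# Generate the master password instead of hard-coding it. The value is still
# recorded in Terraform state, so the state backend must be encrypted and
# access-restricted; this removes the literal from source control only.
resource "random_password" "master" {
  length           = 32
  special          = true
  override_special = "!#$%^&*()-_=+[]{}<>:?" # RDS rejects '/', '@', '"' and space
}

resource "aws_db_instance" "app" {
  identifier          = "app-db"       # assumption
  engine              = "mysql"
  engine_version      = "8.0"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  db_name             = "app"
  username            = "appadmin"
  password            = random_password.master.result
  storage_encrypted   = true
  publicly_accessible = false
  skip_final_snapshot = true           # example only; keep snapshots in production
}

resource "aws_secretsmanager_secret" "rds_credentials" {
  name                    = "app-db/master" # assumption
  recovery_window_in_days = 7
}

# Same key set the console uses for an RDS credential secret. Reading host,
# port and engine from the instance keeps the secret consistent with the
# database it describes; jsonencode avoids hand-written JSON quoting errors.
resource "aws_secretsmanager_secret_version" "rds_credentials" {
  secret_id = aws_secretsmanager_secret.rds_credentials.id
  secret_string = jsonencode({
    username             = aws_db_instance.app.username
    password             = random_password.master.result
    engine               = aws_db_instance.app.engine
    host                 = aws_db_instance.app.address # hostname only, no port
    port                 = aws_db_instance.app.port
    dbname               = aws_db_instance.app.db_name
    dbInstanceIdentifier = aws_db_instance.app.identifier
  })
}

# Least privilege: a policy that allows reading exactly this secret, to be
# attached to the application's role (attachment omitted for brevity).
data "aws_iam_policy_document" "read_db_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.rds_credentials.arn]
  }
}

resource "aws_iam_policy" "read_db_secret" {
  name   = "app-db-read-secret" # assumption
  policy = data.aws_iam_policy_document.read_db_secret.json
}
```

Two caveats worth checking before adopting this. First, the password appears in state twice (in `random_password` and in the secret version), so treat the state file as a secret itself. Second, newer releases of the AWS provider support `manage_master_user_password = true` on `aws_db_instance`, which has RDS create and rotate the master-password secret itself and exposes it through the `master_user_secret` attribute; where that attribute is available it avoids putting the password in state at all, and the block above is then only needed if you want to control the secret's name and contents yourself.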