-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathpassword.tf
More file actions
43 lines (38 loc) · 1.59 KB
/
password.tf
File metadata and controls
43 lines (38 loc) · 1.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
// TODO: We should move to IAM Authentication instead of creating a password
resource "random_password" "this" {
// Master password length constraints differ for each database engine. For more information, see the available settings when creating each DB instance.
length = 16
special = true
// The password for the master database user can include any printable ASCII character except /, ", @, or a space.
// We're also excluding the following characters:
// ':' - not allowed by DMS (Database Migration Service)
// ';' - not allowed by DMS
// '+' - not allowed by DMS
// '%' - not allowed by DMS, confuses url encoding
// '?' - confuses url encoding
// '#' - confuses url encoding
// '[' - confuses url encoding
// ']' - confuses url encoding
// '{' - confuses url encoding
// '}' - confuses url encoding
// '(' - issues with batch files
// ')' - issues with batch files
// '&' - issues with batch files
// '!' - issues with batch files
// '^' - issues with batch files
// '<' - issues with batch files
// '>' - issues with batch files
override_special = "$*-_="
lifecycle {
ignore_changes = [override_special] // Prevent changing passwords for provisioned dbs
}
}
resource "aws_secretsmanager_secret" "password" {
name = "${local.resource_name}/master"
tags = local.tags
kms_key_id = aws_kms_key.this.id
}
resource "aws_secretsmanager_secret_version" "password" {
secret_id = aws_secretsmanager_secret.password.id
secret_string = jsonencode(tomap({ "username" = aws_db_instance.this.username, "password" = random_password.this.result }))
}