DEV Community

Nathan (Nursultan) Bekenov for AWS Community Builders

Posted on • Edited on

Create RDS cluster and manage passwords in 2024

Hello there! In this post I am going to show you Terraform code example of how to create AWS RDS cluster and mange DB passwords in AWS Secrets Manager.


Ok, let's get started with creating RDS cluster. In my example I am going to create Aurora PostgreSQL Serverless DB. To create a cluster I am going to use existing terraform module . I will put details after each part of the code. Also the all scripts can be found in my repo

data.tf to get VPC details and engine details

data "aws_caller_identity" "current" {}

data "aws_vpc" "vpc" {
  filter {
    name   = "tag:Name"
    values = [var.vpc_name]
  }
}

data "aws_subnets" "private" {
  filter {
    name   = "tag:Name"
    values = ["${var.vpc_name}-private-*"]
  }
}

data "aws_rds_engine_version" "postgresql" {
  engine  = "aurora-postgresql"
  version = var.engine_version
}
Enter fullscreen mode Exit fullscreen mode

vars.tf - update vars based on your environment setup

variable "database_name" {
  type        = string
  description = "database_name"
  default     = "aurorapostgres"
}

variable "admin_user_name" {
  type        = string
  description = "admin_user_name"
  default     = "aurora_admin"
}

variable "engine_version" {
  type        = string
  description = "postgresql engine_version"
  default     = "15.4"
}

variable "max_capacity" {
  type        = number
  description = "max scaling capacity"
  default     = 4
}

variable "min_capacity" {
  type        = number
  description = "min scaling capacity"
  default     = 2
}

variable "vpc_name" {
  type        = string
  description = "vpc_name"
  default     = "main-vpc"
}
Enter fullscreen mode Exit fullscreen mode

rds.tf

resource "aws_kms_key" "aurora_kms_key" {
  description             = "CMK for Aurora PostgreSQL server side encryption"
  deletion_window_in_days = 10
  enable_key_rotation     = false
}

resource "aws_kms_alias" "aurora_kms_key_alias" {
  name          = "alias/aurora-data-store-key"
  target_key_id = aws_kms_key.aurora_kms_key.id
}

resource "aws_db_subnet_group" "serverlessv2_sg" {
  name       = "${var.database_name}-subnet_group"
  subnet_ids = data.aws_subnets.private.ids
}

module "aurora_postgresql_v2" {
  source  = "terraform-aws-modules/rds-aurora/aws"
  version = "8.5.0"

  name          = var.database_name
  database_name = var.database_name

  engine         = data.aws_rds_engine_version.postgresql.engine
  engine_version = data.aws_rds_engine_version.postgresql.version

  instance_class = "db.serverless"
  instances = {
    one = {}
    two = {}
  }
  serverlessv2_scaling_configuration = {
    min_capacity = var.min_capacity
    max_capacity = var.max_capacity
  }

  master_username                     = var.admin_user_name
  manage_master_user_password         = true
  storage_encrypted                   = true
  kms_key_id                          = aws_kms_key.aurora_kms_key.arn
  iam_database_authentication_enabled = true
  ca_cert_identifier                  = "rds-ca-rsa2048-g1"

  vpc_id               = data.aws_vpc.vpc.id
  db_subnet_group_name = aws_db_subnet_group.serverlessv2_sg.name
  security_group_rules = {
    vpc_ingress = {
      cidr_blocks = [data.aws_vpc.vpc.cidr_block]
    }
  }

  monitoring_interval = 60
  apply_immediately   = true
  skip_final_snapshot = true

  deletion_protection = true

}
Enter fullscreen mode Exit fullscreen mode

So here I am at first creating KMS key that will be used in server side encryption. Then I am creating cluster with subnet group. Let's stop on DB master user and password

Previously there were couple ways to setup DB master user and password:

  • create secret (password=random string) in AWS Secrets Manager and then using terraform ${data.aws_secretsmanager_secret_version.db_password.secret_string} provide password to create the cluster. In this case if someone will get access to your Terraform state file they will be able to see the DB password in the plain text.
  • To workaround this you could have configured password update by enabling secrets rotation in AWS Secrets Manager. That would usually require additional Lambda function that will trigger rotation and password update in RDS cluster

But now (well since Dec 22, 2022) "...RDS fully manages the master user password and stores it in AWS Secrets Manager whenever your RDS database instances are created, modified, or restored. The new feature supports the entire lifecycle maintenance for your RDS master user password including regular and automatic password rotations; removing the need for you to manage rotations using custom Lambda functions."

The life become significantly easier - you just need to select the option

  master_username                     = var.admin_user_name
  manage_master_user_password         = true
Enter fullscreen mode Exit fullscreen mode

And it will create secret for you. The rotation schedule by default is 7 days.

Image description

And that's it. We created RDS cluster and managing master password in most secure way with enabled rotation.

In the next post I will be providing details on how to configure secure access to RDS instances using Terraform

https://dev.to/aws-builders/securely-connect-to-an-amazon-rds-2i3p

Top comments (0)