feat: add support for AWS-managed master password

RoseSecurity · RoseSecurity · commit 2ec6acb7b6f4 · 2025-10-09T09:32:40.000-04:00
This update introduces the `manage_master_user_password` variable, allowing
the module to use AWS Secrets Manager for managing the DocumentDB master
user password. The logic in `main.tf` is updated to handle three cases:
1) AWS-managed password, 2) user-provided password, and 3) auto-generated
password. Also updates the AWS provider version constraint and fixes a
typo in the random_password resource.
diff --git a/src/main.tf b/src/main.tf
@@ -1,6 +1,11 @@
 locals {
   enabled         = module.this.enabled
-  create_password = local.enabled && (var.master_password == null || var.master_password == "")
+  create_password = local.enabled && var.master_password == null && var.manage_master_user_password == null
+  # 1. If manage_master_user_password is not null, AWS manages the password (master_password must be null)
+  # 2. If master_password is provided, that value is used (manage_master_user_password must be null)
+  # 3. If both are null, the module creates a random password
+  master_password = local.create_password ? one(random_password.master_password[*].result) : var.master_password
+
 }
 
 module "documentdb_cluster" {
@@ -27,9 +32,10 @@ module "documentdb_cluster" {
   apply_immediately          = var.apply_immediately
   auto_minor_version_upgrade = var.auto_minor_version_upgrade
 
-  db_port         = var.db_port
-  master_username = var.master_username
-  master_password = local.create_password ? one(random_password.master_password[*].result) : var.master_password
+  db_port                     = var.db_port
+  master_username             = var.master_username
+  master_password             = var.manage_master_user_password != null ? null : local.master_password
+  manage_master_user_password = var.manage_master_user_password
 
   vpc_id                  = module.vpc.outputs.vpc_id
   subnet_ids              = module.vpc.outputs.private_subnet_ids
diff --git a/src/ssm.tf b/src/ssm.tf
@@ -15,7 +15,7 @@ resource "random_password" "master_password" {
   special = false
   upper   = true
   lower   = true
-  number  = true
+  numeric = true
 
   min_special = 0
   min_upper   = 1
diff --git a/src/variables.tf b/src/variables.tf
@@ -40,6 +40,16 @@ variable "master_password" {
   description = "(Required unless a snapshot_identifier is provided) Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Please refer to the DocumentDB Naming Constraints"
 }
 
+variable "manage_master_user_password" {
+  type        = bool
+  description = "Whether to manage the master user password using AWS Secrets Manager."
+  default     = null
+  validation {
+    condition     = var.manage_master_user_password == null || var.manage_master_user_password == true
+    error_message = "Error: `manage_master_user_password` must be set to `true` or `null`"
+  }
+}
+
 variable "retention_period" {
   type        = number
   default     = 5
diff --git a/src/versions.tf b/src/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.0, < 6.0.0"
+      version = ">= 5.29.0, < 6.0.0"
     }
     random = {
       source  = "hashicorp/random"

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 3.0, < 6.0.0"`
	`7`	`+ version = ">= 5.29.0, < 6.0.0"`
`8`	`8`	`}`
`9`	`9`	`random = {`
`10`	`10`	`source = "hashicorp/random"`