cloudposse-terraform-components · goruha · Oct 14, 2025 · Oct 9, 2025
diff --git a/src/main.tf b/src/main.tf
@@ -1,6 +1,11 @@
 locals {
   enabled         = module.this.enabled
-  create_password = local.enabled && (var.master_password == null || var.master_password == "")
+  create_password = local.enabled && var.master_password == null && var.manage_master_user_password == null
+  # 1. If manage_master_user_password is not null, AWS manages the password (master_password must be null)
+  # 2. If master_password is provided, that value is used (manage_master_user_password must be null)
+  # 3. If both are null, the module creates a random password
+  master_password = local.create_password ? one(random_password.master_password[*].result) : var.master_password
+
 }
 
 module "documentdb_cluster" {
@@ -27,9 +32,10 @@ module "documentdb_cluster" {
   apply_immediately          = var.apply_immediately
   auto_minor_version_upgrade = var.auto_minor_version_upgrade
 
-  db_port         = var.db_port
-  master_username = var.master_username
-  master_password = local.create_password ? one(random_password.master_password[*].result) : var.master_password
+  db_port                     = var.db_port
+  master_username             = var.master_username
+  master_password             = var.manage_master_user_password != null ? null : local.master_password
+  manage_master_user_password = var.manage_master_user_password
 
   vpc_id                  = module.vpc.outputs.vpc_id
   subnet_ids              = module.vpc.outputs.private_subnet_ids

diff --git a/src/ssm.tf b/src/ssm.tf
@@ -15,7 +15,7 @@ resource "random_password" "master_password" {
   special = false
   upper   = true
   lower   = true
-  number  = true
+  numeric = true
 
   min_special = 0
   min_upper   = 1

diff --git a/src/variables.tf b/src/variables.tf
@@ -40,6 +40,16 @@ variable "master_password" {
   description = "(Required unless a snapshot_identifier is provided) Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Please refer to the DocumentDB Naming Constraints"
 }
 
+variable "manage_master_user_password" {
+  type        = bool
+  description = "Whether to manage the master user password using AWS Secrets Manager."
+  default     = null
+  validation {
+    condition     = var.manage_master_user_password == null || var.manage_master_user_password == true
+    error_message = "Error: `manage_master_user_password` must be set to `true` or `null`"
+  }
+}
+
 variable "retention_period" {
   type        = number
   default     = 5

diff --git a/src/versions.tf b/src/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.0, < 6.0.0"
+      version = ">= 5.29.0, < 6.0.0"
     }
     random = {
       source  = "hashicorp/random"