Manage RDS password in Terraform in a sane way

database.tf

resource "random_password" "db_master_pass" {
  length            = 40
  special           = true
  min_special       = 5
  override_special  = "!#$%^&*()-_=+[]{}<>:?"
  keepers           = {
    pass_version  = 1
  }
}

resource "aws_db_instance" "mysql_db" {
  username                            = "mysql_user"
  password                            = random_password.db_master_pass.result
  ...
}

secret.tf

resource "aws_secretsmanager_secret" "db-pass" {
  name = "db-pass-${terraform.workspace}"
}

resource "aws_secretsmanager_secret_version" "db-pass-val" {
  secret_id     = aws_secretsmanager_secret.db-pass.id
  secret_string = random_password.db_master_pass.result
}

You also have to account for potential secrets leakage in your plans though. We've started building modules (like this one) that create secrets with a lambda so they're never in TF state. There's varying levels of native support for Secrets Manager though of course.

Just when I think I'm right about something, I get shown something far more clever than I could've imagined 😂