8/16/2023 0 Comments Terraform bastion![]() ![]() The Lambda, the VPC, the resources inside, and various calls have some costs, but should be negligible as rotation happens rarely. I think the RDS endpoint is part of the database and as such it does not incur additional costs, but I’m not 100% sure about that. The Interface endpoint costs $0.01 / hour, which is $7.2 / month. Rotation is configured and clicking the “Rotate secret immediately” changes the stored password after a few seconds:Ī secret costs $0.4 / month. The rotator function is run with all the steps needed to change the password: TestingĪfter running terraform apply and waiting for the deployment to finish, the CloudFormation stack is created: Without it, there is a race condition: if the rotation is enabled first, the Lambda throws an error. This makes sure the initial password is in place before the rotation is setup so that the rotator Lambda can read the current value. Notice that the secret_id references the aws_secretsmanager_secret_version instead of the aws_secretsmanager_secret. # initial password resource "random_password" "db_master_pass" įinally, this part configures rotation for the secret. Its structure that is expected by the rotation function is described in the documentation: The secret itself needs to encode everything to change the password to be usable with the AWS-provided scripts. Because of this, rotation requires a somewhat complicated VPC-based networking setup just to wire everything together. The AWS scripts implement the second approad, so the Lambda they use require a connection to the database as well as the Secrets Manager service as described in the documentation. While the first approach does not rely on connectivity to the database, the second one does. The other one is to connect to the database, log in with the current credentials then issue a SET PASSWORD command. But combined with the Data API, things become complicated.Ĭhanging a password can be done in two distinct ways: one is to use the ModifyDBCluster AWS API. Theoretically, these ready-made solutions should make it easy to implement everything. Moreover, there are templates you can deploy directly. Luckily, AWS provides a template for this as well as implementations for different scenarios (such as this one for MySQL). Second, rotating a secret is a complicated process, consisting of Secrets Manager invoking a Lambda function multiple times with different steps. This turned out to be a complication later on. Since that means there is no need to make the database reachable, I did not want to expose it just because of rotation. It took me quite some time to figure out every detail of configuration to make it work.įirst, I used the Data API that does not go through the usual networking paths of a VPC but uses a different plane. It turned out that “supported by AWS” does not mean “easy” by any means. This gave an idea: why not set up rotation so that the password in the Terraform state is no longer valid? It is a best practice to change passwords from time to time, so this feels like a good solution. ![]() Secrets Manager supports password rotation. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |