non-interactive consumption pattern for Vault secrets engine for RDS DB instance
# Random UUID that seeds the generated database name (consumed by aws_db_instance.default).
resource "random_uuid" "default" {
}
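# Random word used as the RDS master username.
# The RDS MySQL master username may only contain letters, digits and
# underscores, must start with a letter and is limited to 16 characters.
# random_pet's defaults (two words joined by "-") violate both constraints:
# the hyphen is rejected outright and adjective+animal pairs regularly
# exceed 16 characters. A single word with no separator stays valid.
resource "random_pet" "default" {
  length    = 1
  separator = ""
}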
# Master password for the RDS instance.
# RDS rejects "/", "@", '"' and spaces in master passwords, so the allowed
# special characters are pinned to the override set below. MySQL on RDS
# accepts 8-41 characters; 16 is inside that range.
# The generated value is persisted in Terraform state, so the state backend
# needs the same protection as the secret itself.
resource "random_password" "default" {
  override_special = "!#$%&*()-_=+[]{}<>:?"
  special          = true
  length           = 16
}
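# MySQL RDS instance whose master credentials are handed to Vault below.
#
# db_name must satisfy the RDS MySQL constraints: 1-64 letters or digits,
# first character a letter. A raw UUID contains hyphens and may begin with a
# digit, and the original "%s-%s-db" layout added further hyphens, so the
# create call was rejected by the API. Here the UUID's hyphens are stripped,
# the application name is reduced to lowercase alphanumerics, and a fixed
# "db" prefix guarantees a leading letter. Keep var.application at 30
# characters or fewer so the result stays within the 64-character limit.
resource "aws_db_instance" "default" {
  allocated_storage = 10
  db_name = format(
    "db%s%s",
    replace(lower(var.application), "/[^a-z0-9]/", ""),
    replace(random_uuid.default.result, "-", "")
  )
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t3.micro"
  username             = random_pet.default.id
  password             = random_password.default.result
  parameter_group_name = "default.mysql5.7"
  # No final snapshot on destroy: acceptable for a throwaway dev instance only.
  skip_final_snapshot = true
  # NOTE(review): storage_encrypted, deletion_protection and
  # publicly_accessible are left at provider defaults here; confirm those
  # defaults match the intended environment before reusing this pattern.
}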
# Database secrets engine mounted at a path derived from the DB name, so
# every instance created from this pattern gets its own mount.
resource "vault_mount" "default" {
  type = "database"
  path = aws_db_instance.default.db_name
}
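# Connection from the Vault database secrets engine to the RDS instance,
# authenticated with the master credentials.
#
# allowed_roles must list the names of the roles permitted to use this
# connection. The role defined below is named after the database
# (aws_db_instance.default.db_name), so the original ["dev", "prod"] could
# never match it and every credential request would have been refused by
# Vault. The list now names the role that actually exists.
#
# The master password is known to Terraform (state) as well as to Vault.
# Rotating it through the engine's rotate-root endpoint after the first
# apply leaves Vault as the only holder of the live root credential.
resource "vault_database_secret_backend_connection" "default" {
  backend       = vault_mount.default.path
  name          = aws_db_instance.default.db_name
  allowed_roles = [aws_db_instance.default.db_name]

  mysql_rds {
    username = aws_db_instance.default.username
    password = aws_db_instance.default.password
    # Vault substitutes {{username}}/{{password}} at connect time;
    # aws_db_instance.endpoint is "address:port", which the tcp() DSN expects.
    connection_url = format(
      "{{username}}:{{password}}@tcp(%s)/",
      aws_db_instance.default.endpoint
    )
  }
}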
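# Role that issues dynamic MySQL credentials for the connection above.
#
# The connection uses the mysql_rds plugin, so creation_statements must be
# MySQL. The original used the PostgreSQL form
# (CREATE ROLE ... WITH LOGIN PASSWORD ... VALID UNTIL ...), which MySQL
# rejects, so no credential could ever be created. Vault fills in
# {{name}} and {{password}}; MySQL has no VALID UNTIL, so lease expiry is
# enforced by Vault's revocation (DROP USER) rather than in the grant.
#
# Privileges are limited to SELECT on this instance's own database; the
# database identifier is backtick-quoted so the statement stays valid for
# any db_name. Widen privileges deliberately rather than reaching for *.*.
# Lease lifetimes fall back to the mount defaults unless default_ttl /
# max_ttl are set on this resource.
resource "vault_database_secret_backend_role" "default" {
  backend = vault_mount.default.path
  name    = aws_db_instance.default.db_name
  db_name = vault_database_secret_backend_connection.default.name

  creation_statements = [
    "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';",
    "GRANT SELECT ON `${aws_db_instance.default.db_name}`.* TO '{{name}}'@'%';"
  ]
}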