Since pulumi isn’t automatically setting the passw...
# aws
f
Since pulumi isn’t automatically setting the password, is there a way to generate a UUID with pulumi that is persisted so it doesn’t keep changing the password? Changing the password as a form of rotation isn’t a bad idea, but it does create a gap where the applications are either using the old password or the new password before RDS has changed.
c
The password could be a pulumi secret that you pass into your stack https://www.pulumi.com/docs/intro/concepts/config/
f
@colossal-plastic-46140 Yeah I am trying to get away from loading stuff into the stack
It bothers me, since I should be able to set configs directly from pulumi instead of cli.
c
I was under the impression that in these cases where you have an RDS and let's say 5 apps that use this RDS. I think you have a couple of options:
1. Create a shared stack that has the config details for the user/pass
2. Once creating a random password, you use that login to create a bunch of new logins for your services
3. Ditch logins altogether and use IAM roles. This is a caveat that everything needs to be inside AWS
f
We don’t have that scenario
r
I'm thinking of using the randomPassword module to set a static secret for the master password, but using secret manager to manage database users for each application's read and write roles, then enabling secret rotation for those secrets since RDS rotation is a built-in lambda
f
We want to keep things simple and just attach the password (and others) as files on a mounted volume. Using the RandomPassword generator works fine for that. It actually solves my issue. The concern is rotation and making sure applications are up to date. ConfigMap changes are not hot reloaded so it’s tricky.
r
ah, you're using k8s. my apologies. yeah that sounds like it would work pretty well then. set up a file watcher in your app for when the secret value changes and you're all set 👍
g
The pulumi.Random provider was built for this exact purpose.