#general

swift-australia-96791

10/20/2021, 7:37 AM
Hi all, can we create "Credentials for RDS database" in Secrets Manager using Pulumi?

prehistoric-activity-61023

10/20/2021, 8:23 AM
I can’t see why not 🙂 I’d go that way:
- create a random password using the pulumi-random module (https://github.com/pulumi/pulumi-random)
- save this password to Secrets Manager using https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/secret/
- create the RDS database using https://www.pulumi.com/registry/packages/aws/api-docs/rds/instance/ (and pass the password created in the first step)

swift-australia-96791

10/20/2021, 8:40 AM
Yeah, thanks for the prompt response. I was looking for an option where I can leverage the "Credentials for RDS database" feature of Secrets Manager itself.
But yes, if that's not feasible then your solution is the way to go.

prehistoric-activity-61023

10/20/2021, 8:42 AM
I’m not that familiar with AWS so not sure if I can help. Can you share a link to the AWS docs where this feature is described?

prehistoric-activity-61023

10/20/2021, 8:59 AM
Well, I guess it’s doable but it’s not gonna be as straightforward as we’d like it to be 😄

> Secrets Manager is the way to go. However, the password rotation will be an issue. When you enable rotation in the AWS console, AWS magically provisions a lambda for you. If you don’t use the console, the command line steps are a bit more involved as they require the use of the AWS Serverless Application Repository (SAR). Sadly, official support for SAR is not yet available in Terraform. Thus you would have to use the local-exec provisioner to run the AWS CLI to create the rotation lambda as in the linked documentation using SAR.

Source: https://stackoverflow.com/a/63546950

However, I’m not sure how you should actually “connect” the password from Secrets Manager to RDS so it’s gonna be in sync 🤔

Oh… I think I might get it now… You need to provide the lambda function to actually rotate the password in the related services (in this case, the RDS database). Right now it’s just a guess on my side. If I’m right, it means that AWS creates a lambda function automatically for that when you use the web console, and in the case of IaC you have to do that on your own (that’s no surprise: many single clicks on a web UI are in fact a series of operations).

Hah, it seems I might have guessed just right.

swift-australia-96791

10/20/2021, 1:34 PM
Thanks Jakub for providing useful information, I really appreciate your prompt responses.