No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I can’t see why not :slightly_smiling_face:

I’d go that way:
• create a random password using `pulumi-random` module (<https://github.com/pulumi/pulumi-random>)
• save this password to SecretManager using <https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/secret/>
• create RDS database using <https://www.pulumi.com/registry/packages/aws/api-docs/rds/instance/> (and passing the password created in the first step)

Yeah, thanks for the prompt response. I was looking for an option where I can leverage Credentials for RDS database feature of Secret Manager itself.

but yes if thats not feasible then your solutions is the way to go..

I’m not that familiar with AWS so not sure if I can help. Can you share a link to AWS docs where this feature is described?

<https://aws.amazon.com/blogs/security/rotate-amazon-rds-database-credentials-automatically-with-aws-secrets-manager/>

well, I guess it’s double but it’s not gonna be as straightforward as we’d like it to be :smile:

&gt; Secret manager is the way to go. However, the password rotation will be an issue. *When you enable rotation in AWS console, AWS magically provisions a lambda for you.* If you don’t use console, <https://docs.aws.amazon.com/secretsmanager/latest/userguide/enable-rotation-rds.html|command line steps> are a bit more involving as they require the use of aws serverless repo (SAR). Sadly, official support for SAR is <https://github.com/terraform-providers/terraform-provider-aws/issues/3981|not yet avaiable> in terraform. Thus you would have to use `local-exec` provisioner to run aws cli to create rotation lambda as in the linked documentation using SAR.
source: <https://stackoverflow.com/a/63546950>

I can see that pulumi has some resources for that <https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/secretrotation/>

However, I’m not sure how you should actually “connect” the password from secret manager to RDS so it’s gonna be in sync :thinking_face:

Oh… I think I might get it now… You need to provide the lambda function to actually rotate the password in related services (in this case, RDS database). Right now it’s just a guess on my side. If I’m right, it means that AWS creates a lambda function automatically for that when you use Web Console and in case of IaC, you have to do that on your own (that’s no surprise - many single-clicks on web ui are in fact a series of operations).

hah, it seems I might have guessed just right

<@U02HHMBQF1N> take a look at this:
<https://github.com/giuseppeborgese/terraform-aws-secret-manager-with-rotation>

thanks Jakub for providing useful information, really appreciate for your prompt responses