4

I'm new to Stack Overflow. Apologies if I didn't format it right. I'm currently using Terraform to provision aurora-rds. Problem is, I shouldn't be having the db master-password as plaintext sitting in the .tf file. I've been using this config initially with a plaintext password.

    engine          = "aurora-mysql"
    engine_version  = "5.7.12"
    cluster_family  = "aurora-mysql5.7"
    cluster_size    = "1"
    namespace       = "eg"
    stage           = "dev"
    admin_user      = "admin"
    admin_password  = "passwordhere"
    db_name         = "dbname"
    db_port         = "3306"

I'm looking for a solution where I can skip a plaintext password like the one shown above and have something auto-generated that can be included in the Terraform file. Also, I must be able to retrieve the password so that I can use it to configure the WordPress server.

https://gist.github.com/smiller171/6be734957e30c5d4e4b15422634f13f4 I came across this solution, but I'm not sure how to retrieve the password to use it on the server. Well, I haven't deployed this yet either.

mchawre
user11411591

1 Answer

1

As you mentioned in your question, there is a workaround, which you haven't yet tried.

I suggest trying that first, and if it's successful, then to retrieve the password use the Terraform output resource.

    # Expose the generated master password as a Terraform output
    output "db_password" {
      value       = "${random_string.db_master_pass.result}"
      description = "db password"
    }

Once your Terraform run is completed, you can retrieve that value using terraform output db_password, or if you want to refer to that password somewhere in the Terraform code itself, then refer directly to that variable: ${db_password}

mchawre
  • 6
    While the solution above does not display the password in plain text in any Terraform output, it still displays it in your statefile. – HiTekHippy Oct 07 '20 at 16:03
  • 1
    It's not advised to do this. I suggest using AWS Secrets manager and 'random_password'. https://stackoverflow.com/a/69692526/13155217 – Bruno Schaatsbergen Oct 23 '21 at 22:31
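
The combination named in the last comment (`random_password` plus AWS Secrets Manager), as an added example that is not part of the original thread or of the linked answer. It assumes Terraform 0.12 or later with the `aws` and `random` providers already configured; the resource labels, the secret name and the output name are illustrative choices.

```hcl
# Added example; resource labels, secret name and output name are assumptions.

# random_password marks its result as sensitive, so plan/apply console output
# is redacted. The value is still written to the state file in plaintext.
resource "random_password" "db_master_pass" {
  length  = 32
  special = true
  # Leave out '/', '@', quotes and spaces, which RDS rejects in a master password.
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

# Container for the secret (name is an assumed convention: namespace/stage/...).
resource "aws_secretsmanager_secret" "db_master" {
  name = "eg/dev/aurora/master-password"
}

# The generated value becomes the current version of the secret.
resource "aws_secretsmanager_secret_version" "db_master" {
  secret_id     = aws_secretsmanager_secret.db_master.id
  secret_string = random_password.db_master_pass.result
}

# In the cluster configuration from the question, replace the literal with:
#   admin_password = random_password.db_master_pass.result

# Output only the ARN, never the password. The WordPress host, given an IAM
# role allowing secretsmanager:GetSecretValue on this ARN, reads the value with:
#   aws secretsmanager get-secret-value --secret-id <arn> \
#       --query SecretString --output text
output "db_master_secret_arn" {
  value       = aws_secretsmanager_secret.db_master.arn
  description = "ARN of the Secrets Manager secret holding the DB master password"
}
```

Because the generated value still lands in the state file, as the first comment points out, keep the state in an encrypted remote backend with access restricted to the people and pipelines that run Terraform.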