<p>この記事は <a href="https://qiita.com/advent-calendar/2023/terraform" target="_blank" rel="nofollow noopener noreferrer">terraform Advent Calendar 2023</a> の 20日目（シリーズ2）の記事です。</p>
<h2 id="%E5%AE%9F%E6%96%BD%E3%81%AE%E3%81%8D%E3%81%A3%E3%81%8B%E3%81%91">
<a class="header-anchor-link" href="#%E5%AE%9F%E6%96%BD%E3%81%AE%E3%81%8D%E3%81%A3%E3%81%8B%E3%81%91" aria-hidden="true"></a> 実施のきっかけ</h2>
<p>マスターユーザーのパスワードをローテーションさせるというチケットが長く塩漬けになっていたところに、この記事に出会いました。</p>
<p><span class="embed-block zenn-embedded zenn-embedded-card"><iframe id="zenn-embedded__8d6a5a6a88715" src="https://embed.zenn.studio/card#zenn-embedded__8d6a5a6a88715" data-content="https%3A%2F%2Ftech.isid.co.jp%2Fentry%2Fterraform_manage_master_user_password" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://tech.isid.co.jp/entry/terraform_manage_master_user_password" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://tech.isid.co.jp/entry/terraform_manage_master_user_password</a></p>
<p>この記事により、Secrets Managerへの保存とローテーションを自動化できるようになっていた（2022/12）ことを知りました。</p>
<p><span class="embed-block zenn-embedded zenn-embedded-card"><iframe id="zenn-embedded__31d8d4ec60cb2" src="https://embed.zenn.studio/card#zenn-embedded__31d8d4ec60cb2" data-content="https%3A%2F%2Faws.amazon.com%2Fjp%2Fabout-aws%2Fwhats-new%2F2022%2F12%2Famazon-rds-integration-aws-secrets-manager%2F" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://aws.amazon.com/jp/about-aws/whats-new/2022/12/amazon-rds-integration-aws-secrets-manager/" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://aws.amazon.com/jp/about-aws/whats-new/2022/12/amazon-rds-integration-aws-secrets-manager/</a></p>
<blockquote>
<p>Amazon RDS は、RDS データベースインスタンスのマスターユーザーパスワードの管理方法を合理化するため、AWS Secrets Manager との統合をサポートするようになりました。</p>
</blockquote>
<h2 id="aws-provider-v4.61.0">
<a class="header-anchor-link" href="#aws-provider-v4.61.0" aria-hidden="true"></a> AWS provider v4.61.0</h2>
<p>v4.61.0（2023/05/31）以降のAWS providerでSecrets Managerとの統合が利用できるようになります。</p>
<p><span class="embed-block zenn-embedded zenn-embedded-card"><iframe id="zenn-embedded__7a1ea38d58e6b" src="https://embed.zenn.studio/card#zenn-embedded__7a1ea38d58e6b" data-content="https%3A%2F%2Fgithub.com%2Fhashicorp%2Fterraform-provider-aws%2Freleases%2Ftag%2Fv4.61.0" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://github.com/hashicorp/terraform-provider-aws/releases/tag/v4.61.0" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://github.com/hashicorp/terraform-provider-aws/releases/tag/v4.61.0</a></p>
<blockquote>
<ul>
<li>resource/aws_db_instance: Add <code>manage_master_user_password</code>, <code>master_user_secret</code> and <code>master_user_secret_kms_key_id</code> arguments to support RDS managed master password in Secrets Manager (#28848)</li>
<li>resource/aws_rds_cluster: Add <code>manage_master_user_password</code>, <code>master_user_secret</code> and <code>master_user_secret_kms_key_id</code> arguments to support RDS managed master password in Secrets Manager (#28848)</li>
</ul>
</blockquote>
<p>リリースノートからのコピペですが、<code>master_user_secret</code>は正しくはargumentではなくattributeです（後で使います）。</p>
<h2 id="aws-provider-v5.22.0">
<a class="header-anchor-link" href="#aws-provider-v5.22.0" aria-hidden="true"></a> AWS provider v5.22.0</h2>
<p>v5.22.0（2023/10/20）ではスナップショットまたはポイントインタイムリカバリからの復元によって作成した<code>aws_db_instance</code>で<code>manage_master_user_password</code>が効かない問題が修正されています（<code>aws_rds_cluster</code>ではこの問題は発生していません）。</p>
<p><span class="embed-block zenn-embedded zenn-embedded-card"><iframe id="zenn-embedded__cb3e7701f04b3" src="https://embed.zenn.studio/card#zenn-embedded__cb3e7701f04b3" data-content="https%3A%2F%2Fgithub.com%2Fhashicorp%2Fterraform-provider-aws%2Freleases%2Ftag%2Fv5.22.0" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.22.0" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://github.com/hashicorp/terraform-provider-aws/releases/tag/v5.22.0</a></p>
<p><span class="embed-block zenn-embedded zenn-embedded-card"><iframe id="zenn-embedded__73ef9f859e275" src="https://embed.zenn.studio/card#zenn-embedded__73ef9f859e275" data-content="https%3A%2F%2Fgithub.com%2Fhashicorp%2Fterraform-provider-aws%2Fpull%2F33699" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://github.com/hashicorp/terraform-provider-aws/pull/33699" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://github.com/hashicorp/terraform-provider-aws/pull/33699</a></p>
<h2 id="%E6%97%A2%E5%AD%98%E3%81%AEaws_rds_cluster%E3%81%A7manage_master_user_password%E3%82%92%E6%9C%89%E5%8A%B9%E3%81%AB%E3%81%99%E3%82%8B">
<a class="header-anchor-link" href="#%E6%97%A2%E5%AD%98%E3%81%AEaws_rds_cluster%E3%81%A7manage_master_user_password%E3%82%92%E6%9C%89%E5%8A%B9%E3%81%AB%E3%81%99%E3%82%8B" aria-hidden="true"></a> 既存のaws_rds_clusterでmanage_master_user_passwordを有効にする</h2>
<p>マスターユーザーはアプリケーションや運用で（一つの例外を除き）使っていないため、さくっと有効化します。</p>
<h3 id="%E6%9C%89%E5%8A%B9%E5%8C%96%E3%81%AE%E5%89%8D%E3%81%ABtfstate%E3%82%92%E8%A6%97%E3%81%8F">
<a class="header-anchor-link" href="#%E6%9C%89%E5%8A%B9%E5%8C%96%E3%81%AE%E5%89%8D%E3%81%ABtfstate%E3%82%92%E8%A6%97%E3%81%8F" aria-hidden="true"></a> 有効化の前にtfstateを覗く</h3>
<p><code>master_password</code>に平文でパスワードが書かれていました。</p>
<p><img src="https://storage.googleapis.com/zenn-user-upload/09376bcd6d1c-20231219.png" alt="state-before" loading="lazy" class="md-img"></p>
<h3 id="%E6%9C%89%E5%8A%B9%E5%8C%96%E3%81%99%E3%82%8B">
<a class="header-anchor-link" href="#%E6%9C%89%E5%8A%B9%E5%8C%96%E3%81%99%E3%82%8B" aria-hidden="true"></a> 有効化する</h3>
<p><code>master_password</code> argumentを削除して<code>manage_master_user_password = true</code>を追加するだけです。</p>
<h3 id="%E6%9C%89%E5%8A%B9%E5%8C%96%E3%81%97%E3%81%9F%E5%BE%8C%E3%81%ABtfstate%E3%82%92%E8%A6%97%E3%81%8F">
<a class="header-anchor-link" href="#%E6%9C%89%E5%8A%B9%E5%8C%96%E3%81%97%E3%81%9F%E5%BE%8C%E3%81%ABtfstate%E3%82%92%E8%A6%97%E3%81%8F" aria-hidden="true"></a> 有効化した後にtfstateを覗く</h3>
<p>最初から<code>manage_master_user_password = true</code>で作成すると<code>master_password</code>はnullになるようですが、途中で切り替えるとtfstateにはパスワードが書かれたままになります。<br>
すでに新しいパスワードがSecrets Managerに保存されているため、このパスワードはもう使えません。</p>
<p><img src="https://storage.googleapis.com/zenn-user-upload/de40f2425f47-20231219.png" alt="state-after" loading="lazy" class="md-img"></p>
<h3 id="secrets-manager%E3%82%92%E7%A2%BA%E8%AA%8D">
<a class="header-anchor-link" href="#secrets-manager%E3%82%92%E7%A2%BA%E8%AA%8D" aria-hidden="true"></a> Secrets Managerを確認</h3>
<p>RDSコンソールのConfigurationタブからSecrets Managerに飛べます。</p>
<p><img src="https://storage.googleapis.com/zenn-user-upload/bdd6d5943029-20231219.png" loading="lazy" class="md-img"></p>
<p>7日でローテーションするようになっています。</p>
<p><img src="https://storage.googleapis.com/zenn-user-upload/ebbfc5359141-20231219.png" loading="lazy" class="md-img"></p>
<details><summary>ローテーションの周期</summary><div class="details-content">
<p><span class="embed-block zenn-embedded zenn-embedded-card"><iframe id="zenn-embedded__2a3d0d25d973a" src="https://embed.zenn.studio/card#zenn-embedded__2a3d0d25d973a" data-content="https%3A%2F%2Fdocs.aws.amazon.com%2FAmazonRDS%2Flatest%2FAuroraUserGuide%2Frds-secrets-manager.html%23rds-secrets-manager-overview" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html#rds-secrets-manager-overview" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-secrets-manager.html#rds-secrets-manager-overview</a></p>
<blockquote>
<p>Aurora はシークレットの設定を管理し、デフォルトではシークレットを7日ごとにローテーションします。ローテーション スケジュールなど、一部の設定を変更できます。</p>
</blockquote>
<p>ModifyDBClusterなどのAPIにはこれを制御するパラメータはないため、「一部の設定を変更」はSecretを直接編集することによって可能になります。</p>
<p><span class="embed-block zenn-embedded zenn-embedded-card"><iframe id="zenn-embedded__e7b6a57cc8367" src="https://embed.zenn.studio/card#zenn-embedded__e7b6a57cc8367" data-content="https%3A%2F%2Fdocs.aws.amazon.com%2FAmazonRDS%2Flatest%2FAPIReference%2FAPI_ModifyDBCluster.html" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html</a></p>
</div></details>
<h2 id="secrets-manager%E3%81%AB%E4%BF%9D%E5%AD%98%E3%81%95%E3%82%8C%E3%81%9F%E3%83%91%E3%82%B9%E3%83%AF%E3%83%BC%E3%83%89%E3%82%92mysql-provider%E3%81%A7%E4%BD%BF%E3%81%86">
<a class="header-anchor-link" href="#secrets-manager%E3%81%AB%E4%BF%9D%E5%AD%98%E3%81%95%E3%82%8C%E3%81%9F%E3%83%91%E3%82%B9%E3%83%AF%E3%83%BC%E3%83%89%E3%82%92mysql-provider%E3%81%A7%E4%BD%BF%E3%81%86" aria-hidden="true"></a> Secrets Managerに保存されたパスワードをMySQL providerで使う</h2>
<p>唯一の例外としてMySQL providerの動作にはマスターユーザーを利用していました。<br>
HashiCorpのMySQL providerがアーカイブされてからは非公式forkを利用しています。</p>
<p><span class="embed-block zenn-embedded zenn-embedded-card"><iframe id="zenn-embedded__1ed991a6a4be" src="https://embed.zenn.studio/card#zenn-embedded__1ed991a6a4be" data-content="https%3A%2F%2Fgithub.com%2Fpetoju%2Fterraform-provider-mysql" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://github.com/petoju/terraform-provider-mysql" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://github.com/petoju/terraform-provider-mysql</a></p>
<p>以前はパラメータストアにマスターユーザーのパスワードを保存し、dataで参照していました。<br>
自前で用意したパラメータのため<code>name</code>で簡単にdataを取得できていましたが、RDSとの統合により自動作成されたSecretの名前やARNは事前には予測できません。</p>
<p>そのため、<code>aws_rds_cluster</code>の<a href="https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_user_secret" target="_blank" rel="nofollow noopener noreferrer">attribute</a>からSecretのARNを入手することになります。<br>
その際<code>master_user_secret.secret_arn</code>ではなく <strong><code>master_user_secret[0].secret_arn</code></strong> とする必要があります。</p>
<div class="code-block-container"><pre class="language-hcl"><code class="language-hcl"><span class="token keyword">provider<span class="token type variable"> "mysql" </span></span><span class="token punctuation">{</span>
  <span class="token property">endpoint</span> <span class="token punctuation">=</span> <span class="token string">"<span class="token interpolation"><span class="token punctuation">$</span><span class="token punctuation">{</span><span class="token keyword">local</span><span class="token punctuation">.</span><span class="token type variable">mysql_host</span><span class="token punctuation">}</span></span>:<span class="token interpolation"><span class="token punctuation">$</span><span class="token punctuation">{</span><span class="token keyword">var</span><span class="token punctuation">.</span><span class="token type variable">mysql_port</span><span class="token punctuation">}</span></span>"</span>
  <span class="token property">username</span> <span class="token punctuation">=</span> jsondecode(data.aws_secretsmanager_secret_version.master_password.secret_string)<span class="token punctuation">[</span><span class="token string">"username"</span><span class="token punctuation">]</span>
  <span class="token property">password</span> <span class="token punctuation">=</span> jsondecode(data.aws_secretsmanager_secret_version.master_password.secret_string)<span class="token punctuation">[</span><span class="token string">"password"</span><span class="token punctuation">]</span>
<span class="token punctuation">}</span>

<span class="token keyword">variable<span class="token type variable"> "mysql_port" </span></span><span class="token punctuation">{</span>
  <span class="token property">type</span>        <span class="token punctuation">=</span> number
<span class="token punctuation">}</span>

<span class="token keyword">data <span class="token type variable">"aws_rds_cluster"</span></span> <span class="token string">"this"</span> <span class="token punctuation">{</span>
  <span class="token property">cluster_identifier</span> <span class="token punctuation">=</span> local.cluster_identifier
<span class="token punctuation">}</span>

<span class="token keyword">data <span class="token type variable">"aws_secretsmanager_secret"</span></span> <span class="token string">"master_password"</span> <span class="token punctuation">{</span>
  <span class="token property">arn</span> <span class="token punctuation">=</span> data.aws_rds_cluster.this.master_user_secret<span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span>.secret_arn
<span class="token punctuation">}</span>

<span class="token keyword">data <span class="token type variable">"aws_secretsmanager_secret_version"</span></span> <span class="token string">"master_password"</span> <span class="token punctuation">{</span>
  <span class="token property">secret_id</span> <span class="token punctuation">=</span> data.aws_secretsmanager_secret.master_password.id
<span class="token punctuation">}</span>
</code></pre></div><p>AWS API的には複数存在することはなさそうですが、</p>
<p><span class="embed-block zenn-embedded zenn-embedded-github"><iframe id="zenn-embedded__879164fdfc592" src="https://embed.zenn.studio/github#zenn-embedded__879164fdfc592" data-content="https%3A%2F%2Fgithub.com%2Faws%2Faws-sdk-go%2Fblob%2F394d04f7e36b85532cede3eb815a6a23413b2eaa%2Fservice%2Frds%2Fapi.go%23L26834" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://github.com/aws/aws-sdk-go/blob/394d04f7e36b85532cede3eb815a6a23413b2eaa/service/rds/api.go#L26834" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://github.com/aws/aws-sdk-go/blob/394d04f7e36b85532cede3eb815a6a23413b2eaa/service/rds/api.go#L26834</a></p>
<p><span class="embed-block zenn-embedded zenn-embedded-github"><iframe id="zenn-embedded__2ff3916d76516" src="https://embed.zenn.studio/github#zenn-embedded__2ff3916d76516" data-content="https%3A%2F%2Fgithub.com%2Fhashicorp%2Fterraform-provider-aws%2Fblob%2F91e190128b0c476411215ba1fae6425de5a9bfaf%2Finternal%2Fservice%2Frds%2Fcluster.go%23L1174-L1175" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://github.com/hashicorp/terraform-provider-aws/blob/91e190128b0c476411215ba1fae6425de5a9bfaf/internal/service/rds/cluster.go#L1174-L1175" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://github.com/hashicorp/terraform-provider-aws/blob/91e190128b0c476411215ba1fae6425de5a9bfaf/internal/service/rds/cluster.go#L1174-L1175</a></p>
<p>attributeのtypeはlistになっているため、<code>master_user_secret[0]</code>とする必要がありました。</p>
<p><span class="embed-block zenn-embedded zenn-embedded-github"><iframe id="zenn-embedded__3d6bbd2a1239" src="https://embed.zenn.studio/github#zenn-embedded__3d6bbd2a1239" data-content="https%3A%2F%2Fgithub.com%2Fhashicorp%2Fterraform-provider-aws%2Fblob%2F91e190128b0c476411215ba1fae6425de5a9bfaf%2Finternal%2Fservice%2Frds%2Fcluster.go%23L277-L278" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://github.com/hashicorp/terraform-provider-aws/blob/91e190128b0c476411215ba1fae6425de5a9bfaf/internal/service/rds/cluster.go#L277-L278" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://github.com/hashicorp/terraform-provider-aws/blob/91e190128b0c476411215ba1fae6425de5a9bfaf/internal/service/rds/cluster.go#L277-L278</a></p>
<p>これはどうも型の選択肢の都合でそうなっているみたいです。</p>
<p><span class="embed-block zenn-embedded zenn-embedded-card"><iframe id="zenn-embedded__de7ea799cd053" src="https://embed.zenn.studio/card#zenn-embedded__de7ea799cd053" data-content="https%3A%2F%2Fdeveloper.hashicorp.com%2Fterraform%2Fplugin%2Fsdkv2%2Fschemas%2Fschema-types" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-types" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://developer.hashicorp.com/terraform/plugin/sdkv2/schemas/schema-types</a></p>
<p><span class="embed-block zenn-embedded zenn-embedded-github"><iframe id="zenn-embedded__cdbbe25d5d12a" src="https://embed.zenn.studio/github#zenn-embedded__cdbbe25d5d12a" data-content="https%3A%2F%2Fgithub.com%2Fhashicorp%2Fterraform-plugin-sdk%2Fblob%2Ff3f8b0791224809d2d7ce6942fddde57ab686bd1%2Fhelper%2Fschema%2Fvaluetype.go%23L15-L22" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://github.com/hashicorp/terraform-plugin-sdk/blob/f3f8b0791224809d2d7ce6942fddde57ab686bd1/helper/schema/valuetype.go#L15-L22" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://github.com/hashicorp/terraform-plugin-sdk/blob/f3f8b0791224809d2d7ce6942fddde57ab686bd1/helper/schema/valuetype.go#L15-L22</a></p>
<p>（typeObjectは非公開）</p>
<p><span class="embed-block zenn-embedded zenn-embedded-github"><iframe id="zenn-embedded__7084fec68365a" src="https://embed.zenn.studio/github#zenn-embedded__7084fec68365a" data-content="https%3A%2F%2Fgithub.com%2Fhashicorp%2Fterraform-plugin-sdk%2Fblob%2Ff3f8b0791224809d2d7ce6942fddde57ab686bd1%2Fhelper%2Fschema%2Fvaluetype.go%23L23" frameborder="0" scrolling="no" loading="lazy"></iframe></span><a href="https://github.com/hashicorp/terraform-plugin-sdk/blob/f3f8b0791224809d2d7ce6942fddde57ab686bd1/helper/schema/valuetype.go#L23" style="display:none" target="_blank" rel="nofollow noopener noreferrer">https://github.com/hashicorp/terraform-plugin-sdk/blob/f3f8b0791224809d2d7ce6942fddde57ab686bd1/helper/schema/valuetype.go#L23</a></p>


RDSのマスターユーザーパスワードを自動ローテーションさせる

既存のaws_rds_clusterでmanage_master_user_passwordを有効にする

Secrets Managerに保存されたパスワードをMySQL providerで使う

Discussion