Let’s assume the master password was already generated earlier, entirely in Terraform configuration templates. The code looks somewhat like this:
Let’s find the key for the random_password.rds_password resource in the state:
terraform state list | grep "random_password.rds_password"
For the purposes of this article, the key will be exactly random_password.rds_password. But in the case of more complex infrastructure configuration, it can be e.g.
Replace the resource
The generated password resource is already saved in the infrastructure state. Terraform will not attempt to change it on its own, but we can tell it to do so. It can be achieved using the apply command with the
The final command for our code example is:
terraform apply -replace="random_password.rds_password"
Terraform will show the plan of required changes in the infrastructure. After accepting the changes, the AWS RDS cluster will immediately try to change the master password.
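The grep shown earlier treats its argument as a regular expression and matches substrings, so it can also return addresses such as random_password.rds_password_replica. The script below is an added example, not code from the original article: it resolves exactly one state address before passing it to -replace and refuses to run when the match is missing or ambiguous. The function names and the sample state listing are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the article: pick the -replace target safely.

# Constructed `terraform state list` output so the demo runs offline.
SAMPLE_STATE='aws_rds_cluster.main
module.database.random_password.rds_password
module.database.aws_rds_cluster.main
random_password.rds_password_replica'

# resolve_address RESOURCE (hypothetical helper)
# Reads `terraform state list` output on stdin and prints the single address
# that is exactly RESOURCE, optionally module-prefixed and/or indexed.
# Exit status: 0 = one match, 1 = no match, 2 = more than one match.
resolve_address() {
  ra_want=$1
  ra_found=""
  ra_count=0
  while IFS= read -r ra_line; do
    case $ra_line in
      "$ra_want" | *".$ra_want" | "${ra_want}["*"]" | *".${ra_want}["*"]")
        ra_found=$ra_line
        ra_count=$((ra_count + 1))
        ;;
    esac
  done
  if [ "$ra_count" -eq 0 ]; then return 1; fi
  if [ "$ra_count" -gt 1 ]; then return 2; fi
  printf '%s\n' "$ra_found"
}

# rotate_password RESOURCE (hypothetical helper)
# Run inside an initialised Terraform working directory. Terraform still
# shows the plan and asks for confirmation, as described in the article.
rotate_password() {
  rp_addr=$(terraform state list | resolve_address "$1") || {
    echo "refusing to rotate: need exactly one state address for $1" >&2
    return 1
  }
  terraform apply -replace="$rp_addr"
}

# Offline demo against the constructed listing above.
printf '%s\n' "$SAMPLE_STATE" | resolve_address random_password.rds_password
```
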
Password rotation can be easily automated in the CI/CD system of your choice. GitLab CI/CD example:
Define the job above in the .gitlab-ci.yml file in the repository and head to CI/CD -> Schedules in the GitLab project. There you can add a schedule, in cron notation, that defines how often the CI job is triggered. More information is in the link to the GitLab repository at the end of the article.