manage root password

deploy/aws-dev/modules/cluster/main.tf

@@ -691,18 +691,25 @@ resource "aws_db_subnet_group" "default" {
 }
 
 resource "aws_db_instance" "postgres_db" {
-  identifier           = "${var.prefix}-postgres"
-  engine               = "postgres"
-  engine_version       = "13.8"
-  db_subnet_group_name = aws_db_subnet_group.default.name
-  instance_class       = "db.t4g.medium"
-  allocated_storage    = 20
-  storage_type         = "gp2"
-  username             = "postgres"
-  password             = "password"
-  db_name              = "main"
-  skip_final_snapshot  = true
+  identifier                  = "${var.prefix}-postgres"
+  engine                      = "postgres"
+  engine_version              = "13.8"
+  db_subnet_group_name        = aws_db_subnet_group.default.name
+  instance_class              = "db.t4g.medium"
+  allocated_storage           = 20
+  storage_type                = "gp2"
+  username                    = "postgres"
+  manage_master_user_password = true
+  db_name                     = "main"
+  skip_final_snapshot         = true
 
   depends_on = [aws_db_subnet_group.default]
 }
 
+data "aws_secretsmanager_secret" "rds_secret" {
+  arn = aws_db_instance.postgres_db.master_user_secret[0].secret_arn
+}
+
+data "aws_secretsmanager_secret_version" "current" {
+  secret_id = data.aws_secretsmanager_secret.rds_secret.id
+}

deploy/aws-dev/modules/cluster/outputs.tf

@@ -31,4 +31,10 @@ output "vpc_id" {
 output "public_subnets" {
   description = "Public subnets"
   value       = "${aws_subnet.public-us-east-1a.id},${aws_subnet.public-us-east-1b.id}"
-}
+}
+
+output "db_secret" {
+  value       = data.aws_secretsmanager_secret_version.current.secret_string
+  description = "The database master secret"
+  sensitive   = true
+}