Adjust admin-login module to handle replica

Saves the replica database url to the same secrets so its value can be exposed as env variable when needed.

rds-postgres/admin-login/main.tf

@@ -8,15 +8,7 @@ module "secret" {
   resource_tags    = var.tags
   trust_tags       = var.trust_tags
 
-  initial_value = jsonencode({
-    dbname       = var.database_name
-    engine       = data.aws_db_instance.this.engine
-    host         = data.aws_db_instance.this.address
-    replica_host = data.aws_db_instance.replica.address
-    password     = var.initial_password
-    port         = tostring(data.aws_db_instance.this.port)
-    username     = var.username
-  })
+  initial_value = jsonencode(local.initial_secret_value)
 }
 
 module "rotation" {
@@ -79,9 +71,22 @@ data "aws_db_instance" "this" {
 }
 
 data "aws_db_instance" "replica" {
+  count = var.replica_identifier ? 1 : 0
+
   db_instance_identifier = var.replica_identifier
 }
 
 locals {
   full_name = join("-", ["rds-postgres", var.identifier])
+
+  base_value = {
+    dbname       = var.database_name
+    engine       = data.aws_db_instance.this.engine
+    host         = data.aws_db_instance.this.address
+    password     = var.initial_password
+    port         = tostring(data.aws_db_instance.this.port)
+    username     = var.username
+  }
+
+  initial_secret_value = var.replica_identifier ? merge(locals.base_value, { replica_host = data.aws_db_instance.replica.address }) : local.base_value
 }

rds-postgres/admin-login/variables.tf

@@ -34,6 +34,7 @@ variable "read_principals" {
 variable "replica_identifier" {
   description = "Identifier of the database replica"
   type        = string
+  default     = null
 }
 
 variable "secret_name" {