I am trying to set up my infrastructure properly with no passwords or keys laying around. AWS RDS has an option to do so, by enabling users(applications) to authenticate with generated tokens.
However, in the documentation, one of the steps (this one) requires running a query in the Postgres database to create a user and grant it specific permissions:
    CREATE USER test_rds WITH LOGIN;
    GRANT rds_iam TO test_rds;
I want to provision the entire stack with Terraform. I have looked up some "hacks" to run the query (here) after the RDS instance is created, either using:
    resource "null_resource" "db_setup" {
      depends_on = ["aws_db_instance.your_database_instance", "aws_security_group.sg_allowing_external_access"]
      provisioner "local-exec" {
        // run shell commands to manually psql into the db
      }
    }
or:
    resource "aws_instance" "web" {
      provisioner "remote-exec" {
        inline = [
          // run shell commands to manually psql into the db
        ]
      }
    }
but both of them require creating a master password and somehow delivering it inside the "scripts".
Is it possible to do that with Terraform cleanly, with no hardcoded passwords getting passed around?
I would love to provision the database and enable only specific EC2/ECS instances with correct permissions to access it, without any passwords in my git repository.
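As an added example (not code from the question's author), the configuration below shows one way to get the whole chain into Terraform without a password in the repository: RDS generates and stores the master password in Secrets Manager (`manage_master_user_password`), the community `cyrilgdn/postgresql` provider reads that secret at apply time to create the `test_rds` role and grant it `rds_iam` (the equivalent of the two SQL statements above), and an IAM policy allows only the role attached to the chosen EC2 instance profile or ECS task to call `rds-db:connect` for that database user. The variables `db_sg_id`, `db_subnet_group` and `app_role_name`, the identifier `app-db` and the sizing values are assumptions for illustration.

```hcl
terraform {
  required_providers {
    aws        = { source = "hashicorp/aws" }
    postgresql = { source = "cyrilgdn/postgresql" }
  }
}

# Assumed inputs: networking for the DB and the IAM role used by the app's EC2/ECS workloads
variable "db_sg_id"        { type = string }
variable "db_subnet_group" { type = string }
variable "app_role_name"   { type = string }

# RDS instance with IAM auth on; the master password is generated and kept by RDS
resource "aws_db_instance" "app" {
  identifier                          = "app-db"
  engine                              = "postgres"
  instance_class                      = "db.t3.micro"
  allocated_storage                   = 20
  username                            = "masteruser"
  manage_master_user_password         = true   # no password literal anywhere in code
  iam_database_authentication_enabled = true
  vpc_security_group_ids              = [var.db_sg_id]
  db_subnet_group_name                = var.db_subnet_group
  skip_final_snapshot                 = true
}

# Read the RDS-managed secret only at apply time (it lands in state, not in git)
data "aws_secretsmanager_secret_version" "master" {
  secret_id = aws_db_instance.app.master_user_secret[0].secret_arn
}

locals {
  master = jsondecode(data.aws_secretsmanager_secret_version.master.secret_string)
}

# One-off bootstrap connection as the master user to create the IAM-authenticated role
provider "postgresql" {
  host      = aws_db_instance.app.address
  port      = aws_db_instance.app.port
  username  = local.master.username
  password  = local.master.password
  sslmode   = "require"
  superuser = false   # RDS master user is not a Postgres superuser
}

# CREATE USER test_rds WITH LOGIN;  GRANT rds_iam TO test_rds;
resource "postgresql_role" "app" {
  name  = "test_rds"
  login = true
  roles = ["rds_iam"]
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Only principals holding this policy can mint auth tokens for the test_rds DB user
data "aws_iam_policy_document" "db_connect" {
  statement {
    actions = ["rds-db:connect"]
    resources = [
      "arn:aws:rds-db:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbuser:${aws_db_instance.app.resource_id}/${postgresql_role.app.name}"
    ]
  }
}

resource "aws_iam_role_policy" "db_connect" {
  role   = var.app_role_name   # assumed: the instance-profile / task role of the permitted workloads
  policy = data.aws_iam_policy_document.db_connect.json
}
```

Two caveats a reviewer would raise: the `postgresql` provider still needs network reachability from wherever `terraform apply` runs to the database (the same constraint the provisioner hacks have), and the secret value read by the data source is written to Terraform state, so the state backend needs encryption and tight access control even though nothing secret is committed to git.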