fix: adjust logic to address manage_master_user_password variable bugs (#131)

RoseSecurity · web-flow · commit bf9b3572ba31 · 2025-08-13T15:49:16.000+03:00
* fix: adjust logic to address var.manage_master_user_password bugs

* fix(auth): update master password management logic

Change the `manage_master_user_password` variable to use `null` as the
default value instead of `false` and add validation to ensure it can only
be set to `true` or `null`. Update related logic in password creation.

* fix: update logic for master password creation

* fix: update output logic

* chore: update docs and comments
diff --git a/main.tf b/main.tf
@@ -1,9 +1,9 @@
 locals {
   enabled         = module.this.enabled
   create_password = local.enabled && var.master_password == null && var.manage_master_user_password == null
-  // If both `var.master_password` and `var.manage_master_user_password` are set to null, the module will create a random password
-  // else if `var.master_password` is set to null - master_password is set to null as `manage_master_user_password` is set to true
-  // else `local.master_password` is set to the value provided in `var.master_password`
+  # 1. If manage_master_user_password is not null, AWS manages the password (master_password must be null)
+  # 2. If master_password is provided, that value is used (manage_master_user_password must be null)
+  # 3. If both are null, the module creates a random password
   master_password = local.create_password ? one(random_password.password[*].result) : var.master_password
 }
 
@@ -69,8 +69,9 @@ resource "aws_docdb_cluster" "default" {
   count              = local.enabled ? 1 : 0
   cluster_identifier = module.this.id
   master_username    = var.master_username
-  # If `master_password` or `manage_master_user_password` is set, the other MUST be set to null, otherwise it will cause an error.
-  master_password                 = local.master_password
+  # Set master_password OR manage_master_user_password, but not both (one must be null)
+  # manage_master_user_password=true enables AWS-managed passwords via Secrets Manager
+  master_password                 = var.manage_master_user_password != null ? null : local.master_password
   manage_master_user_password     = var.manage_master_user_password
   backup_retention_period         = var.retention_period
   preferred_backup_window         = var.preferred_backup_window
diff --git a/outputs.tf b/outputs.tf
@@ -4,8 +4,8 @@ output "master_username" {
 }
 
 output "master_password" {
-  value       = var.manage_master_user_password != null ? join("", aws_docdb_cluster.default[*].master_password) : null
-  description = "Password for the master DB user. If `manage_master_user_password` is set to true, this will be set to null."
+  value       = var.manage_master_user_password == true ? null : local.master_password
+  description = "Password for the master DB user. If `manage_master_user_password` is set to true, this will be set to null and the password is managed by AWS in Secrets Manager."
   sensitive   = true
 }
 

Original file line number	Diff line number	Diff line change
`@@ -4,8 +4,8 @@ output "master_username" {`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`output "master_password" {`
`7`		`- value = var.manage_master_user_password != null ? join("", aws_docdb_cluster.default[*].master_password) : null`
`8`		- description = "Password for the master DB user. If `manage_master_user_password` is set to true, this will be set to null."
	`7`	`+ value = var.manage_master_user_password == true ? null : local.master_password`
	`8`	+ description = "Password for the master DB user. If `manage_master_user_password` is set to true, this will be set to null and the password is managed by AWS in Secrets Manager."
`9`	`9`	`sensitive = true`
`10`	`10`	`}`
`11`	`11`