We generate random password via terraform, then store it in aws ssm parameter store and retrieve it via data keyword.
Add sensitive = true to prevent exposing of sensitive data
// Generate Password resource "random_password" "main" { length = 20 special = true # Default: !@#$%&*()-_=+[]{}<>:? override_special = "#!()_" } // Store Password resource "aws_ssm_parameter" "rds_password" { name = "/prod/prod-mysql-rds/password" description = "Master Password for RDS Database" type = "SecureString" value = random_password.main.result } // Retrieve Password data "aws_ssm_parameter" "rds_password" { name = "/prod/prod-mysql-rds/password" depends_on = [aws_ssm_parameter.rds_password] } #------- output "rds_address" { value = aws_db_instance.prod.address } output "rds_port" { value = aws_db_instance.prod.port } output "rds_username" { value = aws_db_instance.prod.username } output "rds_password" { value = data.aws_ssm_parameter.rds_password.value sensitive = true }