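We generate a random password with Terraform, store it in AWS SSM Parameter Store, and read it back with a `data` block.
Add sensitive = true to the output so the value is not printed in Terraform's plan/apply output. This only redacts what is displayed: the password is still written in plaintext to the Terraform state, so the state backend must be encrypted and access to it restricted.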
# Generate the database master password.
# NOTE: random_password hides `result` in plan/apply output, but the value is
# still recorded in plaintext in the Terraform state.
resource "random_password" "main" {
  length  = 20
  special = true

  # Limits special characters to this set. The provider default set
  # (!@#$%&*()-_=+[]{}<>:?) is not used once override_special is given.
  # Presumably chosen to avoid characters RDS rejects in a master password
  # (such as / @ " and space) -- confirm against the engine in use.
  override_special = "#!()_"
}
# Store the generated password in SSM Parameter Store.
# SecureString encrypts the value at rest inside SSM. No key_id is set here, so
# the account's default AWS-managed key for SSM is used rather than a
# customer-managed KMS key. The value is also kept in the Terraform state.
resource "aws_ssm_parameter" "rds_password" {
  name        = "/prod/prod-mysql-rds/password"
  description = "Master Password for RDS Database"
  type        = "SecureString"
  value       = random_password.main.result
}
# Read the password back from SSM Parameter Store.
# with_decryption is not set and defaults to true, so the decrypted value is
# returned and ends up in the Terraform state as well.
data "aws_ssm_parameter" "rds_password" {
  # Must stay identical to the path used by aws_ssm_parameter.rds_password.
  name = "/prod/prod-mysql-rds/password"

  # Explicit ordering: look the parameter up only after it has been written.
  depends_on = [aws_ssm_parameter.rds_password]
}
#-------
# Connection details of the RDS instance aws_db_instance.prod
# (the instance itself is declared outside this snippet).
output "rds_address" {
  value = aws_db_instance.prod.address
}

output "rds_port" {
  value = aws_db_instance.prod.port
}

# Master user name; not marked sensitive, so it appears in plan/apply output.
output "rds_username" {
  value = aws_db_instance.prod.username
}
# Exposes the password read back from SSM as a root-module output.
# sensitive = true only masks the value in plan/apply output. It is still
# stored in plaintext in the state, and anyone who can run `terraform output`
# with -raw or -json against that state can read it.
# NOTE(review): if consumers can read the SSM parameter directly under IAM
# control, this output may not be needed at all -- confirm before keeping it.
output "rds_password" {
  value     = data.aws_ssm_parameter.rds_password.value
  sensitive = true
}