Here I create a random password:
resource "random_password" "password" {
  length           = 12
  special          = true
  override_special = "!#$%&*()-_=+[]{}:?"
}
Here I create a secret for the database:
resource "kubernetes_secret" "db_pass" {
  metadata {
    name = "db-pass"
  }
  data = {
    MYSQL_PASSWORD        = aws_db_instance.database.password
    S3_ACCESS_KEY_ID      = ""
    S3_SECRET_KEY         = ""
    RABBITMQ_PASSWORD     = var.rabbitpassw
    RABBITMQ_ERLANGCOOKIE = var.erlangcookie
  }
  depends_on = [
    aws_db_instance.database,
    module.s3_bucket
  ]
}
Then this code should use the random password that the DB uses to connect:
resource "aws_db_instance" "database" {
  allocated_storage       = var.instance_storage_db
  max_allocated_storage   = var.max_storage_db
  engine                  = var.instance_engine_db
  engine_version          = var.instance_engine_version_db
  instance_class          = var.instance_size_db
  identifier              = "${var.cluster_name}-db-instance"
  db_name                 = "tester"
  username                = "admin"
  password                = random_password.password.result
  snapshot_identifier     = var.db_snapshot_id
  db_subnet_group_name    = aws_db_subnet_group.default.name
  vpc_security_group_ids  = [aws_security_group.db_sg.id]
  skip_final_snapshot     = var.skip_final_snapshot_db
  multi_az                = var.multi_az_db
  backup_retention_period = var.ret_period_db
}
I used it before and it was working normally; now I create a new cluster and the secret creates a 24-character password, and I cannot connect to RDS with it using mysql.
When I create a hardcoded password, connections to RDS are normal.
I have the same problem with the Grafana random password.
Has anyone gone through this problem?
2 Answers
Thanks to @mrexojo, I found what the problem is.
I changed from Windows to Linux, and I used
kubectl get secret db-pass -o json
while on Windows I used
kubectl get secret db-pass -o json | jq '{name: .metadata.name,data: .data|map_values(@base64d)}'
On Windows it works normally, but on Linux the command is different.
Thanks @MarkoE for the help also, you are great!
The right command is
kubectl get secret db-pass -o jsonpath='{.data.MYSQL_PASSWORD}' -n namespace | base64 --decode | awk '{print $1}'
First of all, I'd use the
random_password.password.result
as data content for the Kubernetes secret. You are creating an unnecessary dependency.
When you create a hardcoded password (not recommended) or
random_password.password.result
inside an aws_db_instance resource, it works because it uses the real content.
But remember that Kubernetes secret content is obfuscated with base64 format. So when you create a
kubernetes_secret
resource, it's already generating the random_password with base64.
Anyway, you can debug the content of your Kubernetes secret and the random password.
Debug:
The output option from Terraform is not allowed to show the password even using sensitive = false, but if you have access to the plain-text terraform.tfstate you could find the plain text of the random password (something like
"result": "V1dp81Dxr#nj",
) and check if it matches a similar query result of:
I hope that it helps you.