Tags: amazon-web-services, terraform-provider-aws

The parameter MasterUserPassword is not a valid password. operation error RDS


I do not think it is my password problem. I use `aws secretsmanager get-secret-value --secret-id db-password` to check the password, and there are no special characters in it. It still tells me:

```
Error: creating RDS DB Instance (csye6225): operation error RDS: CreateDBInstance, https response error StatusCode: 400, RequestID: d45ec645-b0d1-4902-b769-2dcc448cd993, api error InvalidParameterValue: The parameter MasterUserPassword is not a valid password. Only printable ASCII characters besides '/', '@', '"', ' ' may be used.
```

I will show the code here and hope somebody can help me figure it out:

```hcl
resource "aws_secretsmanager_secret" "db_password" {
  name        = "db-password"
  description = "Database password for RDS"
  kms_key_id  = aws_kms_key.secret_manager_key.id
}

resource "aws_secretsmanager_secret_version" "db_password_version" {
  secret_id = aws_secretsmanager_secret.db_password.id
  # The secret is stored as a JSON object, not as a bare password string.
  secret_string = jsonencode({
    password = random_password.db_password.result
  })
}

resource "random_password" "db_password" {
  length  = 16
  special = true
  # '/' and '@' are rejected by RDS for MasterUserPassword, so they are
  # left out of the special-character set (the original set included them).
  override_special = "!#$%&()*+,-.:;<=>?[\\]^_`{|}~"
}

resource "aws_db_instance" "csye6225" {
  allocated_storage      = 20
  engine                 = "postgres"
  engine_version         = "14.13"
  instance_class         = "db.t3.micro"
  identifier             = "csye6225"
  username               = var.db_username
  db_name                = var.db_name
  parameter_group_name   = aws_db_parameter_group.csye6225.name
  db_subnet_group_name   = aws_db_subnet_group.csye6225.name
  vpc_security_group_ids = [aws_security_group.db_sg.id]
  publicly_accessible    = false
  multi_az               = false
  skip_final_snapshot    = true

  storage_encrypted = true
  kms_key_id        = aws_kms_key.rds_kms_key.arn
  # secret_string is the whole JSON document ({"password":"..."}), and that
  # entire string, quotes included, is what gets sent as the master password.
  password = data.aws_secretsmanager_secret_version.db_password_version.secret_string

  tags = {
    Name = "CSYE6225RDSInstance"
  }
}

data "aws_secretsmanager_secret_version" "db_password_version" {
  secret_id = aws_secretsmanager_secret.db_password.id
  # Ensure the version has been written before it is read back.
  depends_on = [aws_secretsmanager_secret_version.db_password_version]
}
```

I have tried many times and the error is still shown. The db-password is `"SecretString": "{"password":"uWC0UVl1sCzc02gt"}", "VersionStages": [ "AWSCURRENT" ]`; I do not think it is an invalid password.


Solution

The error happens because the password you’re passing to the RDS instance is coming from AWS Secrets Manager as a JSON string, like `{"password":"uWC0UVl1sCzc02gt"}`. RDS by itself doesn’t know how to handle this, as it needs just the password itself, not the entire JSON.

You need to decode that JSON string and extract the `password` field before passing it to RDS:

```hcl
password = jsondecode(data.aws_secretsmanager_secret_version.db_password_version.secret_string).password
```

This will ensure only the actual password is sent to RDS.
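The same fix carried a step further, as an added example that is not part of the original question or answer: the decoded password is kept in a local, the generator is restricted to characters RDS accepts, the data source waits for the version to exist, and a `precondition` enforces the rule quoted in the API error before `apply` ever calls `CreateDBInstance`. It assumes Terraform 1.2 or later (for `precondition`) and the `aws_secretsmanager_secret`, parameter group, subnet group and security group resources from the question.

```hcl
# Added example, not the poster's code. Generate only characters RDS accepts:
# '/', '@', '"' and ' ' are removed from the special-character set.
resource "random_password" "db_password" {
  length           = 16
  special          = true
  override_special = "!#$%&()*+,-.:;<=>?[]^_`{|}~"
}

data "aws_secretsmanager_secret_version" "db_password_version" {
  secret_id = aws_secretsmanager_secret.db_password.id
  # Without this, the read can run before the version has been written.
  depends_on = [aws_secretsmanager_secret_version.db_password_version]
}

locals {
  # secret_string is the JSON object written by the secret version resource;
  # only its "password" field is the actual master password.
  db_password = jsondecode(data.aws_secretsmanager_secret_version.db_password_version.secret_string).password
}

resource "aws_db_instance" "csye6225" {
  allocated_storage      = 20
  engine                 = "postgres"
  engine_version         = "14.13"
  instance_class         = "db.t3.micro"
  identifier             = "csye6225"
  username               = var.db_username
  db_name                = var.db_name
  parameter_group_name   = aws_db_parameter_group.csye6225.name
  db_subnet_group_name   = aws_db_subnet_group.csye6225.name
  vpc_security_group_ids = [aws_security_group.db_sg.id]
  publicly_accessible    = false
  skip_final_snapshot    = true
  storage_encrypted      = true
  kms_key_id             = aws_kms_key.rds_kms_key.arn
  password               = local.db_password

  lifecycle {
    precondition {
      # Same rule as the API error: printable ASCII (0x21-0x7E) except
      # '/', '@' and '"'; space is excluded because the class starts at '!'.
      # The raw JSON string fails this check because it contains '"'.
      condition     = can(regex("^[!#-.0-?A-~]+$", local.db_password))
      error_message = "Master password contains a character RDS rejects ('/', '@', '\"' or space), or is still the JSON-wrapped secret string."
    }
  }
}
```

Because the check runs at plan time, a wrongly wired `password` fails locally with a readable message instead of a 400 from the RDS API after the other resources have already been created.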