The module supports two modes for the Aurora master user password: managed by RDS via Secrets Manager (the default), or a write-only password you supply directly.

Managed password (default)

With manage_master_user_password = true (the default), RDS automatically generates a strong password and stores it in AWS Secrets Manager. You never see the plaintext password in Terraform state.
manage_master_user_password (bool, default: true)
  Set to true to let RDS manage the master user password in Secrets Manager. Cannot be set together with master_password_wo.
master_user_secret_kms_key_id (string, default: null)
  KMS key ARN, key ID, alias ARN, or alias name used to encrypt the secret in Secrets Manager. Defaults to the AWS-managed key when omitted.
Choose a meaningful master_username such as "admin" or your application name. The username is stored alongside the password in Secrets Manager and will appear in connection strings.
The secret ARN and metadata are available via the cluster_master_user_secret output:
output "cluster_master_user_secret" {
  description = "The generated database master user secret when manage_master_user_password is set to true"
  value       = module.aurora.cluster_master_user_secret
}
The output contains a secret_arn field. To retrieve the password at runtime, first get the secret ARN from the Terraform output, then use the AWS CLI:
# Get the secret ARN from the Terraform output
terraform output -json cluster_master_user_secret

# Retrieve the secret value from Secrets Manager
aws secretsmanager get-secret-value \
  --secret-id "<secret_arn_from_output>" \
  --query SecretString \
  --output text | jq .

Using the secret ARN in other resources

module "aurora" {
  source = "terraform-aws-modules/rds-aurora/aws"

  name            = "ex-postgresql"
  engine          = "aurora-postgresql"
  engine_version  = "17.5"
  master_username = "root"

  manage_master_user_password   = true
  master_user_secret_kms_key_id = module.kms.key_id

  # ...VPC, instances, etc.
}

# Reference the secret from another resource (e.g., an ECS task)
resource "aws_ecs_task_definition" "app" {
  # ...
  container_definitions = jsonencode([{
    name = "app"
    secrets = [{
      name      = "DB_PASSWORD"
      valueFrom = module.aurora.cluster_master_user_secret[0].secret_arn
    }]
  }])
}

Manual password (write-only)

When you need to supply your own password, disable managed passwords and use the ephemeral master_password_wo variable. This requires Terraform 1.11+.
manage_master_user_password (bool, default: true)
  Set to false to disable RDS-managed passwords and provide master_password_wo instead.
master_password_wo (string, write-only, ephemeral)
  The master DB user password. This is a write-only ephemeral variable, so Terraform does not store it in state. Required when manage_master_user_password = false, unless restoring from a snapshot or using a global cluster secondary.
master_password_wo_version (number, default: null)
  An integer version counter used alongside master_password_wo. Increment this value to trigger a password change on the next terraform apply.
module "aurora" {
  source = "terraform-aws-modules/rds-aurora/aws"

  name            = "ex-postgresql"
  engine          = "aurora-postgresql"
  master_username = "admin"

  manage_master_user_password = false
  master_password_wo          = var.db_password   # sensitive, ephemeral variable
  master_password_wo_version  = 1                  # increment to rotate

  # ...VPC, instances, etc.
}

Password rotation

When using the managed password, you can configure automatic rotation through Secrets Manager.
manage_master_user_password_rotation (bool, default: false)
  Whether the module manages automatic password rotation. When set to false after previously being true, automatic rotation is disabled.
master_user_password_rotation_automatically_after_days (number, default: null)
  Number of days between automatic scheduled rotations. Either this or master_user_password_rotation_schedule_expression must be provided when rotation is enabled.
master_user_password_rotation_schedule_expression (string, default: null)
  A cron() or rate() expression defining the rotation schedule. Either this or master_user_password_rotation_automatically_after_days must be provided.
master_user_password_rotation_duration (string, default: null)
  Length of the rotation window, e.g. "3h" for three hours.
master_user_password_rotate_immediately (bool, default: null)
  Whether to rotate the secret immediately when the rotation configuration is applied, or wait for the next scheduled window.
There is currently no way to disable password rotation on an initial terraform apply. To use managed passwords without rotation, you must apply twice:
  1. First apply with manage_master_user_password_rotation = true and a schedule set via master_user_password_rotation_automatically_after_days or master_user_password_rotation_schedule_expression.
  2. Then set manage_master_user_password_rotation = false and apply again.
To prevent the password from being immediately rotated during this workaround, set master_user_password_rotate_immediately = false. See hashicorp/terraform-provider-aws#37779 for status.
Example — rotation on a fixed schedule:
module "aurora" {
  source = "terraform-aws-modules/rds-aurora/aws"

  name            = "ex-postgresql"
  engine          = "aurora-postgresql"
  master_username = "root"

  manage_master_user_password = true

  manage_master_user_password_rotation                  = true
  master_user_password_rotation_automatically_after_days = 30
  master_user_password_rotation_duration                 = "3h"
  master_user_password_rotate_immediately                = false

  # ...VPC, instances, etc.
}
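As an added example (not code from the module or from this page), the following Python pre-apply check encodes the constraints stated in the managed, manual and rotation sections above so that a CI step can reject an inconsistent set of module inputs before terraform apply. The dict keys are the module variable names; the `restoring` flag is an assumption standing in for the snapshot and global-cluster-secondary cases.

```python
"""Pre-apply check for the rds-aurora master password inputs.

Constructed example, not part of the terraform-aws-modules/rds-aurora module.
It encodes the constraints documented on this page so a CI step can reject an
inconsistent variable set before `terraform apply` (for instance on the parsed
contents of a *.tfvars.json file).
"""
from __future__ import annotations

ROTATION_SCHEDULE_KEYS = (
    "master_user_password_rotation_automatically_after_days",
    "master_user_password_rotation_schedule_expression",
)


def check_password_inputs(v: dict, restoring: bool = False) -> list[str]:
    """Return the list of findings; an empty list means the inputs are consistent.

    `restoring` (assumed flag) models the snapshot / global-cluster-secondary
    case in which master_password_wo is not required.
    """
    findings: list[str] = []
    managed = v.get("manage_master_user_password", True)  # module default
    wo = v.get("master_password_wo")
    rotation = v.get("manage_master_user_password_rotation", False)

    # A managed password and a supplied write-only password are mutually exclusive.
    if managed and wo is not None:
        findings.append("master_password_wo cannot be set together with manage_master_user_password = true")
    # Manual mode needs a password unless restoring a snapshot / global secondary.
    if not managed and wo is None and not restoring:
        findings.append("master_password_wo is required when manage_master_user_password = false")
    # The version counter only has an effect alongside a write-only password.
    if v.get("master_password_wo_version") is not None and wo is None:
        findings.append("master_password_wo_version is set without master_password_wo")
    # Rotation is a Secrets Manager feature, so it needs the managed password.
    if rotation and not managed:
        findings.append("password rotation requires manage_master_user_password = true")
    # Enabled rotation needs a schedule in one of the two supported forms.
    if rotation and not any(v.get(k) is not None for k in ROTATION_SCHEDULE_KEYS):
        findings.append("rotation is enabled but no rotation schedule is set")
    # The two-apply workaround relies on rotate_immediately being false;
    # otherwise enabling rotation triggers a rotation right away.
    if rotation and v.get("master_user_password_rotate_immediately") is not False:
        findings.append("set master_user_password_rotate_immediately = false to avoid an immediate rotation on apply")
    return findings
```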
