From ecac0851bad4b6ef7dc215e17b4fbbdc4d81187f Mon Sep 17 00:00:00 2001 From: Ravi Bagri Date: Thu, 22 Feb 2024 13:34:33 +0100 Subject: [PATCH 1/8] added ability to auto-generate password in referenced secret Signed-off-by: Ravi Bagri --- apis/rds/v1beta1/zz_cluster_types.go | 7 + apis/rds/v1beta1/zz_generated.deepcopy.go | 5 + config/common/common_test.go | 168 ++++++++++++++++++ config/rds/config.go | 26 +++ examples/rds/v1beta1/cluster.yaml | 10 +- package/crds/rds.aws.upbound.io_clusters.yaml | 14 +- 6 files changed, 218 insertions(+), 12 deletions(-) diff --git a/apis/rds/v1beta1/zz_cluster_types.go b/apis/rds/v1beta1/zz_cluster_types.go index a187f7a7f0..0b8564dad9 100755 --- a/apis/rds/v1beta1/zz_cluster_types.go +++ b/apis/rds/v1beta1/zz_cluster_types.go @@ -423,6 +423,13 @@ type ClusterParameters struct { // +kubebuilder:validation:Optional ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"` + // Password for the master DB user. Note that this may show up in + // logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true. + // If true, the password will be auto-generated and stored in the Secret referenced by the passwordSecretRef field. + // +upjet:crd:field:TFTag=- + // +kubebuilder:validation:Optional + AutoGeneratePassword *bool `json:"autoGeneratePassword,omitempty" tf:"-"` + // List of EC2 Availability Zones for the DB cluster storage where DB cluster instances can be created. // We recommend specifying 3 AZs or using the if necessary. // A maximum of 3 AZs can be configured. diff --git a/apis/rds/v1beta1/zz_generated.deepcopy.go b/apis/rds/v1beta1/zz_generated.deepcopy.go index 77d271b7c7..b0de7e7c47 100644 --- a/apis/rds/v1beta1/zz_generated.deepcopy.go +++ b/apis/rds/v1beta1/zz_generated.deepcopy.go 
@@ -2677,6 +2677,11 @@ func (in *ClusterParameters) DeepCopyInto(out *ClusterParameters) { *out = new(bool) **out = **in } + if in.AutoGeneratePassword != nil { + in, out := &in.AutoGeneratePassword, &out.AutoGeneratePassword + *out = new(bool) + **out = **in + } if in.AvailabilityZones != nil { in, out := &in.AvailabilityZones, &out.AvailabilityZones *out = make([]*string, len(*in)) diff --git a/config/common/common_test.go b/config/common/common_test.go index a9cd392bbb..f366029970 100644 --- a/config/common/common_test.go +++ b/config/common/common_test.go @@ -85,6 +85,35 @@ func TestPasswordGenerator(t *testing.T) { }, }, }, + "ClusterSecretAlreadyFull": { + reason: "Should be no-op if the Secret already has password.", + args: args{ + kube: &test.MockClient{ + MockGet: func(ctx context.Context, key client.ObjectKey, obj client.Object) error { + s, ok := obj.(*corev1.Secret) + if !ok { + return errors.New("needs to be secret") + } + s.Data = map[string][]byte{ + "password": []byte("foo"), + } + return nil + }, + }, + secretRefFieldPath: "parameterizable.parameters.masterPasswordSecretRef", + mg: &ujfake.Terraformed{ + Parameterizable: ujfake.Parameterizable{ + Parameters: map[string]any{ + "masterPasswordSecretRef": map[string]any{ + "name": "foo", + "namespace": "bar", + "key": "password", + }, + }, + }, + }, + }, + }, "NoSecretReference": { reason: "Should be no-op if the secret reference is not given.", args: args{ @@ -98,6 +127,19 @@ func TestPasswordGenerator(t *testing.T) { }, }, }, + "NoClusterSecretReference": { + reason: "Should be no-op if the secret reference is not given.", + args: args{ + secretRefFieldPath: "parameterizable.parameters.masterPasswordSecretRef", + mg: &ujfake.Terraformed{ + Parameterizable: ujfake.Parameterizable{ + Parameters: map[string]any{ + "another": "field", + }, + }, + }, + }, + }, "ToggleNotSet": { reason: "Should be no-op if the toggle is not set at all.", args: args{ 
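Review bot: The six `Cluster*` cases added to `TestPasswordGenerator` (this hunk and the ones at -98, -119, -141, -183 and -224) differ from the existing cases only in the field-path strings, so they walk the same branches and add nothing specific to the RDS cluster wiring. The no-op cases would be more useful if an unexpected write failed loudly: `ClusterSecretAlreadyFull` sets only `MockGet`, so the guarantee that an existing password is never overwritten is checked only indirectly. I would add `MockPatch: test.NewMockPatchFn(errors.New("unexpected write"))` and the `MockCreate` equivalent to the no-op cases. The test function and the table's `args` type start outside the hunk.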
@@ -119,6 +161,27 @@ func TestPasswordGenerator(t *testing.T) { }, }, }, + "ClusterToggleNotSet": { + reason: "Should be no-op if the toggle is not set at all.", + args: args{ + kube: &test.MockClient{ + MockGet: test.NewMockGetFn(nil), + }, + secretRefFieldPath: "parameterizable.parameters.masterPasswordSecretRef", + toggleFieldPath: "parameterizable.parameters.autoGeneratePassword", + mg: &ujfake.Terraformed{ + Parameterizable: ujfake.Parameterizable{ + Parameters: map[string]any{ + "masterPasswordSecretRef": map[string]any{ + "name": "foo", + "namespace": "bar", + "key": "password", + }, + }, + }, + }, + }, + }, "ToggleFalse": { reason: "Should be no-op if the toggle is set to false.", args: args{ @@ -141,6 +204,28 @@ func TestPasswordGenerator(t *testing.T) { }, }, }, + "ClusterToggleFalse": { + reason: "Should be no-op if the toggle is set to false.", + args: args{ + kube: &test.MockClient{ + MockGet: test.NewMockGetFn(nil), + }, + secretRefFieldPath: "parameterizable.parameters.masterPasswordSecretRef", + toggleFieldPath: "parameterizable.parameters.autoGeneratePassword", + mg: &ujfake.Terraformed{ + Parameterizable: ujfake.Parameterizable{ + Parameters: map[string]any{ + "masterPasswordSecretRef": map[string]any{ + "name": "foo", + "namespace": "bar", + "key": "password", + }, + "autoGeneratePassword": false, + }, + }, + }, + }, + }, "GenerateAndApply": { reason: "Should apply if we generate, set the content of an already existing secret.", args: args{ 
@@ -183,6 +268,48 @@ func TestPasswordGenerator(t *testing.T) { }, }, }, + "ClusterSecretGenerateAndApply": { + reason: "Should apply if we generate, set the content of an already existing secret.", + args: args{ + kube: &test.MockClient{ + MockGet: func(ctx context.Context, key client.ObjectKey, obj client.Object) error { + s, ok := obj.(*corev1.Secret) + if !ok { + return errors.New("needs to be secret") + } + s.CreationTimestamp = metav1.Time{Time: time.Now()} + return nil + }, + MockPatch: func(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error { + s, ok := obj.(*corev1.Secret) + if !ok { + return errors.New("needs to be secret") + } + if len(s.Data["password"]) == 0 { + return errors.New("password is not set") + } + if len(s.OwnerReferences) != 0 { + return errors.New("owner references should not be set if secret already exists") + } + return nil + }, + }, + secretRefFieldPath: "parameterizable.parameters.masterPasswordSecretRef", + toggleFieldPath: "parameterizable.parameters.autoGeneratePassword", + mg: &ujfake.Terraformed{ + Parameterizable: ujfake.Parameterizable{ + Parameters: map[string]any{ + "masterPasswordSecretRef": map[string]any{ + "name": "foo", + "namespace": "bar", + "key": "password", + }, + "autoGeneratePassword": true, + }, + }, + }, + }, + }, "GenerateAndCreate": { reason: "Should create if we generate, set the content and there is no secret in place.", args: args{ 
@@ -224,6 +351,47 @@ func TestPasswordGenerator(t *testing.T) { }, }, }, + "ClusterSecretGenerateAndCreate": { + reason: "Should create if we generate, set the content and there is no secret in place.", + args: args{ + kube: &test.MockClient{ + MockGet: test.NewMockGetFn(kerrors.NewNotFound(schema.GroupResource{}, "")), + MockCreate: func(ctx context.Context, obj client.Object, opts ...client.CreateOption) error { + s, ok := obj.(*corev1.Secret) + if !ok { + return errors.New("needs to be secret") + } + if len(s.Data["password"]) == 0 { + return errors.New("password is not set") + } + if len(s.OwnerReferences) == 1 && + s.OwnerReferences[0].Name == "foo-mgd" { + return nil + } + return errors.New("owner references should be set if secret is created") + }, + }, + secretRefFieldPath: "parameterizable.parameters.masterPasswordSecretRef", + toggleFieldPath: "parameterizable.parameters.autoGeneratePassword", + mg: &ujfake.Terraformed{ + Managed: fake.Managed{ + ObjectMeta: metav1.ObjectMeta{ + Name: "foo-mgd", + }, + }, + Parameterizable: ujfake.Parameterizable{ + Parameters: map[string]any{ + "masterPasswordSecretRef": map[string]any{ + "name": "foo", + "namespace": "bar", + "key": "password", + }, + "autoGeneratePassword": true, + }, + }, + }, + }, + }, } for name, tc := range cases { t.Run(name, func(t *testing.T) { diff --git a/config/rds/config.go b/config/rds/config.go index 46f4d53e56..08e1edc968 100644 --- a/config/rds/config.go +++ b/config/rds/config.go @@ -44,6 +44,9 @@ func Configure(p *config.Provider) { if a, ok := attr["port"]; ok { conn["port"] = []byte(fmt.Sprintf("%v", a)) } + if a, ok := attr["password"].(string); ok { + conn["password"] = []byte(a) + } return conn, nil } r.OverrideFieldNames = map[string]string{ 
@@ -57,6 +60,29 @@ func Configure(p *config.Provider) { "MasterUserSecretInitParameters": "ClusterMasterUserSecretInitParameters", "MasterUserSecretObservation": "ClusterMasterUserSecretObservation", } + desc, _ := comments.New("If true, the password will be auto-generated and"+ + " stored in the Secret referenced by the masterPasswordSecretRef field.", + comments.WithTFTag("-")) + r.TerraformResource.Schema["auto_generate_password"] = &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + Description: desc.String(), + } + r.InitializerFns = append(r.InitializerFns, + common.PasswordGenerator( + "spec.forProvider.masterPasswordSecretRef", + "spec.forProvider.autoGeneratePassword", + )) + r.TerraformResource.Schema["password"] = &schema.Schema{ + Type: schema.TypeString, + Optional: true, + Sensitive: true, + Description: "Password for the master DB user. If you set autoGeneratePassword to true, the Secret referenced here will be created or updated with generated password if it does not already contain one.", + } + r.TerraformResource.Schema["password"].Description = "Password for the " + + "master DB user. If you set autoGeneratePassword to true, the Secret" + + " referenced here will be created or updated with generated password" + + " if it does not already contain one." }) p.AddResourceConfigurator("aws_rds_cluster_instance", func(r *config.Resource) { diff --git a/examples/rds/v1beta1/cluster.yaml b/examples/rds/v1beta1/cluster.yaml index 5a1442be9b..d9c896403e 100644 --- a/examples/rds/v1beta1/cluster.yaml +++ b/examples/rds/v1beta1/cluster.yaml @@ -9,6 +9,7 @@ spec: region: us-west-1 engine: aurora-postgresql masterUsername: cpadmin + autoGeneratePassword: true masterPasswordSecretRef: name: sample-cluster-password namespace: upbound-system 
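Review bot: The `common.PasswordGenerator` initializer is appended unconditionally, and nothing visible in this hunk stops `autoGeneratePassword` from being set together with `manageMasterUserPassword`, which the field documentation in this series says cannot be combined with a master password. The generator's body is not part of the patch, so it should be confirmed whether it would still write a generated password into the referenced Secret in that case. Either way the `auto_generate_password` description should state the restriction, for example by appending `" Cannot be combined with manageMasterUserPassword."`. Separately, `desc, _ := comments.New(...)` discards the error before calling `desc.String()`; handle it, or add a comment saying why it is safe to ignore. The `Configure` closure begins and ends outside the hunk.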
@@ -17,12 +18,3 @@ spec: writeConnectionSecretToRef: name: sample-rds-cluster-secret namespace: upbound-system ---- -apiVersion: v1 -kind: Secret -metadata: - name: sample-cluster-password - namespace: upbound-system -type: Opaque -stringData: - password: TestPass0! diff --git a/package/crds/rds.aws.upbound.io_clusters.yaml b/package/crds/rds.aws.upbound.io_clusters.yaml index fcbedc02ae..e0751e76ac 100644 --- a/package/crds/rds.aws.upbound.io_clusters.yaml +++ b/package/crds/rds.aws.upbound.io_clusters.yaml @@ -86,6 +86,12 @@ spec: immediately, or during the next maintenance window. Default is false. See Amazon RDS Documentation for more information. type: boolean + autoGeneratePassword: + description: Password for the master DB user. Note that this may + show up in logs, and it will be stored in the state file. Cannot + be set if manage_master_user_password is set to true. If true, + the password will be auto-generated and stored in the Secret + referenced by the masterPasswordSecretRef field. availabilityZones: description: |- List of EC2 Availability Zones for the DB cluster storage where DB cluster instances can be created. @@ -373,9 +379,11 @@ spec: type: boolean masterPasswordSecretRef: description: Password for the master DB user. Note that this may - show up in logs, and it will be stored in the state file. Please - refer to the RDS Naming Constraints. Cannot be set if manage_master_user_password - is set to true. + show up in logs, and it will be stored in the state file. Cannot + be set if manage_master_user_password is set to true. Password + for the master DB user. If you set autoGeneratePassword to true, + the Secret referenced here will be created or updated with generated + password if it does not already contain one. properties: key: description: The key to select. From 4c6e782a5e1b0e60713757eab12368fc6fe899d1 Mon Sep 17 00:00:00 2001 
From: Ravi Bagri Date: Thu, 22 Feb 2024 14:10:20 +0100 Subject: [PATCH 2/8] added the missing type for autoGeneratePassword Signed-off-by: Ravi Bagri --- package/crds/rds.aws.upbound.io_clusters.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/package/crds/rds.aws.upbound.io_clusters.yaml b/package/crds/rds.aws.upbound.io_clusters.yaml index e0751e76ac..ae255d6eef 100644 --- a/package/crds/rds.aws.upbound.io_clusters.yaml +++ b/package/crds/rds.aws.upbound.io_clusters.yaml @@ -92,6 +92,7 @@ spec: be set if manage_master_user_password is set to true. If true, the password will be auto-generated and stored in the Secret referenced by the masterPasswordSecretRef field. + type: boolean availabilityZones: description: |- List of EC2 Availability Zones for the DB cluster storage where DB cluster instances can be created. From 59e98af281b3c1f987ac9dd9477570d0e53878be Mon Sep 17 00:00:00 2001 From: Ravi Bagri Date: Thu, 22 Feb 2024 15:09:29 +0100 Subject: [PATCH 3/8] modified the comment for autoGeneratePassword Signed-off-by: Ravi Bagri --- apis/rds/v1beta1/zz_cluster_types.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apis/rds/v1beta1/zz_cluster_types.go b/apis/rds/v1beta1/zz_cluster_types.go index 0b8564dad9..2760044cca 100755 --- a/apis/rds/v1beta1/zz_cluster_types.go +++ b/apis/rds/v1beta1/zz_cluster_types.go @@ -425,7 +425,7 @@ type ClusterParameters struct { // Password for the master DB user. Note that this may show up in // logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true. - // If true, the password will be auto-generated and stored in the Secret referenced by the passwordSecretRef field. + // If true, the password will be auto-generated and stored in the Secret referenced by the masterPasswordSecretRef field. // +upjet:crd:field:TFTag=- // +kubebuilder:validation:Optional AutoGeneratePassword *bool `json:"autoGeneratePassword,omitempty" tf:"-"` 
@@ -557,6 +557,7 @@ type ClusterParameters struct { ManageMasterUserPassword *bool `json:"manageMasterUserPassword,omitempty" tf:"manage_master_user_password,omitempty"` // Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Please refer to the RDS Naming Constraints. Cannot be set if manage_master_user_password is set to true. + // If you set autoGeneratePassword to true, the Secret referenced here will be created or updated with generated password if it does not already contain one. // +kubebuilder:validation:Optional MasterPasswordSecretRef *v1.SecretKeySelector `json:"masterPasswordSecretRef,omitempty" tf:"-"` From 9928d87657ca28323447c0028ca70d8b4b43daa2 Mon Sep 17 00:00:00 2001 From: Ravi Bagri Date: Fri, 23 Feb 2024 12:13:15 +0100 Subject: [PATCH 4/8] Updated error package in unit test --- config/common/common_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/common/common_test.go b/config/common/common_test.go index f366029970..4f2f6f4bec 100644 --- a/config/common/common_test.go +++ b/config/common/common_test.go @@ -9,11 +9,11 @@ import ( "testing" "time" - "github.com/crossplane/crossplane-runtime/pkg/errors" "github.com/crossplane/crossplane-runtime/pkg/resource" "github.com/crossplane/crossplane-runtime/pkg/resource/fake" "github.com/crossplane/crossplane-runtime/pkg/test" "github.com/google/go-cmp/cmp" + "github.com/pkg/errors" corev1 "k8s.io/api/core/v1" kerrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" From a8a52f41c1bb25ef6386e3be105ce28a15ae9cee Mon Sep 17 00:00:00 2001 From: Ravi Kumar Date: Tue, 5 Mar 2024 13:48:18 +0100 Subject: [PATCH 5/8] fixed cyclomatic complexity Signed-off-by: Ravi Kumar --- config/rds/config.go | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/config/rds/config.go b/config/rds/config.go index 08e1edc968..b5a5112062 100644 --- a/config/rds/config.go +++ b/config/rds/config.go 
@@ -44,9 +44,6 @@ func Configure(p *config.Provider) { if a, ok := attr["port"]; ok { conn["port"] = []byte(fmt.Sprintf("%v", a)) } - if a, ok := attr["password"].(string); ok { - conn["password"] = []byte(a) - } return conn, nil } r.OverrideFieldNames = map[string]string{ @@ -73,16 +70,6 @@ func Configure(p *config.Provider) { "spec.forProvider.masterPasswordSecretRef", "spec.forProvider.autoGeneratePassword", )) - r.TerraformResource.Schema["password"] = &schema.Schema{ - Type: schema.TypeString, - Optional: true, - Sensitive: true, - Description: "Password for the master DB user. If you set autoGeneratePassword to true, the Secret referenced here will be created or updated with generated password if it does not already contain one.", - } - r.TerraformResource.Schema["password"].Description = "Password for the " + - "master DB user. If you set autoGeneratePassword to true, the Secret" + - " referenced here will be created or updated with generated password" + - " if it does not already contain one." }) p.AddResourceConfigurator("aws_rds_cluster_instance", func(r *config.Resource) { From 44ad106f69993862191e48c5456c9e54828aa4e8 Mon Sep 17 00:00:00 2001 From: Ravi Kumar Date: Tue, 5 Mar 2024 14:12:50 +0100 Subject: [PATCH 6/8] fixed cyclomatic complexity Signed-off-by: Ravi Kumar --- apis/rds/v1beta1/zz_cluster_types.go | 3 --- package/crds/rds.aws.upbound.io_clusters.yaml | 16 ++++++---------- 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/apis/rds/v1beta1/zz_cluster_types.go b/apis/rds/v1beta1/zz_cluster_types.go index 2760044cca..f11fce2992 100755 --- a/apis/rds/v1beta1/zz_cluster_types.go +++ b/apis/rds/v1beta1/zz_cluster_types.go 
@@ -423,8 +423,6 @@ type ClusterParameters struct { // +kubebuilder:validation:Optional ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"` - // Password for the master DB user. Note that this may show up in - // logs, and it will be stored in the state file. Cannot be set if manage_master_user_password is set to true. // If true, the password will be auto-generated and stored in the Secret referenced by the masterPasswordSecretRef field. // +upjet:crd:field:TFTag=- // +kubebuilder:validation:Optional @@ -557,7 +555,6 @@ type ClusterParameters struct { ManageMasterUserPassword *bool `json:"manageMasterUserPassword,omitempty" tf:"manage_master_user_password,omitempty"` // Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Please refer to the RDS Naming Constraints. Cannot be set if manage_master_user_password is set to true. - // If you set autoGeneratePassword to true, the Secret referenced here will be created or updated with generated password if it does not already contain one. // +kubebuilder:validation:Optional MasterPasswordSecretRef *v1.SecretKeySelector `json:"masterPasswordSecretRef,omitempty" tf:"-"` diff --git a/package/crds/rds.aws.upbound.io_clusters.yaml b/package/crds/rds.aws.upbound.io_clusters.yaml index ae255d6eef..b3fa4e9e8e 100644 --- a/package/crds/rds.aws.upbound.io_clusters.yaml +++ b/package/crds/rds.aws.upbound.io_clusters.yaml 
@@ -87,11 +87,9 @@ spec: is false. See Amazon RDS Documentation for more information. type: boolean autoGeneratePassword: - description: Password for the master DB user. Note that this may - show up in logs, and it will be stored in the state file. Cannot - be set if manage_master_user_password is set to true. If true, - the password will be auto-generated and stored in the Secret - referenced by the masterPasswordSecretRef field. + description: If true, the password will be auto-generated and + stored in the Secret referenced by the masterPasswordSecretRef + field. type: boolean availabilityZones: description: |- @@ -380,11 +378,9 @@ spec: type: boolean masterPasswordSecretRef: description: Password for the master DB user. Note that this may - show up in logs, and it will be stored in the state file. Cannot - be set if manage_master_user_password is set to true. Password - for the master DB user. If you set autoGeneratePassword to true, - the Secret referenced here will be created or updated with generated - password if it does not already contain one. + show up in logs, and it will be stored in the state file. Please + refer to the RDS Naming Constraints. Cannot be set if manage_master_user_password + is set to true. properties: key: description: The key to select. From 765cdfd5485b9999b8830cffedb8b4d488110918 Mon Sep 17 00:00:00 2001 From: Ravi Kumar Date: Mon, 11 Mar 2024 09:36:53 +0100 Subject: [PATCH 7/8] added master_password description Signed-off-by: Ravi Kumar --- config/rds/config.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/rds/config.go b/config/rds/config.go index b5a5112062..02b78953e3 100644 --- a/config/rds/config.go +++ b/config/rds/config.go 
@@ -70,6 +70,10 @@ func Configure(p *config.Provider) { "spec.forProvider.masterPasswordSecretRef", "spec.forProvider.autoGeneratePassword", )) + r.TerraformResource.Schema["master_password"].Description = "Password for the " + + "master DB user. If you set autoGeneratePassword to true, the Secret" + + " referenced here will be created or updated with generated password" + + " if it does not already contain one." }) p.AddResourceConfigurator("aws_rds_cluster_instance", func(r *config.Resource) { From 5b4c82f3529f3cd72065735879d63d577d18cb9d Mon Sep 17 00:00:00 2001 From: Ravi Kumar Date: Mon, 11 Mar 2024 10:17:17 +0100 Subject: [PATCH 8/8] added autogenerated Signed-off-by: Ravi Kumar --- apis/rds/v1beta1/zz_cluster_types.go | 1 + package/crds/rds.aws.upbound.io_clusters.yaml | 7 +++---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/apis/rds/v1beta1/zz_cluster_types.go b/apis/rds/v1beta1/zz_cluster_types.go index 726913ce5f..f9f87088f2 100755 --- a/apis/rds/v1beta1/zz_cluster_types.go +++ b/apis/rds/v1beta1/zz_cluster_types.go @@ -555,6 +555,7 @@ type ClusterParameters struct { ManageMasterUserPassword *bool `json:"manageMasterUserPassword,omitempty" tf:"manage_master_user_password,omitempty"` // Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Please refer to the RDS Naming Constraints. Cannot be set if manage_master_user_password is set to true. + // Password for the master DB user. If you set autoGeneratePassword to true, the Secret referenced here will be created or updated with generated password if it does not already contain one. // +kubebuilder:validation:Optional MasterPasswordSecretRef *v1.SecretKeySelector `json:"masterPasswordSecretRef,omitempty" tf:"-"` diff --git a/package/crds/rds.aws.upbound.io_clusters.yaml b/package/crds/rds.aws.upbound.io_clusters.yaml index 183964a25e..3712c64f5c 100644 --- a/package/crds/rds.aws.upbound.io_clusters.yaml 
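Review bot: The new description string opens with "Password for the master DB user.", and the regenerated comment in PATCH 8/8 shows it placed after the upstream text, so the published documentation for `masterPasswordSecretRef` says that sentence twice. Starting the string at the second sentence avoids this: `"If you set autoGeneratePassword to true, the Secret referenced here will be created or updated with a generated password if it does not already contain one."`. The assignment also dereferences `r.TerraformResource.Schema["master_password"]` without checking that the key exists, which would panic during provider configuration if the upstream schema ever drops or renames it; a presence check such as `if s, ok := r.TerraformResource.Schema["master_password"]; ok { ... }` is cheap. The enclosing closure starts and ends outside the hunk.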
+++ b/package/crds/rds.aws.upbound.io_clusters.yaml @@ -377,10 +377,9 @@ spec: is provided. type: boolean masterPasswordSecretRef: - description: Password for the master DB user. Note that this may - show up in logs, and it will be stored in the state file. Please - refer to the RDS Naming Constraints. Cannot be set if manage_master_user_password - is set to true. + description: |- + Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. Please refer to the RDS Naming Constraints. Cannot be set if manage_master_user_password is set to true. + Password for the master DB user. If you set autoGeneratePassword to true, the Secret referenced here will be created or updated with generated password if it does not already contain one. properties: key: description: The key to select.