Move Auto Drive secrets out of module and into Infisical #528

@jim-counter

Description

Context

Per vedhavyas's review on PR #520, secrets like the RabbitMQ password should be managed via Infisical through common.auto.tfvars rather than generated inside the module. This aligns with the pattern used across other projects in this repo.

Candidates

1. RabbitMQ password — modules/auto-drive/broker.tf lines 1-5

Currently generated inside the module via random_password.rabbitmq_password. This should be:

  • Generated once externally (or via a one-time bootstrap)
  • Stored in Infisical
  • Passed into the module as a variable (e.g., var.rabbitmq.password)
  • Added to common.auto.tfvars (managed by Infisical)
```hcl
# Current (in-module generation)
resource "random_password" "rabbitmq_password" {
  length           = 15
  special          = true
  override_special = "!@#$%^&*()-_=+[]{}<>:?"
}
```

2. RabbitMQ username — resources/terraform/auto-drive-production/variables.tf lines 13-18

Currently has a hardcoded default value ("guru") and is marked sensitive = true. Should be:

  • Removed from variables.tf default
  • Stored in Infisical
  • Passed via common.auto.tfvars
```hcl
# Current (hardcoded default)
variable "rabbitmq_username" {
  description = "RabbitMQ username"
  type        = string
  sensitive   = true
  default     = "guru"
}
```

Tasks

  • Add rabbitmq_password as a new field in the module's rabbitmq variable object
  • Remove random_password.rabbitmq_password resource from broker.tf
  • Update broker.tf line 39 to use var.rabbitmq.password instead of random_password.rabbitmq_password.result
  • Remove hardcoded default from rabbitmq_username variable
  • Add both rabbitmq_username and rabbitmq_password to common.auto.tfvars via Infisical
  • Update common.auto.tfvars.example with the expected keys
  • Coordinate the password value — retrieve the current password from AWS MQ console or state before switching, to avoid resetting the live broker password
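As an added worked example (not the repository's own code), here is how the tasks above fit together across the module, the root configuration and the tfvars example. The module name `auto_drive`, the relative `source` path, the `aws_mq_broker` attributes other than the `user` block, and the 12-character validation threshold are assumptions for illustration.

```hcl
# --- modules/auto-drive/variables.tf -------------------------------------
# The password becomes a field of the existing rabbitmq object; the module
# no longer generates anything itself.
variable "rabbitmq" {
  description = "RabbitMQ broker settings; credentials come from Infisical via common.auto.tfvars"
  type = object({
    username = string
    password = string
  })
  sensitive = true

  # Fail at plan time if Infisical handed us an empty or obviously weak value.
  # The 12-character minimum is an assumption chosen for this example.
  validation {
    condition     = length(var.rabbitmq.password) >= 12
    error_message = "rabbitmq.password must be at least 12 characters."
  }
}

# --- modules/auto-drive/broker.tf ----------------------------------------
# random_password.rabbitmq_password is deleted; the broker reads the
# credentials straight from the variable. Attributes other than `user`
# are placeholders (assumed), not the module's real settings.
resource "aws_mq_broker" "rabbitmq" {
  broker_name        = "auto-drive-rabbitmq"
  engine_type        = "RabbitMQ"
  engine_version     = "3.13"
  host_instance_type = "mq.t3.micro"

  user {
    username = var.rabbitmq.username
    password = var.rabbitmq.password   # was random_password.rabbitmq_password.result
  }
}

# --- resources/terraform/auto-drive-production/variables.tf -------------
# No defaults: if common.auto.tfvars is missing a key, terraform prompts or
# errors instead of silently deploying a hardcoded credential.
variable "rabbitmq_username" {
  description = "RabbitMQ username (supplied by Infisical via common.auto.tfvars)"
  type        = string
  sensitive   = true
}

variable "rabbitmq_password" {
  description = "RabbitMQ password (supplied by Infisical via common.auto.tfvars)"
  type        = string
  sensitive   = true
}

# --- resources/terraform/auto-drive-production/main.tf ------------------
# Wire the root variables into the module object (module name assumed).
module "auto_drive" {
  source = "../../modules/auto-drive"

  rabbitmq = {
    username = var.rabbitmq_username
    password = var.rabbitmq_password
  }
}

# --- common.auto.tfvars.example -----------------------------------------
# Keys only; the real values live in Infisical, which writes the
# (git-ignored) common.auto.tfvars at deploy time.
#
#   rabbitmq_username = "<from Infisical>"
#   rabbitmq_password = "<from Infisical>"
```

Before the first apply with the new variable, read the live value with `terraform state show random_password.rabbitmq_password` and store exactly that string in Infisical; the plan should then show the `random_password` resource being destroyed and no change to the broker's `user` block. A diff on `password` in that plan means the Infisical value does not match state and applying it would rotate the live broker credential.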

⚠️ Migration note

The current random_password resource already has a value in state, so the existing broker password is stable (it doesn't regenerate on every apply). When migrating to Infisical, the current password value must be extracted from Terraform state (terraform output or terraform state show) and stored in Infisical to avoid a password rotation on the live broker.
