RDS: Allow defining ManageMasterUserPassword property instead of the …

…MasterUserPassword property.
cloudtools · Oct 21, 2023 · 7090af9 · 7090af9
1 parent d3ec594
commit 7090af9
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 3 deletions.
diff --git a/tests/test_rds.py b/tests/test_rds.py
@@ -41,11 +41,47 @@ def test_it_rds_instances_require_either_a_snapshot_or_credentials(self):
 
         with self.assertRaisesRegex(
             ValueError,
-            r"Either \(MasterUsername and MasterUserPassword\) or"
+            r"Either \(MasterUsername and either "
+            r"MasterUserPassword or ManageMasterUserPassword\) or"
             r" DBSnapshotIdentifier are required",
         ):
             rds_instance.to_dict()
 
+    def test_it_rds_credentials_using_masteruserpassword(self):
+        rds_instance = rds.DBInstance(
+            "SomeTitle",
+            Engine="MySQL",
+            MasterUsername="user",
+            MasterUserPassword="password",
+        )
+        rds_instance.to_dict()
+
+    def test_it_rds_credentials_using_managemasteruserpassword(self):
+        rds_instance = rds.DBInstance(
+            "SomeTitle",
+            Engine="MySQL",
+            MasterUsername="user",
+            ManageMasterUserPassword=True,
+        )
+        rds_instance.to_dict()
+
+    def test_it_rds_masteruserpassword_and_managemasteruserpassword_mutually_exclusive(
+        self,
+    ):
+        rds_instance = rds.DBInstance(
+            "SomeTitle",
+            Engine="MySQL",
+            MasterUsername="user",
+            MasterUserPassword="password",
+            ManageMasterUserPassword=True,
+        )
+
+        with self.assertRaisesRegex(
+            ValueError,
+            r"Both MasterUserPassword and ManageMasterUserPassword cannot be set simultaneously.",
+        ):
+            rds_instance.to_dict()
+
     def test_it_allows_an_rds_replica(self):
         rds_instance = rds.DBInstance(
             "SomeTitle",

diff --git a/troposphere/validators/rds.py b/troposphere/validators/rds.py
@@ -350,16 +350,28 @@ def validate_dbinstance(self) -> None:
         )
         and (
             "MasterUsername" not in self.properties
-            or "MasterUserPassword" not in self.properties
+            or (
+                "MasterUserPassword" not in self.properties
+                and "ManageMasterUserPassword" not in self.properties
+            )
         )
         and ("DBClusterIdentifier" not in self.properties)
     ):
         raise ValueError(
-            r"Either (MasterUsername and MasterUserPassword) or"
+            r"Either (MasterUsername and either MasterUserPassword or ManageMasterUserPassword) or"
             r" DBSnapshotIdentifier are required in type "
             r"AWS::RDS::DBInstance."
         )
 
+    if (
+        "MasterUserPassword" in self.properties
+        and "ManageMasterUserPassword" in self.properties
+    ):
+        raise ValueError(
+            "Both MasterUserPassword and ManageMasterUserPassword cannot"
+            " be set simultaneously."
+        )
+
     if "KmsKeyId" in self.properties and "StorageEncrypted" not in self.properties:
         raise ValueError(
             "If KmsKeyId is provided, StorageEncrypted is required "