Issue with AWS RDS aws_rds_cluster and master_user_secret option

Hi

I’m trying to find a way to retrieve the ARN of the secret AWS automatically creates when the following option for the aws_rds_cluster resource is set to true: manage_master_user_password

The following doc does not indicate that the ARN of the secret is included in the Attributes Reference: aws_rds_cluster | Resources | hashicorp/aws | Terraform Registry

However, it is included in a configuration block: aws_rds_cluster | Resources | hashicorp/aws | Terraform Registry

I tried to specify the ARN of a secret in the configuration block but Terraform reports the following error:


│ Error: Value for unconfigurable attribute

│ with aws_rds_cluster.default,
│ on subnet_group_change.tf line 15, in resource "aws_rds_cluster" "default":
│ 15: resource "aws_rds_cluster" "default" {

│ Can't configure a value for "master_user_secret": its value will be decided
│ automatically based on the result of applying this configuration.

I’m also not able to reference it as an output value for the aws_rds_cluster resource.

Can anyone please confirm what the purpose of the configuration block is? Also if possible how to reference the secret that is created by AWS?

Can anyone please confirm what the purpose of the configuration block is? Also if possible how to reference the secret that is created by AWS?

I encountered the same problem. Following is my idea.

The purpose of the configuration block is to reference the secret “after” AWS creates the secret automatically.

Example

When other apps want to use the credential created with manage_master_user_password = true, they access with the configuration.

data "aws_secretsmanager_secret" "master_password" {
  arn = data.aws_rds_cluster.this.master_user_secret[0].secret_arn
}

kms_key_id, secret_arn, secret_status are the attributes of the user_secret[0]

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_user_secret
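
An added example, not code from either poster in this thread: when the cluster is managed as a resource in the same configuration (as in the question), the computed master_user_secret block can be read directly from the resource and used to scope a read-only IAM policy to that one secret. The cluster identifier, username, local, output and policy names are placeholders assumed for illustration.

```hcl
# Added example; identifiers and names below are placeholders.
resource "aws_rds_cluster" "default" {
  cluster_identifier          = "example-cluster" # placeholder
  engine                      = "aurora-postgresql"
  master_username             = "dbadmin" # placeholder
  manage_master_user_password = true      # RDS creates the secret in Secrets Manager
  skip_final_snapshot         = true
}

# master_user_secret is computed (read-only): reference it, never assign it.
# Assigning it is what produces "Value for unconfigurable attribute".
locals {
  master_secret_arn = aws_rds_cluster.default.master_user_secret[0].secret_arn
}

# Export only the ARN; the secret value itself never enters Terraform state.
output "master_user_secret_arn" {
  value = local.master_secret_arn
}

# Read access limited to this one secret, for a consuming application role.
data "aws_iam_policy_document" "read_master_secret" {
  statement {
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [local.master_secret_arn]
  }
}

resource "aws_iam_policy" "read_master_secret" {
  name   = "read-rds-master-secret" # placeholder
  policy = data.aws_iam_policy_document.read_master_secret.json
}
```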