feat: auto-generate DB password, add connection URI, switch to name_prefix, and add validations + docs

Author: simplyalam

.gitignore

@@ -0,0 +1 @@
+.terraform/

.terraform.lock.hcl

@@ -8,7 +8,7 @@ This Terraform module provisions a PostgreSQL database instance on Amazon RDS wi
 - Sets up a dedicated VPC security group with configurable access rules
 - Configures subnet groups for the RDS instance
 - Supports encryption, backups, and maintenance windows
-- Generates random pet names for resource identification
+ - Uses a caller-provided name prefix for resource identification
 
 ## Usage
 
@@ -19,9 +19,9 @@ module "postgres" {
   # Required variables
   vpc_id        = "vpc-xxxxxxxx"
   subnet_ids    = ["subnet-xxxxxxxx", "subnet-yyyyyyyy"]
+  name_prefix   = "myapp-prod"
   database_name = "myapp"
   username      = "dbadmin"
-  password      = "your-secure-password"
 
   # Optional variables
   instance_class    = "db.t3.micro"
@@ -37,6 +37,19 @@ module "postgres" {
 }
 ```
 
+The module auto-generates a strong random password and exposes it as a sensitive Terraform output named `db_master_password`.
+Retrieve it after apply with:
+
+```
+terraform output -raw db_master_password
+```
+
+For a ready-to-use PostgreSQL connection URI (includes the password):
+
+```
+terraform output -raw db_connection_uri
+```
+
 ## Requirements
 
 - Terraform >= 1.0.0
@@ -58,9 +71,9 @@ module "postgres" {
 |------|-------------|------|---------|
 | vpc_id | VPC ID where RDS will be deployed | `string` | - |
 | subnet_ids | A list of VPC subnet IDs | `list(string)` | - |
+| name_prefix | Name prefix for RDS identifier and related resources | `string` | - |
 | database_name | The name of the database to create | `string` | - |
 | username | Username for the master DB user | `string` | - |
-| password | Password for the master DB user | `string` | - |
 
 ### Optional Variables
 
@@ -81,6 +94,12 @@ module "postgres" {
 | egress_cidr_blocks | List of CIDR blocks to allow egress traffic from the database | `list(string)` | `["0.0.0.0/0"]` |
 | tags | A mapping of tags to assign to all resources | `map(string)` | `{}` |
 
+## Naming Constraints
+
+- name_prefix: 1–63 chars, lowercase, starts with a letter, contains only letters, numbers, and hyphens; no trailing hyphen; no consecutive hyphens.
+- database_name: 1–63 chars, lowercase, starts with a letter, contains only letters, numbers, and underscores.
+- username: 1–63 chars, lowercase, starts with a letter, contains only letters and numbers; reserved names not allowed: `postgres`, `rdsadmin`.
+
 ## Outputs
 
 | Name | Description |
@@ -91,14 +110,18 @@ module "postgres" {
 | db_instance_port | The database port |
 | db_subnet_group_id | The db subnet group name |
 | db_security_group_id | The security group ID |
+| db_master_password | The generated master password (sensitive) |
+| db_connection_uri | PostgreSQL connection URI with credentials (sensitive) |
 
 ## Security Considerations
 
 - By default, the security group allows inbound access on port 5432 from all IP addresses (0.0.0.0/0). It's strongly recommended to restrict this using the `ingress_cidr_blocks` variable in production environments.
 - Database encryption is enabled by default using AWS KMS.
 - Final snapshots are created by default when destroying the database (skip_final_snapshot = false).
 - The module uses Kubernetes backend configuration. Ensure your Terraform environment is properly configured for this.
+ - The password is generated at apply time and marked as a sensitive output. Store it securely (e.g., AWS Secrets Manager) rather than relying on CLI history.
+ - Ensure `name_prefix` conforms to AWS naming constraints for RDS identifiers (letters, numbers, hyphens; must start with a letter; max 63 characters).
 
 ## License
 
-This module is maintained by Ryvn Technologies.
+This module is maintained by Ryvn Technologies.

README.md

@@ -1,20 +1,13 @@
-resource "random_pet" "this" {
-  length    = 2
-  separator = "-"
-  prefix    = "postgres"
-}
-
-
 resource "aws_db_subnet_group" "this" {
-  name       = random_pet.this.id
+  name       = "${var.name_prefix}-subnet-group"
   subnet_ids = var.subnet_ids
 
   tags = var.tags
 }
 
 resource "aws_security_group" "this" {
-  name        = "${random_pet.this.id}-rds-sg"
-  description = "Security group for ${random_pet.this.id} RDS instance"
+  name        = "${var.name_prefix}-rds-sg"
+  description = "Security group for ${var.name_prefix} RDS instance"
   vpc_id      = var.vpc_id
 
   ingress {
@@ -43,7 +36,7 @@ data "aws_rds_orderable_db_instance" "postgres" {
 }
 
 resource "aws_db_instance" "this" {
-  identifier = random_pet.this.id
+  identifier = var.name_prefix
 
   engine         = "postgres"
   engine_version = var.engine_version
@@ -55,7 +48,7 @@ resource "aws_db_instance" "this" {
 
   db_name  = var.database_name
   username = var.username
-  password = var.password
+  password = random_password.master.result
   port     = 5432
 
   multi_az               = var.multi_az
@@ -70,3 +63,13 @@ resource "aws_db_instance" "this" {
 
   tags = var.tags
 }
+
+resource "random_password" "master" {
+  length           = 20
+  special          = true
+  min_upper        = 1
+  min_lower        = 1
+  min_numeric      = 1
+  min_special      = 1
+  override_special = "!#$%&*()-_=+[]{}<>:?@"
+}

main.tf

@@ -27,3 +27,22 @@ output "db_security_group_id" {
   description = "The security group ID"
   value       = aws_security_group.this.id
 }
+
+output "db_master_password" {
+  description = "The generated master password (sensitive)"
+  value       = random_password.master.result
+  sensitive   = true
+}
+
+output "db_connection_uri" {
+  description = "PostgreSQL connection URI including credentials (sensitive)"
+  value = format(
+    "postgresql://%s:%s@%s:%d/%s",
+    urlencode(var.username),
+    urlencode(random_password.master.result),
+    aws_db_instance.this.address,
+    aws_db_instance.this.port,
+    var.database_name,
+  )
+  sensitive = true
+}

outputs.tf

@@ -15,20 +15,79 @@ variable "subnet_ids" {
   type        = list(string)
 }
 
+variable "name_prefix" {
+  description = "Name prefix used for RDS identifier and related resources"
+  type        = string
+
+  validation {
+    condition     = length(var.name_prefix) > 0 && length(var.name_prefix) <= 63
+    error_message = "name_prefix must be 1-63 characters long."
+  }
+
+  validation {
+    condition     = lower(var.name_prefix) == var.name_prefix
+    error_message = "name_prefix must be lowercase."
+  }
+
+  validation {
+    condition     = can(regex("^[a-z][a-z0-9-]*$", var.name_prefix))
+    error_message = "name_prefix must start with a letter and contain only lowercase letters, numbers, and hyphens."
+  }
+
+  validation {
+    condition     = length(regexall("--", var.name_prefix)) == 0
+    error_message = "name_prefix must not contain consecutive hyphens ('--')."
+  }
+
+  validation {
+    condition     = endswith(var.name_prefix, "-") == false
+    error_message = "name_prefix must not end with a hyphen."
+  }
+}
+
 variable "database_name" {
   description = "The name of the database to create"
   type        = string
+
+  validation {
+    condition     = length(var.database_name) > 0 && length(var.database_name) <= 63
+    error_message = "database_name must be 1-63 characters long."
+  }
+
+  validation {
+    condition     = lower(var.database_name) == var.database_name
+    error_message = "database_name must be lowercase."
+  }
+
+  validation {
+    condition     = can(regex("^[a-z][a-z0-9_]*$", var.database_name))
+    error_message = "database_name must start with a letter and contain only lowercase letters, numbers, and underscores."
+  }
 }
 
 variable "username" {
   description = "Username for the master DB user"
   type        = string
-}
 
-variable "password" {
-  description = "Password for the master DB user"
-  type        = string
-  sensitive   = true
+  validation {
+    condition     = length(var.username) > 0 && length(var.username) <= 63
+    error_message = "username must be 1-63 characters long."
+  }
+
+  validation {
+    condition     = lower(var.username) == var.username
+    error_message = "username must be lowercase."
+  }
+
+  validation {
+    condition     = can(regex("^[a-z][a-z0-9]*$", var.username))
+    error_message = "username must start with a letter and contain only lowercase letters and numbers."
+  }
+
+  validation {
+    condition     = !(var.username == "postgres" || var.username == "rdsadmin")
+    error_message = "username cannot be one of the reserved names: postgres, rdsadmin."
+  }
 }
 
 # Optional variables with defaults