fix: Remove empty logging list, add default password management to replace prior default password generation

bryantbiggs · bryantbiggs · commit 2f27803a1088 · 2025-11-16T09:53:28.000-06:00
diff --git a/README.md b/README.md
@@ -266,9 +266,9 @@ No modules.
 | <a name="input_iam_role_tags"></a> [iam\_role\_tags](#input\_iam\_role\_tags) | A map of additional tags to add to the scheduled action IAM role created | `map(string)` | `{}` | no |
 | <a name="input_iam_role_use_name_prefix"></a> [iam\_role\_use\_name\_prefix](#input\_iam\_role\_use\_name\_prefix) | Determines whether scheduled action the IAM role name (`iam_role_name`) is used as a prefix | `string` | `true` | no |
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN for the KMS encryption key. When specifying `kms_key_arn`, `encrypted` needs to be set to `true` | `string` | `null` | no |
-| <a name="input_logging"></a> [logging](#input\_logging) | Logging configuration for the cluster | <pre>object({<br/>    bucket_name          = optional(string)<br/>    log_destination_type = optional(string)<br/>    log_exports          = optional(list(string), [])<br/>    s3_key_prefix        = optional(string)<br/>  })</pre> | `null` | no |
+| <a name="input_logging"></a> [logging](#input\_logging) | Logging configuration for the cluster | <pre>object({<br/>    bucket_name          = optional(string)<br/>    log_destination_type = optional(string)<br/>    log_exports          = optional(list(string))<br/>    s3_key_prefix        = optional(string)<br/>  })</pre> | `null` | no |
 | <a name="input_maintenance_track_name"></a> [maintenance\_track\_name](#input\_maintenance\_track\_name) | The name of the maintenance track for the restored cluster. When you take a snapshot, the snapshot inherits the MaintenanceTrack value from the cluster. The snapshot might be on a different track than the cluster that was the source for the snapshot. Default value is `current` | `string` | `null` | no |
-| <a name="input_manage_master_password"></a> [manage\_master\_password](#input\_manage\_master\_password) | Whether to use AWS SecretsManager to manage the cluster admin credentials. Conflicts with `master_password`. One of `master_password` or `manage_master_password` is required unless `snapshot_identifier` is provided | `bool` | `false` | no |
+| <a name="input_manage_master_password"></a> [manage\_master\_password](#input\_manage\_master\_password) | Whether to use AWS SecretsManager to manage the cluster admin credentials. Conflicts with `master_password_wo`. One of `master_password_wo` or `manage_master_password` is required unless `snapshot_identifier` is provided | `bool` | `true` | no |
 | <a name="input_manage_master_password_rotation"></a> [manage\_master\_password\_rotation](#input\_manage\_master\_password\_rotation) | Whether to manage the master user password rotation. Setting this value to false after previously having been set to true will disable automatic rotation | `bool` | `false` | no |
 | <a name="input_manual_snapshot_retention_period"></a> [manual\_snapshot\_retention\_period](#input\_manual\_snapshot\_retention\_period) | The default number of days to retain a manual snapshot. If the value is -1, the snapshot is retained indefinitely. This setting doesn't change the retention period of existing snapshots. Valid values are between `-1` and `3653`. Default value is `-1` | `number` | `null` | no |
 | <a name="input_master_password_rotate_immediately"></a> [master\_password\_rotate\_immediately](#input\_master\_password\_rotate\_immediately) | Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window | `bool` | `null` | no |
diff --git a/docs/UPGRADE-7.0.md b/docs/UPGRADE-7.0.md
@@ -8,6 +8,7 @@ Please consult the `examples` directory for reference example configurations. If
 - AWS provider `v6.18` is now minimum supported version
 - The ability for the module to create a random password has been removed in order to ensure passwords are not stored in plain text within the state file. Users must now provide their own password via the `master_password_wo` variable.
   - `master_password` is no longer supported and only the write-only equivalent is supported (`master_password_wo` and `master_password_wo_version`)
+  - `manage_master_password` default changed from `false` to `true` to ensure password rotation is managed by default.
 - The variable(s) used to create access endpoints has changed from creating a single endpoint to n-number of endpoints
 
 ## Additional changes
@@ -21,6 +22,7 @@ Please consult the `examples` directory for reference example configurations. If
 
 - Variable definitions now contain detailed `object` types in place of the previously used any type.
 - Default value for `parameter_group_family` changed from `redshift-1.0` to `redshift-2.0`
+- `manage_master_password` default changed from `false` to `true`
 
 ### Removed
 
diff --git a/variables.tf b/variables.tf
@@ -105,9 +105,9 @@ variable "maintenance_track_name" {
 }
 
 variable "manage_master_password" {
-  description = "Whether to use AWS SecretsManager to manage the cluster admin credentials. Conflicts with `master_password`. One of `master_password` or `manage_master_password` is required unless `snapshot_identifier` is provided"
+  description = "Whether to use AWS SecretsManager to manage the cluster admin credentials. Conflicts with `master_password_wo`. One of `master_password_wo` or `manage_master_password` is required unless `snapshot_identifier` is provided"
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "manual_snapshot_retention_period" {
@@ -465,7 +465,7 @@ variable "logging" {
   type = object({
     bucket_name          = optional(string)
     log_destination_type = optional(string)
-    log_exports          = optional(list(string), [])
+    log_exports          = optional(list(string))
     s3_key_prefix        = optional(string)
   })
   default = null
diff --git a/wrappers/main.tf b/wrappers/main.tf
@@ -39,7 +39,7 @@ module "wrapper" {
   kms_key_arn                                       = try(each.value.kms_key_arn, var.defaults.kms_key_arn, null)
   logging                                           = try(each.value.logging, var.defaults.logging, null)
   maintenance_track_name                            = try(each.value.maintenance_track_name, var.defaults.maintenance_track_name, null)
-  manage_master_password                            = try(each.value.manage_master_password, var.defaults.manage_master_password, false)
+  manage_master_password                            = try(each.value.manage_master_password, var.defaults.manage_master_password, true)
   manage_master_password_rotation                   = try(each.value.manage_master_password_rotation, var.defaults.manage_master_password_rotation, false)
   manual_snapshot_retention_period                  = try(each.value.manual_snapshot_retention_period, var.defaults.manual_snapshot_retention_period, null)
   master_password_rotate_immediately                = try(each.value.master_password_rotate_immediately, var.defaults.master_password_rotate_immediately, null)
