add support for replica

main.tf

@@ -2,23 +2,45 @@ locals {
   filename           = var.rotation_type == "single" ? "SecretsManagerRDSMySQLRotationSingleUser.zip" : "SecretsManagerRDSMySQLRotationMultiUser.zip"
   lambda_description = var.rotation_type == "single" ? "Conducts an AWS SecretsManager secret rotation for RDS MySQL using single user rotation scheme" : "Conducts an AWS SecretsManager secret rotation for RDS MySQL using multi user rotation scheme"
 
-  secret_string_single = {
-    username             = var.mysql_username
-    password             = var.mysql_password
-    engine               = "mysql"
-    host                 = var.mysql_host
-    port                 = var.mysql_port
-    dbname               = var.mysql_dbname
+  secret_string_single_bare = {
+    username = var.mysql_username
+    password = var.mysql_password
+    engine   = "mysql"
+    host     = var.mysql_host
+    port     = var.mysql_port
+    dbname   = var.mysql_dbname
   }
-  secret_string_multi  = {
-    username             = var.mysql_username
-    password             = var.mysql_password
-    engine               = "mysql"
-    host                 = var.mysql_host
-    port                 = var.mysql_port
-    dbname               = var.mysql_dbname
-    masterarn            = var.secretsmanager_masterarn
+  secret_string_single_replica = {
+    username    = var.mysql_username
+    password    = var.mysql_password
+    engine      = "mysql"
+    host        = var.mysql_host
+    port        = var.mysql_port
+    dbname      = var.mysql_dbname
+    replicahost = var.mysql_replicahost
   }
+  secret_string_single = var.mysql_replicahost == null ? local.secret_string_single_bare : local.secret_string_single_replica
+
+  secret_string_multi_bare = {
+    username  = var.mysql_username
+    password  = var.mysql_password
+    engine    = "mysql"
+    host      = var.mysql_host
+    port      = var.mysql_port
+    dbname    = var.mysql_dbname
+    masterarn = var.secretsmanager_masterarn
+  }
+  secret_string_multi_replica = {
+    username    = var.mysql_username
+    password    = var.mysql_password
+    engine      = "mysql"
+    host        = var.mysql_host
+    port        = var.mysql_port
+    dbname      = var.mysql_dbname
+    replicahost = var.mysql_replicahost
+    masterarn   = var.secretsmanager_masterarn
+  }
+  secret_string_multi = var.mysql_replicahost == null ? local.secret_string_multi_bare : local.secret_string_multi_replica
 }
 
 resource "aws_iam_role" "default" {
@@ -118,7 +140,7 @@ resource "aws_lambda_function" "default" {
       SECRETS_MANAGER_ENDPOINT = "https://secretsmanager.${data.aws_region.current.name}.amazonaws.com"
     }
   }
-  tags             = module.this.tags
+  tags = module.this.tags
 }
 
 resource "aws_lambda_permission" "default" {

variables.tf

@@ -11,7 +11,7 @@ variable "rotation_days" {
 }
 
 variable "subnets_lambda" {
-  type        = list
+  type        = list(any)
   description = "The subnets where the Lambda Function will be run"
 }
 
@@ -54,12 +54,18 @@ variable "secretsmanager_masterarn" {
 #}
 
 variable "security_group" {
-  type        = list
+  type        = list(any)
   description = "The security group(s) where the Lambda Function will be run. This must have access to the RDS instance. The best option is to make this the RDS' security group and allow the SG to access itself"
 }
 
+variable "mysql_replicahost" {
+  type        = string
+  description = "The RDS replica endpoint to connect to your read-only database"
+  default     = null
+}
+
 variable "secret_label_order" {
-  type        = list
+  type        = list(any)
   default     = ["namespace", "environment", "stage", "name", "attributes"]
   description = <<-EOT
     The naming order of the id output and Name tag.