Documentation ¶
Overview ¶
Package rds wraps AWS RDS master password rotation. AWS RDS doesn't expose per-user create/delete via API — accounts live in the database engine. The closest CSPM-detectable management-plane signal is `ModifyDBInstance` with MasterUserPassword, captured by CloudTrail.
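The CloudTrail signal described above, as an added detection example (not part of this package's code): it scans CloudTrail records for `ModifyDBInstance` calls whose request carried a master password. The sample records, the `Finding` type and the `MasterPasswordChanges` helper are constructed for illustration; the `requestParameters` key names (`masterUserPassword`, `dBInstanceIdentifier`) follow CloudTrail's usual lower-camel-case rendering and are an assumption to confirm against your own trail.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample CloudTrail records, one JSON object per line (not real logs).
const sampleTrail = `{"eventSource":"rds.amazonaws.com","eventName":"ModifyDBInstance","eventTime":"2024-01-01T10:00:00Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-scanner"},"requestParameters":{"dBInstanceIdentifier":"example-db","masterUserPassword":"****","applyImmediately":true}}
{"eventSource":"rds.amazonaws.com","eventName":"ModifyDBInstance","eventTime":"2024-01-01T10:05:00Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-admin"},"requestParameters":{"dBInstanceIdentifier":"example-db","backupRetentionPeriod":7}}
{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","eventTime":"2024-01-01T10:06:00Z","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-admin"},"requestParameters":null}
{"eventSource":"rds.amazonaws.com","eventName":"ModifyDBInstance","eventTime":"2024-01-01T10:09:00Z","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-other"},"requestParameters":{"dBInstanceIdentifier":"example-db","masterUserPassword":"****"}}`

// record holds the CloudTrail fields used here; encoding/json matches key names case-insensitively.
type record struct {
	EventSource, EventName, EventTime, ErrorCode string

	UserIdentity      struct{ ARN string }
	RequestParameters map[string]interface{}
}

// Finding is one master-password change request; Succeeded is false when an errorCode was logged.
type Finding struct {
	Time, Actor, Instance string
	Succeeded             bool
}

// MasterPasswordChanges returns a Finding for every ModifyDBInstance record that set a master password.
func MasterPasswordChanges(trail string) []Finding {
	var out []Finding
	for _, line := range strings.Split(trail, "\n") {
		var r record
		if json.Unmarshal([]byte(line), &r) != nil || r.EventSource != "rds.amazonaws.com" || r.EventName != "ModifyDBInstance" {
			continue // malformed line or unrelated API call
		}
		if _, ok := r.RequestParameters["masterUserPassword"]; !ok {
			continue // an instance change that did not touch the master password
		}
		id, _ := r.RequestParameters["dBInstanceIdentifier"].(string)
		out = append(out, Finding{r.EventTime, r.UserIdentity.ARN, id, r.ErrorCode == ""})
	}
	return out
}

func main() {
	for _, f := range MasterPasswordChanges(sampleTrail) {
		fmt.Printf("%s actor=%s instance=%s succeeded=%t\n", f.Time, f.Actor, f.Instance, f.Succeeded)
	}
}
```

Denied attempts are reported as well, since a failed password change against the master user is itself worth reviewing.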
Index ¶
- type Driver
- func (d *Driver) CreateAccount(ctx context.Context, instanceID string) (schema.DatabaseActionResult, error)
- func (d *Driver) DeleteAccount(ctx context.Context, instanceID string) (schema.DatabaseActionResult, error)
- func (d *Driver) GetDatabases(ctx context.Context) ([]schema.Database, error)
- func (d *Driver) PartialError() error
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Driver ¶
type Driver struct {
	Client        *api.Client
	Region        string
	DefaultRegion string
	// contains filtered or unexported fields
}
func (*Driver) CreateAccount ¶
func (d *Driver) CreateAccount(ctx context.Context, instanceID string) (schema.DatabaseActionResult, error)
CreateAccount rotates the RDS master password to the value supplied by the `rds-account-check` config — equivalent to "set a known password on the master user". The username comes from the existing instance.
func (*Driver) DeleteAccount ¶
func (d *Driver) DeleteAccount(ctx context.Context, instanceID string) (schema.DatabaseActionResult, error)
DeleteAccount rotates the RDS master password to a fresh random value to revoke the access granted by `useradd`.
func (*Driver) GetDatabases ¶
GetDatabases lists RDS instances across one or all regions and surfaces them as the cloudlist `database` asset. Per-region failures are recorded via PartialError so a denied region does not abort the rest of cloudlist.
func (*Driver) PartialError ¶
PartialError returns the aggregated per-region errors collected during the last GetDatabases call (nil when every region succeeded).