Rotate dev + demo MDR DB passwords (follow-up to #938) #953

@bjagg

Description

Follow-up to #938 / PR #951.

What

After PR #951 lands and the MDR API redeploys, the future startup logs no longer leak DATABASE_URL. But the previous credential is still in CloudWatch retention history — every prior MDR API task start emitted a log line containing it. Anyone with logs:FilterLogEvents on the shared dev / demo log groups can recover the password by searching old streams.

The leak is only fully closed once we rotate.

Scope

  • Rotate MDRDatabasePassword (or whatever the SSM key is for the Aurora cluster's master password) for both dev and demo.
  • Confirm MDR API picks up the new password on its next task start (ECS reads from SSM at task launch).
  • Optional: tighten log-group permissions so the next leak is less recoverable (broader cleanup, separate issue).

Steps (rough)

  1. Identify the current SSM param name(s): aws ssm describe-parameters --filters Key=Name,Values=mdr-db,Option=Contains.
  2. Generate a new password (Aurora has constraints — 8–128 chars, ASCII printable except /, @, ", space).
  3. Update the password on the Aurora cluster: aws rds modify-db-cluster --master-user-password <new>.
  4. Update the SSM param to the new value.
  5. Force the MDR API service to redeploy so it picks up the new value on next task start: ./aws-deploy.sh -s dev --only-stack dev-lif-mdr-api --update-ecs.
  6. Verify MDR API health after the rolling deploy completes.
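Steps 2 through 5 above as one script, added here as an example (not code from the issue or the project's repo); the SSM parameter name, Aurora cluster identifier and stage are assumed placeholders passed on the command line, and `./aws-deploy.sh` is the deploy wrapper the issue already names.

```shell
#!/bin/sh
# Added example (not the project's code): rotate the MDR Aurora master password
# following steps 2-5 of the issue. SSM parameter name, cluster id and stage
# are assumed placeholders supplied as arguments.

# Aurora master password rules quoted in the issue: 8-128 chars, printable
# ASCII, no '/', '@', '"' or space. Returns 0 when the password complies.
validate_aurora_password() {
  pw="$1"
  [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 128 ] || return 1
  # anything outside 0x21-0x7E (space, control bytes, non-ASCII) is rejected
  printf '%s' "$pw" | LC_ALL=C grep -q '[^!-~]' && return 1
  # the three printable characters Aurora forbids
  printf '%s' "$pw" | LC_ALL=C grep -q '[/@"]' && return 1
  return 0
}

# Step 2: draw random bytes and keep only characters from the allowed set.
generate_aurora_password() {
  len="${1:-32}"
  head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!#$%&*+,.:;=?^_{|}~-' | head -c "$len"
}

# Steps 3-5: update the cluster, then SSM, then force the ECS redeploy.
# Caveat: the new value passes through argv, so it is visible to `ps` on the
# operator's host while the AWS CLI runs; run this from a trusted workstation.
rotate_mdr_db_password() {
  ssm_param="$1"; cluster_id="$2"; stage="$3"
  new_pw=$(generate_aurora_password 32)
  validate_aurora_password "$new_pw" || { echo "generated password invalid" >&2; return 1; }
  aws rds modify-db-cluster --db-cluster-identifier "$cluster_id" \
    --master-user-password "$new_pw" --apply-immediately >/dev/null || return 1
  aws ssm put-parameter --name "$ssm_param" --value "$new_pw" \
    --type SecureString --overwrite >/dev/null || return 1
  # A task launched between the two calls above and this redeploy may start
  # with a stale value; the rolling redeploy (step 5) restarts it with the new one.
  ./aws-deploy.sh -s "$stage" --only-stack "${stage}-lif-mdr-api" --update-ecs
}

# usage: sh rotate.sh rotate <ssm-param-name> <cluster-id> <dev|demo>
if [ "${1:-}" = "rotate" ] && [ $# -eq 4 ]; then
  rotate_mdr_db_password "$2" "$3" "$4"
fi
```

Run it once per environment (dev, then demo) and follow with the health check from step 6; the flyway/SAM Lambda mentioned below reads the same SSM parameter, so its next deploy is the second place to verify.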

Don't forget

  • The flyway/SAM Lambda also pulls the master password from SSM; check it still works on next deploy.
  • Other services (GraphQL, translator, etc.) connect to their own DBs, not the MDR DB — they're not in scope here.
