Managing AWS secrets in Terraform

Terraform is a widely used Infrastructure as Code tool for provisioning cloud services from declarative configuration files. The most common question that comes up with Terraform is how to handle secrets such as database passwords, authentication keys, and other sensitive data.

We should not store sensitive data in plain text in our Terraform configuration, because anyone with access to the repository can then read the secrets.

Never store sensitive data in plain text

AWS Secrets Manager lets us retrieve database credentials, API keys, and other secrets through the Secrets Manager API. Instead of hardcoding secret values, we can fetch them from that API. It also gives us the option to rotate credentials automatically after a configurable number of days.

In this blog post, we will create a secret in AWS Secrets Manager and show how we can retrieve the values using Terraform.

Create a secret in AWS Secrets Manager

  1. Select the AWS Secrets Manager service from the AWS console.

  2. Click on the Store a new secret button.

  3. It provides various options for the secret type: credentials for RDS, DocumentDB, and Redshift clusters, as well as other types of secret. Here, we select other types of secret.

  4. In Plaintext, store the MongoDB connection URI: mongodb://USERNAME:PASSWORD@rahul-mongo.cluster.ap-south-1.docdb.amazonaws.com:27017
     (screenshot: secret-type.png)

  5. Click on Next and provide the secret name mongodbURI.
     (screenshot: secret-name.png)

  6. Click on Next to configure automatic rotation. We will leave automatic rotation disabled.

  7. Click on Next to review the configuration, then click the Store button.

  8. You can see the secret in the list as shown below.

(screenshot: store-secret.png)

Terraform Configuration

Now, in the Terraform code, we use the aws_secretsmanager_secret data source to look the secret up by name and the aws_secretsmanager_secret_version data source to read its current value.

data "aws_secretsmanager_secret" "secret_name" {
  name = "mongodbURI"
}

data "aws_secretsmanager_secret_version" "secret_credentials" {
  secret_id = data.aws_secretsmanager_secret.secret_name.id
}

Now you can use the secret in the rest of your Terraform code. For example, we can pass it to the Lambda function's environment_variables.

environment_variables = {
  "mongoURI" = data.aws_secretsmanager_secret_version.secret_credentials.secret_string
}

In the AWS Lambda console, we can confirm that the value was extracted by checking the function's environment variables.

(screenshot: mongodb-environment.png)
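As an added, complete example (not code from the post or its repository), here are the snippets above assembled into one Terraform file that passes the secret to a Lambda function with the native aws_lambda_function resource. The function name, handler, deployment package and role variable are assumptions, and the post's environment_variables map is assumed to come from a Lambda module wrapper.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "ap-south-1" # matches the DocumentDB endpoint region in the secret
}

# Assumed: the Lambda execution role is created elsewhere and passed in.
variable "lambda_role_arn" {
  type = string
}

# Look the secret up by the name chosen in the console...
data "aws_secretsmanager_secret" "secret_name" {
  name = "mongodbURI"
}

# ...and read the value of its current version.
data "aws_secretsmanager_secret_version" "secret_credentials" {
  secret_id = data.aws_secretsmanager_secret.secret_name.id
}

resource "aws_lambda_function" "mongo_api" {
  function_name = "mongo-api"         # assumed
  role          = var.lambda_role_arn
  filename      = "lambda.zip"        # assumed deployment package
  handler       = "index.handler"     # assumed
  runtime       = "nodejs18.x"        # assumed
  # Native equivalent of the module-style environment_variables map above.
  # Note: the data source result, and therefore the plaintext URI, is recorded
  # in the Terraform state file and in the function configuration, so keep the
  # state backend encrypted and access to it restricted.
  environment {
    variables = {
      mongoURI = data.aws_secretsmanager_secret_version.secret_credentials.secret_string
    }
  }
}
# If the value must be exposed as an output, mark it sensitive so plan/apply redact it.
output "mongo_uri" {
  value     = data.aws_secretsmanager_secret_version.secret_credentials.secret_string
  sensitive = true
}
```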

Conclusion

In this blog post, we saw how to create a secret in the AWS Secrets Manager service. We also looked at the Terraform script that extracts the secret value into a Lambda environment variable. The associated Git repository is here

Support Rahul Lokurte by becoming a sponsor. Any amount is appreciated!