
Managing AWS secrets in Terraform


I am a Lead Engineer from India. I love to blog about serverless and help teams design and develop serverless architectures. An AWS Cloud Practitioner. I blog about AWS services using AWS CDK, CloudFormation and Terraform.

Terraform is a great Infrastructure as Code tool for provisioning cloud services from declarative configuration files. The most common question that comes up with Terraform is how to handle secrets such as database passwords, authentication keys and other sensitive data.

We should not store sensitive data in plain text in our Terraform configuration, because anyone with access to the repository (and to its full history, since Git never forgets a committed value) can read the secrets.

Never store sensitive data in plain text

AWS Secrets Manager lets us store database credentials, API keys and other secrets and retrieve them through the Secrets Manager API. Instead of hardcoding the values in the configuration, we fetch them from Secrets Manager when Terraform runs. It can also rotate credentials automatically on a configurable schedule. One caveat to keep in mind: any secret value a Terraform data source reads is written to the Terraform state file in plaintext, so the state backend must be protected (encrypted, access-restricted, never committed) as carefully as the secret itself.

In this blog post, we will create a secret in AWS Secrets Manager and show how we can retrieve the values using Terraform.

Create a secret in AWS Secrets Manager

  1. Open the AWS Secrets Manager service in the AWS console.

  2. Click the Store a new secret button.

  3. Choose the secret type. Secrets Manager has dedicated types for Amazon RDS, DocumentDB and Redshift cluster credentials, plus Other type of secret for anything else. Here we choose Other type of secret.

  4. Under Plaintext, store the MongoDB connection string (USERNAME and PASSWORD are placeholders for the real DocumentDB credentials): mongodb://USERNAME:PASSWORD@rahul-mongo.cluster.ap-south-1.docdb.amazonaws.com:27017

  5. Click Next and give the secret the name mongodbURI.

  6. Click Next to configure automatic rotation. We leave automatic rotation disabled.

  7. Click Next to review the configuration, then click the Store button.

  8. The new secret now appears in the secrets list.
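The same mongodbURI secret can be created from Terraform instead of the console. The following is an added example, not code from the original post: the connection string never appears in the configuration, it is supplied at apply time through a sensitive variable (for example with `export TF_VAR_mongodb_uri='mongodb://USER:PASS@host:27017'` in the shell that runs `terraform apply`). The region, the variable name and the resource names are assumptions made for this example.

```hcl
# Added example: create the "mongodbURI" secret from Terraform without
# hardcoding its value. The value arrives via TF_VAR_mongodb_uri (or a
# .tfvars file kept out of version control); names and region are assumed.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "ap-south-1"
}

variable "mongodb_uri" {
  description = "DocumentDB connection string, passed via TF_VAR_mongodb_uri; never committed"
  type        = string
  sensitive   = true # redacted from plan/apply output

  validation {
    condition     = can(regex("^mongodb://", var.mongodb_uri))
    error_message = "mongodb_uri must be a mongodb:// connection string."
  }
}

resource "aws_secretsmanager_secret" "mongodb_uri" {
  name        = "mongodbURI"
  description = "DocumentDB connection string for the Lambda"

  # A deleted secret stays recoverable for this many days (7-30);
  # keep the maximum so an accidental destroy is reversible.
  recovery_window_in_days = 30
}

resource "aws_secretsmanager_secret_version" "mongodb_uri" {
  secret_id     = aws_secretsmanager_secret.mongodb_uri.id
  secret_string = var.mongodb_uri
}
```

Marking the variable `sensitive` only redacts it from Terraform's console output. The value is still stored in plaintext in terraform.tfstate, so this approach is only as safe as the state backend that holds it.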

Terraform Configuration

Now, in the Terraform code, we use the aws_secretsmanager_secret data source to look the secret up by name and the aws_secretsmanager_secret_version data source to read its current value.

# Look the secret up by the name given in the console.
data "aws_secretsmanager_secret" "secret_name" {
  name = "mongodbURI"
}

# Read its current version. Note that secret_string is recorded in
# Terraform state, so the state file now contains the plaintext value.
data "aws_secretsmanager_secret_version" "secret_credentials" {
  secret_id = data.aws_secretsmanager_secret.secret_name.id
}

Now the value can be referenced anywhere in the rest of the Terraform code. For example, we can pass it to a Lambda function through its environment_variables. Because the secret was stored as plain text rather than as a JSON key/value pair, secret_string is the connection string itself; for a key/value secret you would wrap it in jsondecode() and pick the key you need.

# The environment_variables argument of the Lambda definition (this is the
# argument name used by the terraform-aws-modules/lambda/aws module; on a
# plain aws_lambda_function resource the same map goes under
# environment { variables = { ... } }).
environment_variables = {
  "mongoURI" = data.aws_secretsmanager_secret_version.secret_credentials.secret_string
}

After applying, open the function in the AWS Lambda console and check its environment variables: the connection string has been populated from Secrets Manager. Keep in mind that this means anyone who can read the function configuration (the lambda:GetFunctionConfiguration permission) can also read the secret.

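The post stops at copying the value into an environment variable. As an added example that is not part of the original post and goes one step beyond it, the following configuration keeps the same mongodbURI secret and the same aws_secretsmanager_secret data source, but passes only the secret's ARN to the function and grants its execution role read access to that one secret. The function then calls GetSecretValue itself at runtime, so the value never enters Terraform state or the function configuration. The role, policy and function names, the handler, the runtime and the lambda.zip package are assumptions for this example.

```hcl
# Added example (not from the original post): hardened variant. The Lambda
# receives the secret ARN, not the secret, and fetches the value at runtime
# with the SDK. Resource names, handler, runtime and lambda.zip are assumed.

data "aws_secretsmanager_secret" "secret_name" {
  name = "mongodbURI"
}

data "aws_iam_policy_document" "lambda_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "mongo_lambda" {
  name               = "mongo-lambda-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
}

# Least privilege: read access to this one secret and nothing else.
data "aws_iam_policy_document" "read_mongo_secret" {
  statement {
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [data.aws_secretsmanager_secret.secret_name.arn]
  }
}

resource "aws_iam_role_policy" "read_mongo_secret" {
  name   = "read-mongodb-uri-secret"
  role   = aws_iam_role.mongo_lambda.id
  policy = data.aws_iam_policy_document.read_mongo_secret.json
}

# CloudWatch Logs permissions so the function can write its logs.
resource "aws_iam_role_policy_attachment" "basic_logging" {
  role       = aws_iam_role.mongo_lambda.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

resource "aws_lambda_function" "mongo" {
  function_name = "mongo-lambda"
  role          = aws_iam_role.mongo_lambda.arn
  handler       = "index.handler"
  runtime       = "nodejs18.x"
  filename      = "lambda.zip" # assumed: built and zipped separately

  environment {
    variables = {
      # Only the ARN is exposed; the handler calls GetSecretValue with it.
      MONGO_SECRET_ARN = data.aws_secretsmanager_secret.secret_name.arn
    }
  }
}
```

Because no aws_secretsmanager_secret_version data source is used, Terraform never reads the value and the state file holds only the ARN. If the secret is encrypted with a customer-managed KMS key rather than the default aws/secretsmanager key, the role additionally needs kms:Decrypt on that key. The handler should cache the fetched value across invocations to avoid a Secrets Manager call on every request.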

Conclusion

In this blog post, we saw how to create a secret in AWS Secrets Manager and looked at the Terraform configuration that reads the secret value into an environment variable of a Lambda function. The associated Git repository is here.

Rahul Lokurte Blog


I'm a DevOps and Cloud Engineer with 10 years of experience designing and building applications using containers and serverless technologies. Love blogging about AWS.