# Managing AWS secrets in Terraform

Terraform is a great Infrastructure As Code tool for provisioning cloud services using declarative configuration files. The most common question that comes up with terraform is how to handle the secrets like database passwords, Authentication Keys, and other data which are sensitive.

We should not store the sensitive data in plain text in our Terraform configuration. Because anyone who has access to that repository can see the secrets.

> Never store sensitive data in plain text

AWS Secret Manager allows us to retrieve database credentials, API keys, and other secrets using Secret Manager API. Instead of storing the hardcoded secret values, we can directly fetch them from the secret manager API. It also provides us the option to rotate the credentials for a configurable number of days.

In this blog post, we will create a secret in AWS Secrets Manager and show how we can retrieve the values using Terraform.

## Create an AWS Secrets Manager

1. Select the AWS secret Manager service from the AWS console.

2. Click on **_Store a new secret_** button.

3. It provides various options for the secret Type. It supports credentials for RDS, DocumentDB, Redshift clusters, and also other types of secret. Here, we select **_other types of secret_**.

4. In **_Plaintext_** store the MongoDB credentials.
   `mongodb://USERNAME:PASSWORD@rahul-mongo.cluster.ap-south-1.docdb.amazonaws.com:27017`
![secret-type.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627644197113/0Yj1jSyvf.png)

5. Click on Next and then provide the secret name **_mongodbURI_**.
![secret-name.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627644315609/xk6wN0LQX.png)

6. Click on Next and you can configure automatic rotation. We will Disable automatic rotation.

7. Click on Next and you will be taken to review the configuration. Click on the ***Store*** button.

8. You can see the secret in the list as shown below.

![store-secret.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627643911289/zZD-V6dHi.png)

## Terraform Configuration

Now, in the terraform code, we can use the ***aws_secretsmanager_secret_version*** data source to read this secret.


```json
data "aws_secretsmanager_secret" "secret_name" {
   name = "mongodbURI"
}

data "aws_secretsmanager_secret_version" "secret_credentials" {
  secret_id = data.aws_secretsmanager_secret.secret_name.id
}
``` 
And now you can use those secrets in the rest of your Terraform code. For example, we can get the secrets in environment_variables.

```json
environment_variables = {
    "mongoURI"       = data.aws_secretsmanager_secret_version.secret_credentials.secret_string
  }
``` 

In our Lambda, we can see the value is extracted by going to the AWS Lambda console and check the environment variable.

![mongodb-environment.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1627649145400/mbyRRlTjP.png)

## Conclusion

In this blog post, we see how to create a secret in the AWS Secret Manager service. We also looked at the terraform script to extract the secret values into the environment variable of Lambda. The associated Git Repository is <a href="https://github.com/rahulmlokurte/aws-usage/tree/main/terraform/secret-manager-terraform" target="_blank">**here**</a>






