AWS Terraform Secrets Manager | All About

Ensuring the confidentiality of user credentials is paramount in today’s digital landscape. AWS Secrets Manager provides a reliable platform to securely store and manage various types of sensitive information, including database credentials, SaaS application credentials, third-party API keys, SSH keys, and on-premise resource information.

Pre-requisite 1: Don’t Store Secrets in Plain Text

The first and most important rule of secrets management is to avoid storing secrets in plain text. Storing secrets directly in your Terraform code and checking them into version control is a bad practice that exposes sensitive information to anyone who has access to the code. It also leaves secrets vulnerable on various computers and software systems.

Pre-requisite 2: Keep Your Terraform State Secure

Terraform state files store important data about your infrastructure, including the parameters you pass in. By default, these state files are stored in plain text, even if you use secure techniques to pass in secrets. To ensure the security of your Terraform state, you should store it in a backend that supports encryption, such as S3, GCS, or Azure Blob Storage. Additionally, you should strictly control access to the Terraform backend to limit who can retrieve the state files.

Technique 1: Environment Variables

One technique to handle secrets in Terraform is to use environment variables. Instead of hard-coding secrets in your code, you declare variables for the secrets and pass them to the Terraform resources using environment variables. For example, you can define variables for the username and password of the master user in your Terraform code:

 
variable "username" {
  description = "The username for the DB master user"
  type        = string
}

variable "password" {
  description = "The password for the DB master user"
  type        = string
}

Then, you can set environment variables TF_VAR_username and TF_VAR_password with the respective values before running Terraform.

Technique 2: Encrypted Files (e.g., KMS, PGP, SOPS)

Another technique is to encrypt secrets and store the encrypted version in a file that can be checked into version control. This technique involves using encryption keys provided by your cloud provider’s key service, such as AWS KMS, GCP KMS, or Azure Key Vault.

To use this technique, you would encrypt the secrets using the key service and write the encrypted data to a file. You can then use Terraform’s data sources, such as aws_kms_secrets, to decrypt the secrets during Terraform execution. The decrypted secrets can be passed to the appropriate resources.

For example, you can create a file called db-creds.yml with the secrets and encrypt it using AWS KMS:

 
aws kms encrypt \
  --key-id <YOUR KMS KEY> \
  --region <AWS REGION> \
  --plaintext fileb://db-creds.yml \
  --output text \
  --query CiphertextBlob \
  > db-creds.yml.encrypted

You can then use the aws_kms_secrets data source in your Terraform code to decrypt the secrets and pass them to the resources.

These are two techniques you can use to manage secrets securely in Terraform. By following these best practices, you can protect sensitive information and minimize the risk of unauthorized access to your infrastructure. Remember to choose the technique that best suits your specific requirements and environment.

Conculsion

Codeyo Genie is here to help, so don’t forget that. If you need more help or would rather have an expert show you the way, Contact us today to improve how your website works and make sure your users can always get to it.