How to pull encrypted data from the SSM Parameter Store into the Terraform var file and keep it encrypted end to end?

My requirement is: I want to keep my passwords and some other environment variables in AWS SSM / AWS Secrets Manager, then pull that value into an environment variable in its encrypted form and finally decrypt it inside the Terraform code. Is there a best way to do it?


There is 1 answer

thekbb

You can have a pretty simple script that uses the AWS CLI to pull the secret from Secrets Manager and sets it in an env var (local to that script), which then calls terraform plan and then terraform apply. This snippet will grab a secret named secret-name from AWS Secrets Manager and then put it in an environment variable TF_VAR_secret (the TF_VAR_ prefix makes Terraform pass it as the value of the Terraform variable secret):

#!/bin/bash -e
set -o pipefail
# Keep xtrace off while the secret is fetched so the plaintext never lands in the shell log.
set +x
# Assign first, then export: "export VAR=$(cmd)" would mask a failing aws/jq exit status under -e.
TF_VAR_secret="$(aws secretsmanager get-secret-value --secret-id arn:aws:secretsmanager:us-east-2:<AWS ACCT #>:secret:secret-name | jq -r .SecretString)"
export TF_VAR_secret
# Terraform reads TF_VAR_<name> as the value of variable "<name>" (here: variable "secret").
set -x
terraform plan

Keep in mind that using this pattern won't encrypt the value in Terraform state. You'll want to make sure that whatever you're setting it on is marked as sensitive by the provider, that wherever the remote state file resides is encrypted at rest, and that access to read the state is appropriate for the data you have there. See https://www.terraform.io/docs/state/sensitive-data.html

If you're using AWS CodeBuild, this gets way simpler by using an environment_variable of type SECRETS_MANAGER.

To sum up: your state should be encrypted, but not the values in the state. You solve this by encrypting the whole state at rest and controlling access to the state. If a provider did encrypt values in state, it would be pulled from the official registry.
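The Terraform side of the pattern described in the answer, as an added example that is not part of the original post or the answerer's code: the variable that the wrapper script fills via TF_VAR_secret is declared with sensitive = true, the S3 backend encrypts the state object at rest, and a CodeBuild project injects the same secret with an environment_variable of type SECRETS_MANAGER (plus a PARAMETER_STORE one for the SSM case the question asks about). The bucket, KMS alias, lock table, repository URL, secret and parameter names, and role name are all assumptions for illustration.

```hcl
terraform {
  required_version = ">= 0.14" # sensitive = true on variables needs 0.14+

  backend "s3" {
    bucket         = "example-tf-state"        # assumed bucket name
    key            = "app/terraform.tfstate"
    region         = "us-east-2"
    encrypt        = true                      # state object encrypted at rest
    kms_key_id     = "alias/example-tf-state"  # assumed CMK; key policy controls who can read state
    dynamodb_table = "example-tf-lock"         # assumed lock table
  }
}

# Populated from TF_VAR_secret by the wrapper script or by CodeBuild.
# No default: the value must come from the secret store, never from a .tfvars file.
variable "secret" {
  type      = string
  sensitive = true # redacted in plan/apply output; still plaintext in the state file
}

variable "db_password" {
  type      = string
  sensitive = true
}

# Example consumer: the provider also marks password as sensitive, so it is
# redacted in CLI output, but it is written to state in plaintext regardless.
resource "aws_db_instance" "example" {
  identifier          = "example"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = var.db_password
  skip_final_snapshot = true
}

data "aws_iam_policy_document" "codebuild_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["codebuild.amazonaws.com"]
    }
  }
}

# Assumed role; it additionally needs secretsmanager:GetSecretValue and
# ssm:GetParameters (and kms:Decrypt for the keys protecting those values),
# which is where read access to the secrets is actually enforced.
resource "aws_iam_role" "codebuild" {
  name               = "example-codebuild-terraform"
  assume_role_policy = data.aws_iam_policy_document.codebuild_assume.json
}

resource "aws_codebuild_project" "terraform" {
  name         = "terraform-plan"
  service_role = aws_iam_role.codebuild.arn

  artifacts {
    type = "NO_ARTIFACTS"
  }

  source {
    type     = "GITHUB"
    location = "https://github.com/example/infra.git" # assumed repository
  }

  environment {
    compute_type = "BUILD_GENERAL1_SMALL"
    image        = "aws/codebuild/standard:5.0"
    type         = "LINUX_CONTAINER"

    # CodeBuild resolves these at build start; the plaintext exists only in the
    # build container's environment, not in the project definition or logs.
    environment_variable {
      name  = "TF_VAR_secret"
      value = "secret-name" # Secrets Manager secret name or ARN (assumed)
      type  = "SECRETS_MANAGER"
    }

    environment_variable {
      name  = "TF_VAR_db_password"
      value = "/app/prod/db_password" # SSM SecureString parameter name (assumed)
      type  = "PARAMETER_STORE"
    }
  }
}
```

sensitive = true only changes what the CLI prints; anyone who can read the state object (bucket policy plus kms:Decrypt on the state key) still sees the password, which is why the answer says to treat state access as equivalent to access to the secret itself.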