How to pull encrypted data from the SSM Parameter Store into the terraform var file and keep it encrypted end to end?
My requirement is: I want to keep my passwords and some other environment variables in AWS SSM / AWS Secrets Manager, then pull that value into the environment variable in its encrypted form and finally decrypt it inside the terraform code. Is there a best way to do it?
You can have a pretty simple script that uses the AWS CLI to pull the secret from Secrets Manager and sets it to an env var (local to that script), which then calls terraform plan and then terraform apply. This snippet will grab a secret named secret-name from AWS Secrets Manager and then put it in an environment variable TF_VAR_secret (prefixing with TF_VAR_ passes the var as the value of the terraform variable secret).
Keep in mind that using this pattern won't encrypt the value in terraform state. You'll want to make sure that whatever you're setting it to is marked as sensitive by the provider, as well as that wherever the remote statefile resides is encrypted at rest, and that access to read the state is appropriate for the data you have there. See https://www.terraform.io/docs/state/sensitive-data.html
If you're using AWS CodeBuild, this gets way simpler by using an environment_variable of type SECRETS_MANAGER.
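The wrapper script the answer above describes, written out as an added example (it is not the answerer's snippet, which is missing from this page). It assumes the AWS CLI v2 and terraform are on PATH and that the caller already holds secretsmanager:GetSecretValue or ssm:GetParameter on the named secret; the backend selector, the secret name and the terraform variable name are positional arguments chosen for illustration. SSM Parameter Store is included because the question asks about it as well.

```shell
#!/bin/sh
# Added example of the pattern described in the answer; not the answerer's
# own snippet. Assumes `aws` (CLI v2) and `terraform` are on PATH and that
# the caller's credentials can read the named secret.
set -eu   # deliberately no `set -x`: tracing would echo the secret value

# Read one secret as plaintext from Secrets Manager or SSM Parameter Store.
# With --output text the CLI prints the literal string "None" when the
# queried field is null (e.g. a binary-only secret with no SecretString),
# so callers must not trust the output blindly.
fetch_secret() {
  backend="$1"; name="$2"
  case "$backend" in
    secretsmanager)
      aws secretsmanager get-secret-value --secret-id "$name" \
          --query SecretString --output text ;;
    ssm)
      # --with-decryption turns a SecureString back into plaintext; without
      # it the CLI hands back the KMS ciphertext, which terraform cannot use.
      aws ssm get-parameter --name "$name" --with-decryption \
          --query Parameter.Value --output text ;;
    *)
      echo "fetch_secret: unknown backend '$backend'" >&2; return 2 ;;
  esac
}

# Hand the value to terraform as TF_VAR_<name>, i.e. the input variable
# <name>, without putting it on a command line (visible in `ps`) or into a
# tfvars file (lands on disk and possibly in version control).
run_terraform() {
  backend="$1"; name="$2"; tf_var="$3"; shift 3
  case "$tf_var" in
    ""|*[!A-Za-z0-9_]*)
      echo "run_terraform: bad variable name '$tf_var'" >&2; return 2 ;;
  esac
  value="$(fetch_secret "$backend" "$name")"
  if [ -z "$value" ] || [ "$value" = "None" ]; then
    echo "run_terraform: no SecretString/Value found for '$name'" >&2
    return 1
  fi
  # The subshell scopes the export to this one terraform invocation; the
  # variable never reaches the caller's environment or shell history.
  (
    export "TF_VAR_${tf_var}=${value}"
    terraform "$@"
  )
}

# Usage: ./tf-with-secret.sh <secretsmanager|ssm> <secret-name> <tf-var> <terraform args...>
#   ./tf-with-secret.sh secretsmanager secret-name secret plan -out=tfplan
#   ./tf-with-secret.sh secretsmanager secret-name secret apply tfplan
if [ "$#" -ge 4 ]; then
  run_terraform "$@"
fi
```

On the terraform side declare the variable with type = string and sensitive = true so plan and apply output redact it; as the answer says, that does not change what is written to state, which still holds the plaintext and must be protected by encryption at rest and access control on the backend.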
To sum up: your state should be encrypted, but not values in the state. You solve this by encrypting the whole state at rest and controlling access to state. If a provider did encrypt values in state, it would be pulled from the official registry.