Don't Add aws_ssm_parameter's value to ignore_changes

Overview

Up until now, secret values have often been handled in one of two ways: either the resource is created with a placeholder and Terraform is told to ignore whatever value is later written by hand, or the parameter is only read through a data source.

```hcl
# Pattern 1: create the parameter with a placeholder, overwrite it by hand
# afterwards, and tell Terraform to ignore the real value.
resource "aws_ssm_parameter" "master_password" {
  name  = "master_password"
  type  = "SecureString"
  value = "dummy"

  lifecycle {
    ignore_changes = [value]
  }
}
```
```hcl
# Pattern 2: only read a parameter that was registered outside Terraform.
data "aws_ssm_parameter" "master_password" {
  name = "master_password"
}
```

In either case the real value has to be registered in Parameter Store by some other means, before the apply (pattern 2) or after it (pattern 1).
In other words, the secret's lifecycle becomes work that Terraform does not manage: the code does not record which value is current, and a missing or drifted parameter is invisible to `terraform plan`.

Steps to Address This

The way to keep everything within Terraform is to encrypt the value with KMS and commit only the ciphertext; Terraform decrypts it at plan/apply time and registers the plaintext in Parameter Store.

  1. Create the KMS key needed for encryption

```hcl
resource "aws_kms_key" "a" {
  description             = "KMS key 1"
  deletion_window_in_days = 10
}
```
  2. Encrypt the value with `aws kms encrypt`

```sh
# <key-id> is the key ID, ARN or alias of the key created above.
# --query/--output print the bare base64 CiphertextBlob rather than the JSON response,
# which is what the Terraform payload expects. AWS CLI v2 treats --plaintext as
# base64 unless --cli-binary-format raw-in-base64-out is given.
aws kms encrypt --key-id <key-id> --plaintext <value> \
  --cli-binary-format raw-in-base64-out \
  --query CiphertextBlob --output text

AQECAHgaPa0J8...3MmDBdqP8dPp28OoAQ==
```

Note that a value passed on the command line ends up in shell history; reading it from a file (`--plaintext fileb://...`) avoids that.
  3. Register the value obtained via data.aws_kms_secrets in Parameter Store

```hcl
# Only the ciphertext lives in the code; Terraform calls kms:Decrypt on the
# payload at plan/apply time.
data "aws_kms_secrets" "parameters" {
  secret {
    name    = "master_password"
    payload = "AQECAHgaPa0J8...3MmDBdqP8dPp28OoAQ=="
  }
}

resource "aws_ssm_parameter" "master_password" {
  name  = "/${var.environment}/database/password/master"
  type  = "SecureString"
  value = data.aws_kms_secrets.parameters.plaintext["master_password"]
}
```
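As an added example, not code from the original post, here is a small POSIX shell wrapper for step 2 that prints a `secret { ... }` block ready to paste into step 3. It assumes the AWS CLI is installed and the caller has kms:Encrypt on the key; the encryption-context key `secret_name`, the key alias and the secret name in the usage line are illustrative choices, not anything the post specifies. It goes slightly beyond the post by binding each ciphertext to its secret name with an encryption context, and by rejecting the whole-JSON-response paste mistake.

```sh
#!/bin/sh
# Added example (not code from the original post). Wraps `aws kms encrypt` so the
# result can be pasted straight into data "aws_kms_secrets".
# Assumptions: the AWS CLI is installed, the caller has kms:Encrypt on the key,
# and the encryption-context key "secret_name" is our own convention.
set -eu

# Accept only a bare base64 CiphertextBlob. A common mistake is pasting the whole
# JSON response of `aws kms encrypt` into `payload`, which KMS then rejects at
# `terraform plan`.
is_ciphertext_b64() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# Encrypt stdin under $1 (key ID, ARN or alias) and print the base64 blob.
# The plaintext is read via fileb:///dev/stdin so it never appears in argv,
# `ps` output or shell history, and no --cli-binary-format flag is needed.
# The encryption context ties the ciphertext to the secret's name: KMS refuses to
# decrypt it if Terraform later presents it under a different context.
encrypt_secret() {
  key_id=$1
  name=$2
  blob=$(aws kms encrypt \
    --key-id "$key_id" \
    --plaintext fileb:///dev/stdin \
    --encryption-context "secret_name=$name" \
    --query CiphertextBlob --output text)
  is_ciphertext_b64 "$blob" || { echo "unexpected encrypt output" >&2; return 1; }
  printf '%s\n' "$blob"
}

# Emit the `secret { ... }` block for data "aws_kms_secrets". The context map
# must match what was used at encrypt time, otherwise decryption fails.
hcl_secret_block() {
  name=$1
  payload=$2
  printf '  secret {\n'
  printf '    name    = "%s"\n' "$name"
  printf '    payload = "%s"\n' "$payload"
  printf '    context = {\n      secret_name = "%s"\n    }\n' "$name"
  printf '  }\n'
}

# Usage: printf '%s' "$SECRET" | ./kms_secret.sh alias/terraform-secrets master_password
# (printf rather than echo, so no trailing newline becomes part of the secret.)
if [ "$#" -eq 2 ]; then
  payload=$(encrypt_secret "$1" "$2")
  hcl_secret_block "$2" "$payload"
fi
```

Because the context is part of the ciphertext's authenticated data, a payload copied from one `secret` block into another with a different name fails to decrypt instead of silently substituting the wrong secret.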

The steps above assume the secret has to live in Parameter Store, which is why the resource "aws_ssm_parameter" was needed. If nothing else reads it from there, you can skip that step and reference the decrypted value directly on the consuming resource, as shown below. Every name looked up in plaintext[...] needs its own secret block in the data source (the data source above defines only master_password).

```hcl
resource "aws_rds_cluster" "example" {
  # ... other configuration ...
  master_password = data.aws_kms_secrets.parameters.plaintext["master_password"]
  master_username = data.aws_kms_secrets.parameters.plaintext["master_username"]
}
```

Summary

It’s truly common that, when you’re stuck, checking the official documentation resolves the issue.

By the way,
when you think about who encrypts with the KMS key, it is the person writing the Terraform code, so that operator needs permission to encrypt with the key.

  • kms:Encrypt

The decrypting side matters just as much: data.aws_kms_secrets calls KMS whenever `terraform plan` or `apply` runs, so the identity that applies the code (a CI role, for example) needs permission to decrypt with the same key, and the decrypted plaintext is written to the Terraform state. Treat the state as sensitive (an encrypted remote backend with restricted access).

  • kms:Decrypt

That’s all.
I hope this helps.

kenzo0107