search

4. Secrets Manager

terraform/secrets/mainf.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.62.0"
    }
  }

  required_version = ">= 1.0.8"
}

provider "aws" {
  region = "eu-central-1"
}

resource "random_password" "password" {
  length           = 16
  special          = true
  override_special = "_%@"
}

resource "random_id" "db_secret_suffix" {
  byte_length = 8
}

resource "aws_secretsmanager_secret" "db_secret" {
  name = "db-secret-${random_id.db_secret_suffix.b64_std}"
}

resource "aws_secretsmanager_secret_version" "db_secret_version" {
  secret_id = aws_secretsmanager_secret.db_secret.id
  secret_string = jsonencode({
    name     = "workshopsdb"
    username = "workshopsuser"
    password = random_password.password.result
  })
}
circle-info

If you want to keep database name and username secure you can create input variables and pass its values via environment variables that match the pattern TF_VAR_<VARIABLE_NAME>. You can learn more about this topic herearrow-up-right. Also, you can use HashiCorp Vaultarrow-up-right to manage secrets.

Try to read the secret's value using the AWS CLI:

Our application will need to read the secret's value to be able to connect to the database. We need to make sure we can read the secret's value from the EC2 instance which is running in the private subnet. First, we need to create IAM Role that the EC2 instance will use.

circle-info

IAM Role is a way of giving some privileges to some AWS resource to let it do something with another AWS resource.

Previous3. Virtual Private CloudNext5. IAM Role

Last updated