amazon web services - How to retrieve a secret in terraform from aws secret manager

ID : 274559


Tags: terraform, aws-secrets-manager





Top 5 Answers for amazon web services - How to retrieve a secret in terraform from aws secret manager

94 votes

Here is an example. By default, aws_secretsmanager_secret_version retrieves information based on the AWSCURRENT label (a.k.a. the latest version):

    data "aws_secretsmanager_secret" "secrets" {
      arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my_secrety_name-123456"
    }

    data "aws_secretsmanager_secret_version" "current" {
      secret_id = data.aws_secretsmanager_secret.secrets.id
    }

And use data.aws_secretsmanager_secret_version.current.secret_string to get the secret. If you want to retrieve a specific value inside that secret like DATABASE_URL you can use the built-in function jsondecode:

    jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["DATABASE_URL"]
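The following is an added, complete example (not code from the answer above) that builds on the same two data sources: it looks the secret up by name rather than ARN, reads both the AWSCURRENT and the AWSPREVIOUS staging labels, decodes the JSON body and feeds the fields into a resource. The secret name `prod/app/db`, the JSON keys `username` and `password`, and the RDS settings are assumptions for illustration.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Locate the secret by its friendly name (assumed name) instead of a hard-coded ARN.
data "aws_secretsmanager_secret" "db" {
  name = "prod/app/db"
}

# With no version_stage/version_id set, the version labelled AWSCURRENT is returned.
data "aws_secretsmanager_secret_version" "current" {
  secret_id = data.aws_secretsmanager_secret.db.id
}

# Pinning a staging label (or a version_id) lets you read the pre-rotation value,
# e.g. while rolling back a failed rotation. AWSPREVIOUS only exists after a rotation.
data "aws_secretsmanager_secret_version" "previous" {
  secret_id     = data.aws_secretsmanager_secret.db.id
  version_stage = "AWSPREVIOUS"
}

locals {
  # Assumed secret body: {"username":"app","password":"..."} (a JSON string).
  db_creds = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)
}

# Use the decoded fields directly; Terraform keeps them marked as sensitive.
resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = local.db_creds["username"]
  password            = local.db_creds["password"]
  skip_final_snapshot = true
}
```

Two practitioner caveats: the data source stores `secret_string` in plaintext in the Terraform state, so the state backend must be encrypted and access-restricted as carefully as the secret itself; and because data sources are re-read on every plan, the principal running Terraform needs `secretsmanager:GetSecretValue` on that secret at plan time, not only at apply time.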
86 votes

Please note that Terraform 0.14 added the ability to redact sensitive values in console output.

Therefore, if you are using Terraform > 0.14, you will have to use the nonsensitive function to expose the actual secret value.

The nonsensitive function takes a sensitive value and returns a copy of that value with the sensitive marking removed, thereby exposing the actual value.

    data "aws_secretsmanager_secret" "secrets" {
      arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my_secrety_name-123456"
    }

    data "aws_secretsmanager_secret_version" "current" {
      secret_id = data.aws_secretsmanager_secret.secrets.id
    }

    output "sensitive_example_hash" {
      value = jsondecode(nonsensitive(data.aws_secretsmanager_secret_version.current.secret_string))
    }
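As an added example (not part of the answer above), the same lookup written so that only genuinely non-secret fields are unmarked: the decoded map inherits the sensitive marking from `secret_string`, the password output keeps it via `sensitive = true`, and `nonsensitive()` is applied only to the username. The secret name `prod/app/db` and the JSON keys `username` and `password` are assumptions.

```hcl
# secret_id accepts either the ARN or the friendly name of the secret (assumed name).
data "aws_secretsmanager_secret_version" "current" {
  secret_id = "prod/app/db"
}

locals {
  # jsondecode() of a sensitive string returns a map that is itself sensitive,
  # so every element is redacted in plan/apply output unless explicitly unmarked.
  creds = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)
}

# Keep the secret marked: Terraform redacts it in plan and apply output and
# refuses to emit an unmarked sensitive value from an output without this flag.
output "db_password" {
  value     = local.creds["password"]
  sensitive = true
}

# Unmark only the field that is not actually secret; a username is a reasonable
# candidate, a password or token never is.
output "db_username" {
  value = nonsensitive(local.creds["username"])
}
```

Redaction is a display control, not a storage control: the value is still written in cleartext to the state file, and `terraform output -raw db_password` prints it on request, so anyone with read access to the state or the CLI can recover it.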
76 votes

aws_secretsmanager_secret is an AWS Secrets Manager secret object, but a secret can have multiple versions, and the values are stored in the versions, not in the parent secret object.

So this is what you're looking for instead: https://www.terraform.io/docs/providers/aws/r/secretsmanager_secret_version.html (it describes how to get the value of the secret version, i.e. aws_secretsmanager_secret_version.example.secret_string).

70 votes

Instead of hardcoding the ARN or the AWS account ID:

    data "aws_secretsmanager_secret" "example_secret" {
      name = "<secret_name>" # As stored in AWS Secrets Manager
    }

    # Give a meaningful name to the version for easy identification
    # if multiple secrets are present
    data "aws_secretsmanager_secret_version" "example_latest_ver" {
      secret_id = data.aws_secretsmanager_secret.example_secret.id
    }

And simply refer to this in your code as data.aws_secretsmanager_secret_version.example_latest_ver.secret_string

To find out the current AWS account ID, use ${data.aws_caller_identity.current.account_id}
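An added example (not from the answer above) of what the account ID and region data sources are typically used for alongside a name-based lookup: a least-privilege IAM policy that lets the principal running `terraform plan` read exactly one secret. The secret name `prod/app/db` and the policy name are assumptions; the `-??????` suffix in the resource ARN is the pattern AWS documents for matching the random six-character suffix that Secrets Manager appends to name-based secret ARNs.

```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Name-based lookup (assumed secret name), as in the answer above.
data "aws_secretsmanager_secret" "example_secret" {
  name = "prod/app/db"
}

data "aws_secretsmanager_secret_version" "example_latest_ver" {
  secret_id = data.aws_secretsmanager_secret.example_secret.id
}

# Read-only access to this one secret for the identity that runs Terraform.
# DescribeSecret is what the aws_secretsmanager_secret data source needs;
# GetSecretValue is what aws_secretsmanager_secret_version needs.
data "aws_iam_policy_document" "read_one_secret" {
  statement {
    sid = "ReadOneSecret"
    actions = [
      "secretsmanager:DescribeSecret",
      "secretsmanager:GetSecretValue",
    ]
    resources = [
      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:prod/app/db-??????",
    ]
  }
}

resource "aws_iam_policy" "read_one_secret" {
  name   = "terraform-read-prod-app-db" # assumed policy name
  policy = data.aws_iam_policy_document.read_one_secret.json
}
```

If the secret is encrypted with a customer-managed KMS key rather than the AWS-managed `aws/secretsmanager` key, the same principal also needs `kms:Decrypt` on that key; scoping the policy to the secret's ARN rather than `secret:*` is what keeps a compromised CI role from reading every secret in the account.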
