How to create Secrets in AWS Secrets Manager using Terraform in an Amazon account


Are you saving your passwords in text files, configuration files or deployment files while deploying to Amazon AWS accounts? That is very risky, but no worries: you have come to the right place to learn and use AWS Secrets Manager, which solves these security concerns by encrypting every stored password and decrypting it only when it is retrieved.

Table of contents

  1. What is AWS Secrets and Secret Manager?
  2. Prerequisites
  3. How to Install Terraform on Ubuntu 18.04 LTS
  4. Terraform Configuration Files and Structure
  5. Configure Terraform File to Create AWS Secrets and Secrets versions on AWS
  6. Create Postgres database using terraform with database master account credentials as AWS Secrets
  7. Conclusion

What is AWS Secrets?

There was a time when all the passwords for databases or applications were kept in configuration files. Although they are kept secure, they can still be compromised if not taken care of. If you needed to update the credentials, it used to take hours to apply those changes in every single file, and if you missed any one file it could bring the entire application down immediately.

AWS Secrets Manager is the AWS service that addresses all of the above issues by letting applications retrieve passwords programmatically. Another major benefit of AWS Secrets Manager is that it can rotate your credentials on any schedule you define.

We are using AWS Secrets Manager so that we can keep our main and important passwords safe and secure.

The application connects to Secrets Manager to retrieve the secret and then connects to the database.

Prerequisites

  • An Ubuntu machine to run Terraform, preferably version 18.04 or later; if you don't have a machine, you can create an EC2 instance in your AWS account.
  • 4 GB of RAM is recommended.
  • At least 5 GB of drive space.
  • The Ubuntu machine should have an IAM role attached with full access to create AWS secrets; it is always easiest to have administrator permissions when working with demos.

You may incur a small charge for creating an EC2 instance on Amazon Web Services.

How to Install Terraform on Ubuntu 18.04 LTS

  • Update your existing system packages.
sudo apt update
  • Download Terraform (version 0.14.8 is used here) into the /opt directory.
wget https://releases.hashicorp.com/terraform/0.14.8/terraform_0.14.8_linux_amd64.zip
  • Install the zip package, which is required to unzip the archive.
sudo apt-get install zip -y
  • Unzip the downloaded Terraform archive.
unzip terraform*.zip
  • Move the executable into a directory on your PATH.
sudo mv terraform /usr/local/bin
  • Verify the installation by running the terraform command and checking its version.
terraform               # To check if terraform is installed

terraform -version      # To check the terraform version
  • This confirms that Terraform has been successfully installed on the Ubuntu 18.04 machine.

Terraform Configuration Files and Structure

Let us first understand terraform configuration files before running Terraform commands.

  • main.tf: This file contains the code that creates or imports AWS resources.
  • vars.tf: This file declares variables and their types and optionally sets default values.
  • output.tf: This file defines the outputs of the AWS resources. The outputs are shown after the terraform apply command has executed.
  • terraform.tfvars: This file contains the actual values of the variables declared in vars.tf.
  • provider.tf: This file is very important. Here you provide the details of providers such as AWS, Oracle or Google so that Terraform can communicate with that provider and work with its resources.

Configure Terraform File to Create AWS Secrets and Secrets versions on AWS

Now, let's create the Terraform configuration files required to create the secrets.

  • Create a folder in the /opt directory, name it terraform-demo-secrets, and create all the files under this folder.

main.tf

# First we create a randomly generated password, which we will store in the secret.
# Note: the generated value (like every resource attribute) is written to the
# Terraform state file, so keep the state in a protected, encrypted backend.

resource "random_password" "password" {
  length           = 16
  special          = true
  override_special = "_%@"
}

# Now create the secret and a secret version for the database master account.

resource "aws_secretsmanager_secret" "secretmasterDB" {
  name = "Masteraccoundb"
}

resource "aws_secretsmanager_secret_version" "sversion" {
  secret_id = aws_secretsmanager_secret.secretmasterDB.id
  # jsonencode() produces the same JSON document as a hand-written heredoc
  # and guarantees the password is properly escaped.
  secret_string = jsonencode({
    username = "adminaccount"
    password = random_password.password.result
  })
}

# Read the secret we just created back through data sources so we can use it later.

data "aws_secretsmanager_secret" "secretmasterDB" {
  arn = aws_secretsmanager_secret.secretmasterDB.arn
}

data "aws_secretsmanager_secret_version" "creds" {
  secret_id = data.aws_secretsmanager_secret.secretmasterDB.arn
  # Without this, Terraform may read the secret before the version exists
  # and fail on the first apply because the secret has no versions yet.
  depends_on = [aws_secretsmanager_secret_version.sversion]
}

# After reading the secret, decode the JSON string into a local value.

locals {
  db_creds = jsondecode(
    data.aws_secretsmanager_secret_version.creds.secret_string
  )
}

provider.tf

provider "aws" {
  region = "us-east-2"
}
  • Now your files and code are ready for execution. Initialize Terraform:
terraform init
  • Terraform initialized successfully; now it's time to see the plan, which is a blueprint of the deployment. We generally use plan to confirm which resources are going to be provisioned or deleted.
terraform plan
  • After verification, it's time to actually deploy the code using apply.
terraform apply
  • Now open your AWS account and search for AWS Secrets Manager.
  • Click on the secret we created (in our case it was Masteraccoundb) and scroll down a little.
  • Click on Retrieve secret value.

We can see that the secret was created successfully using Terraform. The next step is to use this secret as the database master account credentials while creating the database.
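The diagram caption earlier describes the runtime side of this setup: the application retrieves the secret from Secrets Manager and only then connects to the database. The following Python example is added here and is not part of the original tutorial; it assumes the secret is named Masteraccoundb and holds the {"username", "password"} JSON that main.tf writes, uses the real boto3 get_secret_value() call, and injects a constructed fake client so it can run offline. Compared with the jsondecode() step in the Terraform code, it also validates the secret's shape and keeps the password out of logs.

```python
"""Retrieve the DB master credentials the tutorial stores in Secrets Manager.

Added example, not part of the original tutorial. Assumes the secret is named
"Masteraccoundb" (the name used in main.tf) and contains a JSON object with
"username" and "password" keys.
"""
import json
from dataclasses import dataclass

try:
    import boto3  # real AWS SDK; optional so the example also runs offline
except ImportError:
    boto3 = None

SECRET_ID = "Masteraccoundb"  # secret name from the tutorial's main.tf


@dataclass(frozen=True, repr=False)
class DbCredentials:
    username: str
    password: str

    def __repr__(self) -> str:
        # Never echo the password in logs, tracebacks or debug output.
        return f"DbCredentials(username={self.username!r}, password='***')"


class SecretFormatError(ValueError):
    """The stored secret is not the JSON object the application expects."""


def parse_db_secret(secret_string: str) -> DbCredentials:
    """Equivalent of jsondecode() in main.tf, plus validation of the keys."""
    try:
        doc = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise SecretFormatError(f"secret is not valid JSON: {exc.msg}") from exc
    if not isinstance(doc, dict):
        raise SecretFormatError("secret JSON must be an object")
    missing = [k for k in ("username", "password") if not doc.get(k)]
    if missing:
        raise SecretFormatError(f"secret is missing keys: {missing}")
    return DbCredentials(username=str(doc["username"]), password=str(doc["password"]))


def fetch_db_credentials(client, secret_id: str = SECRET_ID) -> DbCredentials:
    """Fetch the current version of the secret and parse it.

    `client` is any object exposing boto3's get_secret_value(SecretId=...),
    so a fake client can be injected for offline use.
    """
    resp = client.get_secret_value(SecretId=secret_id)
    if "SecretString" not in resp:
        # Secrets Manager can also hold binary secrets; the tutorial stores JSON text.
        raise SecretFormatError("secret has no SecretString (binary secret?)")
    return parse_db_secret(resp["SecretString"])


class FakeSecretsManager:
    """Constructed stand-in for boto3.client('secretsmanager'), for offline runs."""

    def __init__(self, secrets: dict):
        self._secrets = secrets

    def get_secret_value(self, SecretId: str) -> dict:
        if SecretId not in self._secrets:
            raise KeyError(f"ResourceNotFoundException: {SecretId}")
        return {"Name": SecretId, "SecretString": self._secrets[SecretId]}


# Constructed sample secrets, shaped like the value main.tf writes.
SAMPLE_SECRETS = {
    SECRET_ID: json.dumps({"username": "adminaccount", "password": "p%ssw0rd_example"}),
    "broken": "not json",
}


def demo() -> DbCredentials:
    """Offline run against the fake client; returns the parsed credentials."""
    client = FakeSecretsManager(SAMPLE_SECRETS)
    creds = fetch_db_credentials(client)
    print(creds)  # password is masked by __repr__
    return creds


if __name__ == "__main__":
    # Against a real account (region from the tutorial's provider.tf):
    # fetch_db_credentials(boto3.client("secretsmanager", region_name="us-east-2"))
    demo()
```

The dependency-injected client is what makes the retrieval path testable without network access; in the real application the caller passes a boto3 client, and the IAM role attached to the instance (see the prerequisites) only needs secretsmanager:GetSecretValue on this one secret.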

Create Postgres database using terraform with database master account credentials as AWS Secrets

  • Open the same main.tf again and paste the code below at the bottom.
resource "aws_rds_cluster" "main" {
  cluster_identifier   = "democluster"
  database_name        = "maindb"
  master_username      = local.db_creds.username
  master_password      = local.db_creds.password
  port                 = 5432
  engine               = "aurora-postgresql"
  engine_version       = "11.6"
  db_subnet_group_name = "dbsubntg"   # create this DB subnet group manually beforehand
  storage_encrypted    = true
}

resource "aws_rds_cluster_instance" "main" {
  count                = 2
  identifier           = "myinstance-${count.index + 1}"
  cluster_identifier   = aws_rds_cluster.main.id
  instance_class       = "db.r4.large"
  engine               = "aurora-postgresql"
  engine_version       = "11.6"
  db_subnet_group_name = "dbsubntg"
  publicly_accessible  = true   # demo setting only; keep database instances private in real deployments
}
  • This time you can run the apply command directly since this is a demo, although it is recommended to run terraform init, then plan, and then apply.
terraform apply
  • Now go to the AWS RDS service in your Amazon account and check the Postgres cluster.
  • Click on democluster and then hop over to Configuration.
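The plan step above is where you confirm what is about to be provisioned, and the two RDS settings worth confirming in this tutorial's code are publicly_accessible on the instances and storage_encrypted on the cluster. The script below is an added example, not part of the tutorial: it reads the JSON that terraform show -json tfplan emits (assumed layout: resource_changes[].change.after) and reports instances that will be publicly reachable or clusters that will not be encrypted. The embedded sample plan is constructed to match the tutorial's resources.

```python
"""Scan a `terraform show -json` plan for risky RDS settings.

Added example, not from the tutorial. Assumes the plan JSON layout produced by
`terraform show -json <planfile>` (resource_changes[].change.after). Values that
are unknown until apply appear as null in "after", so they are skipped.
"""
import json
import sys

# Constructed sample: roughly what `terraform show -json` would report for the
# tutorial's aws_rds_cluster / aws_rds_cluster_instance resources.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {
            "address": "aws_rds_cluster.main",
            "type": "aws_rds_cluster",
            "change": {"actions": ["create"],
                       "after": {"cluster_identifier": "democluster",
                                 "storage_encrypted": True}},
        },
        {
            "address": "aws_rds_cluster_instance.main[0]",
            "type": "aws_rds_cluster_instance",
            "change": {"actions": ["create"],
                       "after": {"identifier": "myinstance-1",
                                 "publicly_accessible": True}},
        },
        {
            "address": "aws_rds_cluster_instance.main[1]",
            "type": "aws_rds_cluster_instance",
            "change": {"actions": ["create"],
                       "after": {"identifier": "myinstance-2",
                                 "publicly_accessible": False}},
        },
        {
            "address": "aws_secretsmanager_secret.secretmasterDB",
            "type": "aws_secretsmanager_secret",
            "change": {"actions": ["no-op"],
                       "after": {"name": "Masteraccoundb"}},
        },
    ],
})


def find_rds_findings(plan: dict) -> list:
    """Return (address, message) pairs for RDS resources the plan leaves exposed."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" in actions and "create" not in actions:
            continue  # resource is being destroyed; nothing to check
        after = change.get("after") or {}
        rtype = rc.get("type")
        # Instance reachable from the internet (the tutorial's demo setting).
        if rtype == "aws_rds_cluster_instance" and after.get("publicly_accessible") is True:
            findings.append((rc["address"], "publicly_accessible = true"))
        # Cluster storage not encrypted at rest (None means unknown until apply).
        if rtype == "aws_rds_cluster" and after.get("storage_encrypted") is False:
            findings.append((rc["address"], "storage_encrypted = false"))
    return findings


def check_plan_text(plan_json: str) -> list:
    """Parse plan JSON text and return the findings."""
    return find_rds_findings(json.loads(plan_json))


if __name__ == "__main__":
    # Usage: terraform plan -out tfplan && terraform show -json tfplan > plan.json
    #        python check_plan.py plan.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    for address, msg in check_plan_text(text):
        print(f"{address}: {msg}")
```

Run against the sample it flags only myinstance-1, the instance with publicly_accessible set to true; wiring the same check into CI before terraform apply turns the "confirm the plan" step into something that fails closed instead of relying on someone reading the plan output.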

Conclusion

In this tutorial, we demonstrated AWS Secrets Manager, learnt how to create AWS secrets with Terraform, and then created a Postgres database that uses those secrets as its master account credentials.

Hope this tutorial helps you understand Terraform and provisioning AWS secrets on the Amazon cloud. Please share it with your friends.
