How to create Secrets in AWS Secrets Manager using Terraform in Amazon account.

Are you saving your passwords in text files or configuration files or deployment files while deploying in Amazon AWS accounts? That’s very very risking but no worries you have come to the right place to learn and use AWS secrets which solves all your security concerns and encrypts all of your stored passwords and decrypt only while retrieving them.

Table of content

  1. What is AWS Secrets and Secret Manager?
  2. Prerequisites
  3. How to Install Terraform on Ubuntu 18.04 LTS
  4. Terraform Configuration Files and Structure
  5. Configure Terraform File to Create AWS Secrets and Secrets versions on AWS
  6. Create Postgres database using terraform with database master account credentials as AWS Secrets
  7. Conclusion

What are AWS Secrets?

There was a time when all the passwords of databases or applications were kept in configuration files. Although they are kept secure at the same time they can be compromised if not taken care of. If you are required to update the credentials it use to take tons of hours to apply those changes at every single file and if you miss any of the files it can cause the entire application to get down immediately.

Now here comes an AWS service that manages all the above issues with Secrets manager by retrieving the password programmatically. Another major benefit of using AWS secrets is it can rotate your credentials at any schedule defined by you.

We are using AWS Secrets Manager so that we can keep our main and important Passwords safe and secure.

The application connects with Secret Manager to retrieve secrets and then connects with database

Prerequisites

  • Ubuntu machine to run terraform preferably 18.04 version + , if you don’t have any machine you can create a ec2 instance on AWS account or AWS Account
  • Recommended to have 4GB RAM
  • At least 5GB of drive space
  • Ubuntu machine should have IAM role attached with full access to create AWS secrets or it is always great to have administrator permissions to work with demo’s.

You may incur a small charge for creating an EC2 instance on Amazon Managed Web Service.

How to Install Terraform on Ubuntu 18.04 LTS

  • Update your already existing system packages.
sudo apt update
  • Download the latest version of terraform in opt directory
wget https://releases.hashicorp.com/terraform/0.14.8/terraform_0.14.8_linux_amd64.zip
This image has an empty alt attribute; its file name is image-163.png
  • Install zip package which will be required to unzip
sudo apt-get install zip -y
  • unzip the Terraform download zip file
unzip terraform*.zip
  • Move the executable to executable directory
sudo mv terraform /usr/local/bin
  • Verify the terraform by checking terraform command and version of terraform
terraform               # To check if terraform is installed 
terraform -version      # To check the terraform version  
This image has an empty alt attribute; its file name is image-164.png
  • This confirms that terraform has been successfully installed on ubuntu 18.04 machine.
This image has an empty alt attribute; its file name is image-165.png

Terraform Configuration Files and Structure

Let us first understand terraform configuration files before running Terraform commands.

  • main.tf : This file contains code that create or import other AWS resources.
  • vars.tf : This file defines variable types and optionally set the values.
  • output.tf: This file helps in generating of the output of AWS resources .The output is generated after the terraform apply command is executed.
  • terraform.tfvars: This file contains the actual values of variables which we created in vars.tf
  • provider.tf: This file is very important . You need to provide the details of providers such as AWS , Oracle or Google etc. so that terraform can make the communication with the same provider and then work with resources.

Configure Terraform File to Create AWS Secrets and Secrets versions on AWS

Now, Let’s create terraform configuration files that will be required to create secrets.

  • Create a folder in opt directory and name it as terraform-demo-secrets and create a file and name it as main.tf.
# Firstly we will create a random generated password which we will use in secrets.

resource "random_password" "password" {
  length           = 16
  special          = true
  override_special = "_%@"
}


# Now create secret and secret versions for database master account 

resource "aws_secretsmanager_secret" "secretmasterDB" {
   name = "Masteraccoundb"
}

resource "aws_secretsmanager_secret_version" "sversion" {
  secret_id = aws_secretsmanager_secret.secretmasterDB.id
  secret_string = <<EOF
   {
    "username": "adminaccount",
    "password": "${random_password.password.result}"
   }
EOF
}

# Lets import the Secrets which got created recently and store it so that we can use later. 

data "aws_secretsmanager_secret" "secretmasterDB" {
  arn = aws_secretsmanager_secret.secretmasterDB.arn
}

data "aws_secretsmanager_secret_version" "creds" {
  secret_id = data.aws_secretsmanager_secret.secretmasterDB.arn
}

# After Importing the secrets Storing the Imported Secrets into Locals

locals {
  db_creds = jsondecode(
  data.aws_secretsmanager_secret_version.creds.secret_string
   )
}
  • Create another file and name it as provider.tf
provider "aws" {
  region = "us-east-2"
}
  • Now your files and code are ready for execution . Initialize the terraform
terraform init
  • Terraform initialized successfully , now its time to see the plan which is kind of blueprint before deployment. We generally use plan to confirm if correct resources is going to provisioned or deleted.
terraform plan
  • After verification , now its time to actually deploy the code using apply.
terraform apply
  • Now Open your AWS account and search for AWS Secrets Manager. As you can see the secret has been created succesfully. Click on the secret which we created . In our case it was Masteraccoundb and scroll little down .
  • Click on Retrieve secret value
  • You can see the secrets keys and values are succesfully added.

We can see that secrets got created successfully using terraform. The next step is to use these secrets as credentials for the database master account while creating the database.

Create Postgres database using terraform with database master account credentials as AWS Secrets

  • Open the same main.tf again and paste the below code at the bottom
resource "aws_rds_cluster" "main" { 
  cluster_identifier = "democluster"
  database_name = "maindb"
  master_username = local.db_creds.username
  master_password = local.db_creds.password
  port = 5432
  engine = "aurora-postgresql"
  engine_version = "11.6"
  db_subnet_group_name = "dbsubntg"  # Make sure you create this before manually
  storage_encrypted = true 
}


resource "aws_rds_cluster_instance" "main" { 
  count = 2
  identifier = "myinstance-${count.index + 1}"
  cluster_identifier = "${aws_rds_cluster.main.id}"
  instance_class = "db.r4.large"
  engine = "aurora-postgresql"
  engine_version = "11.6"
  db_subnet_group_name = "dbsubntg"
  publicly_accessible = true 
}
  • This time you can directly run apply command as this is demo version , although its recommend to run terraform init then plan and then apply.
terraform apply
  • Now go to AWS RDS service on Amazon account and check the Postgres cluster
  • Now click on democluster and then hop over to configurations.

Conclusion

In this tutorial, we demonstrated AWS Secrets Manager and learned how to create AWS secrets, and later created a Postgres database utilizing AWS secrets as master account credentials.

Hope this tutorial will help you in understanding the terraform and provisioning the AWS secrets on the Amazon cloud. Please share with your friends