Secure Secrets Management in Terraform Part1: Leveraging AWS KMS
- z4ck404
- Aws kms , Terraform , Secure development
- November 17, 2024
Secure Secrets Management in Terraform — Part1: Leveraging AWS KMS
One of the key principles of modern Infrastructure as Code is the secure management of sensitive information. In thins first part of our series about secure secrets management in Terraform/OpenTofu, we will focus on the use of AWS Key Management Service, better known as KMS, to securely encrypt and manage secrets with Terraform/OpenTofu.
Prerequisites
- AWS Account with appropriate permissions
- Terraform/OpenTofu installed
- AWS CLI configured
AWS KMS
First, let’s create a KMS key with proper permissions and configurations:
resource "aws_kms_key" "secrets_key" {
description = "KMS key for encrypting application secrets"
deletion_window_in_days = 7
enable_key_rotation = true
}
resource "aws_kms_alias" "secrets_key_alias" {
name = "alias/awsmorocco-key"
target_key_id = aws_kms_key.secrets_key.key_id
}
resource "aws_kms_key_policy" "example" {
key_id = aws_kms_key.secrets_key.id
policy = jsonencode({
Id = "example"
Statement = [
{
Action = "kms:*"
Effect = "Allow"
Principal = {
AWS = "*"
}
Resource = "*"
Sid = "Enable IAM User Permissions"
},
]
Version = "2012-10-17"
})
}
After applying this configuration, you can find the key in the AWS Console under KMS > Customer managed keys :
Encrypting Secrets with AWS CLI
Now that we have our KMS key set up, we can use it to encrypt sensitive values using the AWS CLI:
aws kms encrypt \
--key-id alias/awsmorocco-key \
--plaintext fileb://<(echo -n "my-super-secret-password") \
--output text \
--query CiphertextBlob \
--region us-east-1
This command will output a base64-encoded encrypted string that you can safely store in your Terraform configurations
Using Encrypted Values in Terraform:
Create variables to store the encrypted values:
# variables.tf
variable "encrypted_db_password" {
description = "KMS encrypted database password"
type = string
default = "AQICAHhw31bEpV7TSsANCrrf6ZKimnQvVlNeIPn2xFDmUQPjOAGLFV0lcS4XiuwfqRIC1YI+AAAAdjB0BgkqhkiG9w0BBwagZzBlAgEAMGAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM/MZEgbuuMwVNBHJ1AgEQgDNUMmkSJO/f1t5w5JIWLc2MmGyU4/Az5IypmMuTTShUqRArmYsyzvA/G54jekuCyip7VmA="
# the best way is to use a valuesfiles: terraform.tfvars
# encrypted_db_password = "AQICAHhw31bEpV7TSsANCrrf6ZKimnQvVlNeIPn2xFDmUQPjOAGLFV0lcS4XiuwfqRIC1YI+AAAAdjB0BgkqhkiG9w0BBwagZzBlAgEAMGAGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM/MZEgbuuMwVNBHJ1AgEQgDNUMmkSJO/f1t5w5JIWLc2MmGyU4/Az5IypmMuTTShUqRArmYsyzvA/G54jekuCyip7VmA="
}
variable "encrypted_api_key" {
type = string
default = ""
}
Create data sources to decrypt the values:
### data sources
data "aws_kms_secrets" "application_secrets" {
secret {
name = "db_password"
payload = var.encrypted_db_password
}
# You can decrypt multiple secrets in one block
# secret {
# name = "api_key"
# payload = var.encrypted_api_key
# }
}
# Access the decrypted value
locals {
db_password = data.aws_kms_secrets.application_secrets.plaintext["db_password"]
#api_key = data.aws_kms_secrets.application_secrets.plaintext["api_key"]
}
Use the decrypted values in your resources:
### Provision resources and provide the decrypted values
resource "aws_db_instance" "db" {
identifier = "awsmorocco-db"
engine = "mysql"
instance_class = "db.t3.micro"
username = "awsmorocco-admin-user-1"
password = local.db_password # Using the decrypted
parameter_group_name = "default.mysql8.0"
skip_final_snapshot = true
allocated_storage = 10
}
Best Practices for KMS Usage
1 — Key Rotation
- Enable automatic key rotation as we did in our configuration
- Consider using different keys for different environments
2 — Access Control
- Implement least-privilege access in your key policies
- Use separate keys for different applications or services
3 — Monitoring
- Enable AWS CloudTrail to audit KMS key usage
- Set up alerts for unauthorized access attempts
4 — Security
- Never store unencrypted sensitive values in version control
- Use separate key aliases for different environments
- Implement proper backup and recovery procedures
Next Steps
In Part 2 of this series, we’ll explore how to integrate AWS Secrets Manager with our KMS setup for more advanced secrets management capabilities.
Conclusion
Using AWS KMS with Terraform provides a secure way to manage encrypted secrets in your infrastructure code. By following these practices, you can ensure that your sensitive data remains protected while still being accessible to your authorized applications and services.
ℹ️ Terraform code is available here
Secure Secrets Management in Terraform — Part1: Leveraging AWSKMS was originally published in AWSMorocco on Medium, where people are continuing the conversation by highlighting and responding to this story.
