Move secret out of Lambda function #20

Open
johnmikee opened this issue Sep 21, 2021 · 3 comments
Comments

@johnmikee
Contributor

I put together a variation of this module that moves the secret from sitting in plain text in the Lambda function to Amazon Secrets Manager. Since this is a decent-sized change in architecture I was curious if you would be interested in a PR or not.

@stilljake
Contributor

I would vote against this idea. We can already decide how we want to pass the secrets via the parent module. Some people may want to pass them as env vars or use another secrets store (Vault, GCP, etc.). To me it seems like this would remove all of those options.

@grahamgilbert
Owner

Considering the password sits on all of your endpoints unencrypted, I would think it being accessible from your AWS console / Terraform state would be the least of your worries if you have actual things to protect in there.

@johnmikee
Contributor Author

> I would vote against this idea. We can already decide how we want to pass the secrets via the parent module. Some people may want to pass them as env vars or use another secrets store (Vault, GCP, etc.). To me it seems like this would remove all of those options.

That's a valid point. This is cut from a large piece of the module, but you could see where you could pull the password from and pass it to the `aws_secretsmanager_secret_version` resource instead of using a `random_password` resource.

```hcl
# Generated password. To supply your own instead (for example from the parent
# module), replace the reference in the secret version below with that value.
resource "random_password" "password" {
  length  = 20
  special = true
}

resource "aws_secretsmanager_secret" "munki_password" {
  name = var.secret_name
}

# Store username and password as one JSON document. jsonencode escapes the
# values, so a password containing quotes cannot break the document.
resource "aws_secretsmanager_secret_version" "sversion" {
  secret_id = aws_secretsmanager_secret.munki_password.id
  secret_string = jsonencode({
    username = var.username
    password = random_password.password.result
  })
}

data "aws_secretsmanager_secret" "munki_password" {
  arn = aws_secretsmanager_secret.munki_password.arn
}

# Read the current version back. Without depends_on nothing orders this read
# after the version above has been written, so a first apply may fail because
# the secret has no AWSCURRENT version yet.
data "aws_secretsmanager_secret_version" "creds" {
  secret_id  = data.aws_secretsmanager_secret.munki_password.arn
  depends_on = [aws_secretsmanager_secret_version.sversion]
}

locals {
  munki_creds = jsondecode(
    data.aws_secretsmanager_secret_version.creds.secret_string
  )
}
```

> Considering the password sits on all of your endpoints unencrypted, I would think it being accessible from your AWS console / Terraform state would be the least of your worries if you have actual things to protect in there.

I agree with you. This came as a result of an ask from security to change that. 100% necessary? No. Exercise in futility? Maybe. I'll probably just throw it on my page for anyone who wants to try it that way, but wanted to run it by you first since it's 80% based on this module.
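As an added illustration, not code from this issue or from the module it discusses, here is the function-side counterpart of the Terraform above: a handler that reads the `{"username", "password"}` JSON from Secrets Manager at runtime instead of carrying the values in its source, caches the lookup so each invocation does not call the API, and compares the presented credentials in constant time. It assumes the function validates an HTTP Basic `Authorization` header (the thread only says the password is used by endpoints); the secret name, the injectable `client` parameter and the `StubSecretsManager` are assumptions or constructed for offline use, and a real deployment would pass the boto3 client.

```python
import base64
import hmac
import json
import time

# Hypothetical secret name; in a real function take it from configuration.
SECRET_ID = "munki-repo/basic-auth"
CACHE_TTL_SECONDS = 300

# Module-level cache survives across warm invocations of the same function instance.
_cache = {"creds": None, "expires_at": 0.0}


def load_credentials(client, secret_id=SECRET_ID, now=None):
    """Return {"username", "password"} from Secrets Manager, cached for CACHE_TTL_SECONDS.

    `client` is anything with get_secret_value(SecretId=...): boto3's Secrets
    Manager client in production, a stub in tests. `now` is injectable for testing.
    """
    now = time.time() if now is None else now
    if _cache["creds"] is not None and now < _cache["expires_at"]:
        return _cache["creds"]
    resp = client.get_secret_value(SecretId=secret_id)
    creds = json.loads(resp["SecretString"])  # same JSON shape the Terraform writes
    if not {"username", "password"} <= creds.keys():
        raise ValueError("secret is missing username/password keys")
    _cache["creds"] = creds
    _cache["expires_at"] = now + CACHE_TTL_SECONDS
    return creds


def build_basic_header(username, password):
    """Encode credentials as a Basic Authorization header value (for tests and docs)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_basic_auth(authorization_header, creds):
    """True only if the header carries exactly the expected username and password."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    # Split on the first colon only: RFC 7617 allows colons inside the password.
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons unconditionally so timing does not reveal
    # whether the username or the password was the wrong part.
    user_ok = hmac.compare_digest(user.encode("utf-8"), creds["username"].encode("utf-8"))
    pw_ok = hmac.compare_digest(password.encode("utf-8"), creds["password"].encode("utf-8"))
    return user_ok and pw_ok


def boto3_client():
    """Real client for use inside Lambda; import is deferred so this module loads offline."""
    import boto3
    return boto3.client("secretsmanager")


class StubSecretsManager:
    """Constructed stand-in that answers like get_secret_value and counts calls."""

    def __init__(self, username, password):
        self.calls = 0
        self._secret = json.dumps({"username": username, "password": password})

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": self._secret}


def handler(event, context=None, client=None):
    """Lambda entry point: 401 on missing or wrong credentials, 200 otherwise."""
    creds = load_credentials(client or boto3_client())
    headers = event.get("headers") or {}
    auth = headers.get("authorization") or headers.get("Authorization")
    if check_basic_auth(auth, creds):
        return {"statusCode": 200, "body": "ok"}
    return {
        "statusCode": 401,
        "headers": {"WWW-Authenticate": 'Basic realm="munki"'},
        "body": "unauthorized",
    }
```

The IAM side is the part that makes this worthwhile: the function's execution role needs `secretsmanager:GetSecretValue` on that one secret ARN only, which limits where the value can be read, whereas a value embedded in the function code is readable by anyone who can download the deployment package.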
