---
layout: "aws"
page_title: "AWS: aws_kms_secret"
sidebar_current: "docs-aws-datasource-kms-secret"
description: |-
  Provides secret data encrypted with the KMS service
---

# aws\_kms\_secret

The KMS secret data source allows you to use data encrypted with the AWS KMS
service within your resource definitions.

~> **NOTE**: Using this data provider will allow you to conceal secret data within your
resource definitions but does not take care of protecting that data in the
logging output, plan output or state output.

Please take care to secure your secret data outside of resource definitions.

## Example Usage

First, let's encrypt a password with KMS using the [AWS CLI
tools](http://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html). This
requires you to have your AWS CLI set up correctly, and you would replace the
key-id with your own.

```
$ printf 'master-password' > plaintext-password
$ aws kms encrypt \
> --key-id ab123456-c012-4567-890a-deadbeef123 \
> --plaintext fileb://plaintext-password \
> --encryption-context foo=bar \
> --output text --query CiphertextBlob
AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ==
```

Now, take that output and add it to your resource definitions.

```hcl
data "aws_kms_secret" "db" {
  secret {
    name    = "master_password"
    payload = "AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ=="

    context {
      foo = "bar"
    }
  }
}

resource "aws_rds_cluster" "rds" {
  master_username = "root"
  master_password = "${data.aws_kms_secret.db.master_password}"

  # ...
}
```

And your RDS cluster would have the root password set to "master-password".
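Because Terraform writes the decrypted values into state, as the note above warns, a useful defensive check is to scan a state file for them. The following Python is an added example, not part of the provider docs; it assumes the older version-3 state layout (modules, resources, primary.attributes) and uses a constructed sample state with placeholder values:

```python
import json

# Constructed sample Terraform state (assumed version-3 layout: modules -> resources ->
# primary.attributes) as it would look after applying the configuration above.
# All values are made up; "CIPHERTEXT-PLACEHOLDER" stands in for the real KMS payload.
SAMPLE_STATE = json.dumps({"version": 3, "modules": [{"path": ["root"], "resources": {
    "data.aws_kms_secret.db": {"type": "aws_kms_secret", "primary": {
        "id": "2017-01-29 22:01:38",
        "attributes": {
            "id": "2017-01-29 22:01:38",
            "secret.#": "1",
            "secret.0.name": "master_password",
            "secret.0.payload": "CIPHERTEXT-PLACEHOLDER",
            "master_password": "master-password",   # decrypted value, stored as plaintext
        }}},
    "aws_rds_cluster.rds": {"type": "aws_rds_cluster", "primary": {
        "id": "rds",
        "attributes": {
            "master_username": "root",
            "master_password": "master-password",   # copied in by the interpolation
        }}},
}}]})


def iter_attributes(state):
    """Yield (address, resource type, attribute key, value) for every resource in state."""
    for module in state.get("modules", []):
        for addr, res in module.get("resources", {}).items():
            for key, value in res.get("primary", {}).get("attributes", {}).items():
                yield addr, res.get("type"), key, value


def decrypted_secrets(state):
    """Return {exported name: plaintext} for every aws_kms_secret data source in state."""
    return {key: value for _addr, rtype, key, value in iter_attributes(state)
            if rtype == "aws_kms_secret" and key != "id" and not key.startswith("secret.")}


def plaintext_locations(state_json):
    """Map each decrypted secret name to every state attribute that holds its plaintext."""
    state = json.loads(state_json)
    secrets = decrypted_secrets(state)
    hits = {name: [] for name in secrets}
    for addr, _rtype, key, value in iter_attributes(state):
        for name, plain in secrets.items():
            if value == plain:
                hits[name].append(f"{addr}.{key}")
    return hits


if __name__ == "__main__": print(plaintext_locations(SAMPLE_STATE))
```

Running it against the sample reports the plaintext twice: once on the data source itself and once on the RDS cluster attribute it was interpolated into, which is exactly what ends up in your state backend.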

## Argument Reference

The following arguments are supported:

* `secret` - (Required) One or more encrypted payload definitions from the KMS
  service. See the Secret Definitions below.

### Secret Definitions

Each secret definition supports the following arguments:

* `name` - (Required) The name to export this secret under in the attributes.
* `payload` - (Required) Base64 encoded payload, as returned from a KMS encrypt
  operation.
* `context` - (Optional) An optional mapping that makes up the Encryption
  Context for the secret.
* `grant_tokens` - (Optional) An optional list of Grant Tokens for the secret.

For more information on `context` and `grant_tokens` see the [KMS
Concepts](http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html).

## Attributes Reference

Each `secret` defined is exported under its `name` as a top-level attribute.