Terraform: Retrieve Secrets from AWS Secrets Manager

Introduction
Step-by-Step Guide
Code Example
Additional Notes
Summary
Conclusion
References

Introduction

This guide demonstrates how to retrieve a secret stored in AWS Secrets Manager and utilize it within your Terraform configurations. You'll learn how to define the necessary data source, access the secret value securely, and incorporate it into your infrastructure deployments. The guide also covers important security considerations, versioning, permissions, and error handling to ensure robust and secure secret management within your Terraform workflows.

Step-by-Step Guide

To retrieve a secret from AWS Secrets Manager using Terraform, you can utilize the aws_secretsmanager_secret_version data source.

Define the data source: In your Terraform configuration file, define the aws_secretsmanager_secret_version data source. Specify the secret_id attribute with the ARN or name of your secret in AWS Secrets Manager.
```
data "aws_secretsmanager_secret_version" "example" {
  secret_id = "your-secret-name"
}
```
Access the secret value: The secret_string attribute of the data source contains the actual secret value. You can access it using the following syntax:
```
data.aws_secretsmanager_secret_version.example.secret_string
```
Use the secret value: You can now use the retrieved secret value in your Terraform resources or modules. For instance, you can pass it as an environment variable to an EC2 instance or use it as a database password.
```
resource "aws_instance" "example" {
  # ... other configurations ...

  environment = {
    DB_PASSWORD = data.aws_secretsmanager_secret_version.example.secret_string
  }
}
```

Important Considerations:

Security: Avoid hardcoding the secret value directly in your Terraform code. Instead, use variables, environment variables, or other secure methods to pass the secret ID to your Terraform configuration.
Versioning: By default, Terraform retrieves the latest version of the secret. If you need a specific version, you can specify the version_stage or version_id attribute in the data source configuration.
Permissions: Ensure that your Terraform execution environment has the necessary IAM permissions to access the Secrets Manager secret.
Error Handling: Implement error handling mechanisms to gracefully handle scenarios where the secret retrieval fails. This might involve using conditional logic or the try() function in Terraform.

Code Example

This Terraform code defines infrastructure on AWS. It configures the AWS provider and sets the region. It retrieves a secret value from AWS Secrets Manager and uses it as an environment variable (DB_PASSWORD) for a newly created EC2 instance. The instance is based on a specified AMI and has a tag with the name "Example EC2 Instance". Remember to replace placeholders for region, secret name, and AMI ID with your desired values. Ensure your environment has the necessary IAM permissions before running the code.

# Configure the AWS Provider
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

# Configure the AWS Region
provider "aws" {
  region = "your-aws-region" 
}

# Define the data source to retrieve the secret from AWS Secrets Manager
data "aws_secretsmanager_secret_version" "example" {
  secret_id = "your-secret-name"
}

# Create an EC2 instance using the retrieved secret as an environment variable
resource "aws_instance" "example" {
  ami           = "ami-0c55b31ad6e202306" # Replace with your desired AMI ID
  instance_type = "t2.micro"

  # Access the secret value and pass it as an environment variable
  environment = {
    DB_PASSWORD = data.aws_secretsmanager_secret_version.example.secret_string
  }

  # Add tags to the EC2 instance
  tags = {
    Name = "Example EC2 Instance"
  }
}

Explanation:

Provider Configuration: The code starts by configuring the AWS provider with the required region.
Data Source: The data "aws_secretsmanager_secret_version" "example" block defines a data source that fetches the secret value from AWS Secrets Manager. Replace "your-secret-name" with the actual name or ARN of your secret.
Secret Access: The data.aws_secretsmanager_secret_version.example.secret_string expression retrieves the secret value from the data source.
EC2 Instance: The resource "aws_instance" "example" block creates an EC2 instance.
Environment Variable: The environment block within the EC2 instance resource defines an environment variable named DB_PASSWORD. The value of this variable is set to the retrieved secret value.

Before Running:

Replace Placeholders: Update "your-aws-region" with your desired AWS region, "your-secret-name" with the name of your secret in AWS Secrets Manager, and "ami-0c55b31ad6e202306" with your desired AMI ID.
IAM Permissions: Ensure that your Terraform execution environment has the necessary IAM permissions to access Secrets Manager and create EC2 instances.

To Use:

Save the code as a .tf file (e.g., main.tf).
Run terraform init to initialize the provider.
Run terraform apply to create the resources.

This code demonstrates a basic example of retrieving a secret from AWS Secrets Manager and using it in an EC2 instance. You can adapt this pattern to use secrets in other resources or modules within your Terraform configuration.

Additional Notes

Best Practices and Security:

Principle of Least Privilege: Grant the minimal IAM permissions necessary to your Terraform execution role. This might involve creating a dedicated IAM role for Terraform with read-only access to specific secrets.
Rotation Strategies: Utilize Secrets Manager's built-in rotation features to automatically rotate your secrets periodically. Integrate Terraform with these rotations to ensure your applications are updated with the latest secret versions.
Secret Masking: When displaying Terraform output or logs, ensure sensitive secret values are masked or redacted to prevent accidental exposure.
Avoid Storing Secrets in State: While Terraform can store the secret value in its state file, it's generally recommended to avoid this. Instead, retrieve the secret dynamically during resource creation or updates.

Advanced Usage:

Dynamic Secret Selection: Use Terraform variables or conditional logic to dynamically select different secrets based on environments (e.g., development, staging, production).
Modules and Encapsulation: Encapsulate secret retrieval logic within reusable Terraform modules to promote code organization and simplify secret management across multiple projects.
Integration with Other Tools: Integrate Secrets Manager with other security and DevOps tools, such as CI/CD pipelines, configuration management systems, and monitoring solutions.

Troubleshooting:

Access Denied Errors: Verify your IAM permissions and ensure the Terraform execution environment has the necessary access to Secrets Manager.
Secret Not Found: Double-check the secret name or ARN used in your Terraform configuration. Ensure the secret exists in the correct AWS region.
Version Mismatch: If you're expecting a specific secret version, confirm that the version_stage or version_id attributes are correctly configured in your data source.

Alternatives:

AWS Parameter Store: For simpler use cases or storing configuration parameters, consider using AWS Parameter Store as a lightweight alternative to Secrets Manager.
HashiCorp Vault: For more advanced secret management features, such as dynamic secrets, secret leasing, and auditing, explore using HashiCorp Vault.

Remember that security is an ongoing process. Regularly review and update your secret management practices and Terraform configurations to incorporate best practices and address emerging threats.

Summary

This table summarizes how to retrieve secrets from AWS Secrets Manager using Terraform:

Step	Description	Terraform Code Example
1. Define Data Source	Use the `aws_secretsmanager_secret_version` data source to specify the secret you want to retrieve.	`terraform<br>data "aws_secretsmanager_secret_version" "example" {<br> secret_id = "your-secret-name"<br>}`
2. Access Secret Value	Access the secret value through the `secret_string` attribute of the data source.	`terraform<br>data.aws_secretsmanager_secret_version.example.secret_string`
3. Utilize Secret Value	Use the retrieved secret value in your Terraform resources or modules.	`terraform<br>resource "aws_instance" "example" {<br> # ... other configurations ...<br> environment = {<br> DB_PASSWORD = data.aws_secretsmanager_secret_version.example.secret_string<br> }<br>}`

Key Considerations:

Security: Never hardcode secret values directly in your code. Use secure methods like variables or environment variables to pass the secret ID.
Versioning: Specify the version_stage or version_id attribute if you need a specific secret version.
Permissions: Ensure your Terraform environment has the necessary IAM permissions to access Secrets Manager.
Error Handling: Implement error handling to gracefully manage scenarios where secret retrieval fails.

Conclusion

By following the steps outlined in this article, you can effectively leverage AWS Secrets Manager to securely manage and utilize sensitive information within your Terraform projects. Remember to prioritize security by following best practices such as adhering to the principle of least privilege, implementing secret rotation strategies, and avoiding hardcoding secret values in your code. By combining the power of Terraform with the robust security features of AWS Secrets Manager, you can enhance the security and maintainability of your infrastructure deployments.

References

Couldn't retrieve the secret from aws secret manager using terraform ... | Trying to retrieve the secret from aws secret manager using terraform data "aws_secretsmanager_secret" "emr" { name = format("certificate/%s/emr.jks", "us-east-1") provider = aws.secrets } data "aw...
How to create and retrieve the AWS RDS secret with Terraform : r/aws | Posted by u/tezarin - 6 votes and 21 comments
aws_secretsmanager_secret_version | hashicorp/aws | Terraform | Retrieve information about a Secrets Manager secret version, including its secret value. To retrieve secret metadata, see the aws_secretsmanager_secret data ...
Is there a way to use AWS Secrets Manager as a data source for ... | Posted by u/TacoJihad - 3 votes and 10 comments
Terraform Registry | SSM Incident Manager Incidents. SSO Admin. SSO Identity Store. STS (Security Token). SWF (Simple Workflow). SageMaker. Secrets Manager. Security Hub. Security ...
How to retrieve a secret stored in AWS Secret Manager in terraform ... | How to retrieve a secret stored in AWS Secret Manager in terraform. - terraform_retrieve_secret_aws.tf
awscc_secretsmanager_secret | hashicorp/awscc | Terraform | For information about retrieving a secret in code, see Retrieve secrets from Secrets Manager. Example Usage. Basic Usage. Create an AWS Secrets Manager secret.
How to get values from Data Sources with local variables with ... | Hello, I am trying to access values from data sources, so I can use them in creating more resources. Specifically, I want to access secrets from AWS secrets manager and use that in my db_instance. As example data "aws_secretsmanager_secret_version" "creds" { secret_id = "db-creds" } locals { db_creds = jsondecode( data.aws_secretsmanager_secret_version.creds.secret_string ) } And then use the variables like local.db_creds.username. I am trying to do the same with Python and CDK...
Use AWS Secrets Manager secrets in AWS Lambda functions - AWS ... | You can use the AWS Parameters and Secrets Lambda Extension to retrieve and cache AWS Secrets Manager secrets in Lambda functions without using an SDK.