Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/umihico/terraform-aws-stateless-ssm-parameter
Terraform module which creates SSM parameters without leaking raw values in git or tfstate
aws aws-ss ssm terraform terraform-module terraform-modules
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/umihico/terraform-aws-stateless-ssm-parameter
- Owner: umihico
- Created: 2022-01-23T07:49:30.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2022-03-13T10:20:21.000Z (almost 3 years ago)
- Last Synced: 2024-05-01T14:35:02.082Z (8 months ago)
- Topics: aws, aws-ss, ssm, terraform, terraform-module, terraform-modules
- Language: HCL
- Homepage: https://registry.terraform.io/modules/umihico/stateless-ssm-parameter/
- Size: 11.7 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# stateless-ssm-parameter
Terraform module which creates SSM parameters without leaking raw values in git or tfstate
## Usage
```hcl
module "ssm_parameters" {
  source = "umihico/stateless-ssm-parameter/aws"
  parameters = [
    {
      name            = "stateless-ssm-parameters-demo-aws-access-key-id"
      encrypted_value = "AQICAHhknPcMN2mPQjlgkKH9EhrUk79o+4j1nUtJMmNPXkAKWgHMyR2vUsqH8wKITgQmgvysAAAAcjBwBgkqhkiG9w0BBwagYzBhAgEAMFwGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMGIi7bRe0nfMJk4LHAgEQgC+8pD0sNt3aXQ97B7mAenZLWSTa9xrUYxEObS0c6M5PcJsUY96yPqpWR8d11rkk1w=="
      # plain text is AKIAIOSFODNN7EXAMPLE
    },
    {
      name            = "stateless-ssm-parameters-demo-aws-access-secret-key"
      encrypted_value = "AQICAHhknPcMN2mPQjlgkKH9EhrUk79o+4j1nUtJMmNPXkAKWgFJO3StxQSrfvTKupiSxQ9fAAAAhzCBhAYJKoZIhvcNAQcGoHcwdQIBADBwBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDA+oQzzMdeJwKG35QwIBEIBD14aLRt9gKfEBZjiCL1/QfbmhPqknTM3lo7MCoj7vKHWxqir4x0Gafylx/piwspv40i+3523obtUfWiN0dxhJXdsG5g=="
      # plain text is wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
    },
  ]
}
```

## Benefits
- Parameters are encrypted and can be version-controlled in git
- **Original values are never stored in tfstate, so they cannot leak from it**
- Only non-sensitive values such as ARNs and names are exposed, and these can be used in an [ECS environment variable reference](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data-parameters.html).

## How to encrypt
```bash
# encrypting value 'AKIAIOSFODNN7EXAMPLE'
aws kms encrypt \
  --key-id alias/stateless-ssm-parameter-sample \
  --plaintext "$(echo -n 'AKIAIOSFODNN7EXAMPLE' | base64)" \
  --output text \
  --query CiphertextBlob
```

If you don't have a KMS key or alias yet, create them as shown below.
```hcl
# with terraform
resource "aws_kms_key" "sample" {
  description         = "stateless-ssm-parameter-sample-master-key"
  enable_key_rotation = true
  is_enabled          = true
}

resource "aws_kms_alias" "sample" {
  name          = "alias/stateless-ssm-parameter-sample"
  target_key_id = aws_kms_key.sample.key_id
}
```

```bash
# with aws cli: create the key, then point an alias at its key ID
aws kms create-alias \
  --alias-name "alias/stateless-ssm-parameter-sample2" \
  --target-key-id "$(aws kms create-key --output text --query "KeyMetadata.KeyId" --description "stateless-ssm-parameter-sample2-master-key")"
```

## Inputs
| Name | Description | Type | Default | Required |
| ---------- | ----------- | ---- | ----------- | :------: |
| parameters | Takes name(s) and encrypted_value(s), in the same way that [aws_ssm_parameter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) takes name and value | `list(object({ name = string, encrypted_value = string }))` | - | yes |
| region | Optional; when omitted, the region detected by Terraform is used | `string` | `null` | no |
| profile | If Terraform runs with a named profile, you need to specify the same one here. If the profile name is personal, you can override it with TF_VARS without committing it, like this: `TF_VAR_STATELESS_SSM_PROFILE=profile2 terraform apply` | `string` | `"default"` | no |

## Outputs
| Name | Description |
| ------------------ | ----------- |
| aws_ssm_parameters | Returns a list of arn, name, type and value (encrypted), the same as [aws_ssm_parameter](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) returns |
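
The ECS reference mentioned under Benefits, wired to the output above. This is an added example, not code from the module's repository: it assumes `aws_ssm_parameters` is a list of objects exposing `name` and `arn`, and the variables, role policy name, task family and image are hypothetical.

```hcl
# Added example: consumes module.ssm_parameters from the Usage section.
# Assumption: each element of aws_ssm_parameters exposes name and arn.
variable "ecs_execution_role_name" { type = string } # hypothetical
variable "ecs_execution_role_arn" { type = string }  # hypothetical

locals {
  # Map parameter name => ARN so containers can pick secrets by name.
  ssm_arns = {
    for p in module.ssm_parameters.aws_ssm_parameters : p.name => p.arn
  }
}

# Least privilege: the execution role may read only these parameters.
# If the parameters are SecureString under a customer managed key,
# kms:Decrypt on that key is needed as well.
data "aws_iam_policy_document" "read_params" {
  statement {
    actions   = ["ssm:GetParameters"]
    resources = values(local.ssm_arns)
  }
}

resource "aws_iam_role_policy" "read_params" {
  name   = "read-demo-ssm-parameters"
  role   = var.ecs_execution_role_name
  policy = data.aws_iam_policy_document.read_params.json
}

resource "aws_ecs_task_definition" "demo" {
  family             = "stateless-ssm-demo"
  execution_role_arn = var.ecs_execution_role_arn
  container_definitions = jsonencode([{
    name      = "app"
    image     = "example/app:latest"
    memory    = 256
    essential = true
    # ECS resolves valueFrom when the task starts; the task definition
    # and its tfstate entry hold only the parameter ARN.
    secrets = [
      { name = "AWS_ACCESS_KEY_ID", valueFrom = local.ssm_arns["stateless-ssm-parameters-demo-aws-access-key-id"] },
      { name = "AWS_SECRET_ACCESS_KEY", valueFrom = local.ssm_arns["stateless-ssm-parameters-demo-aws-access-secret-key"] },
    ]
  }])
}
```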