This repository has been archived by the owner on Aug 2, 2024. It is now read-only.

enhance and clarify secrets management #59

Open
moritzzimmer opened this issue Mar 10, 2020 · 1 comment
Labels: enhancement (New feature or request), question (Further information is requested)

Comments


moritzzimmer commented Mar 10, 2020

There are different possibilities and recommendations on how to manage and access secrets (e.g. database passwords) inside Lambda functions (see e.g. here and here).

Currently this module supports reading (optionally encrypted) parameters from AWS Systems Manager Parameter Store at runtime by creating IAM policies allowing access to and decryption of parameters by setting ssm_parameter_names and kms_key_arn. This is the recommended way for Lambda functions if the Parameter Store API limits are no concern in case of horizontal scaling.

Unfortunately kms_key_arn conflicts with the parameter specified in the Terraform Lambda resource to specify a key that is used to encrypt environment variables.

Proposal:

  • create a new configuration option (e.g. ssm { parameters: [], kms_key_arn: ""}) to configure IAM policies for runtime SSM access (with custom key)
  • switch (optional) variable kms_key_arn to its default meaning and pass it down to the lambda submodule
  • (optionally) support configuration option for using AWS Secrets Manager
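As an added illustration of the proposal (not code from the module or its author): a separate `ssm` object drives a least-privilege policy for runtime parameter access, while `kms_key_arn` keeps its upstream meaning and only encrypts environment variables. The attribute names inside the object and the resource names are assumptions; the function's remaining arguments and the role attachment are left out.

```hcl
# Added example, not the module's own code. Variable names `ssm` and
# `kms_key_arn` follow the proposal; attribute names are assumptions.

variable "ssm" {
  description = "Runtime read access to SSM parameters for the function role."
  type = object({
    parameter_names = list(string)   # e.g. ["/app/db/password"]
    kms_key_arn     = string         # key that decrypts SecureString values
  })
  default = null
}

variable "kms_key_arn" {
  description = "Passed unchanged to aws_lambda_function (environment variables only)."
  type        = string
  default     = null
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Least privilege: only the listed parameters and only the named key,
# never "ssm:*" or "arn:aws:ssm:*:*:parameter/*".
data "aws_iam_policy_document" "ssm" {
  count = var.ssm == null ? 0 : 1

  statement {
    actions = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = [
      for name in var.ssm.parameter_names :
      "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${name}"
    ]
  }

  # kms:Decrypt is granted only when a custom key is configured for SSM.
  dynamic "statement" {
    for_each = var.ssm.kms_key_arn == null ? [] : [var.ssm.kms_key_arn]
    content {
      actions   = ["kms:Decrypt"]
      resources = [statement.value]
    }
  }
}

resource "aws_lambda_function" "this" {
  # function_name, role, handler, runtime and package arguments omitted here
  kms_key_arn = var.kms_key_arn   # env-var encryption; independent of var.ssm
}
```

Attach `data.aws_iam_policy_document.ssm[0].json` to the function's execution role; the two KMS keys may be the same ARN, but the module no longer forces that choice.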
@moritzzimmer moritzzimmer added enhancement New feature or request question Further information is requested labels Mar 10, 2020
@moritzzimmer moritzzimmer self-assigned this Mar 10, 2020
moritzzimmer added a commit to moritzzimmer/terraform-aws-lambda that referenced this issue Aug 28, 2020
- custom object which can be enhanced for kms_key later
- adapted documentation and added example
- allow `ssm:GetParameter`

for spring-media users, this fixes spring-media/terraform-aws-lambda#61 and spring-media/terraform-aws-lambda#59
moritzzimmer added a commit to moritzzimmer/terraform-aws-lambda that referenced this issue Aug 28, 2020
* streamlined tests and variables

- use objects in favour of maps to have a more precise API and documentation (those are interchangeable from a client perspective)
- use lambda fixture in all tests
- streamlined examples
- added deprecation comments for ssm
- use `kms_key_arn` (also) as described in https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#kms_key_arn

* new configuration for ssm

- custom object which can be enhanced for kms_key later
- adapted documentation and added example
- allow `ssm:GetParameter`

for spring-media users, this fixes spring-media/terraform-aws-lambda#61 and spring-media/terraform-aws-lambda#59