generate secret value via kms and reference the secret in terraform
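#!/usr/bin/env bash
# Generate a random secret (or take one from $1), encrypt it with a KMS key,
# print a Terraform `aws_kms_secrets` snippet that embeds the ciphertext, and
# round-trip the blob through `aws kms decrypt` to prove it is usable.
#
# Usage: ./script.sh [plaintext]
#   plaintext  optional literal secret. When omitted, 512 hex characters from
#              `openssl rand` are used. An argv value is visible to other
#              users of the host via `ps`, so prefer the generated value for
#              anything sensitive.
#
# Requires: aws CLI with v2 semantics (blob parameters are passed as base64
#           strings), openssl, base64, tr, and credentials allowed to
#           kms:Encrypt and kms:Decrypt on $key_alias in the active region.
#           KMS accepts at most 4096 bytes of plaintext.
set -euo pipefail
IFS=$'\n\t'

# KMS key used for both encrypt and decrypt; must resolve in the active region.
readonly key_alias="alias/github-barracuda-internal"
# Name under which the secret is exposed by the aws_kms_secrets data source.
readonly param_name="supersecret"

#######################################
# Base64-encode stdin without line wrapping.
# `base64 | tr -d '\n'` is used instead of GNU-only `base64 -w 0` so the
# script also runs with BSD/macOS base64.
# Outputs: base64 text on stdout
#######################################
b64_nowrap() {
  base64 | tr -d '\n'
}

arg="${1:-}"
if [[ -n "$arg" ]]; then
  # printf, not echo: echo appends a newline that would become part of the
  # encrypted plaintext and therefore of the decrypted secret in Terraform.
  secret="$(printf '%s' "$arg" | b64_nowrap)"
else
  secret="$(openssl rand -hex 256 | tr -d '\n' | b64_nowrap)"
fi
readonly secret

# CiphertextBlob is returned base64-encoded, which is exactly the form the
# aws_kms_secrets `payload` attribute expects. A failed encrypt aborts the
# script via set -e; an empty result is rejected explicitly.
blob=$(
  aws kms encrypt \
    --key-id "$key_alias" \
    --plaintext "$secret" \
    --query CiphertextBlob --output text
)
if [[ -z "$blob" ]]; then
  printf 'kms encrypt returned an empty CiphertextBlob\n' >&2
  exit 1
fi
readonly blob

# Unquoted delimiter on purpose: ${param_name} and ${blob} are expanded.
cat <<EOF
###############################################################################
# Terraform example code
###############################################################################
data "aws_kms_secrets" "secret" {
  secret {
    name    = "${param_name}"
    payload = "${blob}"
  }
}
# Reference
# data.aws_kms_secrets.secret.plaintext["${param_name}"]
EOF

# Round-trip check: decrypt the blob and compare it with what was encrypted.
# Plaintext comes back base64-encoded, so decode both sides to raw bytes.
printf '# Testing Decrypt:\n'
pt=$(
  aws kms decrypt \
    --key-id "$key_alias" \
    --ciphertext-blob "$blob" \
    --query Plaintext --output text | base64 -d
)
expected=$(printf '%s' "$secret" | base64 -d)
if [[ "$pt" != "$expected" ]]; then
  printf 'decrypt round-trip mismatch: plaintext differs from what was encrypted\n' >&2
  exit 1
fi
# This prints the secret itself to stdout, as the original did; redirect or
# drop this line when the output is captured by a terminal log or CI.
printf '# %s\n' "$pt"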