terraform-aws-lambda

enhance and clarify secrets management

Open moritzzimmer opened this issue 5 years ago • 1 comments

There are different possibilities and recommendations on how to manage and access secrets (e.g. database passwords) inside Lambda functions (see e.g. here and here).

Currently this module supports reading (optionally encrypted) parameters from AWS Systems Manager Parameter Store at runtime by creating IAM policies allowing access to and decryption of parameters by setting ssm_parameter_names and kms_key_arn. This is the recommended way for Lambda functions if the Parameter Store API limits are no concern in case of horizontal scaling.

Unfortunately kms_key_arn conflicts with the parameter specified in the Terraform Lambda resource to specify a key that is used to encrypt environment variables.

Proposal:

  • create a new configuration option (e.g. ssm { parameters: [], kms_key_arn: ""}) to configure IAM policies for runtime SSM access (with custom key)
  • switch (optional) variable kms_key_arn to its default meaning and pass it down to the lambda submodule
  • (optionally) support configuration option for using AWS Secrets Manager

moritzzimmer avatar Mar 10 '20 12:03 moritzzimmer
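Plain Terraform, added here as an illustration and not the module's own code, of the separation the proposal asks for: one KMS key scoped to decrypting the listed Parameter Store entries (via SSM only), and a different key passed to aws_lambda_function for environment-variable encryption. Assumed: an execution role aws_iam_role.lambda defined elsewhere, two KMS aliases, a constructed parameter path and function name.

```hcl
# Added example, not the module's code. Assumed: an execution role
# aws_iam_role.lambda defined elsewhere, two KMS aliases, a constructed path.
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Key that encrypts the SecureString parameters in Parameter Store.
data "aws_kms_key" "ssm" {
  key_id = "alias/myapp-ssm" # assumed alias
}

# Separate key for Lambda environment variables at rest.
data "aws_kms_key" "lambda_env" {
  key_id = "alias/myapp-lambda-env" # assumed alias
}

# Runtime access: only the listed parameters, only the SSM key, and only
# when KMS is called on behalf of the SSM service (kms:ViaService).
data "aws_iam_policy_document" "ssm_runtime" {
  statement {
    actions = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = [
      for name in ["/myapp/prod/db_password"] : # constructed sample path
      "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${name}"
    ]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [data.aws_kms_key.ssm.arn]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["ssm.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "ssm_runtime" {
  role   = aws_iam_role.lambda.id
  policy = data.aws_iam_policy_document.ssm_runtime.json
}

resource "aws_lambda_function" "this" {
  function_name = "myapp-prod-worker" # assumed
  role          = aws_iam_role.lambda.arn
  handler       = "index.handler"
  runtime       = "python3.9"
  filename      = "lambda.zip"
  kms_key_arn   = data.aws_kms_key.lambda_env.arn # env-var key, not the SSM key
}
```

The kms:ViaService condition keeps the role from using the SSM key to decrypt arbitrary ciphertext, which a bare kms:Decrypt grant on the key would allow.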

This is fixed with https://github.com/moritzzimmer/terraform-aws-lambda/releases/tag/v5.4.0

moritzzimmer avatar Aug 31 '20 05:08 moritzzimmer