An AWS Secrets Manager secret is a resource for storing credentials securely. In the past, I created an AWS Secrets Manager resource using Terraform from my laptop. I did this by storing the secret value in the `tfvars` file and ensuring that the `tfvars` file is not part of the repository using the `.gitignore` file. Since the secret value was never committed to the repository, that approach worked fine in that case. However, how do you do the same when provisioning resources with secure values through a pipeline that runs Terraform configuration code? Enter GitHub Actions secrets: a secure mechanism for passing sensitive values into GitHub Actions pipelines.
In this repository, I store the Terraform configuration and the GitHub Actions YAML pipeline that create an AWS Secrets Manager secret. If you want to read the detailed documentation around this, click here.
Before working on this use case, please understand two critical concepts associated with deploying Terraform configuration to the AWS cloud using GitHub Actions.
Concept #1: Securely integrate AWS credentials with GitHub Actions using OpenID Connect
Concept #2: CI/CD with Terraform and GitHub Actions to deploy to AWS
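To show how the two concepts fit together, here is an added example workflow (not the repository's own `terraform.yml`) that obtains short-lived AWS credentials via OpenID Connect and hands GitHub Actions secrets to Terraform as `TF_VAR_` environment variables, so no secret value ever lands in a `tfvars` file. The secret names (`DB_USERNAME`, `DB_PASSWORD`, `SOME_OTHER_SECRET`, `AWS_ROLE_ARN`) are assumed; the variable names match the inputs listed below.

```yaml
name: terraform-infra-provisioning   # assumed workflow name

on:
  push:
    branches: [main]
  pull_request:

# OIDC federation needs id-token: write (Concept #1); no long-lived AWS keys are stored.
permissions:
  id-token: write
  contents: read

env:
  # Terraform reads any environment variable named TF_VAR_<name>. The suffix must match
  # the variable name in variables.tf exactly, including case (TF_VAR_SomeOtherSecret).
  # Values come from repository or environment secrets, never from a committed file.
  TF_VAR_username: ${{ secrets.DB_USERNAME }}             # assumed secret name
  TF_VAR_password: ${{ secrets.DB_PASSWORD }}             # assumed secret name
  TF_VAR_SomeOtherSecret: ${{ secrets.SOME_OTHER_SECRET }} # assumed secret name
  TF_VAR_region: us-east-2

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Assume the deployment role via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}     # assumed secret name
          aws-region: us-east-2

      - uses: hashicorp/setup-terraform@v3

      - run: terraform init -input=false

      # -input=false makes Terraform fail rather than wait on a prompt in CI.
      # Declare the secret variables with sensitive = true in variables.tf so that
      # plan output redacts them; GitHub's log masking is best effort only.
      - run: terraform plan -input=false -out=tfplan

      # Apply only from the main branch, using the plan that was just reviewed.
      - if: github.ref == 'refs/heads/main' && github.event_name == 'push'
        run: terraform apply -input=false tfplan
```

Note that the secret value still ends up in the Terraform state file, so the state backend must be encrypted and access-controlled as carefully as the secret itself.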
Review the code, including `terraform.yml`, to understand the steps in the GitHub Actions pipeline. Also review the `terraform` code to understand all the concepts associated with creating an AWS Secrets Manager secret.
I also have static code analysis enabled in this repository using Checkov. The scan result is accessible at checkov-scan.
If you want to learn more about how to enable Checkov static analysis checks for `terraform` code in your repository, you may read that at automate-terraform-configuration-scan-with-checkov-and-github-actions.
If you want to check the pipeline logs, click on the Build Badge (terrform-infra-provisioning) above the image in this README.
Requirements:

| Name | Version |
|------|---------|
| aws  | 5.82.2  |

Providers:

| Name | Version |
|------|---------|
| aws  | 5.82.2  |
No modules.
Resources:

| Name | Type |
|------|------|
| aws_kms_alias.key | resource |
| aws_kms_key.local_key | resource |
| aws_kms_key_policy.encrypt_kms | resource |
| aws_secretsmanager_secret.db_secrets | resource |
| aws_secretsmanager_secret.secret_one | resource |
| aws_secretsmanager_secret_version.db_secrets_version | resource |
| aws_secretsmanager_secret_version.secure_one_version | resource |
| aws_caller_identity.current | data source |
Inputs:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| SomeOtherSecret | Some other secret | `string` | `""` | no |
| access_key | The access_key that belongs to the IAM user | `string` | `""` | no |
| password | The password of the entity | `string` | `""` | no |
| region | Infrastructure region | `string` | `"us-east-2"` | no |
| secret_key | The secret_key that belongs to the IAM user | `string` | `""` | no |
| username | The username of the entity | `string` | `""` | no |
No outputs.
If you find any issues or have suggestions for improvement, feel free to open an issue or submit a pull request. Contributions are always welcome!
This code is released under the Unlicense. See LICENSE.