Add aws-ssm-params and aws-ssm-params-writer (#111)
Showing 11 changed files with 181 additions and 1 deletion.
@@ -0,0 +1,26 @@ | ||
# AWS SSM Params Writer (DEPRECATED) | ||
|
||
__*Deprecated. Please use `aws-ssm-params-writer` module for new code*__ | ||
|
||
This module will set encrypted string parameters in the AWS SSM parameter store. Designed to be used in combination with | ||
[Chamber](https://github.com/segmentio/chamber) to send variables that are output by a Terraform run to a process via | ||
environment variables. | ||
|
||
Parameters are stored in AWS SSM Parameter store at the path `/{project}-{env}-{service}/{name}` where name | ||
is each of the keys of the parameters input. | ||
|
||
**WARNING:** These parameters will stored **unencrypted** in the Terraform state file. See more about this issue | ||
in the [Terraform docs](https://www.terraform.io/docs/state/sensitive-data.html). | ||
|
||
<!-- START --> | ||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|:----:|:-----:|:-----:| | ||
| env | Env for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes | | ||
| owner | Owner for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes | | ||
| parameters | Map from parameter names to values to set. | map(string) | n/a | yes | | ||
| project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes | | ||
| service | Service for tagging and naming. See [doc](../README.md#consistent-tagging). | string | n/a | yes | | ||
|
||
<!-- END --> |
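Review bot: the deprecation notice is self-contradictory as written: the heading calls this module "AWS SSM Params Writer" and the notice says to use `aws-ssm-params-writer` instead, so a reader cannot tell whether this README belongs to the deprecated module or to its replacement; name the deprecated module's directory explicitly in the notice. Also "These parameters will stored" should read "will be stored", and the `project` row of the Inputs table is missing the trailing period the other rows have.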
@@ -0,0 +1,25 @@ | ||
locals { | ||
service_name = "${var.project}-${var.env}-${var.service}" | ||
} | ||
|
||
data "aws_kms_key" "key" { | ||
key_id = "alias/parameter_store_key" | ||
} | ||
|
||
resource "aws_ssm_parameter" "parameter" { | ||
for_each = var.parameters | ||
name = "/${local.service_name}/${each.key}" | ||
value = each.value | ||
|
||
type = "SecureString" | ||
key_id = data.aws_kms_key.key.id | ||
overwrite = true | ||
|
||
tags = { | ||
managedBy = "terraform" | ||
project = var.project | ||
env = var.env | ||
service = var.service | ||
owner = var.owner | ||
} | ||
} |
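Review bot: `data "aws_kms_key" "key"` hard-codes `alias/parameter_store_key`, so the module silently depends on that alias existing in the target account and region and fails at plan time otherwise; expose it as a variable with that alias as the default, or at least document the requirement in the README. `overwrite = true` also means any parameter already at `/{project}-{env}-{service}/{name}` (for example one written by chamber) is replaced without warning on the next apply, which belongs in the README next to the state-file warning.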
@@ -0,0 +1,14 @@ | ||
package test | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/gruntwork-io/terratest/modules/terraform" | ||
) | ||
|
||
func TestAWSSSMParamsWriter(t *testing.T) { | ||
options := &terraform.Options{ | ||
TerraformDir: ".", | ||
} | ||
terraform.Init(t, options) | ||
} |
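Review bot: `TestAWSSSMParamsWriter` only runs `terraform init`, which fetches providers and checks module syntax but does not validate the configuration, so a broken `for_each` expression or a misspelled attribute on `aws_ssm_parameter` would still pass; run `terraform validate` as well (terratest ships a validate helper next to `Init`).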
@@ -0,0 +1 @@ | ||
|
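Review bot: this file consists of a single blank line and adds nothing; either drop it from the commit or, if it is a placeholder outputs file for the writer module, give it real content (for example the names or ARNs of the created parameters) so callers can depend on them.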
@@ -0,0 +1,24 @@ | ||
variable "project" { | ||
type = string | ||
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)" | ||
} | ||
|
||
variable "env" { | ||
type = string | ||
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)." | ||
} | ||
|
||
variable "service" { | ||
type = string | ||
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)." | ||
} | ||
|
||
variable "owner" { | ||
type = string | ||
description = "Owner for tagging and naming. See [doc](../README.md#consistent-tagging)." | ||
} | ||
|
||
variable "parameters" { | ||
type = map(string) | ||
description = "Map from parameter names to values to set." | ||
} |
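Review bot: `parameters` carries the secret values themselves, but its description ("Map from parameter names to values to set.") does not say so; state that the values are secrets written as `SecureString` and that each key becomes the last path segment under `/{project}-{env}-{service}/`. The `project` description also lacks the trailing period the other three have, which is why the generated README table is inconsistent.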
@@ -0,0 +1,42 @@ | ||
# AWS SSM Params Reader | ||
|
||
This module is made to work together with [Chamber](https://github.com/segmentio/chamber) to manage secrets in AWS. Typically a user would use chamber to put secrets into the ParamStore and then use this module to read them out in Terraform code. | ||
|
||
You can use [our secrets setup module](../aws-param-secrets-setup/README.md) to prepare an AWS account/region to work with these tools. | ||
|
||
## Example | ||
|
||
```hcl | ||
module "secret" { | ||
source = "github.com/chanzuckerberg/cztack/aws-ssm-params-secret?ref=v0.18.2" | ||
project = "acme" | ||
env = "staging" | ||
service = "website" | ||
parameters = ["password"] | ||
} | ||
# yeah don't really do this | ||
output "secret" { | ||
value = module.secret.values | ||
} | ||
``` | ||
|
||
<!-- START --> | ||
## Inputs | ||
|
||
| Name | Description | Type | Default | Required | | ||
|------|-------------|:----:|:-----:|:-----:| | ||
| env | Env for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes | | ||
| parameters | Set of names of secrets. | set(string) | n/a | yes | | ||
| project | Project for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes | | ||
| service | Service for tagging and naming. See [doc](../README.md#consistent-tagging) | string | n/a | yes | | ||
|
||
## Outputs | ||
|
||
| Name | Description | | ||
|------|-------------| | ||
| values | "Map from keys to corresponding values stored in the SSM Parameter Store." | | ||
|
||
<!-- END --> |
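Review bot: the example's `source` points at `aws-ssm-params-secret?ref=v0.18.2`, which is neither of the modules this commit adds (`aws-ssm-params` / `aws-ssm-params-writer`), so copying the example pulls an older module; point it at this module's path and at a ref that contains it. The Outputs row has stray double quotes around the description, copied verbatim from the `description` string in outputs.tf. And because the values read back through `data "aws_ssm_parameter"` land in the state file like any other data source result, this README should carry the same unencrypted-state warning the writer README has.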
@@ -0,0 +1,9 @@ | ||
locals { | ||
service_name = "${var.project}-${var.env}-${var.service}" | ||
} | ||
|
||
data "aws_ssm_parameter" "secret" { | ||
# https://github.com/hashicorp/terraform/issues/22281#issuecomment-517080564 | ||
for_each = { for v in var.parameters : v => v } | ||
name = "/${local.service_name}/${each.key}" | ||
} |
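Review bot: the comment above `for_each` is a bare issue URL; add a one-line summary (the set is turned into a `v => v` map so `for_each` accepts it) so the workaround can be re-evaluated once the upstream issue is closed. `for_each` on resources and data sources also requires Terraform 0.12.6 or later, so a `required_version` constraint would turn a confusing error on older CLIs into a clear one.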
@@ -0,0 +1,14 @@ | ||
package test | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/gruntwork-io/terratest/modules/terraform" | ||
) | ||
|
||
func TestAWSSSMParams(t *testing.T) { | ||
options := &terraform.Options{ | ||
TerraformDir: ".", | ||
} | ||
terraform.Init(t, options) | ||
} |
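Review bot: as with the writer test, `TestAWSSSMParams` stops at `terraform init` and never validates the configuration, so the `for_each` workaround in main.tf and the output expression in outputs.tf are not actually exercised; add a `terraform validate` step.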
@@ -0,0 +1,4 @@ | ||
output "values" { | ||
description = "Map from keys to corresponding values stored in the SSM Parameter Store." | ||
value = { for k, v in data.aws_ssm_parameter.secret : k => v.value } | ||
} |
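Review bot: `values` exposes decrypted secrets and is not marked `sensitive = true`, so every `terraform apply` and `terraform output` prints them to the terminal and into CI logs; add `sensitive = true` (callers can still reference the output and it still lands in state, it is only redacted from CLI output).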
@@ -0,0 +1,19 @@ | ||
variable "env" { | ||
type = string | ||
description = "Env for tagging and naming. See [doc](../README.md#consistent-tagging)" | ||
} | ||
|
||
variable "project" { | ||
type = string | ||
description = "Project for tagging and naming. See [doc](../README.md#consistent-tagging)" | ||
} | ||
|
||
variable "service" { | ||
type = string | ||
description = "Service for tagging and naming. See [doc](../README.md#consistent-tagging)" | ||
} | ||
|
||
variable "parameters" { | ||
type = set(string) | ||
description = "Set of names of secrets." | ||
} |
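Review bot: `parameters` is described as "Set of names of secrets." without saying that the names are relative to the `/{project}-{env}-{service}/` prefix built in main.tf; say so, because a caller who passes a full path gets a lookup failure. The three tagging descriptions here also drop the trailing period the writer module's variables use, so the two generated README tables differ for no reason.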