This repository was archived by the owner on Aug 2, 2024. It is now read-only.

enhance and clarify secrets management #59

@moritzzimmer


There are different possibilities and recommendations how to manage and access secrets (e.g. database passwords) inside Lambda functions (see e.g. here and here).

Currently this module supports reading (optionally encrypted) parameters from AWS Systems Manager Parameter Store at runtime by creating IAM policies allowing access to and decryption of parameters by setting ssm_parameter_names and kms_key_arn. This is the recommended way for Lambda functions if the Parameter Store API limits are no concern in case of horizontal scaling.

Unfortunately kms_key_arn conflicts with the parameter specified in the Terraform Lambda resource to specify a key that is used to encrypt environment variables.

Proposal:

  • create a new configuration option (e.g. ssm { parameters: [], kms_key_arn: ""}) to configure IAM policies for runtime SSM access (with custom key)
  • switch (optional) variable kms_key_arn to its default meaning and pass it down to lambda submodule
  • (optionally) support configuration option for using AWS Secrets Manager
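The separation the proposal asks for, written out as an added example in plain Terraform. This is not the module's own configuration and not code by the issue author: it assumes an execution role created inline, a Lambda artifact at `function.zip`, and placeholder parameter names and KMS key ARNs. One key (with a least-privilege IAM policy) is used only to decrypt SSM SecureString parameters at runtime, while the Lambda resource's native `kms_key_arn` keeps its meaning of encrypting environment variables, and no secret values are placed in those variables at all.

```hcl
# Added example, not code from the module discussed in this issue.
# Assumed/placeholder values: the parameter names, the two KMS key ARNs,
# the function name and the deployment artifact.

locals {
  ssm_parameter_names = ["/myapp/prod/db_password", "/myapp/prod/api_token"]          # assumed
  ssm_kms_key_arn     = "arn:aws:kms:eu-west-1:123456789012:key/PLACEHOLDER-SSM-KEY"  # placeholder
  env_kms_key_arn     = "arn:aws:kms:eu-west-1:123456789012:key/PLACEHOLDER-ENV-KEY"  # placeholder
}

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# Execution role the function assumes (assumed to be created here for self-containment).
data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda" {
  name               = "myapp-prod-lambda"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

# Runtime access: only the listed parameters, and kms:Decrypt only on the SSM key
# and only when the call is made through the SSM service in this region.
data "aws_iam_policy_document" "ssm_runtime" {
  statement {
    sid     = "ReadParameters"
    actions = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = [
      for name in local.ssm_parameter_names :
      "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${name}"
    ]
  }

  statement {
    sid       = "DecryptParameters"
    actions   = ["kms:Decrypt"]
    resources = [local.ssm_kms_key_arn]
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["ssm.${data.aws_region.current.name}.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "ssm_runtime" {
  name   = "myapp-prod-lambda-ssm-runtime"
  policy = data.aws_iam_policy_document.ssm_runtime.json
}

resource "aws_iam_role_policy_attachment" "ssm_runtime" {
  role       = aws_iam_role.lambda.name
  policy_arn = aws_iam_policy.ssm_runtime.arn
}

# The Lambda resource's own kms_key_arn keeps its native meaning: the key that
# encrypts environment variables at rest. Secret values are not stored here;
# the function resolves them from Parameter Store at runtime.
resource "aws_lambda_function" "this" {
  function_name = "myapp-prod"      # assumed
  role          = aws_iam_role.lambda.arn
  handler       = "index.handler"
  runtime       = "nodejs18.x"
  filename      = "function.zip"    # assumed artifact
  kms_key_arn   = local.env_kms_key_arn

  environment {
    variables = {
      SSM_PARAMETER_PREFIX = "/myapp/prod/" # a path, not a secret
    }
  }
}
```

The `kms:ViaService` condition narrows the decrypt grant so the SSM key cannot be used by the function for arbitrary `kms:Decrypt` calls; if the Parameter Store API limits mentioned above become a concern under horizontal scaling, the same role and policy shape applies when the lookup is cached in the execution environment rather than repeated on every invocation.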

Labels: enhancement (New feature or request), question (Further information is requested)