» Data Source: aws_kms_secret

The KMS secret data source allows you to use data encrypted with the AWS KMS service within your resource definitions.

Please take care to secure your secret data outside of resource definitions.

» Example Usage

First, let's encrypt a password with KMS using the AWS CLI tools. This requires you to have your AWS CLI setup correctly, and you would replace the key-id with your own. If you have a newline character at the end of your file, secrets will be decrypted with this newline character intact. For most use-cases this is undesirable and leads to incorrect passwords or invalid values, as well as possible changes in the plan. Alternatively you can use --plaintext 'password' instead of reading from a file.

$ echo -n 'master-password' > plaintext-password
$ aws kms encrypt \
> --key-id ab123456-c012-4567-890a-deadbeef123 \
> --plaintext fileb://plaintext-password \
> --encryption-context foo=bar \
> --output text --query CiphertextBlob
AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ==

Now, take that output and add it to your resource definitions.

data "aws_kms_secret" "db" {
  secret {
    name    = "master_password"
    payload = "AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ=="

    context {
      foo = "bar"
    }
  }
}

resource "aws_rds_cluster" "rds" {
  master_username = "root"
  master_password = "${data.aws_kms_secret.db.master_password}"

  # ...
}

And your RDS cluster would have the root password set to "master-password"

» Argument Reference

The following arguments are supported:

  • secret - (Required) One or more encrypted payload definitions from the KMS service. See the Secret Definitions below.

» Secret Definitions

Each secret definition supports the following arguments:

  • name - (Required) The name to export this secret under in the attributes.
  • payload - (Required) Base64 encoded payload, as returned from a KMS encrypt opertation.
  • context - (Optional) An optional mapping that makes up the Encryption Context for the secret.
  • grant_tokens (Optional) An optional list of Grant Tokens for the secret.

For more information on context and grant_tokens see the KMS Concepts

» Attributes Reference

Each secret defined is exported under its name as a top-level attribute.