
I have an SSM parameter created with type SecureString and key-value as (password=Passwor@d123). I am trying to fetch the value using a data resource, and the value is getting printed in the plan output.

data "aws_ssm_parameter" "foo" {
  name = "password"
}

module "lambda_env_vars" {
  source       = "./lambda_env_vars" # module source omitted in the question; placeholder path
  New_password = data.aws_ssm_parameter.foo.value
}

Plan output:

New_password = Password@123

I tried encryption like below.

data "aws_ssm_parameter" "foo" {
  name            = "password"
  with_decryption = false
}

module "lambda_env_vars" {
  source       = "./lambda_env_vars" # module source omitted in the question; placeholder path
  New_password = data.aws_ssm_parameter.foo.value
}

Plan output:

New_password = Q#iuws##)9ssdhs (some encrypted value)

Here the problem is that the same encrypted hash code is getting assigned as the value for my lambda function.

How can I mask the value in the Terraform plan output and still get the plain-text value for my lambda function?

SNR

1 Answer

Generally you would just pass the name of the SSM's SecretString parameter as an env variable to your lambda function. Then the lambda function would fetch it itself from the SSM Parameter Store.

If you want to use the approach with `with_decryption = false`, then your lambda function will have to call the KMS Decrypt API to actually decrypt the ciphertext into its plain-text version.

In both cases the execution role of your function would need to have permissions to KMS and/or SSM Parameter Store.

Marcin
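The Lambda side of the first approach in the answer, as an added example that is not part of the question or the answer: Terraform passes only the parameter *name* in an environment variable (assumed name `PASSWORD_PARAM_NAME`), so nothing secret appears in the plan, and the function resolves the SecureString at runtime with `GetParameter` and `WithDecryption=True`. The SSM client can be injected, and the `FakeSsmClient` below is a constructed stand-in for boto3 so the code runs offline.

```python
import os
from typing import Any, Dict, Mapping, Optional

# Survives warm invocations, so SSM/KMS is called once per container, not per request.
param_cache: Dict[str, str] = {}


def get_secure_parameter(name: str, ssm_client: Optional[Any] = None) -> str:
    """Return the decrypted SecureString value for `name`.

    Decryption happens on the API side (SSM asks KMS), which is why the execution
    role needs ssm:GetParameter plus kms:Decrypt on the key protecting the parameter.
    """
    if name in param_cache:
        return param_cache[name]
    if ssm_client is None:
        import boto3  # imported lazily so the module also loads without boto3 installed
        ssm_client = boto3.client("ssm")
    resp = ssm_client.get_parameter(Name=name, WithDecryption=True)
    param = resp["Parameter"]
    if param.get("Type") != "SecureString":
        raise ValueError(f"{name} is not a SecureString parameter")
    param_cache[name] = param["Value"]
    return param_cache[name]


def lambda_handler(event, context, ssm_client=None, env: Mapping[str, str] = os.environ):
    """Entry point: reads the parameter name (not the secret) from the environment."""
    param_name = env["PASSWORD_PARAM_NAME"]  # assumed env var set by Terraform
    password = get_secure_parameter(param_name, ssm_client)
    # Never return or log the secret itself; report only that it was resolved.
    return {"parameter": param_name, "resolved": bool(password), "length": len(password)}


class FakeSsmClient:
    """Constructed stand-in for boto3's SSM client (offline use only)."""

    def __init__(self, store: Dict[str, tuple]):
        self.store = store  # name -> (type, plaintext, ciphertext)
        self.calls = 0

    def get_parameter(self, Name: str, WithDecryption: bool = False) -> dict:
        self.calls += 1
        typ, plaintext, ciphertext = self.store[Name]
        # Mirrors the real API: a SecureString comes back as ciphertext unless WithDecryption=True
        value = plaintext if (WithDecryption or typ != "SecureString") else ciphertext
        return {"Parameter": {"Name": Name, "Type": typ, "Value": value}}
```

With `with_decryption = false`, Terraform sees exactly what the fake returns for `WithDecryption=False`: the ciphertext, which is why the Lambda must decrypt (or, as here, fetch with decryption) itself.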
  • While using `with_decryption = false`, how does KMS come into the picture? The value was encrypted by Terraform, right? We are not passing any KMS key for encryption to the data resource. – SNR Aug 25 '20 at 12:49
  • @siva Hi. It's done by KMS. The `with_decryption` attribute in TF maps directly to the [WithDecryption](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html#systemsmanager-GetParameter-request-WithDecryption) parameter in the AWS REST API. – Marcin Aug 25 '20 at 12:53
  • @Marcin Got it, the aws_ssm_parameter resource by default encrypts with the default KMS key. – SNR Aug 26 '20 at 05:19
  • @siva I think it would be best to make a new question with a relevant description, error messages or use-cases. – Marcin Sep 01 '20 at 02:07
  • Posted new question [How to decrypt ssm parameter secure string value returned by terraform data resource](https://stackoverflow.com/questions/63682612/how-to-decrypt-ssm-parameter-secure-string-value-returned-by-terraform-data-reso) – SNR Sep 01 '20 at 06:45