-1

I have same-named secrets across all of my 4 environments. The problem is AWS adds characters at the end of the secret ARN, meaning all of my secrets have different "names", besides their environment, which is not a problem. The specific problem can be described with this:

For example, secret called "dbpass" looks like this on the dev account:

data "aws_secretsmanager_secret" "s1" {
  arn = "arn:aws:secretsmanager:us-east-1:xxx:secret:/dev/dbpass-123456"
}

While a secret with the same name looks like this on prod:

data "aws_secretsmanager_secret" "s1" {
  arn = "arn:aws:secretsmanager:us-east-1:xxx:secret:/prod/dbpass-654321"
}

These numbers after dbpass are randomized, I'm guessing for security reasons. But this created the following problem for me: While I can turn the region, account ID and environment into variables whose value depends on the environment I'm deploying to, I can't do the same with the secret arn. These 4 environments are all deployed with a single pipeline, so its very important I have 1 resource acting as a representative for all 4 environments. Now, this can be solved like this:

locals{
  dev = "${var.env == "dev" ? "dbpass-123456" : ""}"
  prod = "${var.env == "prod" ? "dbpass-654321" : ""}"

  dbpass = "${coalesce(local.dev, local.prod)}"
}

And then I could just do:

data "aws_secretsmanager_secret" "s1" {
  arn = "arn:aws:secretsmanager:${var.region}:${var.account}:secret:/${var.env}/${local.dbpass}"
}

The problem here however, is that I'd have to make this locals block for every single secret, go into each AWS account, retrieve them... and there's a lot of secrets. Terraform doesn't let me call a secret by its name/path in the Secrets Manager, only by its ARN. Is there a way to make this easier, or am I stuck with hundreds of locals blocks?

sneedster2
  • 1
  • 1
  • I think you are looking for this actually: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version. Also, you can fetch a secret by its name, it doesn't have to be an ARN. – Marko E Nov 07 '22 at 18:21
  • "Terraform doesn't let me call a secret by its name/path in the Secrets Manager, only by its ARN." It actually does let you use the name without the full ARN. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret However you still need a list of all the names some where in your Terraform code because of the way you have random numbers in each name. – Mark B Nov 07 '22 at 18:48
  • @MarkB Wait, the ARN has randomized characters at the end, not the name? – sneedster2 Nov 08 '22 at 11:45
  • No that's not what I said. I said you have added random numbers at the end of the name for some reason, which means you still have to have a map or list or something in Terraform of each name for each of your environments. – Mark B Nov 08 '22 at 12:36

1 Answers1

0

You can use terraformer (https://github.com/GoogleCloudPlatform/terraformer/blob/master/docs/aws.md) to import your entire infrastructure. For example:

#import segret manager
terraformer import aws --resources=secretsmanager --regions=us-east-1
Raphael Santos
  • 1
  • 2
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Nov 12 '22 at 21:44