This module creates a Lambda which generates a secret value and stores the value in SSM. The module requires npm to be installed.

Once the Lambda generated by this module is in place, it can be used as part of a solution to generate secrets and store them in SSM. This is achieved by using this module in conjunction with the aws-secret module. The benefit of this approach is that secrets can be managed by Infrastructure as Code (IaC) while the secret values never leak into the remote state or the CI/CD tooling context. The Lambda also supports importing existing secrets into IaC.

This module creates a Lambda which processes the events of a CloudFormation custom resource. The custom resource events, which follow a CRUD-like lifecycle, are mapped onto a secret: the create event populates the secret in SSM and the delete event removes it, for example.

The aws-secret module then creates a CloudFormation stack which sets up the custom resource. When it is created for the first time the secret is populated in SSM and the CloudFormation stack is added to the Terraform remote state. Thereafter the secret is managed in the same way as any other Terraform module. If the reference to the secret via the module is removed, the Terraform destroy cascades to the CloudFormation stack, which in turn sends a delete event to the custom resource, which invokes the Lambda with that delete event.
See the below diagram which outlines the creation of a secret.
From version 1.3.1 the module accepts a list of regions in which the SSM parameters will be created. If the requirement is to replicate the secret across regions, the module should be instantiated higher up in the stack.

In the case of multiple regions where one of the regions already has the parameter, and `respectInitialValue` is set to `true`, the module creation will fail and the existing parameter will be left intact.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| lambda_name | Name given to the Lambda which generates secrets | string | "ssm-secret-generator" | no |
| namespace | Namespace used for the Lambda; this is used for tagging and within the Lambda name | string | n/a | yes |
| stage | The stage of the distribution (dev, staging etc.) | string | n/a | yes |
| tags | Tags applied to the distribution; these should follow what is defined here. | map(string) | n/a | yes |
| regions | The regions in which SSM parameters with the same value will be created | string[] | credential's region | no |

| Name | Description |
|---|---|
| lambda_name | Name given to the Lambda |
The examples below use the aws-secret module. In the first, the region is inferred from the AWS credentials.
```hcl
# random_string.random, local.stage, local.tags and
# var.positive_test_ssm_parameter_name are assumed to be declared elsewhere.
module "lambda_secrets_generator" {
  source      = "Adaptavist/secret-generator/module"
  version     = "1.3.1"
  namespace   = "test"
  lambda_name = "ssm-secret-generator-${random_string.random.result}"
  stage       = local.stage
  tags        = local.tags
}

module "single_region_parameter" {
  source                      = "Adaptavist/aws-secret/module"
  version                     = "1.1.0"
  secret_lambda_function_name = module.lambda_secrets_generator.lambda_name
  secret_ssm_path             = var.positive_test_ssm_parameter_name
  tags                        = local.tags
  stage                       = local.stage

  # Depend on the Lambda module by its declared name; "module.lambda" does not exist here.
  depends_on = [module.lambda_secrets_generator]
}
```
The second example replicates the same parameter value to two regions.

```hcl
# random_string.random, local.stage, local.tags and
# var.positive_test_ssm_parameter_name are assumed to be declared elsewhere.
module "lambda_secrets_generator" {
  source      = "Adaptavist/secret-generator/module"
  version     = "1.3.1"
  namespace   = "test"
  lambda_name = "ssm-secret-generator-${random_string.random.result}"
  stage       = local.stage
  tags        = local.tags
}

module "multi_region_param" {
  source                      = "Adaptavist/aws-secret/module"
  version                     = "1.1.0"
  secret_lambda_function_name = module.lambda_secrets_generator.lambda_name
  secret_ssm_path             = var.positive_test_ssm_parameter_name
  tags                        = local.tags
  stage                       = local.stage

  # The same secret value is written to each listed region.
  regions = [
    "us-west-2",
    "eu-central-1",
  ]

  # Depend on the Lambda module by its declared name; "module.lambda" does not exist here.
  depends_on = [module.lambda_secrets_generator]
}
```