Add option to configure secrets manager secret for aws_dms_endpoint #18123
Comments
Yes, please. We should NOT store the username/password for our databases in plain text, even if it's read-only access to get the data out.
Your question is explained in the documentation: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation

More specifically, you can follow the "To turn on rotation (console)" section of the article, or you can follow the "AWS SDK and AWS CLI" section and, using the AWS CLI examples, create equivalent ones in Terraform. It's not a trivial procedure and requires understanding how it works:

Secrets Manager can automatically rotate them on a schedule. When it rotates a secret, Secrets Manager updates the credentials in both the secret and the database or service so that you don't have to manually change the credentials. Secrets Manager uses a Lambda rotation function to communicate with both Secrets Manager and the database or service. The rotation function:
- Calls the Secrets Manager API to retrieve and update secrets.
- Sends requests to the database or service to update the user password.

NOTE: If your Lambda function runs in a VPC, then to allow it to communicate with Secrets Manager, you have two options:
- You can enable your Lambda function to access the public Secrets Manager endpoint by adding a NAT gateway to your VPC, which allows traffic from your VPC to reach the public endpoint. This exposes your VPC to a level of risk because an IP address for the gateway can be attacked from the public Internet.
- You can configure Secrets Manager service endpoints within your VPC. This allows your VPC to intercept any request addressed to the public regional endpoint and redirect the VPC to the private service endpoint running within your VPC. For more information, see VPC endpoints.
@antonakv I think there has been a misunderstanding and I don't think the issue deserves a thumbs down. This is not about rotating Secrets Manager secrets but about adding an option to reference a Secrets Manager secret id in an AWS DMS endpoint in Terraform. I understand we can use Secrets Manager to also rotate the secrets, but that's not what this issue is about. I wanted to just reference the SM secret ID in the DMS endpoint configuration in TF so DMS can get details about source/target from there. That AWS announcement does talk about rotating secrets in DMS endpoints, but you don't really need to do that; I used this feature (manually in the GUI) without any kind of rotation, just to store source and target credentials and not have them committed in plain text in the resource.
We used to "manage" those endpoints using the following code:

```hcl
resource "aws_dms_endpoint" "this" {
  endpoint_id   = var.name
  endpoint_type = var.type
  engine_name   = var.engine
  database_name = var.database_name

  // Connection details are not set here; DMS reads them from the
  // Secrets Manager secret referenced below.
  // password    = "unused"
  // username    = "unused"
  // server_name = "unused"
  // port        = 1234

  // Workaround before native support: pass the secret reference through
  // the engine-specific extra connection attributes.
  extra_connection_attributes = join(";", [
    "secretsManagerAccessRoleArn=${module.credentials.access_role_arn}",
    "secretsManagerEndpointOverride=${var.secretsmanager_vpc_endpoint_dns}",
    "secretsManagerSecretId=${module.credentials.secret_id}",
    "", // for trailing ;
  ])

  lifecycle {
    ignore_changes = [password]
  }
}
```

Process is:
Hi all 👋 Just letting you know that this issue is featured on this quarter's roadmap. If a PR exists to close the issue, a maintainer will review and either make changes directly, or work with the original author to get the contribution merged. If you have written a PR to resolve the issue, please ensure the "Allow edits from maintainers" box is checked. Thanks for your patience and we are looking forward to getting this merged soon!
This functionality has been released in v3.70.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
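As an added example (not code from this thread, the provider's documentation, or PR #19040), this is the native form that replaces the `extra_connection_attributes` workaround posted above once v3.70.0 is in use: the secret is created out of band and only looked up by name, the IAM role DMS assumes can read that one secret and nothing else, and the endpoint carries no credential fields at all. The secret name, role name and endpoint id are constructed values; the regional DMS service principal in the trust policy follows the DMS documentation and should be checked against your region.

```hcl
data "aws_region" "current" {}

# Secret created outside Terraform so its value never enters state.
# DMS expects a JSON payload with host, port, username and password.
data "aws_secretsmanager_secret" "source_db" {
  name = "dms/source-db" # constructed example name
}

# Role that DMS assumes when it needs the endpoint credentials.
resource "aws_iam_role" "dms_secret_access" {
  name = "dms-secret-access" # constructed example name
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      # Regional DMS service principal (per DMS docs; verify for your region)
      Principal = { Service = "dms.${data.aws_region.current.name}.amazonaws.com" }
    }]
  })
}

# Least privilege: read exactly this secret, no wildcard resource.
resource "aws_iam_role_policy" "dms_secret_access" {
  role = aws_iam_role.dms_secret_access.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["secretsmanager:GetSecretValue"]
      Resource = data.aws_secretsmanager_secret.source_db.arn
    }]
  })
}

# No username/password/server_name/port on the endpoint; DMS resolves
# them from the secret through the access role at connection time.
resource "aws_dms_endpoint" "source" {
  endpoint_id                     = "source-postgres" # constructed
  endpoint_type                   = "source"
  engine_name                     = "postgres" # an engine covered by #19040
  database_name                   = "app"      # constructed
  secrets_manager_arn             = data.aws_secretsmanager_secret.source_db.arn
  secrets_manager_access_role_arn = aws_iam_role.dms_secret_access.arn
}
```

Rotating the secret later does not require touching this configuration, since the endpoint stores only the ARN; if you instead create the secret version in Terraform, its value will be recorded in state and the state backend needs the same protection as the secret.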
I am trying to use Secrets Manager to store credentials, but it errors out for me.
@blanco750 which DBMS are you using? The feature has only been implemented for Oracle and Postgres so far, afaik, in #19040
Hello @sbrandtb, thanks for the reply. It is for MySQL. Probably that's why it is not working.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Description
An AWS DMS endpoint allows configuring an AWS Secrets Manager secret that holds the database details (host, user, password). Please add this to the aws_dms_endpoint resource.