Hi,
I'm wondering about the best way to pass sensitive environment variables into my Lambda function, e.g. API keys and secrets. I'm aware of the approach where you store it in S3, encrypted with KMS, and then you load it from S3 in the function and it gets automatically decrypted.
But as you know, Lambda supports environment variables, as does the aws_lambda_function resource. In fact, you can encrypt the secrets with the aws_kms_ciphertext data source, pass the ciphertext_blob into the variables map in the aws_lambda_function, and then decrypt it inside your function. This all works!
However aws_kms_ciphertext returns a different value for every plan, even if the plaintext didn't change - this is consistent with the AWS CLI. This means that every single plan contains a change to the Lambda environment variables. Now I could suppress this with a lifecycle ignore_changes... but if I did that, I wouldn't then be able to actually change the environment variables without tainting the aws_lambda_function, right?
Is there a better way to do this? What's the best practice for Terraforming sensitive environment variables for Lambda functions?
Oli
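The configuration the question describes, written out as an added example that is not part of the original post: the KMS key, the aws_kms_ciphertext data source, and a Lambda function that receives only the ciphertext_blob in its environment. The key, role, variable and handler names (and the handler.zip file) are assumed placeholders, and the commented-out lifecycle block is the suppression the question mentions.

```hcl
# Added example, not code from the original post. Names are placeholders.

# Terraform 0.14+ for the sensitive flag; on older versions drop that line.
variable "api_key" {
  type      = string
  sensitive = true
}

resource "aws_kms_key" "lambda_secrets" {
  description = "Encrypts secrets passed to the Lambda function as environment variables"
}

# Encrypts the secret at plan time. KMS returns a fresh ciphertext on every
# call, so this value differs on every plan even when the plaintext is the same.
data "aws_kms_ciphertext" "api_key" {
  key_id    = aws_kms_key.lambda_secrets.key_id
  plaintext = var.api_key
}

data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "lambda" {
  name               = "example-lambda-role"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

# The function can only decrypt the blob if its execution role is allowed
# kms:Decrypt; scope the grant to the single key rather than "*".
data "aws_iam_policy_document" "decrypt" {
  statement {
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.lambda_secrets.arn]
  }
}

resource "aws_iam_role_policy" "decrypt" {
  role   = aws_iam_role.lambda.id
  policy = data.aws_iam_policy_document.decrypt.json
}

resource "aws_lambda_function" "example" {
  function_name = "example"
  role          = aws_iam_role.lambda.arn
  handler       = "handler.main"
  runtime       = "python3.9"
  filename      = "handler.zip"

  environment {
    variables = {
      # Only the ciphertext reaches the function configuration; anyone who can
      # read the configuration sees the blob, not the secret. The handler calls
      # kms:Decrypt on it at start-up and caches the plaintext in memory.
      API_KEY_CIPHERTEXT = data.aws_kms_ciphertext.api_key.ciphertext_blob
    }
  }

  # Uncommenting this stops the per-plan diff, at the cost the question notes:
  # later changes to the environment block are also ignored until the
  # resource is tainted or the block is removed again.
  # lifecycle {
  #   ignore_changes = [environment]
  # }
}
```

Two things worth checking in a setup like this: that the execution role's kms:Decrypt grant is limited to the one key (the Lambda environment is readable by anyone with lambda:GetFunctionConfiguration, so the key policy and the role policy are what actually protect the secret), and that the plaintext variable is not written to state or plan output in a form that is logged elsewhere.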