Keeping Secrets as Secret on Amazon ECS UsingTerraform

Gizem Gürby Gizem Gür
28 Eylül 2020
4 dk okuma
SOSYAL MEDYADA PAYLAŞIN
TwitterFacebookLinkedInEmail

Last updated on Sep 28, 2020

"Keeping secrets as secret" is one of the most important things on every infrastructure. To protect and manage sensitive data, creating simple workflows is a good starting point. You can increase the protection level even further if you create and manage secrets in a way that you'll never see and touch.

Cloud and automation make that possible for you. On AWS, there are many ways to store sensitive data. Two main services are AWS Systems Manager Parameter Store and AWS Secrets Manager. Though these services are similar at first sight, there are a number of differences between them such as secret rotation functionality, cross-account access and costs.

Amazon ECS enables you to inject sensitive data into your containers by storing your sensitive data in both services. In this post we will take a look at how to store secrets on AWS Systems Manager Parameter Store vs AWS Secrets Manager and how to inject them into Amazon ECS tasks using Terraform.

Creating a Secret

Let's start with creating a randomized password using Terraform's random password generator, which is using a cryptographic random number generator. It is available in all versions of random provider following the v.2.2.0 and later versions.

Remember that, all attributes including generated passwords are stored as plain text in state files. So protect your state files!

resource "random_password" "database_password" {
  length  = 16
  special = false
}

Using AWS Secrets Manager to Store Credentials

Create a secret on AWS Secrets Manager to store the generated password:

resource "aws_secretsmanager_secret" "database_password_secret" {
  name = "/production/database/password/master"
}

resource "aws_secretsmanager_secret_version" "database_password_secret_version" {
  secret_id     = aws_secretsmanager_secret.database_password_secret.id
  secret_string = random_password.database_password.result
}

Create an IAM policy to access stored secret from Amazon ECS task using ECS Task Execution Role:

resource "aws_iam_role_policy" "password_policy_secretsmanager" {
  name = "password-policy-secretsmanager"
  role = aws_iam_role.ecs_task_execution_role.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "secretsmanager:GetSecretValue"
        ],
        "Effect": "Allow",
        "Resource": [
          "${aws_secretsmanager_secret.database_password_secret.arn}"
        ]
      }
    ]
  }
  EOF
}

You can use variables to pass secret ARN to your task template:

data "template_file" "task_template_secretsmanager" {
  template = "${file("./templates/task.json.tpl")}"

  vars = {
    app_cpu           = var.cpu
    app_memory        = var.memory
    database_password = aws_secretsmanager_secret.database_password_secret.arn
  }
}

Create task template as following ./templates/task.json.tpl:

[
  {
    "name": "application",
    "image": "service/latest",
    "cpu": ${app_cpu},
    "memory": ${app_memory},
    "essential": true,
    "secrets": [
      {
        "name": "PASSWORD",
        "valueFrom": "${database_password}"
      }
    ]
  }
]

Create task definition that will use the task template that you just created:

resource "aws_ecs_task_definition" "task_definition_secretsmanager" {
  family                   = "task-secretsmanager"
  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
  requires_compatibilities = ["EC2"]
  cpu                      = var.cpu
  memory                   = var.memory
  network_mode             = "awsvpc"
  container_definitions    = data.template_file.task_template_secretsmanager.rendered
}

Using Parameter Store to Store Credentials

Create SSM parameter to store the generated password:

resource "aws_ssm_parameter" "database_password_parameter" {
	name        = "/production/database/password/master"
	description = "Production environment database password"
	type        = "SecureString"
	value       = random_password.database_password.result
}

Create an IAM policy to access stored parameter from Amazon ECS task using ECS Task Execution Role,

Note that all users within the customer account have access to the default AWS managed key. If you use (or plan to use) customer managed CMK then you also need to give kms:Decrypt permission to ECS Task Execution Role. For more information check here.

resource "aws_iam_role_policy" "password_policy_parameterstore" {
  name = "password-policy-parameterstore"
  role = aws_iam_role.ecs_task_execution_role.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "ssm:GetParameters"
        ],
        "Effect": "Allow",
        "Resource": [
          "${aws_ssm_parameter.database_password_parameter.arn}"
        ]
      }
    ]
  }
  EOF
}

You can use variables to pass parameter store ARN to your task template:

data "template_file" "task_template_parameterstore" {
  template = "${file("./templates/task.json.tpl")}"

  vars = {
    app_cpu           = var.cpu
    app_memory        = var.memory
    database_password = aws_ssm_parameter.database_password_parameter.arn
  }
}

Create task template as following ./templates/task.json.tpl:

[
  {
    "name": "application",
    "image": "service/latest",
    "cpu": ${app_cpu},
    "memory": ${app_memory},
    "essential": true,
    "secrets": [
      {
        "name": "PASSWORD",
        "valueFrom": "${database_password}"
      }
    ]
  }
]

Create task definition that will use the task template that you just created:

resource "aws_ecs_task_definition" "task_definition_parameterstore" {
  family                   = "task-parameterstore"
  execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
  requires_compatibilities = ["EC2"]
  cpu                      = var.cpu
  memory                   = var.memory
  network_mode             = "awsvpc"
  container_definitions    = data.template_file.task_template_parameterstore.rendered
}

Check full source code example from:

Learn more about managing sensitive data:

  • Terraform Random Provider: https://registry.terraform.io/providers/hashicorp/random/latest/docs

  • Specifying Sensitive Data to Amazon ECS: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html

Information

Need help in protecting and managing your sensitive data? Book an Appointment now to implement best practices to ensure full security and compliance!

Yazar hakkında:

author avatar
Gizem Gür

AWS Ambassador & Senior Solutions Architect

Bir zamanlar Software Developer iken şimdi bir AWS Certified Solutions Architect Professional ve AWS Ambassador olan Gizem, profesyonel zorlukları üstlenmeye her zaman heveslidir. İşlerindeki titizliği, bilgisini teknoloji bilgisi yüksek profesyonellerle ve topluluklarla paylaşma tutkusu ile birleşir.

Önerdiğimiz Blog Yazıları

Teknoloji kullanımımız, çözümlerimiz ve rehberlerimizle ilgili en son güncellemeleri ve makaleleri keşfedin.

Amazon Web Services (AWS) Nedir?

Amazon Web Services (AWS) Nedir?

Amazon Web Services (AWS), Amazon tarafından sunulan kapsamlı bir bulut bilişim platformudur. İşletmelerin altyapılarını oluşturmasına, ölçeklendirmesine ve optimize etmesine yardımcı olmak için geniş bir hizmet yelpazesi sunar.

Infrastructure as Code

Infrastructure as Code

Infrastructure as Code enables you to easily manage and provision your resources through code. Here are the advantages and steps of implementation of IaC.

Web Application Protection on AWS

Web Application Protection on AWS

AWS WAF provides a managed Web Application Firewall for your infrastructure. Here are its features and use cases to protect your applications from web exploits.

Tümünü Gör

Dijital Dönüşümünüzü Başlatın

Görüşme Ayarlayın