SecretManagement for Terraform and Ansible

Fri, 05 Oct 2018 22:31:32 +0200

In this quick article, I’ll show you how I use AWS SSM Parameter Store as glue between Terraform and Ansible.

For a personal project, I needed to pass some parameters (key/value) and secrets (encrypted) from my IaC Terraform to Ansible.

AWS SSM Parameter Store is a secure key-value store, a native EC2 functionality.

Parameter Store offers the following benefits and features:

Use a secure, scalable, hosted secrets management service (No servers to manage).
Improve your security posture by separating your data from your code.
Store configuration data and secure strings in hierarchies and track versions.
Control and audit access at granular levels.
Configure change notifications and trigger automated actions.
Tag parameters individually, and then secure access from different levels, including operational, parameter, EC2 tag, or path levels.
Reference AWS Secrets Manager secrets by using Parameter Store parameters.
Use Parameter Store parameters with other Systems Manager capabilities and AWS services to retrieve secrets and configuration data from a central store. The following AWS services support Parameter Store parameters: Amazon EC2, Amazon Elastic Container Service, AWS Lambda, AWS CloudFormation, AWS CodeBuild, and AWS CodeDeploy.
Configure integration with AWS KMS, Amazon SNS, Amazon CloudWatch, and AWS CloudTrail for encryption, notification, monitoring, and audit capabilities.

Set SSM secrets the right way:

Glue on zoph.me