9

我正在尝试使用 AWS 机密管理器来声明 RDS 管理员凭证。

  1. 将变量 RdsAdminCred 中的 rds.tf 中的凭据声明为键/值对
  2. 在同一个 tf 文件中也声明了秘密
variable "RdsAminCred" {
    default = {
        username = "dbadmin"
        password = "dbadmin#02avia"
    }
    type = map(string)
}

resource "aws_secretsmanager_secret" "RdsAminCred" {
  name = "RdsAminCred"
}
resource "aws_secretsmanager_secret_version" "RdsAminCred" {
  secret_id     = aws_secretsmanager_secret.RdsAminCred.id
  secret_string = jsonencode(var.RdsAminCred)
}
  1. 我不确定如何在下面的声明中使用秘密字符串来替换用户名和密码的硬编码值。
resource "aws_db_instance" "default" {
  identifier            = "testdb"
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.medium"
  name                 = "mydb"
 
  username             = "dbadmin"
  password             = "dbadmin#01avia"

任何帮助表示赞赏..

4

4 回答 4

11

我建议改用该random_password资源。然后您可以在集群配置和机密管理器中引用它。

例子:

resource "random_password" "master_password" {
  length  = 16
  special = false
}

resource "aws_rds_cluster" "default" {
  cluster_identifier = "my-cluster"
  
  master_username = "admin"
  master_password = random_password.default_master_password.result

  # other configurations
  # .
  # .
  # .
}

resource "aws_secretsmanager_secret" "rds_credentials" {
  name = "credentials"
}

resource "aws_secretsmanager_secret_version" "rds_credentials" {
  secret_id     = aws_secretsmanager_secret.rds_credentials.id
  secret_string = <<EOF
{
  "username": "${aws_rds_cluster.default.master_username}",
  "password": "${random_password.master_password.result}",
  "engine": "mysql",
  "host": "${aws_rds_cluster.default.endpoint}",
  "port": ${aws_rds_cluster.default.port},
  "dbClusterIdentifier": "${aws_rds_cluster.default.cluster_identifier}"
}
EOF
}
于 2021-06-10T20:07:57.380 回答
10

我会有一个 TF 配置来设置您的密钥并将其存储在 AWS Secrets Manager 中,就像这样。

resource "random_password" "master"{
  length           = 16
  special          = true
  override_special = "_!%^"
}

resource "aws_secretsmanager_secret" "password" {
  name = "test-db-password"
}

resource "aws_secretsmanager_secret_version" "password" {
  secret_id = aws_secretsmanager_secret.password.id
  secret_string = random_password.master.result
}

然后在您的数据库的单独 TF 配置中,您可以使用来自 AWS Secrets Manager 的密钥。

data "aws_secretsmanager_secret" "password" {
  name = "test-db-password"

}

data "aws_secretsmanager_secret_version" "password" {
  secret_id = data.aws_secretsmanager_secret.password
}

resource "aws_db_instance" "default" {
  identifier            = "testdb"
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.medium"
  name                 = "mydb"
 
  username             = "dbadmin"
  password             = data.aws_secretsmanager_secret_version.password

在上面的评论中,Asri Badlah 建议在控制台中手动输入密码。我想你可以做到这一点。然而,这种方法确实开始偏离 IaC 的基本原则 - 将所有内容置于源代码控制中。当然,您不想将密码、私钥等检查到源代码控制中。但是在这里,你可以看到我们没有这样做。我们用一个配置填充一个秘密,并用另一个配置来使用它。这确保了代码可以签入源代码管理,但密码不能签入。

就状态而言,密码确实会在 TF 状态下被存储和破译。但是,如果您使用适当的状态管理,这应该不是问题。理想情况下,您会希望使用远程状态、加密且访问受限。

最后一点,我不会像 Evan Closson 建议的那样只使用 random_password 。这种方法意味着您的数据库密码 100% 由 Terraform 管理。通过使用 Secrets Manager,您的密码由服务管理,这意味着您可以执行其他操作,例如轮换密码(未显示)和检索密码,而无需依赖 Terraform(例如 terraform 输出或破解打开状态文件) .

于 2021-06-30T19:46:25.777 回答
1

在您的 Terraform 代码中,您可以使用 aws_secretsmanager_secret_version 数据源来读取此密钥:

data "aws_secretsmanager_secret_version" "creds" {
  # write your secret name here
  secret_id = "your_secret"
}

使用 jsondecode 从 JSON 解析秘密:

locals {
  your_secret = jsondecode(
    data.aws_secretsmanager_secret_version.creds.secret_string
  )
}

现在将秘密传递给 RDS:

resource "aws_db_instance" "example" {
  engine               = "engine"
  engine_version       = "version"
  instance_class       = "instance"
  name                 = "example"
  # Set the secrets from AWS Secrets Manager
  username = local.your_secret.username
  password = local.your_secret.password
}
于 2021-01-06T22:42:50.640 回答
0 
variable "RdsAdminCred" {
  default = {
    username = "dbadmin"
    password = "dbadmin#02avia"
  }
  type = map(string)
}

resource "aws_secretsmanager_secret" "RdsAdminCred" {
  name = "RdsAdminCred"
}
resource "aws_secretsmanager_secret_version" "RdsAdminCred" {
  secret_id     = aws_secretsmanager_secret.RdsAdminCred.id
  secret_string = jsonencode(var.RdsAdminCred)
}

创建秘密后,您需要从那里获取数据

data "aws_secretsmanager_secret" "env_secrets" {
  name = "RdsAdminCred"
  depends_on = [
    aws_secretsmanager_secret.RdsAdminCred
  ]
}
data "aws_secretsmanager_secret_version" "current_secrets" {
  secret_id = data.aws_secretsmanager_secret.env_secrets.id
}
resource "aws_db_instance" "default" {
  identifier        = "testdb"
  allocated_storage = 20
  storage_type      = "gp2"
  engine            = "mysql"
  engine_version    = "5.7"
  instance_class    = "db.t2.medium"
  name              = "mydb"

  username = jsondecode(data.aws_secretsmanager_secret_version.current_secrets.secret_string)["username"]
  password = jsondecode(data.aws_secretsmanager_secret_version.current_secrets.secret_string)["password"]
}
于 2021-12-21T10:32:29.137 回答