SECURE ACCESS FOR USE OF TERRAFORM (PART-8)

Updated: Aug 9, 2020



Hello Readers, hope you are doing well and enjoying the articles on Terraform. This is the eighth part of the series; if you have missed the previous parts, feel free to read them first for better understanding.


In this part, we are going to look at how to configure AWS credentials for Terraform so that they are hard to compromise and never end up in source control, and at the end we will look at how to handle and encrypt sensitive values while working with Terraform. So let's begin...




Handling access and secret keys the right way


Till now, we have been hard coding the access_key and secret_key parameters (alongside the region) within providers.tf.

This is not the right way to do things: keys sitting in a configuration file are easy to compromise, and as soon as the code is pushed to a GitHub repository the keys are visible to anyone who can read it (and they stay in the commit history even after being removed from the file).

To get rid of this, the keys should never live in the Terraform code at all. Configure them through the awscli, which stores them in ~/.aws/credentials outside the repository, or better still use an IAM role so that no long-lived key exists.

Steps to install awscli on a CentOS system are as below

  • Login with the root user on the Linux box (a normal user should have sudo access)

  • yum install epel-release -y

  • yum install python-pip -y

  • pip install awscli

  • aws configure (prompts for the access key, secret key, default region and output format, and writes them to ~/.aws/credentials and ~/.aws/config in the home directory, not in the project)

  • If we are running Terraform from an EC2 instance, we can attach an IAM role (instance profile) to the instance and get rid of long-lived keys completely. Give that role only the permissions the Terraform code actually needs rather than admin access: the runner becomes the most valuable box in the account, and whoever compromises it inherits the role.

  • With either approach, the access_key and secret_key arguments can be removed from providers.tf; the AWS provider looks up credentials from environment variables, the shared credentials file, or the instance metadata service on its own.
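As an added example (not code from the original post), here is a providers.tf with no credential arguments at all, together with the bootstrap IAM resources that give an EC2-hosted Terraform runner a least-privilege instance profile. The role name, the AMI ID and the permission list are placeholders chosen for this illustration; this bootstrap configuration has to be applied once by an operator who already has credentials, after which the runner never sees a key.

```hcl
# providers.tf: no access_key / secret_key. The AWS provider resolves
# credentials from environment variables, ~/.aws/credentials, or the EC2
# instance metadata service on its own.
provider "aws" {
  region = "us-east-1"
}

# Trust policy: only the EC2 service may assume this role, i.e. instances
# launched with the instance profile defined below.
data "aws_iam_policy_document" "runner_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "runner" {
  name               = "terraform-runner" # placeholder name (assumption)
  assume_role_policy = data.aws_iam_policy_document.runner_trust.json
}

# Permissions policy: only what this workspace manages (Elastic IPs in this
# series), not AdministratorAccess. Extend it per workspace as needed.
data "aws_iam_policy_document" "runner_permissions" {
  statement {
    actions = [
      "ec2:AllocateAddress",
      "ec2:ReleaseAddress",
      "ec2:DescribeAddresses",
      "ec2:CreateTags",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "runner" {
  name   = "terraform-runner-permissions"
  role   = aws_iam_role.runner.id
  policy = data.aws_iam_policy_document.runner_permissions.json
}

resource "aws_iam_instance_profile" "runner" {
  name = "terraform-runner"
  role = aws_iam_role.runner.name
}

# The runner itself. No keys are ever copied onto the box: Terraform on it
# obtains short-lived credentials from IMDS. IMDSv2 is required so that an
# SSRF bug in some other service on the host cannot simply fetch them.
resource "aws_instance" "runner" {
  ami                  = "ami-0123456789abcdef0" # placeholder AMI (assumption)
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.runner.name

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}
```

Once the instance is up, `terraform apply` on it works with the same providers.tf and nothing else; rotating or revoking access is a matter of editing the role, not hunting for copies of a key.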



Provider use case: Resources in multiple regions



In scenarios where specific resources have to be created in different regions, the provider configuration offers the alias argument: every provider "aws" block with an alias is a separate provider instance with its own region (and, if needed, its own profile or assumed role), and a resource picks one with provider = aws.<alias>. Resources without a provider argument use the block that has no alias.
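As an added example (not code from the original post), two aliased providers in different regions and a cross-region VPC peering between them, which is a case where one resource must be created in each region. The alias name and the CIDR blocks are assumptions made for this illustration.

```hcl
# Default provider: resources with no provider argument land in us-east-1.
provider "aws" {
  region = "us-east-1"
}

# Second provider instance for Mumbai; selected with provider = aws.mumbai.
provider "aws" {
  alias  = "mumbai"
  region = "ap-south-1"
}

resource "aws_vpc" "east" {
  cidr_block = "10.10.0.0/16" # assumption
}

resource "aws_vpc" "mumbai" {
  provider   = aws.mumbai
  cidr_block = "10.20.0.0/16" # assumption
}

# The requester side is created in us-east-1 by the default provider.
# auto_accept must stay false: a cross-region peering cannot be accepted
# from the requester's region.
resource "aws_vpc_peering_connection" "east_to_mumbai" {
  vpc_id      = aws_vpc.east.id
  peer_vpc_id = aws_vpc.mumbai.id
  peer_region = "ap-south-1"
  auto_accept = false
}

# The accepter side must be created through the ap-south-1 provider.
resource "aws_vpc_peering_connection_accepter" "mumbai" {
  provider                  = aws.mumbai
  vpc_peering_connection_id = aws_vpc_peering_connection.east_to_mumbai.id
  auto_accept               = true
}
```

The same pattern applies to modules: pass the aliased instance with providers = { aws = aws.mumbai } in the module block so that everything inside it is created in the second region.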





Handling Multiple AWS profiles with providers

AWS allows us to work with multiple AWS accounts through named profiles in ~/.aws/credentials and ~/.aws/config (created with aws configure --profile <name>).

If we have to deal with multiple accounts, we can point an aliased provider in providers.tf at a profile, as below.

Let's say we have to create an Elastic IP in each account.



main.tf

resource "aws_eip" "myeip" {
  vpc = true    # boolean, not the string "true"
}

resource "aws_eip" "myeip01" {
  provider = aws.aws02    # Terraform 0.12+ syntax; 0.11 wrote this as "aws.aws02"
  vpc      = true
}

providers.tf

# Default provider: credentials from the default profile, environment or instance role
provider "aws" {
  region = "us-east-1"
}

# Second account: named profile [project1] from ~/.aws/credentials
provider "aws" {
  alias   = "aws02"
  region  = "ap-south-1"
  profile = "project1"
}

Assume Role with STS in Terraform

Alternatively, we can create an IAM role in the target account with all the required permissions and ask Terraform to assume it through STS by adding the configuration below. The credentials Terraform starts with then only need sts:AssumeRole on that role, and the temporary session credentials expire on their own. The external_id is an extra shared value that the role's trust policy can require; it protects against the confused-deputy problem when the role is assumed on behalf of another party.



provider "aws" {
  assume_role {
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"   # role in the target account
    session_name = "SESSION_NAME"                              # appears in CloudTrail
    external_id  = "EXTERNAL_ID"                               # only if the trust policy requires it
  }
}
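As an added example (not code from the original post), the other half of the picture: the trust policy on the role in the target account, restricted to one source principal and an external ID, and the provider block in the source configuration that assumes it, followed by a check of which identity the run is actually using. The account IDs, role names and the policy attached to the role are placeholders chosen for this illustration.

```hcl
# Shared secret agreed between the two accounts. Declared in both root
# modules; pass it with TF_VAR_external_id and never commit it in a .tfvars.
variable "external_id" {
  type        = string
  description = "External ID required by the target account's trust policy"
}

# --- Applied in the TARGET account (222222222222, assumption) ---

data "aws_iam_policy_document" "deploy_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    # Only this principal in the source account may assume the role.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:role/terraform-runner"] # assumption
    }
    # Confused-deputy guard: knowing the role ARN is not enough,
    # the caller must also present the external ID.
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "deploy" {
  name                 = "terraform-deploy" # assumption
  assume_role_policy   = data.aws_iam_policy_document.deploy_trust.json
  max_session_duration = 3600 # one hour is plenty for an apply
}

resource "aws_iam_role_policy_attachment" "deploy" {
  role       = aws_iam_role.deploy.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2FullAccess" # placeholder; scope down per workspace
}

# --- In the SOURCE account's configuration (111111111111, assumption) ---

provider "aws" {
  alias  = "target"
  region = "us-east-1"

  assume_role {
    role_arn     = "arn:aws:iam::222222222222:role/terraform-deploy"
    session_name = "terraform-${terraform.workspace}" # traceable in CloudTrail
    external_id  = var.external_id
  }
}

# Sanity check: confirm the run is operating as the assumed role,
# not as whatever identity the runner started with.
data "aws_caller_identity" "target" {
  provider = aws.target
}

output "deploying_as" {
  value = data.aws_caller_identity.target.arn
}
```

If the trust policy and the provider block disagree on the external ID, the plan fails at provider initialisation with an AccessDenied from STS, which is exactly the behaviour we want from a misconfigured or unauthorised caller.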
 
 

All in all, we learned here the best practices related to the security of Terraform credentials. We should always try to avoid long-lived access keys with Terraform: prefer an instance role or an assumed role, and if keys are unavoidable keep them in the awscli configuration, never in the .tf files.


Handling Sensitive data

Let's say there are values in the Terraform configuration or some output values that are sensitive and should not be displayed on the screen during plan and apply. We can declare such an output (and, from Terraform 0.14 onwards, an input variable) as sensitive with sensitive = true, which makes Terraform redact it in its output. Note that the value is still stored in plaintext in the state file, so the state itself must be protected and encrypted as well.
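As an added example (not code from the original post), a configuration that generates a secret inside Terraform, stores it encrypted in SSM Parameter Store, marks the related output and variable as sensitive, and keeps the state in an encrypted, locked S3 backend. The parameter path, bucket, table and KMS key ARN are placeholders chosen for this illustration; the random_password resource comes from the hashicorp/random provider.

```hcl
terraform {
  required_providers {
    random = {
      source = "hashicorp/random"
    }
  }

  # The state file holds every value in plaintext, so encrypt it at rest
  # with KMS and lock it to avoid concurrent applies.
  backend "s3" {
    bucket         = "project1-terraform-state"                                           # assumption
    key            = "part8/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    kms_key_id     = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000" # placeholder
    dynamodb_table = "terraform-state-locks"                                              # assumption
  }
}

# Input variables can be marked sensitive since Terraform 0.14; the value
# is redacted in plan and apply output wherever it is used.
variable "db_username" {
  type      = string
  sensitive = true
}

# Generate the secret in Terraform instead of typing it into a .tfvars file.
resource "random_password" "db" {
  length  = 24
  special = true
}

# Customer-managed key for application secrets, with automatic rotation.
resource "aws_kms_key" "secrets" {
  description         = "Encrypts application secrets managed by Terraform"
  enable_key_rotation = true
}

# SecureString parameters are encrypted at rest with the given KMS key,
# so the application reads the secret from SSM rather than from state or outputs.
resource "aws_ssm_parameter" "db_password" {
  name   = "/project1/db/password" # assumption
  type   = "SecureString"
  key_id = aws_kms_key.secrets.key_id
  value  = random_password.db.result
}

# Sensitive output: `terraform apply` prints <sensitive> instead of the value.
# It remains readable with `terraform output -raw db_password` by anyone
# who can read the state, which is why the backend above is encrypted.
output "db_password" {
  value     = random_password.db.result
  sensitive = true
}

output "db_password_parameter" {
  value = aws_ssm_parameter.db_password.name
}
```

In practice, hand consumers the parameter name (the second output) and let them fetch the value with their own IAM permissions on SSM and the KMS key; that keeps the secret out of CI logs and out of every copy of the Terraform output.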





Code is available for reference at: LinuxAdvise GitHubRepo


Thanks for reading :)







