Securely Managing Database Passwords in AWS with Terraform and AWS Secrets Manager
Managing sensitive data like database passwords securely is crucial in cloud environments. AWS Secrets Manager, in combination with Terraform, provides a robust solution for storing and accessing these secrets. In this project, we'll demonstrate the seamless integration of AWS Secrets Manager with Terraform to securely store and manage our database password. The goal is to create an Amazon RDS instance and an EC2 instance, both accessing the database password securely stored in AWS Secrets Manager. This approach enhances security by eliminating the need to store passwords directly in code.
Setting Up AWS Provider in Terraform:
First, we configure the required provider and set the region. Here we use the AWS provider with the region set to "us-east-1". To do this, we create the main.tf file and add the following code:
Creating Secrets in AWS Secrets Manager with Terraform:
Now, to store our database password in AWS Secrets Manager, we create a secret. For this we make a file named secret.tf and add the following code:
Create an Amazon RDS Instance
Next, we create an Amazon RDS instance whose master password is read from the secret stored in Secrets Manager rather than written into the configuration. For this, we create a new file named rds.tf and add the following code:
resource "aws_db_instance" "example" {
  allocated_storage    = 20
  storage_type         = "gp2"
  engine               = "postgres"
  engine_version       = "13.8"
  instance_class       = "db.t3.micro"
  username             = "myusername"
  # Master password is pulled from the secret version defined in secret.tf, not hard-coded here
  password             = aws_secretsmanager_secret_version.db_password.secret_string
  parameter_group_name = "default.postgres13"
  skip_final_snapshot  = true
}
Next, we create an Amazon EC2 instance that connects to the database using the stored secret. To do this, we create a new file named ec2.tf and add the following code:
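As an added example (not the post's own secret.tf or ec2.tf), here is one way to wire the secret and the instance together so that the instance is granted read access to exactly this secret and retrieves the password at runtime, instead of receiving it through Terraform. The db_password secret version matches the name rds.tf references; the random provider, the IAM names, the secret name and the AMI value are assumptions.

```hcl
# Added example (not the post's own secret.tf/ec2.tf). The random provider
# and all resource names other than db_password are assumptions.
resource "random_password" "db" {
  length  = 32
  special = false # RDS rejects '/', '"', '@' and spaces; 32 alphanumerics is ample entropy
}

resource "aws_secretsmanager_secret" "db_password" {
  name = "example/rds/db_password"
}

# This is the version rds.tf reads as aws_secretsmanager_secret_version.db_password
resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id     = aws_secretsmanager_secret.db_password.id
  secret_string = random_password.db.result
}

# Instance role that may read this one secret and nothing else
resource "aws_iam_role" "db_reader" {
  name = "example-db-secret-reader"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "ec2.amazonaws.com" } }]
  })
}

resource "aws_iam_role_policy" "read_db_secret" {
  role = aws_iam_role.db_reader.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "secretsmanager:GetSecretValue"
      Resource = aws_secretsmanager_secret.db_password.arn
    }]
  })
}

resource "aws_iam_instance_profile" "db_reader" {
  name = "example-db-secret-reader"
  role = aws_iam_role.db_reader.name
}

# The instance gets the role, not the password: it calls GetSecretValue at runtime
resource "aws_instance" "example" {
  ami                  = "ami-PLACEHOLDER" # placeholder: choose an AMI valid in us-east-1
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.db_reader.name
}
```

Terraform state still records the generated password (as the secret version and as the RDS password attribute), so the state backend needs the same access controls as the secret itself.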
Once the resource definitions are in place, we generate and review an execution plan. It is good practice to run "terraform plan" after "terraform init" to preview the changes before applying them.
terraform init
terraform plan
terraform apply
Terraform will ask for confirmation before making changes. If everything appears correct, type "yes" and hit enter.
Great, the apply is complete! Terraform has successfully created four resources.
Upon completion, you'll have an RDS database, an EC2 instance, and a Secrets Manager secret holding the database password. In your source code, you reference that secret instead of a plain-text password.
Our instance and database have been created successfully.
Our primary goal was to confirm that the database password is stored in Secrets Manager. Let's check that now.
The secret has been created in Secrets Manager, and the database password is stored in it.
Destroy Your Infrastructure
Lastly, when the task is complete, we may want to destroy the resources to avoid unnecessary costs. Terraform simplifies this with the 'destroy' command, which deletes every resource managed by the configuration.
To execute this, simply type 'terraform destroy' and hit enter.
terraform destroy
Great, it shows in our terminal that the four resources have been successfully destroyed.
In conclusion, by following the above steps, we've stored the database password securely in AWS Secrets Manager and referenced it from our Terraform configuration instead of hard-coding it.