AWS Secrets

Note: Premium video content requires a subscription.

The aws_secret helper fetches secret data from AWS Secrets Manager.

Example

config/stacks/demo/tfvars/dev.tfvars

user = "<%= aws_secret("demo-:ENV-user") %>"
pass = "<%= aws_secret("demo-:ENV-pass") %>"

For example if you have these secret values:

$ aws secretsmanager get-secret-value --secret-id demo-dev-user | jq '.SecretString'
bob
$ aws secretsmanager get-secret-value --secret-id demo-dev-pass | jq '.SecretString'
test

.terraspace-cache/us-west-2/dev/stacks/demo/1-dev.auto.tfvars

user = "bob"
pass = "test"

Automatic Expansion

Notice how :ENV is expanded in the example above. Support for this was automatically added in terraspace_plugin_aws 0.3.6.

To selectively disable expansion you can provide the expand: false option.

config/stacks/demo/tfvars/dev.tfvars

user = "<%= aws_secret("demo-:ENV-user, expand: false") %>"
pass = "<%= aws_secret("demo-:ENV-pass, expand: false") %>"

More tools: