Skip to content
/ terraform-google-gcloud-kms-secure-decoder Public

A Terraform module to perform KMS Decoding which will prevent plaintext secrets to be in your state file

1 star 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

AndrewFarley/terraform-google-gcloud-kms-secure-decoder

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
README.md
README.md
 
 
get-secret.py
get-secret.py
 
 
main.tf
main.tf
 
 

Repository files navigation

Terraform Module - Google Cloud KMS Decoder

Google Cloud KMS Secrets if you decode them in Terraform will have their plaintext value show up in the state file, which on most strict compliance and regulatory entities is a huge red flag. Secrets plaintext should NEVER live anywhere on any system, and should only ever be requested when they need to be used. And naturally only stored in memory during runtime.

Requirements

  • Must have a Python interpreter installed
  • Must be using a Unix-ey machine (linux/osx) (sorry Windows)
  • Must have GCLoud CLI installed

Usage

First, create the KMS Key Ring and Crypto Key

variable "project" { value = "my-project-name" }
variable "region" { value = "europe-west1" }

resource "google_kms_key_ring" "secrets" {
  name     = "my-secrets"
  location = "${var.region}"
}
resource "google_kms_crypto_key" "secrets" {
  name     = "my-secrets"
  key_ring = "${google_kms_key_ring.secrets.id}"
}

Next, create a secret (easier to do via shell...)

echo -n "SECRET GOES HERE" | gcloud kms encrypt \
--project my-project-name     \
--location europe-west1       \
--keyring my-secrets          \
--key my-secrets              \
--plaintext-file -            \
--ciphertext-file -           \
| base64 --wrap=0 && echo ""
# The output will look something like this...
CiQAHZpVct7KFNwG7IP3zp/asl1n912bih1281h2n1h8aW3iMGAOOJv1SIyEI=

Then expand your original TF script above to have...

variable "project" { value = "my-project-name" }
variable "region" { value = "europe-west1" }
variable "ciphertext" { value = "CiQAHZpVct7KFNwG7IP3zp/asl1n912bih1281h2n1h8aW3iMGAOOJv1SIyEI="}

resource "google_kms_key_ring" "secrets" {
  name     = "my-secrets"
  location = "${var.region}"
}
resource "google_kms_crypto_key" "secrets" {
  name     = "my-secrets"
  key_ring = "${google_kms_key_ring.secrets.id}"
}
module "secret" {
  source     = "AndrewFarley/gcloud-kms-secure-decoder/google"
  version    = "1.0.2"
  region     = "${var.region}"
  keyring    = "my-secrets"
  key        = "my-secrets"
  ciphertext = "${var.ciphertext}"
}
output "plaintext" {
  value = "${module.secret.plaintext}"
}

Now you can safely store that KMS ciphertext inside your tfvars files, and not worry that their plaintext equivalent will ever be inside your project or your state file.

Author, Support, Feedback, Questions

Module created and managed by Farley - farley at neonsurge dot com

Please feel free to file Github bugs if you find any or suggestions for features! If you're technically minded, please feel free to fork and make your own modifications. If you make any fixed/changes that are awesome, please send me pull requests or patches.

If you have any questions/problems beyond that, feel free to email me.

License

Apache 2 Licensed. See LICENSE for full details.

About

A Terraform module to perform KMS Decoding which will prevent plaintext secrets to be in your state file

Resources

Readme
Activity

Stars

1 star

Watchers

3 watching

Forks

2 forks
Report repository

Releases 2

Fixing sensitive outputs Latest
Dec 6, 2018
+ 1 release

Packages

No packages published

Languages