NOTE: This repo contains only the documentation for the private BoltOps Pro repo code. Original file: https://github.com/boltopspro/secrets-manager/blob/master/README.md The docs are published so they are available for interested customers. For access to the source code, you must be a paying BoltOps Pro subscriber. If you are interested, you can contact us at contact@boltops.com or https://www.boltops.com
This blueprint provisions a SecretsManager Secret. It is useful for testing out Secrets Manager and then being able to clean up all the resources after testing.
- Several AWS::SecretsManager::Secret properties are configurable with Parameters. Additionally, properties that require further customization are configurable with Variables.
- Add blueprint to Gemfile
- Configure: configs/secrets-manager values
- Deploy
Add the blueprint to your lono project's Gemfile:
gem "secrets-manager", git: "git@github.com:boltopspro/secrets-manager.git"
First you want to configure the config files. Use lono seed to configure starter values quickly.
lono seed secrets-manager
The generated files in the configs/secrets-manager folder look something like this:
configs/secrets-manager/
├── params
│   └── development.txt
└── variables
    └── development.rb
Here's an example of the params file:
configs/secrets-manager/params/development.txt:
# Parameter Group: AWS::SecretsManager::Secret
# Description=
# KmsKeyId=
# Name=
# SecretString=
AWS recommends generating a random value for the secret rather than hardcoding it with the SecretString property. We achieve that with the @generate_secret_string variable. Here's an example:
configs/secrets-manager/variables/development.rb:
@generate_secret_string = {
  SecretStringTemplate: '{"username":"test-user"}',
  GenerateStringKey: "password",
  PasswordLength: 30,
  ExcludeCharacters: '"@/\\'
}
Use the lono cfn deploy command to deploy. Example:
lono cfn deploy secrets-manager --blueprint secrets-manager --sure
By leveraging the lono Stack Name and CLI conventions, we can organize the config files in a way that matches the stack name. Example:
lono cfn deploy secret-1 --blueprint secrets-manager
lono cfn deploy secret-2 --blueprint secrets-manager
These use the corresponding config files:
configs/secrets-manager/development/secret-1.txt
configs/secrets-manager/development/secret-2.txt
If you elect to use SecretString instead, you must set @generate_secret_string = nil. Example:
configs/secrets-manager/params/development.txt:
# Parameter Group: AWS::SecretsManager::Secret
SecretString=secret-value
configs/secrets-manager/variables/development.rb:
@generate_secret_string = nil
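The two configurations above are mutually exclusive: a literal SecretString in the params file requires @generate_secret_string to be nil, and the generated variant needs a valid JSON SecretStringTemplate. The following pre-deploy check is an added example, not lono's or the blueprint's own code; it parses the Key=value params format shown above (a constructed parser, not lono's) and applies an assumed local policy minimum for PasswordLength.

```ruby
require "json"

# Parse a lono-style params file: blank lines and "#" comments are skipped,
# every other line is Key=value. Constructed parser, not lono's own.
def parse_params(text)
  text.each_line.with_object({}) do |line, params|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split("=", 2)
    params[key.strip] = value.to_s.strip
  end
end

# Assumed local policy, not an AWS or lono limit.
MIN_PASSWORD_LENGTH = 16

# Check the params hash against the @generate_secret_string variable.
# Returns a list of problems; an empty list means the config is consistent.
def validate_secret_config(params, generate_secret_string)
  problems = []
  has_literal = !params["SecretString"].to_s.empty?
  if has_literal && generate_secret_string
    problems << "SecretString is set: @generate_secret_string must be nil"
  elsif !has_literal && generate_secret_string.nil?
    problems << "neither SecretString nor @generate_secret_string set: secret has no value"
  end
  return problems if generate_secret_string.nil?

  g = generate_secret_string
  begin
    template = JSON.parse(g[:SecretStringTemplate].to_s)
    problems << "SecretStringTemplate must be a JSON object" unless template.is_a?(Hash)
  rescue JSON::ParserError
    problems << "SecretStringTemplate is not valid JSON"
  end
  problems << "GenerateStringKey is required" if g[:GenerateStringKey].to_s.empty?
  if g[:PasswordLength].to_i < MIN_PASSWORD_LENGTH
    problems << "PasswordLength #{g[:PasswordLength]} below policy minimum #{MIN_PASSWORD_LENGTH}"
  end
  problems
end

# Constructed samples mirroring the two configurations shown above.
GENERATED = { SecretStringTemplate: '{"username":"test-user"}', GenerateStringKey: "password",
              PasswordLength: 30, ExcludeCharacters: '"@/\\' }
LITERAL_PARAMS = parse_params("# Parameter Group: AWS::SecretsManager::Secret\nSecretString=secret-value\n")
puts validate_secret_config({}, GENERATED).inspect             # []
puts validate_secret_config(LITERAL_PARAMS, GENERATED).inspect # mutual-exclusion error
```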