How to Handle Sensitive Data Securely in Terraform

Managing Sensitive Data in Terraform with AWS Secrets Manager

In modern DevOps practices, managing sensitive data securely is crucial for maintaining both operational efficiency and security. Hardcoding passwords or other sensitive information in your Terraform configurations can expose them to risks such as data breaches or unauthorized access. Fortunately, Terraform allows you to use secure services like AWS Secrets Manager to securely manage secrets like EC2 admin passwords, database login credentials, preventing these risks.

In this post, we’ll explore how to securely manage an EC2 admin password using Terraform and AWS Secrets Manager, following best practices for secret management.

Why Manage Sensitive Data Securely?

Sensitive data, such as passwords and access keys, must be protected both in transit and at rest. By storing these secrets in a service like AWS Secrets Manager instead of directly in your Terraform configuration, you can:

• Prevent accidental exposure of secrets through version control systems.
• Leverage encryption for added security.
• Rotate secrets periodically to improve security hygiene.
• Enforce access control using IAM policies to ensure only authorized users and services can access secrets.

Example Setup: Managing EC2 Admin Password

Let’s break down the two Terraform files we will use: main.tf and variables.tf.

variables.tf (Storing the EC2 Admin Password Securely)

In variables.tf, we define the EC2 admin password as a variable, allowing us to securely pass the value to Terraform without hardcoding it directly in the configuration.

variable "ec2_admin_password" {
  description = "The admin password for the EC2 instance"
  type        = string
  sensitive   = true
}

The sensitive = true flag tells Terraform to treat this variable as sensitive, meaning it won't be displayed in the Terraform output or logs.

main.tf (Configuring the EC2 Instance and Secret Manager)

Now, let’s configure the resources. We'll create a secret in AWS Secrets Manager to store the EC2 admin password securely. We'll also set up the EC2 instance and its SSH key pair.

provider "aws" {
  region = "us-east-1"
}

# Create a Secret in AWS Secrets Manager
resource "aws_secretsmanager_secret" "ec2_admin_password_secret" {
  name        = "EC2AdminPassword"
  description = "Admin password for the EC2 instance"
}

resource "aws_secretsmanager_secret_version" "ec2_admin_password_version" {
  secret_id     = aws_secretsmanager_secret.ec2_admin_password_secret.id
  secret_string = jsonencode({ admin_password = var.ec2_admin_password })
}

# Create a Key Pair for SSH Access
resource "aws_key_pair" "key_pair" {
  key_name   = "my-key"
  public_key = file("C:\\Users\\madus\\.ssh\\my-key.pub") 
}

# Security Group for EC2
resource "aws_security_group" "ec2_security_group" {
  name        = "ec2_security_group"
  description = "Allow SSH and HTTP access"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # Adjust for better security in production
  }

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Launch an EC2 Instance
resource "aws_instance" "web_server" {
  ami           = "ami-0e2c8caa4b6378d8c" #Ubuntu AMI
  instance_type = "t2.micro"

  key_name = aws_key_pair.key_pair.key_name
  security_groups = [
    aws_security_group.ec2_security_group.name
  ]

  user_data = <<-EOT
              #!/bin/bash
              apt update -y
              apt install -y apache2
              systemctl start apache2
              systemctl enable apache2
              echo "Admin password is stored securely!" > /var/www/html/index.html
              EOT

  tags = {
    Name = "WebServer"
  }
}

output "instance_public_ip" {
  value = aws_instance.web_server.public_ip
  description = "Public IP of the EC2 instance"
}

Just after initializing terraform,hit terraform apply. You'll see the prompt to enter admin password for the EC2 instance.

Password for the EC2 instance successfully created an stored securely.

Explanation of the Terraform Configuration:

1. AWS Secrets Manager: We create a secret to store the EC2 admin password, which is then referenced by the aws_secretsmanager_secret_version resource to securely store the password.
2. SSH Key Pair: A key pair is created to provide secure SSH access to the EC2 instance.
3. EC2 Instance: The EC2 instance is launched with the ami-0e2c8caa4b6378d8c (Ubuntu AMI) and configured with the provided key pair for SSH access. We also define the instance's user_data to automatically install and start an HTTP server on the instance.

Benefits of Using Secrets Manager:

• Encryption: Secrets Manager automatically encrypts the password using AWS Key Management Service (KMS), ensuring that sensitive data is stored securely.
• Access Control: Using AWS IAM, you can control who can access and manage the stored secret.
• Password Rotation: Secrets Manager supports automatic password rotation, further enhancing security by ensuring passwords are regularly updated.

Conclusion

By using Terraform alongside AWS Secrets Manager, we can securely manage sensitive data like EC2 admin passwords, preventing potential vulnerabilities. This approach adheres to best practices in secret management, ensuring our infrastructure remains both secure and compliant. Whether you're managing one EC2 instance or thousands, implementing secure secret management with AWS Secrets Manager is a critical step toward a more robust cloud infrastructure.

Remember to always treat sensitive data with care, and leverage AWS services to secure and automate your cloud infrastructure management.