如何隐藏 terraform aws_ssm_parameter 值 [英] How to hide terraform aws_ssm_parameter values
问题描述
我创建了一个 SSM 参数,其类型为 SecureString,键值为 (pasword=Passwor@d123).我正在尝试使用在计划输出中打印值的数据资源获取值.
I have an SSM parameter created with type SecureString and key-value as (pasword=Passwor@d123). I am trying to fetch the value using data resources where the value is getting printed in plan output.
data "aws_ssm_parameter" "foo" {
name = "password"
}
module "lamda_env_vars" {
New_password = data.aws_ssm_parameter.foo.value
}
plan output:-
New_paswword = Password@123
我尝试过如下加密.
data "aws_ssm_parameter" "foo" {
name = "password"
with_decryption = false
}
module "lambda_env_vars" {
New_password = data.aws_ssm_parameter.foo.value
}
plan output:-
New_password = Q#iuws##)9ssdhs(some encryptrd value)
这里的问题是相同的加密哈希码被分配为我的 lambda 函数的值.
Here the problem is the same encrypted hash code is getting assigned as the value for my lambda function.
如何在改造计划时屏蔽值并为我的 lambda 函数获取纯文本值?
How to mask value while terraforming plan and get the plain text value for my lambda function?
推荐答案
通常,您只需将 SSM 的 SecretString 参数的名称作为环境变量传递给您的 lambda功能.然后 lambda 函数会自己从 SSM 参数存储中获取它.
Generally you would just pass the name of the SSM's SecretString parameter as an env variable to your lambda function. Then the lambda function would fetch it itself from the SSM Parameter Store.
如果您想使用带有 with_decryption = false 的方法,那么您的 lambda 函数将必须调用 KMS decrypt API 将密文实际解密为纯文本版本.
If you want to use approach with with_decryption = false, then your lambda function will have to call KMS decrypt API to actually decrypt the ciphered text into its plain text version.
在这两种情况下,您的函数的执行角色都需要拥有 KMS 和/或 SSM Parameter Store 的权限.
In both cases the execution role of your function would need to have permissions to KMS and/or SSM Parameter Store.
这篇关于如何隐藏 terraform aws_ssm_parameter 值的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
