在 terraform rds 配置中存储 master_username 和 master_password 的更好方法是什么? [英] what's better way to store master_username and master_password in terraform rds configuration?

查看:14
本文介绍了在 terraform rds 配置中存储 master_username 和 master_password 的更好方法是什么?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我需要关于在 中存储 master_password 的更好方法的帮助https://www.terraform.io/docs/providers/aws/r/rds_cluster.html.目前我在提交到 github 之前用 XXX 屏蔽.你能建议一个更好的方法来存储这个吗?谢谢

I need help on what's the better way to store the master_password in https://www.terraform.io/docs/providers/aws/r/rds_cluster.html. Currently I masked with XXX before commit to the github. Could you please advise a better way to store this? Thanks

resource "aws_rds_cluster" "default" {
  cluster_identifier      = "aurora-cluster-demo"
  engine                  = "aurora-mysql"
  availability_zones      = ["us-west-2a", "us-west-2b", "us-west-2c"]
  database_name           = "mydb"
  master_username         = "foo"
  master_password         = "bar"
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
}

推荐答案

最好使用 AWS Secrets Manager 并且根本不将任何敏感数据存储在状态文件中(即使您的状态文件可能已加密,这是一个很好的做法)避免这样的实现).

Preferable you use AWS Secrets Manager and not store any sensitive data in the state file at all (even though your state file might be encrypted, it's a good practice to avoid such implementations).

在这里,我创建了一个 secrets.tf,负责生成随机密码并将其存储在 AWS Secrets Manager 中.

Here I've created a secrets.tf that's responsible for generating a random password and storing it in AWS Secrets Manager.

resource "random_password" "master"{
  length           = 16
  special          = true
  override_special = "_!%^"
}

resource "aws_secretsmanager_secret" "password" {
  name = "${var.environment}-${var.service_name}-primary-cluster-password"
}

resource "aws_secretsmanager_secret_version" "password" {
  secret_id = aws_secretsmanager_secret.password.id
  secret_string = random_password.master.result
}

现在为了在 tf apply 期间获取数据,我使用了一个数据提供程序(它在申请期间从 AWS 即时获取数据):

Now to get the data during the tf apply, I use a data provider (this gets data from AWS on the fly during the apply):

data "aws_secretsmanager_secret" "password" {
  name = "${var.environment}-${var.service_name}-primary-cluster-password"

}

data "aws_secretsmanager_secret_version" "password" {
  secret_id = data.aws_secretsmanager_secret.password.id
}

然后我在我的 Aurora 集群中引用它们,如下所示:

I then reference them in my Aurora cluster as following:

resource "aws_rds_global_cluster" "main" {
  global_cluster_identifier = "${var.environment}-${var.service_name}-global-cluster"
  engine                    = "aurora"
  engine_version            = "5.6.mysql_aurora.1.22.2"
  database_name             = "${var.environment}-${var.service_name}-global-cluster"
}

resource "aws_rds_cluster" "primary" {
  provider                  = aws
  engine                    = aws_rds_global_cluster.main.engine
  engine_version            = aws_rds_global_cluster.main.engine_version
  cluster_identifier        = "${var.environment}-${var.service_name}-primary-cluster"
  master_username           = "dbadmin"
  master_password           = data.aws_secretsmanager_secret_version.password
  database_name             = "example_db"
  global_cluster_identifier = aws_rds_global_cluster.main.id
  db_subnet_group_name      = "default"
}

希望这会有所帮助.

这篇关于在 terraform rds 配置中存储 master_username 和 master_password 的更好方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆