
Adaptavist/terraform-module-secret-generator


# Secrets Generator Lambda

This module creates a Lambda which generates a secret value and stores it in SSM Parameter Store. The module requires npm to be installed.

Once the Lambda created by this module is in place, it can be used as part of a solution to generate secrets and store them in SSM. This is achieved by using this module in conjunction with the aws-secret module. The benefit of this approach is that secrets can be managed as Infrastructure as Code (IaC) while the secret values never leak into the remote state or the CI/CD tooling context. The Lambda also supports importing existing secrets into IaC.

## How it works

This module creates a Lambda which processes the events of a CloudFormation custom resource. Custom resource events follow CRUD-like operations and are mapped onto a secret: the Create event populates the secret in SSM and the Delete event removes it, for example.

The aws-secret module then creates a CloudFormation stack which sets up the custom resource. When the stack is created for the first time the secret is populated in SSM and the CloudFormation stack is added to the Terraform remote state. Thereafter the secret is managed the way any other Terraform-managed resource is. If the module reference to the secret is removed, the Terraform destroy cascades to the CloudFormation stack, which in turn sends a Delete event to the custom resource, invoking the Lambda with that Delete event.

See the below diagram which outlines the creation of a secret.

Image of Pipeline

## Variables

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| lambda_name | Name given to the Lambda which generates secrets | string | `"ssm-secret-generator"` | no |
| namespace | Namespace used for the Lambda; used for tagging and within the Lambda name | string | n/a | yes |
| stage | The stage of the distribution (dev, staging etc.) | string | n/a | yes |
| tags | Tags applied to the distribution; these should follow what is defined here. | map(string) | n/a | yes |

## Outputs

| Name | Description |
|------|-------------|
| lambda_name | Name given to the Lambda |

## Example

The example below uses the aws-secret module.

The region is inferred from the AWS credentials.

```hcl
# Random suffix so the Lambda name is unique per deployment. The resource, the
# locals and the variable are declared here so the example is self-contained.
resource "random_string" "random" {
  length  = 8
  special = false
  upper   = false
}

locals {
  stage = "dev"
  tags  = { Team = "platform" }
}

variable "positive_test_ssm_parameter_name" {
  type = string
}

module "lambda_secrets_generator" {
  source      = "Adaptavist/secret-generator/module"
  version     = "2.0.0"
  namespace   = "test"
  lambda_name = "ssm-secret-generator-${random_string.random.result}"
  stage       = local.stage
  tags        = local.tags
}

module "single_parameter" {
  source  = "Adaptavist/aws-secret/module"
  version = "1.3.2"

  secret_lambda_function_name = module.lambda_secrets_generator.lambda_name
  secret_ssm_path             = var.positive_test_ssm_parameter_name
  tags                        = local.tags
  stage                       = local.stage

  # The generator module above is named lambda_secrets_generator; the original
  # snippet referenced an undefined `module.lambda` here.
  depends_on = [module.lambda_secrets_generator]
}
```

## Breaking changes

Version 1.4.0 introduced multi-region support which was flawed and was subsequently removed in version 2.0.0.

Additionally, version 2.0.0 changed the PhysicalResourceId returned to CloudFormation, so it is incompatible with version 1.x.x. Because CloudFormation issues a Delete for the old PhysicalResourceId when an update returns a different one, upgrading the module in place will cause deletion of SSM parameters.
