---
layout: "aws"
page_title: "AWS: aws_kms_secret"
sidebar_current: "docs-aws-datasource-kms-secret"
description: |-
  Provides secret data encrypted with the KMS service
---

# aws\_kms\_secret

The KMS secret data source allows you to use data encrypted with the AWS KMS
service within your resource definitions.

~> **NOTE**: Using this data provider will allow you to conceal secret data within your
resource definitions but does not take care of protecting that data in the
logging output, plan output or state output.

Please take care to secure your secret data outside of resource definitions.

## Example Usage

First, let's encrypt a password with KMS using the [AWS CLI
tools](http://docs.aws.amazon.com/cli/latest/reference/kms/encrypt.html). This
requires you to have your AWS CLI set up correctly, and you would replace the
key-id with your own.

```
$ # printf rather than echo, so no trailing newline becomes part of the password
$ printf 'master-password' > plaintext-password
$ aws kms encrypt \
>   --key-id ab123456-c012-4567-890a-deadbeef123 \
>   --plaintext fileb://plaintext-password \
>   --encryption-context foo=bar \
>   --output text --query CiphertextBlob
AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ==
```

Now, take that output and add it to your resource definitions.

```hcl
data "aws_kms_secret" "db" {
  secret {
    name    = "master_password"
    payload = "AQECAHgaPa0J8WadplGCqqVAr4HNvDaFSQ+NaiwIBhmm6qDSFwAAAGIwYAYJKoZIhvcNAQcGoFMwUQIBADBMBgkqhkiG9w0BBwEwHgYJYIZIAWUDBAEuMBEEDI+LoLdvYv8l41OhAAIBEIAfx49FFJCLeYrkfMfAw6XlnxP23MmDBdqP8dPp28OoAQ=="

    context {
      foo = "bar"
    }
  }
}

resource "aws_rds_cluster" "rds" {
  master_username = "root"
  master_password = "${data.aws_kms_secret.db.master_password}"

  # ...
}
```

And your RDS cluster would have the root password set to "master-password".

## Argument Reference

The following arguments are supported:

* `secret` - (Required) One or more encrypted payload definitions from the KMS
  service. See the Secret Definitions below.

### Secret Definitions

Each secret definition supports the following arguments:

* `name` - (Required) The name to export this secret under in the attributes.
* `payload` - (Required) Base64 encoded payload, as returned from a KMS encrypt
  operation.
* `context` - (Optional) An optional mapping that makes up the Encryption
  Context for the secret. Decryption only succeeds if it matches the context
  given at encryption time.
* `grant_tokens` - (Optional) An optional list of Grant Tokens for the secret.

For more information on `context` and `grant_tokens` see the [KMS
Concepts](http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html).

## Attributes Reference

Each `secret` defined is exported under its `name` as a top-level attribute.
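The NOTE above is the point a practitioner has to act on: once `terraform apply` has run, the decrypted value sits in the state file, both under the data source and in every resource that consumed it. As an added example, not part of the Terraform docs or the provider's code, this Python check reads a v3-format state file and reports every attribute address holding a decrypted `aws_kms_secret` value without echoing the value itself; the sample state is constructed, and the `modules[].resources[].primary.attributes` layout is an assumption about how the 0.9 state is laid out.

```python
import json

# Constructed sample of a Terraform 0.9-era (v3) state file, trimmed to what this
# check reads. Assumed layout: modules[].resources[<address>].primary.attributes,
# with each decrypted secret stored under its name as a plain attribute.
SAMPLE_STATE = json.dumps({
    "version": 3, "terraform_version": "0.9.5",
    "modules": [{"path": ["root"], "resources": {
        "data.aws_kms_secret.db": {"type": "aws_kms_secret", "primary": {
            "id": "2017-04-26 14:41:47", "attributes": {
                "id": "2017-04-26 14:41:47",
                "secret.#": "1",
                "secret.1.name": "master_password",
                "secret.1.payload": "AQECAH...(ciphertext placeholder)",
                "master_password": "master-password"}}},
        "aws_rds_cluster.rds": {"type": "aws_rds_cluster", "primary": {
            "id": "rds", "attributes": {
                "id": "rds",
                "master_username": "root",
                "master_password": "master-password"}}},
    }}],
})


def find_exposed_secrets(state_json):
    """Map each aws_kms_secret name to every state attribute that holds its
    plaintext. Only attribute addresses are reported, never the value itself."""
    state = json.loads(state_json)
    attrs = []  # (resource address, attribute name, value) across all modules
    for module in state.get("modules", []):
        for addr, res in module.get("resources", {}).items():
            for key, val in res.get("primary", {}).get("attributes", {}).items():
                attrs.append((addr, key, val))
    # Exported secrets are the data source's attributes other than `id` and the
    # `secret.*` inputs, which hold the ciphertext rather than the plaintext.
    plaintexts = {key: val for addr, key, val in attrs
                  if addr.startswith("data.aws_kms_secret.")
                  and key != "id" and not key.startswith("secret.")}
    return {name: sorted(f"{a}.{k}" for a, k, v in attrs if v == val)
            for name, val in plaintexts.items()}


if __name__ == "__main__":
    for name, where in find_exposed_secrets(SAMPLE_STATE).items():
        print(f"secret {name!r} stored in plaintext at: {', '.join(where)}")
```

Running it against a real `terraform.tfstate` (replace `SAMPLE_STATE` with the file's contents) tells you which resources and attributes you have to treat as sensitive wherever that state is stored or logged.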