I am creating RDS using Terraform by using a code that looks something like this:

data "aws_secretsmanager_secret_version" "creds" {
  # Fill in the name you gave to your secret
  secret_id = "db-creds"
}

locals {
  db_creds = jsondecode(
    data.aws_secretsmanager_secret_version.creds.secret_string
  )
}

resource "aws_db_instance" "example" {
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  name                 = "example"
  # Set the secrets from AWS Secrets Manager
  username = local.db_creds.username
  password = local.db_creds.password
}

Using rego in OPA how can I raise an error if password is NOT passed from secrets manager as shown above (and passed through illegal ways like hardcoded password instead)?

Terraform plan output just shows the password irrespective of whether it was obtained through a hardcoded value or through secrets manager - hence my confusion.

Biju
  • 1 thought is to create a wrapper script to handle that. Assuming secrets manager isn't / wasn't set up with terraform. 2nd thought is to use aws secrets manager data source. I haven't tested but I do see there's a data source for it: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version 3rd thought is to set up secrets manager with terraform RDS like in this example: https://stackoverflow.com/questions/65603923/terraform-rds-database-credentials – paulg Jul 19 '22 at 15:20
  • Thanks - my question was not how to avoid illegal usage. I would like to have a step in my pipeline which would "detect and flag" illegal usages of passwords. I need a "linting" mechanism. – Biju Jul 19 '22 at 15:48
  • So this would occur if someone modified the config, which means this would occur in the workflow, and be validated in the reviews and pipeline. You would probably approach this problem from that direction. – Matthew Schuchard Jul 19 '22 at 16:39

1 Answer

OPA normally works on the level of the plan file, so that would not be possible. The OPA-based conftest project allows you to write policies on HCL converted to JSON, so that might be an option, depending on your circumstances.

Devoops
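As an added illustration of the conftest route the answer mentions (this is example code, not from the question, the answer or the conftest project), here is a policy that lints the HCL itself rather than the plan. It assumes conftest's HCL2 parser renders a single block as a JSON object and any non-literal expression as a `"${...}"` string, so a hard-coded password arrives as a plain string while `local.db_creds.password` arrives as `"${local.db_creds.password}"`; the `locals` lookup assumes a single `locals` block.

```rego
package main

# Run as: conftest test main.tf --parser hcl2
# Assumption: conftest 0.3x-era Rego syntax; on OPA 1.0+ write
# `deny contains msg if { ... }` instead of `deny[msg] { ... }`.

secrets_manager_ref := "data.aws_secretsmanager_secret_version."

# Password expression references the Secrets Manager data source directly.
password_from_secrets_manager(expr) {
  contains(expr, secrets_manager_ref)
}

# Password expression is "${local.<name>...}" and that local is itself
# derived from the Secrets Manager data source (the question's pattern).
password_from_secrets_manager(expr) {
  parts := split(trim(expr, "${}"), ".")
  parts[0] == "local"
  local_def := input.locals[parts[1]]
  contains(local_def, secrets_manager_ref)
}

# Case 1: literal password (no "${" prefix means no expression at all).
deny[msg] {
  some name
  db := input.resource.aws_db_instance[name]
  not startswith(db.password, "${")
  msg := sprintf("aws_db_instance.%v: password is a hard-coded literal; read it from AWS Secrets Manager", [name])
}

# Case 2: an expression, but not one traceable to Secrets Manager
# (e.g. "${var.db_password}", which could be fed from a tfvars file).
deny[msg] {
  some name
  db := input.resource.aws_db_instance[name]
  startswith(db.password, "${")
  not password_from_secrets_manager(db.password)
  msg := sprintf("aws_db_instance.%v: password expression %v is not sourced from AWS Secrets Manager", [name, db.password])
}
```

Because the check runs on the configuration rather than the plan, the literal value is never needed, which is exactly why the plan-level approach in the question cannot distinguish the two cases.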