README
¶
aws-secrets-dumper
aws-secrets-dumper is command line tool to initialize managing secrets on AWS.
It supports:
- dump secrets in AWS Sysetms Manager Parameter Store or AWS Secrets Manager as YAML formaat
- generate Terraform files defines and import secrets
Installation
Download binary from releases
Setup
- Install sops
- For encrypt dumped YAML file
- Set up your terraform project
- Follow terraform documentation
Usage
First, dump secrets into row YAML file.
$ aws-secrets-dumper --target secretsmanager -prefix production/ dump > secrets.yml
Then, encrypt raw YAML file by sops.
$ sops --encrypt --kms $KMS_KEY_ARN secrets.yml > secrets.encrypted.yml
Generate .tf file to manage and import secrets by Terraform.
$ aws-secrets-dumper --target ssm -prefix production/ tf | tee secrets.tf
data "sops_file" "ssm_parameters" {
source_file = "secrets.encrypted.yml"
}
locals {
ssm_parameters = nonsensitive(
distinct([
for key in keys(data.sops_file.ssm_parameters.data) : split(".", key)[0]
])
)
}
resource "aws_ssm_parameter" "parameter" {
for_each = toset(local.ssm_parameters)
name = "production/${each.key}"
description = each.value.description
type = "SecureString"
value = data.sops_file.ssm_parameters.data["${each.value}.value"]
}
import {
id = "production/SOME_SECRET"
to = aws_ssm_parameter.parameter["SOME_SECRET"]
}
import {
id = "production/THAT_ID"
to = aws_ssm_parameter.parameter["THAT_ID"]
}
Finally, run terraform plan and check the result.
Options
$ aws-secrets-dumper -help
NAME:
aws-secrets-dumper - Management migration helper for secrets on AWS SSM Parameter Store and AWS Secrets Manager with terraform
USAGE:
main [global options] command [command options] [arguments...]
COMMANDS:
version show version
dump dump yaml formatted secrets to stdout
tf output terraform resource denifition(s) to stdout
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--target value 'ssm' or 'secretsmanager
--prefix value secret name prefix
--remove-prefix remove prefix from key in dump result (default: false)
--help, -h show help (default: false)
Run COMMAND with --help flag to show helps for each.
License
see LICENSE file.
Author
@handlename (https://github.com/handlename)
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type SSMService ¶
type SSMService struct {
}
func (SSMService) GenerateTF ¶
func (SSMService) Name ¶
func (s SSMService) Name() string
func (SSMService) RetrieveSecrets ¶
func (SSMService) Target ¶
func (s SSMService) Target() string
type SecretService ¶
type SecretsManagerService ¶
type SecretsManagerService struct {
}
func (SecretsManagerService) GenerateTF ¶
func (SecretsManagerService) Name ¶
func (s SecretsManagerService) Name() string
func (SecretsManagerService) RetrieveSecrets ¶
func (SecretsManagerService) Target ¶
func (s SecretsManagerService) Target() string
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.