Create AWS Secrets Manager secret using Terraform secure variables and GitHub Actions secrets

A little while back, I encountered an exciting use case requiring me to use GitHub Actions secrets. The use case was to create an AWS Secrets Manager secret resource using Terraform in a CI/CD pipeline.

An AWS Secrets Manager secret is a resource to store secure credentials. In the past, I created an AWS Secrets Manager resource using Terraform from my laptop. I did this by storing the secret value in the tfvars file and ensuring that the tfvars file is not part of the repository using the .gitignore file. Since the secret value was not committed to the repository, the approach worked fine in that case. However, how do you do that when provisioning resources with secure values via a pipeline using Terraform configuration code? Enter GitHub Actions secrets, a secure information transfer mechanism for GitHub Actions pipelines.

In this note, I detail all the nuances of creating an AWS Secrets Manager secret using Terraform and GitHub Actions.

Before working on this use case, please understand two critical concepts associated with deploying Terraform configuration to the AWS cloud using GitHub Actions.
Concept #1: Securely integrate AWS credentials with GitHub Actions using OpenID Connect
Concept #2: CI-CD with Terraform and GitHub Actions to deploy to AWS
Once you are comfortable with the above two concepts, you can move to the next section of this use case.

There are three aspects to this use case.
1. Store the secret value in a GitHub repository secret
2. Securely transfer the GitHub repository secrets to Terraform, and
3. The Terraform configuration to create the AWS Secrets Manager secret.
In the following few paragraphs, I will walk you through each aspect. If interested, please access my GitHub repository: add-aws-secretsmanager-terraform and follow along.

1. Store the secret value in a GitHub repository secret.
Each GitHub repository can store secure variables: navigate to the Settings tab and, under the Security category, choose Secrets and variables -> Actions. This option can be used to store both variables and secrets. For example, below is a screenshot of a secret I added.
[Screenshot: adding a repository secret under Settings -> Secrets and variables -> Actions]
After reviewing the correct value, I clicked the “Add secret” button. Once a secret is added to GitHub Actions secrets, one cannot view the value. For this use case, I stored three secrets in GitHub Actions secrets.
[Screenshot: the three repository secrets stored for this use case]
2. Securely transfer the GitHub repository secrets to Terraform.
As I mentioned in Concept #2 above (CI-CD with Terraform and GitHub Actions to deploy to AWS), Terraform is invoked via the GitHub Actions pipeline. GitHub Actions secrets are accessible to the pipeline via the ${{ secrets.SecretName }} construct, where SecretName is VariableOne in our use case. I passed the values to Terraform during the terraform plan and terraform apply steps in the terraform.yml pipeline, which I stored in the .github/workflows folder of my GitHub repository.

Below is an image of the terraform apply step:
[Screenshot: the terraform apply step in terraform.yml, with the secrets passed in as Terraform inputs]
3. The Terraform configuration to create the AWS Secrets Manager secret
I stored two types of AWS Secrets Manager secrets in the Terraform configuration file secretmanager.tf: one as a secret string and the other as a key-value pair.
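As an added illustration of the shape such a secretmanager.tf takes (this is example code written for this note, not the configuration from the repository above), the block below declares the inputs as sensitive variables and creates both secret types. The variable names, the secret names, and the assumption that the workflow exports each GitHub secret as a TF_VAR_ environment variable (for example secrets.VariableOne as TF_VAR_variable_one) are mine.

```hcl
# Inputs arrive from the pipeline as TF_VAR_<name> environment variables
# (assumed mapping: ${{ secrets.VariableOne }} -> TF_VAR_variable_one).
# sensitive = true keeps the values out of plan/apply output and job logs.
variable "variable_one" {
  type      = string
  sensitive = true
}

variable "db_username" {
  type      = string
  sensitive = true
}

variable "db_password" {
  type      = string
  sensitive = true
}

# Type 1: plaintext secret string (names below are illustrative).
resource "aws_secretsmanager_secret" "plain" {
  name                    = "example/plain-secret"
  recovery_window_in_days = 7 # allow recovery if the secret is deleted
}

resource "aws_secretsmanager_secret_version" "plain" {
  secret_id     = aws_secretsmanager_secret.plain.id
  secret_string = var.variable_one
}

# Type 2: key-value pair secret, stored as a JSON document.
resource "aws_secretsmanager_secret" "kv" {
  name                    = "example/db-credentials"
  recovery_window_in_days = 7
}

resource "aws_secretsmanager_secret_version" "kv" {
  secret_id = aws_secretsmanager_secret.kv.id
  secret_string = jsonencode({
    username = var.db_username
    password = var.db_password
  })
}

# Note: marking variables sensitive redacts them from console output only.
# The values are still written in clear text to the Terraform state, so the
# state backend (for example an S3 bucket) must be encrypted and access-restricted.
```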

After committing the changes to my local repository, I pushed the changes up to the remote repository in GitHub. That action triggered a couple of pipelines: a Checkov scan of the Terraform configuration and a Terraform pipeline run. Next, I created a pull request and merged the changes to the main branch. This merge operation triggered another pipeline run with the terraform apply step enabled.
After the pipeline succeeded, I logged into my AWS account and navigated to AWS Secrets Manager -> Secrets. Then I clicked the "Retrieve secret value" button to access the values of these secrets. Next, I reviewed the secrets that GitHub Actions had created there using the Terraform configuration. As you can see from the screenshots below, two types of secrets were available: one is a plaintext secret, while the other is a key-value pair. And GitHub Actions provisioned the AWS Secrets Manager secrets without exposing the secure values.

[Screenshot: the plaintext secret as shown by "Retrieve secret value" in AWS Secrets Manager]
[Screenshot: the key-value pair secret as shown by "Retrieve secret value" in AWS Secrets Manager]
I hope this was a helpful note to understand how to manage secure variables for AWS cloud resources using Terraform and GitHub Actions. Please do let me know if you have any questions.
