...
Following these guidelines will limit the damage if secrets are partly disclosed and will make recovery from secret disclosure easier.
For each secret you create, you will need to grant your application's service role permission to read that secret (and only that secret). You can do this with IAM policies in Terraform:
```hcl
# Create the secret in Secrets Manager. The module also emits an IAM policy
# document (policy_json) that allows reading this specific secret.
module "rails_secret" {
  source      = "github.com/thoughtbot/terraform-aws-secrets//secret?ref=v0.4.0"
  description = "Secrets for the Rails application"
  name        = "example-app-secret"
  initial_value = jsonencode({
    SECRET_KEY_BASE = random_password.secret_key_base.result
  })
}

# Attach the per-secret policy to the application's service role.
module "service_policy" {
  source     = "github.com/thoughtbot/flightdeck//aws/service-account-policy?ref=v0.9.0"
  name       = "example-app-service"
  role_names = [module.service_role.name]
  policy_documents = concat(
    module.rails_secret.policy_json,
    # Other secrets or policies
  )
}
```
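The point of attaching one policy document per secret is that the service role ends up with read access to exactly the secrets it needs and nothing else. The following is an added example, not code from the guide or from the terraform-aws-secrets module: a small least-privilege check that parses an IAM policy document (it assumes the module's `policy_json` output is a standard IAM policy JSON document, which is the normal shape) and reports any Allow statement that grants more than `GetSecretValue`/`DescribeSecret` on the expected secret ARNs. The ARNs, account ID and both sample policies are constructed for illustration.

```python
"""Least-privilege check for the IAM policy attached to an application's service role.

Added example, not part of the thoughtbot guide or the terraform-aws-secrets module.
It assumes the policy being checked is a standard IAM policy document in JSON.
"""
import json
from fnmatch import fnmatchcase

# The only actions a workload needs in order to read a secret at runtime.
ALLOWED_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_secret_policy(policy_json, expected_secret_arns):
    """Return a list of findings; an empty list means the policy is least-privilege.

    expected_secret_arns: ARN patterns of the secrets this role may read. Secrets
    Manager appends a random suffix to every secret ARN, so a pattern ending in
    '-*' (e.g. '...:secret:example-app-secret-*') is the usual way to name one.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {idx}: NotAction/NotResource allows everything except the listed items")
        for action in _as_list(stmt.get("Action")):
            if "*" in action or action not in ALLOWED_ACTIONS:
                findings.append(f"statement {idx}: unexpected action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {idx}: wildcard resource grants access to every secret")
            elif not any(fnmatchcase(resource, pattern) for pattern in expected_secret_arns):
                findings.append(f"statement {idx}: resource {resource!r} is not an expected secret")
    return findings


# Constructed sample: the shape a per-secret read policy is expected to take.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-app-secret-AbC123",
    }],
})

# Constructed sample of the over-broad policy this check exists to catch.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "secretsmanager:*",
        "Resource": "*",
    }],
})

# Hypothetical account and region; the secret name matches the Terraform above.
EXPECTED = ["arn:aws:secretsmanager:us-east-1:123456789012:secret:example-app-secret-*"]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_secret_policy(policy, EXPECTED) or "ok")
```

Run it against the rendered policy from `terraform show -json` or the output of the `rails_secret` module before applying. One caveat: if a secret is encrypted with a customer-managed KMS key rather than the AWS-managed default, `GetSecretValue` also requires `kms:Decrypt` on that key, which this check would flag as an unexpected action; extend `ALLOWED_ACTIONS` (and the expected resource patterns) to cover the key ARN in that case.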
For more information on using Secrets Manager secrets, see Managing Secrets in the Deploy section.