You can use Terraform to create and manage secrets. This topic describes how to create a secret.
Overview
Key Management Service (KMS) uses keys to encrypt and protect secrets. You must create a key before you create a secret. For more information about secrets, see Overview.
For more information about how to configure Terraform to manage secrets, see alicloud_kms_secret.
Limits
The Terraform version must be 0.14.0 or later. We recommend that you use the latest version. You can go to the Terraform official website to download the latest version.
Prerequisites
A Resource Access Management (RAM) user is created, and the AliyunKMSFullAccess and AliyunRAMFullAccess policies are attached to the RAM user. This prerequisite applies when you run Terraform with the credentials of a RAM user. AliyunKMSFullAccess grants permissions to manage KMS resources. AliyunRAMFullAccess grants permissions to manage RAM resources; it is needed only for the RAM secret example in this topic, which creates a RAM policy and a RAM role. For more information, see Grant permissions to RAM users.
Procedure
We recommend that you pass the secret value through an input variable that is declared with sensitive = true and reference that variable in secret_data, instead of writing the value into main.tf as a string literal. Terraform then redacts the value in terraform plan and terraform apply output and in logs. Note that Terraform still stores the value in plaintext in its state file, so restrict access to the state backend and encrypt the state. For more information, see Protect sensitive input variables.
1. Create a working directory and a file named main.tf in the directory.
2. Add the following content to the main.tf file to create a key that is used to encrypt secret values.
Important: You must use a symmetric key. KMS uses this key to encrypt and decrypt secret values, so an asymmetric key cannot be specified as encryption_key_id of a secret. The example below uses an Aliyun_AES_256 key.
// The ID of the KMS instance.
variable "kms_instance_id" {
  default = "kst-gzz650d0533ntu2fm****"
}

// Create an Advanced Encryption Standard (AES) key in the KMS instance.
// The key type is Aliyun_AES_256. The key is used for encryption and decryption (ENCRYPT/DECRYPT).
resource "alicloud_kms_key" "aes_key" {
  description      = "default_key_encrypt_decrypt description"
  key_usage        = "ENCRYPT/DECRYPT"
  key_spec         = "Aliyun_AES_256"
  dkms_instance_id = var.kms_instance_id
  // The waiting period, in days, before a scheduled deletion of the key takes effect.
  pending_window_in_days = 7
  tags = {
    "Environment" = "Production"
    "Name"        = "KMS-01"
    "SupportTeam" = "PlatformEngineering"
    "Contact"     = "aliyun@example.com"
  }
}
3. Add the following content to the main.tf file to create a secret. The examples below show a generic secret, a RAM secret, and an ApsaraDB RDS secret; add the one that you need.

Generic secret
// Create a generic secret. The secret name is kms_secret_general1 and the secret value is secret_data_kms_secret_general1.
resource "alicloud_kms_secret" "kms_secret_general" {
  secret_name                   = "kms_secret_general1"
  description                   = "secret_data_kms_secret_general"
  secret_type                   = "Generic"
  force_delete_without_recovery = true
  dkms_instance_id              = var.kms_instance_id
  // The ID of the key that is used to encrypt secret values.
  encryption_key_id             = alicloud_kms_key.aes_key.id
  version_id                    = "v1"
  secret_data_type              = "text"
  secret_data                   = "secret_data_kms_secret_general1"
}
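The generic secret above, rewritten to follow the recommendation at the start of this procedure: the secret value comes from an input variable declared with sensitive = true instead of a string literal, and the secret keeps its deletion recovery window instead of being force-deleted without recovery. This is an added example, not code from the original page. The variable name generic_secret_value, the output name, and the TF_VAR environment variable in the comment are assumptions; var.kms_instance_id and alicloud_kms_key.aes_key are the variable and key defined earlier in main.tf.

```hcl
// Declare the secret value as a sensitive input variable (Terraform 0.14 or later).
// Terraform redacts it as (sensitive value) in plan and apply output and in logs.
// Supply the value out of band instead of writing it into main.tf, for example:
//   export TF_VAR_generic_secret_value='<secret value>'
// The variable name is an assumption for this example.
variable "generic_secret_value" {
  type        = string
  description = "Value stored in the generic secret. Never commit a default for this variable."
  sensitive   = true
}

resource "alicloud_kms_secret" "kms_secret_general" {
  secret_name       = "kms_secret_general1"
  description       = "secret_data_kms_secret_general"
  secret_type       = "Generic"
  dkms_instance_id  = var.kms_instance_id
  // The ID of the symmetric key defined earlier in main.tf.
  encryption_key_id = alicloud_kms_key.aes_key.id
  version_id        = "v1"
  secret_data_type  = "text"

  // Reference the sensitive variable rather than a literal. Any attribute derived
  // from it is also treated as sensitive by Terraform.
  secret_data = var.generic_secret_value

  // Keep the recovery window instead of an immediate, unrecoverable delete. With
  // force_delete_without_recovery = true (as in the page's examples) a mistaken
  // "terraform destroy" removes the secret permanently.
  force_delete_without_recovery = false
  recovery_window_in_days       = 30
}

// Exposing the secret's ARN is safe; exposing its value is not. Terraform refuses
// to output a value derived from a sensitive variable unless the output is also
// marked sensitive = true, which is the behaviour you want here.
output "kms_secret_general_arn" {
  value = alicloud_kms_secret.kms_secret_general.arn
}
```

With this configuration, terraform plan shows secret_data = (sensitive value), but the value is still written in plaintext to the Terraform state file. Protect the state backend (access control and encryption at rest) as strictly as the secret itself, and prefer a remote backend over local state on a shared machine.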
RAM secret

// Create a RAM secret.
// Prerequisites: A RAM user and an AccessKey pair are created.
// Procedure:
// Step 1: Authorize KMS to manage the AccessKey pair of the RAM user.
// 1.1 Create a custom permission policy named AliyunKMSManagedRAMCrendentialsRolePolicy.
//     Note: Resource "*" lets KMS manage the AccessKey pairs of every RAM user in the account.
//     To follow least privilege, scope Resource to the RAM user whose AccessKey pair KMS rotates.
resource "alicloud_ram_policy" "AliyunKMSManagedRAMCrendentialsRolePolicy" {
  policy_name     = "AliyunKMSManagedRAMCrendentialsRolePolicy"
  policy_document = <<EOF
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:ListAccessKeys",
        "ram:CreateAccessKey",
        "ram:DeleteAccessKey",
        "ram:UpdateAccessKey"
      ],
      "Resource": "*"
    }
  ]
}
EOF
  description = "AliyunKMSManagedRAMCrendentialsRolePolicy"
  force       = true
}

// 1.2 Create a RAM role named AliyunKMSManagedRAMCrendentialsRole. The trust policy allows only the KMS service (kms.aliyuncs.com) to assume the role.
resource "alicloud_ram_role" "AliyunKMSManagedRAMCrendentialsRole" {
  name        = "AliyunKMSManagedRAMCrendentialsRole"
  description = "AliyunKMSManagedRAMCrendentialsRole"
  document    = <<EOF
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "kms.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
EOF
  force = true
}

// 1.3 Attach the AliyunKMSManagedRAMCrendentialsRolePolicy policy to the RAM role AliyunKMSManagedRAMCrendentialsRole.
resource "alicloud_ram_role_policy_attachment" "attach" {
  policy_name = alicloud_ram_policy.AliyunKMSManagedRAMCrendentialsRolePolicy.policy_name
  policy_type = alicloud_ram_policy.AliyunKMSManagedRAMCrendentialsRolePolicy.type
  role_name   = alicloud_ram_role.AliyunKMSManagedRAMCrendentialsRole.name
}

// Step 2: Create a RAM secret. KMS rotates the AccessKey pair of the RAM user exampleUser2 every 7 days.
resource "alicloud_kms_secret" "kms_secret_RAMCredentials" {
  secret_name      = "$Auto"
  description      = "secret_kms_secret_RAMCredentials"
  secret_type      = "RAMCredentials"
  dkms_instance_id = var.kms_instance_id
  // The ID of the key that is used to encrypt secret values.
  encryption_key_id             = alicloud_kms_key.aes_key.id
  force_delete_without_recovery = true
  enable_automatic_rotation     = true
  rotation_interval             = "7d"
  extended_config               = "{\"SecretSubType\":\"RamUserAccessKey\", \"UserName\":\"exampleUser2\"}"
  version_id                    = "V1"
  secret_data_type              = "text"
  // The initial AccessKey pair of the RAM user. The values are masked in this example.
  secret_data                   = "{\"AccessKeys\":[{\"AccessKeyId\":\"********\",\"AccessKeySecret\":\"********\"}]}"
}
ApsaraDB RDS secret

The following example creates an ApsaraDB RDS secret in Manage Dual Account mode (SecretSubType DoubleUsers), in which KMS manages and rotates two database accounts of the instance.

// Create an ApsaraDB RDS secret.
// Prerequisites: An ApsaraDB RDS instance with the ID rm-7xv1450tq4pj4**** is created. The usernames are rdsuser1 and rdsuser2, and the password is Admin****.
resource "alicloud_kms_secret" "kms_secret_RDS_MYSQL" {
  secret_name      = "rds_secret/rm-7xv1450tq4pj4****"
  secret_type      = "Rds"
  dkms_instance_id = var.kms_instance_id
  // The ID of the key that is used to encrypt secret values.
  encryption_key_id             = alicloud_kms_key.aes_key.id
  enable_automatic_rotation     = true
  rotation_interval             = "7d"
  force_delete_without_recovery = true
  extended_config               = "{\"SecretSubType\":\"DoubleUsers\", \"DBInstanceId\":\"rm-7xv1450tq4pj4****\" ,\"CustomData\": {}}"
  version_id                    = "V1"
  secret_data_type              = "text"
  // The initial credentials of the two database accounts. The password is masked in this example.
  secret_data                   = "{\"Accounts\":[{\"AccountName\":\"rdsuser1\",\"AccountPassword\":\"Admin****\"},{\"AccountName\":\"rdsuser2\",\"AccountPassword\":\"Admin****\"}]}"
}
4. Run the terraform init command to initialize the runtime environment for Terraform.
5. Run the terraform plan command to create an execution plan. Review the plan and confirm that it does not print secret values in plaintext.
6. Run the terraform apply command to create the secret.