Domain - Security Primer
Multi-Provider Configuration
Base Code (multi-provider-config.tf)
# Default (un-aliased) AWS provider. Any resource that does not set
# `provider = ...` is created through this one, in ap-southeast-1.
provider "aws" {
  region = "ap-southeast-1"
}
# Base code, intentionally broken (see "Final Code" below for the fix):
#  - both resources share the address aws_security_group.allow_tls, which
#    Terraform rejects as a duplicate;
#  - aws.usa and aws.mumbai are referenced but no provider block declares
#    those aliases, so the references cannot be resolved.
resource "aws_security_group" "allow_tls" {
  name     = "prod_firewall"
  provider = aws.usa
}
resource "aws_security_group" "allow_tls" {
  name     = "staging_firewall"
  provider = aws.mumbai
}
Final Code
# Default provider: used by every resource that carries no `provider` argument.
provider "aws" {
  region = "ap-southeast-1"
}

# Aliased providers. Resources opt into one with `provider = aws.<alias>`;
# each alias is an independent client with its own region (and, if set,
# its own credentials/profile).
provider "aws" {
  region = "ap-south-1"
  alias  = "mumbai"
}

provider "aws" {
  region = "us-east-1"
  alias  = "usa"
}
# Two security groups with distinct resource names, each pinned to a
# different aliased provider (and therefore a different region).
# Note: neither block declares ingress/egress rules; with no egress block
# Terraform removes AWS's default allow-all egress rule, so these groups
# permit no traffic until rules are added. No vpc_id is set either, so
# each lands in the default VPC of its region.
resource "aws_security_group" "sg_1" {
  provider = aws.usa
  name     = "prod_firewall"
}

resource "aws_security_group" "sg_2" {
  provider = aws.mumbai
  name     = "staging_firewall"
}
eip.tf
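# Elastic IP in the default provider's region.
# `vpc = true` is the deprecated spelling; the current argument is
# `domain = "vpc"` (the form the second EIP below already uses).
resource "aws_eip" "myeip" {
  domain = "vpc"
}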
# Elastic IP created through the aliased provider `aws.aws02`
# (declared in providers.tf), i.e. in that provider's region/account.
resource "aws_eip" "myeip01" {
  provider = aws.aws02
  domain   = "vpc"
}
1st EIP (myeip) -- created in the default provider's region
2nd EIP (myeip01) -- created in the second region via the aws02 provider alias
providers.tf
# Default provider; credentials are not set here, so they come from the
# usual AWS credential chain (environment, shared config/credentials, role).
provider "aws" {
  region = "us-west-1"
}
# Second provider instance, selected by resources with `provider = aws.aws02`.
# `profile` points at a named profile in the shared AWS credentials file, so
# the second account's keys stay out of the configuration and out of VCS.
provider "aws" {
  profile = "account02"
  region  = "ap-south-1"
  alias   = "aws02"
}
Sensitive Parameters
Documentation Referenced
- Local File Resource
- Local Sensitive File Resource
- AWS DB Instance Resource
Base Code
# Base code: the secret is a literal in the configuration, so it is committed
# with the code, printed in plan/apply output, and written unredacted to the
# state file. The file itself is created with the provider's default
# file_permission unless one is set explicitly.
resource "local_file" "foo" {
  content  = "supersecretpassw0rd"
  filename = "password.txt"
}
Code with Variable
# Moving the value into a variable changes nothing about exposure on its own:
# the default is still a literal in source, and without `sensitive = true`
# the value is shown in plan/apply output. The secret is still written to state.
variable "password" {
  default = "supersecretpassw0rd"
}

resource "local_file" "foo" {
  content  = var.password
  filename = "password.txt"
}
Code where Sensitive Parameter is set at Variable
# `sensitive = true` redacts the value (and anything derived from it) in
# plan/apply output. It does NOT encrypt it: the value is still stored in
# plaintext in the state file, and the default is still a literal in source.
# Supplying the value at run time (-var, TF_VAR_password, a .tfvars kept out
# of VCS) instead of a default keeps it out of the repository.
variable "password" {
  default   = "supersecretpassw0rd"
  sensitive = true
}

resource "local_file" "foo" {
  content  = var.password
  filename = "password.txt"
}
Using Local Sensitive File Resource Type
# local_sensitive_file treats `content` as sensitive (redacted in CLI output)
# and uses a more restrictive default file_permission than local_file.
# The content is still stored in plaintext in state, and the literal is still
# in source here.
resource "local_sensitive_file" "foo" {
  content  = "supersecretpassw0rd"
  filename = "password.txt"
}
Code Block using Output Values
resource "local_sensitive_file" "foo" {
  content  = "supersecretpassw0rd"
  filename = "password.txt"
}

# An output that references a sensitive value must itself be marked
# `sensitive = true`, or Terraform refuses the configuration. The marking only
# redacts the default `terraform output` display; `terraform output -json`
# (and the state file) still contain the value in plaintext.
output "pass" {
  value     = local_sensitive_file.foo.content
  sensitive = true
}
RDS Configuration
RDS Code Block
# Base RDS example. Security notes for anyone copying this:
#  - `password` is a literal: it lands in VCS and in plaintext in state.
#  - `skip_final_snapshot = true` means `terraform destroy` drops the instance
#    without a final snapshot; fine for a lab, data loss in production.
#  - No storage encryption, backup or deletion-protection settings are given,
#    so provider defaults apply.
resource "aws_db_instance" "default" {
  allocated_storage    = 10
  db_name              = "mydb"
  engine               = "mysql"
  engine_version       = "8.0"
  instance_class       = "db.t3.micro"
  username             = "foo"
  password             = "foobarbaz"
  parameter_group_name = "default.mysql8.0"
  skip_final_snapshot  = true
}
RDS Configuration File
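# Provider for the RDS example.
# Static `access_key` / `secret_key` arguments are removed: keys placed here
# are committed with the configuration and leak through VCS history. The AWS
# provider instead picks up credentials from its normal chain (environment
# variables, the shared credentials file via `profile`, or an assumed role),
# which is how the providers.tf example above (`profile = "account02"`) does it.
provider "aws" {
  region = "us-east-1"
}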
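# RDS instance whose master password is read from a file kept outside the
# repository (see rds_pass.txt below).
# `name` is the deprecated argument for the database name; `db_name` is the
# current one and matches the earlier RDS block on this page.
# Caveats:
#  - file() is evaluated at plan time and the resulting value is still
#    written to state in plaintext; only the source tree stays clean.
#  - engine_version 5.7 is an old MySQL line (check RDS support status before
#    reusing this), and `skip_final_snapshot = true` destroys without a snapshot.
resource "aws_db_instance" "default" {
  allocated_storage    = 5
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.7"
  instance_class       = "db.t2.micro"
  db_name              = "mydb"
  username             = "foo"
  password             = file("../rds_pass.txt")
  parameter_group_name = "default.mysql5.7"
  skip_final_snapshot  = true
}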
rds_pass.txt
Store this file outside the directory containing rds.tf, so it is not committed or packaged along with the configuration (the path `../rds_pass.txt` above assumes the parent directory).
mysecretpassword505
Vault Configuration
# Vault provider. No token is given here; the provider reads it from the
# environment (VAULT_TOKEN) so it never appears in the configuration.
# The address is plain HTTP, which is acceptable only for a local dev server
# on 127.0.0.1; a real Vault endpoint should be reached over HTTPS.
provider "vault" {
  address = "http://127.0.0.1:8200"
}
# Reads the secret at secret/db_creds from Vault's KV engine.
# Anything a data source returns is persisted in the state file, so the
# fetched secret ends up in plaintext in state even though it was never
# written into the configuration; protect the state backend accordingly.
data "vault_generic_secret" "demo" {
  path = "secret/db_creds"
}
# Exposes the whole secret as a JSON string. `sensitive = true` only redacts
# it in the default `terraform output` display; `terraform output -json`
# and the state file still carry the full value.
output "vault_secrets" {
  value     = data.vault_generic_secret.demo.data_json
  sensitive = true
}
eip.tf
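# Elastic IP in the default provider's region (us-west-1, per providers.tf).
# `vpc = true` is the deprecated form; `domain = "vpc"` is the current
# argument and is what the earlier eip.tf example on this page uses.
resource "aws_eip" "myeip" {
  domain = "vpc"
}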
providers.tf
# Default provider for eip.tf above; credentials come from the AWS credential
# chain since none are configured here.
provider "aws" {
  region = "us-west-1"
}
AWS CLI Installation
For detailed instructions on installing the AWS CLI, refer to the official AWS documentation.
Terraform Configuration
# Pins the AWS provider to exactly 4.60. An exact pin is reproducible but
# also blocks security patches; a constraint such as "~> 4.60" allows patch
# releases while staying on the 4.x line. Either way, commit the lock file
# (.terraform.lock.hcl) so the provider checksum is verified on every init.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.60"
    }
  }
}
# Configure the AWS Provider.
# No credentials here: they are supplied via the environment, the shared
# credentials file, or an assumed role, never as literals in this file.
provider "aws" {
  region = "us-east-1"
}
# Minimal EC2 example; "ami-123" is a placeholder, not a real image id.
# No subnet, security group or key pair is specified, so the instance takes
# the account's defaults (default VPC/subnet and default security group).
# For anything beyond a lab, pin a known AMI and consider requiring IMDSv2
# via `metadata_options { http_tokens = "required" }`.
resource "aws_instance" "web" {
  ami           = "ami-123"
  instance_type = "t2.micro"
}