Managing and deploying AWS IAM user login profiles in Terraform requires either a base64-encoded PGP public key or a Keybase username, as stated in the official documentation. But there is no information on how to obtain such a PGP key, so today's topic describes the required steps.
Prerequisites
- Terraform
Solution
Step 1. Install GPG from the official site https://gnupg.org/download.
Step 2. Create a template file that will include all the key options. For instance, create a file called key-template:
Key-Type: RSA
Subkey-Type: RSA
Name-Real: <first_name> <last_name>
Name-Comment: PGP key for <first_name>'s AWS IAM user
Name-Email: <insert_email_here>
Expire-Date: 0
# Passphrase: COMMENT_OUT_SO_IT_WILL_PROMPT_TO_INSERT_PASSWORD
Note(s): Setting the Expire-Date to 0 disables expiration. So please don't be lazy: set a proper value that is aligned with your company's security policies.
Step 3. Now save the template file and, for the sake of this example, create a copy named key-template-devcoops.
Step 4. Set the env variable GPG_TTY as per below:
export GPG_TTY=$(tty)
Step 5. Generate a new key. Once you run the command below, you'll be prompted for a passphrase. Make sure to store it securely, because you'll need it later for decryption.
gpg --batch --gen-key key-template-devcoops
Step 6. Export the public key in binary format (not ASCII-armored), selecting it by the email address you put in the template:
gpg --output public-key-binary-devcoops.gpg --export <insert_email_here>
Step 7. Add the following code block in Terraform:
data "local_file" "pgp_key_devcoops" {
  # The binary public key exported in Step 6; content_base64 is what pgp_key expects
  filename = "./public-key-binary-devcoops.gpg"
}

resource "aws_iam_user" "devcoops" {
  name          = "devcoops"
  path          = "/"
  force_destroy = true
}

resource "aws_iam_user_login_profile" "devcoops" {
  user    = aws_iam_user.devcoops.name
  pgp_key = data.local_file.pgp_key_devcoops.content_base64
}

output "password" {
  # Only the PGP-encrypted password ever reaches the output and the state file
  value = aws_iam_user_login_profile.devcoops.encrypted_password
}
Step 8. Run init, plan and apply to roll out the changes.
terraform init
terraform plan
terraform apply
Step 9. The Terraform output password will print the encrypted password. For instance:
Outputs:
password = "wpICA3/L5g...1/09HTJKK=="
For decryption, see Decrypt iam_user_login_profile password in Terraform.
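The following script, added here as an example and not part of the original post, walks through Steps 2 to 6 non-interactively and adds the checks a practitioner would want before handing the key to Terraform: it confirms the exported file is a binary OpenPGP key (the provider base64-decodes pgp_key and parses the binary form, so an ASCII-armored export made with --armor will not work), shows the single-line base64 string that content_base64 produces, and ends with a helper that reverses the process for the encrypted_password output. The name, email, file names and the one-year expiry are constructed sample values.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): generate a PGP key for the Terraform
# pgp_key argument, export it in binary form, verify the format, and decrypt the
# encrypted_password output later. Sample values below are constructed placeholders.
set -eu

KEY_NAME="${KEY_NAME:-DevCoops Example}"            # constructed sample name
KEY_EMAIL="${KEY_EMAIL:-devcoops@example.com}"      # constructed sample address
KEY_FILE="${KEY_FILE:-public-key-binary-devcoops.gpg}"

# Write the batch template consumed by `gpg --batch --gen-key`. Expire-Date is
# one year here rather than 0, following the post's advice not to disable expiry.
write_key_template() {
  cat > "$1" <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $KEY_NAME
Name-Comment: PGP key for ${KEY_NAME%% *}'s AWS IAM user
Name-Email: $KEY_EMAIL
Expire-Date: 1y
# Passphrase: left commented out so gpg prompts for it interactively
EOF
}

# Return 0 when the file begins with an OpenPGP public-key packet header:
# old-format tag 6 is 0x98/0x99/0x9a (depending on length encoding), new-format
# tag 6 is 0xc6. An ASCII-armored export begins with "-----BEGIN" instead.
is_binary_pgp_key() {
  first=$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')
  case "$first" in
    98|99|9a|c6) return 0 ;;
    *) return 1 ;;
  esac
}

# Base64-encode the binary key on one line: this is the exact string that
# data.local_file.<name>.content_base64 passes to pgp_key.
key_to_base64() {
  base64 < "$1" | tr -d '\n'
}

# Decrypt the `password` output: it is base64 of an OpenPGP message encrypted to
# the public key, so undo the encoding and let gpg use the matching private key
# (gpg prompts for the passphrase chosen during key generation).
decrypt_tf_password() {
  printf '%s' "$1" | base64 -d | gpg --decrypt --quiet
}

main() {
  GPG_TTY=$(tty)
  export GPG_TTY
  write_key_template key-template-devcoops
  gpg --batch --gen-key key-template-devcoops
  gpg --output "$KEY_FILE" --export "$KEY_EMAIL"
  if ! is_binary_pgp_key "$KEY_FILE"; then
    echo "$KEY_FILE is not a binary OpenPGP key; re-export without --armor" >&2
    exit 1
  fi
  echo "pgp_key = \"$(key_to_base64 "$KEY_FILE")\""
}

# The interactive part only runs when explicitly requested:
#   ./pgp-key-for-terraform.sh run
# Decrypt a Terraform output with:
#   ./pgp-key-for-terraform.sh decrypt "$(terraform output -raw password)"
case "${1:-}" in
  run) main ;;
  decrypt) decrypt_tf_password "$2" ;;
esac
```

The format check is the one worth keeping in a pipeline: a key exported with --armor is still a valid PGP key, but wrapping it in content_base64 gives the provider base64 of ASCII text rather than of a key packet, and the failure only shows up at apply time.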
Conclusion
Encrypting secrets in Terraform is a great practice, since it protects sensitive information in the following scenarios:
- Terraform outputs leaked via CI/CD deployment tool log files.
- A compromised Terraform state file.
Feel free to leave a comment below and if you find this tutorial useful, follow our official channel on Telegram.