Using AWS KMS to store secrets in Terraform

I found myself needing to know how to store secrets easily, using KMS and Terraform today. Figured I’d share for easy reference. Terraform includes a super easy way to make this happen.

Make a key in KMS:

resource "aws_kms_key" "magic" {
  description             = "ponies"
  deletion_window_in_days = 30
  enable_key_rotation     = true

Lets now encrypt a password to use for an RDS instance:

kms encrypt --key-id 12345abc90-d123-45ef-678g-asdfjkl12345 --plaintext mag1ca1p0wni3s --output text --query CiphertextBlob

The above command will output a “payload” that is an encoded string. Terraform uses this to decrypt the secret and allows you to make your resource using that resource.

data "aws_kms_secret" "rds" {
  secret {
    name    = "db-password"
    payload = "PAYLOAD"

resource "aws_db_instance" "db" {
    password                  = "${data.aws_kms_secret.rds.db-password}"

Now you can this all of this out using terraform plan.