Prerequisites
Architecture diagram
As the diagram above shows:
- Secrets Manager holds two secrets: the DB credentials used by RDS Proxy and the DB credentials used by Lambda.
main.tf and variable.tf for building the environment
main.tf
```hcl
# secret used by the application (Lambda)
resource "aws_secretsmanager_secret" "dbstring" {
  name        = "${var.project}-${var.env}-db-connection-string"
  description = "PG connection string used by the application to connect to the database"
  tags = {
    Env     = var.env
    Account = var.account
    Project = var.project
  }
}

# secret used by RDS Proxy
resource "aws_secretsmanager_secret" "dbpw" {
  name        = "${var.project}-${var.env}-db-connection-pw"
  description = "DB credentials used by RDS Proxy"
  tags = {
    Env     = var.env
    Account = var.account
    Project = var.project
  }
}
```
variable.tf
```hcl
# common variables
variable "project" {
  type        = string
  description = "project name"
}

variable "account" {
  type        = string
  description = "prod or non-prod"
}

variable "env" {
  type        = string
  description = "dev, test, stage or prod"
}
```
outputs.tf
```hcl
output "secretsmanager_dbstring_arn" {
  value       = aws_secretsmanager_secret.dbstring.arn
  description = "ARN of the Secrets Manager secret used by the application"
}

output "secretsmanager_dbpw_arn" {
  value       = aws_secretsmanager_secret.dbpw.arn
  description = "ARN of the Secrets Manager secret used by RDS Proxy"
}
```
Design philosophy
- When importing existing secrets, the secret value itself is never written into the .tf files. (It is enough that outputs.tf exposes the ARN so other resources can reference it.)
- If you build the infrastructure with Terraform from scratch, be careful!
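The following is an added example, not code from the original post, showing how the two points above can be expressed in Terraform: adopting an existing secret with a declarative `import` block, and, when building from scratch, creating only a placeholder `aws_secretsmanager_secret_version` so the real value is written outside Terraform. The ARN, the `REPLACE_ME_OUT_OF_BAND` value, the policy name and the role attachment are assumptions/placeholders.

```hcl
# Added example (not from the original post). Assumes the aws_secretsmanager_secret
# resources "dbstring" and "dbpw" from main.tf and the variables from variable.tf.

# 1. Importing an existing secret (Terraform >= 1.5 declarative import).
#    The import ID for aws_secretsmanager_secret is the secret's ARN.
#    The ARN below is a placeholder; only the container is adopted, so no
#    secret value enters the .tf files or the state file.
import {
  to = aws_secretsmanager_secret.dbstring
  id = "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:PLACEHOLDER"
}

# 2. Building from scratch. Terraform must create some version, but a real
#    connection string written here would be stored in plaintext in the state
#    file. Instead, create a placeholder version and ignore later changes, then
#    set the real value out of band (e.g. `aws secretsmanager put-secret-value`).
resource "aws_secretsmanager_secret_version" "dbstring_initial" {
  secret_id     = aws_secretsmanager_secret.dbstring.id
  secret_string = "REPLACE_ME_OUT_OF_BAND" # placeholder, never a real credential

  lifecycle {
    ignore_changes = [secret_string]
  }
}

# 3. Least privilege for the consumer: the Lambda role may read only the
#    application secret, not the RDS Proxy secret (and vice versa).
data "aws_iam_policy_document" "lambda_read_dbstring" {
  statement {
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.dbstring.arn]
  }
}

resource "aws_iam_policy" "lambda_read_dbstring" {
  name   = "${var.project}-${var.env}-lambda-read-dbstring" # assumed naming
  policy = data.aws_iam_policy_document.lambda_read_dbstring.json
}

data "aws_iam_policy_document" "rdsproxy_read_dbpw" {
  statement {
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.dbpw.arn]
  }
}

resource "aws_iam_policy" "rdsproxy_read_dbpw" {
  name   = "${var.project}-${var.env}-rdsproxy-read-dbpw" # assumed naming
  policy = data.aws_iam_policy_document.rdsproxy_read_dbpw.json
}
```

Use the `import` block only for the existing-secret case; when building from scratch, omit it and keep the placeholder version resource. Even with `ignore_changes`, the placeholder string is recorded in the state file once, which is why it must not be a real credential, and the state backend itself should be encrypted and access-controlled. The two IAM policies are what make the split between the Lambda secret and the RDS Proxy secret meaningful: each principal can read only its own secret's ARN.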