AWS Secrets

AWS secrets can be managed with the AwsSecrets provider.

This works for both Terraform and OpenTofu. The example below is for Terraform; for OpenTofu just replace terraform with opentofu.

Here is a simple usage example of setting up AWS secrets and then using them within a source set and a backend.

import org.ysb33r.gradle.iac.base.secrets.AwsSecrets

terraform {
  secrets {
    awsAcct1(AwsSecrets) { (1)
      useAccessKeyId('1234567890')
      useSecretAccessKey('abcdefghijklmn')
    }
  }
  sourceSets {
    main {
      fromSecretsProvider(terraform.secrets.awsAcct1) (2)
    }
  }

  backends {
    s3(S3Backend) {
      fromSecretsProvider(terraform.secrets.awsAcct1) (3)
    }
  }
}
1 You can also set a profile to use instead of supplying credentials. Credentials can be read from providers.
2 Places the correct environment variables into the environment at the time the tool executes.
3 If you are using the S3 backend for remote state, you can pass the same credentials to the backend.

You can reuse the AWS security variables from the environment if you wish:

secrets {
  awsAcct1(AwsSecrets) {
    useAwsCredentialsFromEnvironment()
  }
}

This will extract as many of the following environment variables as are available, and reuse them:

  • AWS_ACCESS_KEY_ID

  • AWS_SECRET_ACCESS_KEY

  • AWS_SESSION_TOKEN

  • AWS_PROFILE

  • AWS_CONFIG_FILE

  • AWS_SHARED_CREDENTIALS_FILE

You can also opt to use a profile, which is especially useful when working locally:

secrets {
  awsAcct1(AwsSecrets) {
    useProfile('ysb33r') (1)
    useSharedCredentialsFile('/path/to/credentials') (2)
    useConfigFile('/path/to/config') (3)
  }
}
1 Use a named profile from credentials and config files.
2 Optionally override the location of the credentials file.
3 Optionally override the location of the config file.
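As an added example that is not part of the original documentation: one build script that combines the two mechanisms above so that no key material is hard-coded, taking credentials from the environment on CI and from a named profile locally, and passing the same secrets provider to both the source set and the S3 backend. The CI environment variable name and the profile name 'dev' are assumptions.

```groovy
import org.ysb33r.gradle.iac.base.secrets.AwsSecrets

// Assumption: the CI system sets a CI environment variable. Checked through the
// Gradle Provider API so the decision is made at configuration time.
boolean onCi = providers.environmentVariable('CI').isPresent()

terraform {
  secrets {
    awsAcct1(AwsSecrets) {
      if (onCi) {
        // Short-lived credentials injected by the CI job (AWS_ACCESS_KEY_ID,
        // AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) are reused as-is.
        useAwsCredentialsFromEnvironment()
      } else {
        // Developers authenticate through a named profile (assumed name 'dev'),
        // so no keys appear in the build script or in version control.
        useProfile('dev')
      }
    }
  }
  sourceSets {
    main {
      fromSecretsProvider(terraform.secrets.awsAcct1)
    }
  }
  backends {
    s3(S3Backend) {
      // Remote state in S3 uses the same credentials as the source set.
      fromSecretsProvider(terraform.secrets.awsAcct1)
    }
  }
}
```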