Systems Manager Parameter store #21

kikobr82 opened this issue Apr 15, 2020 · 6 comments

@kikobr82
Contributor

Objectives:

  • generate 4 empty keys to store wordpress secrets
    • /wordpress/WORDPRESS_DB_HOST
    • /wordpress/WORDPRESS_DB_USER
    • /wordpress/WORDPRESS_DB_PASSWORD
    • /wordpress/WORDPRESS_DB_NAME
  • use aws managed key to encrypt values for these keys. Do it manually through AWS console
  • make sure to use same values when configuring wordpress image

Acceptance Criteria:

  • All values in parameter store are encrypted
  • My ec2 instance can get the values from the Parameter Store
@deniseddi deniseddi self-assigned this Apr 18, 2020
@deniseddi deniseddi self-assigned this Apr 19, 2020
@deniseddi
Contributor

deniseddi commented Apr 21, 2020

To generate 4 keys to store wordpress secrets:

  • Created four aws ssm parameter resources through Terraform.

    • A parameter is a key-value pair for any data that you want to store and reference. You need to specify a name, data type and value for the parameter.
  • To store an encrypted value:

    • set parameter type to “SecureString”
    • used the default SSM KMS key
  • Run terraform init, plan, apply.

  • To comply with testing requirements, I’ve created an EC2 instance through Terraform and attached an IAM role to it. Connected to the instance using an SSH key and accessed the parameter values using the command:
    $ aws ssm get-parameters --names "/wordpress/WORDPRESS_DB_NAME" "/wordpress/WORDPRESS_DB_USER" --region ap-southeast-2 --with-decryption

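As an added example (not the project's own Terraform and not code from either commenter), the following covers both the objectives in the issue description and the approach described in the comment above: the four /wordpress/* parameters created as SecureString with the AWS-managed SSM key, plus a least-privilege IAM role for the test EC2 instance that can read and decrypt only those parameters. The region is the one used in the comment; the resource names, the "CHANGE_ME" placeholder and the provider configuration are assumptions.

```hcl
# Added example, not the project's code. Assumes the region from the issue
# and placeholder resource names.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }
}

provider "aws" {
  region = "ap-southeast-2" # region used in the comment above
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# The AWS-managed key that SSM uses for SecureString parameters by default.
data "aws_kms_key" "ssm" {
  key_id = "alias/aws/ssm"
}

locals {
  wordpress_params = [
    "WORDPRESS_DB_HOST",
    "WORDPRESS_DB_USER",
    "WORDPRESS_DB_PASSWORD",
    "WORDPRESS_DB_NAME",
  ]
}

resource "aws_ssm_parameter" "wordpress" {
  for_each = toset(local.wordpress_params)

  name        = "/wordpress/${each.key}"
  description = "WordPress secret ${each.key}; real value is set in the console"
  type        = "SecureString"
  key_id      = data.aws_kms_key.ssm.id
  # SSM rejects an empty value, so seed a placeholder (assumed value) ...
  value = "CHANGE_ME"

  lifecycle {
    # ... and make sure a later `terraform apply` never overwrites the value
    # that was entered manually in the console with the placeholder again.
    ignore_changes = [value]
  }
}

# Least-privilege role for the test EC2 instance: read only /wordpress/*
# parameters and decrypt them with the default SSM key, nothing else.
resource "aws_iam_role" "wordpress_ec2" {
  name = "wordpress-ec2-ssm-read"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "wordpress_ssm_read" {
  name = "wordpress-ssm-read"
  role = aws_iam_role.wordpress_ec2.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["ssm:GetParameter", "ssm:GetParameters"]
        Resource = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/wordpress/*"
      },
      {
        Effect   = "Allow"
        Action   = "kms:Decrypt"
        Resource = data.aws_kms_key.ssm.arn
      },
    ]
  })
}

# Attach this profile to the test instance via `iam_instance_profile`.
resource "aws_iam_instance_profile" "wordpress_ec2" {
  name = "wordpress-ec2-ssm-read"
  role = aws_iam_role.wordpress_ec2.name
}
```

Attaching `aws_iam_instance_profile.wordpress_ec2.name` to an `aws_instance` through its `iam_instance_profile` argument is what makes the `aws ssm get-parameters ... --with-decryption` check from the comment succeed from inside the instance. The `ignore_changes = [value]` block matters for the workflow the issue asks for: since the real secrets are typed into the console after `terraform apply`, Terraform must not treat that edit as drift to be reverted, and the placeholder value must never be committed anywhere as if it were a real credential.
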
@deniseddi
Contributor

deniseddi commented Apr 21, 2020

How should I name this file?
parameter-store.tf ?

@kikobr82
Contributor Author

That's your decision.. :) file names can change anytime anyway.. no need to worry about that.

Please, create a PR, so we can approve it and merge. Remember to include in the documentation what needs to be done once the terraform code is applied.

@deniseddi
Contributor

"Remember to include in the documentation what needs to be done once the terraform code is applied." So, after running terraform apply ?

  • Create an EC2 instance to test accessing the parameter details?
  • Encrypt values for these keys manually through AWS console ? (Even though "SecureString" seems to do the job)
  • Use same "values" when configuring wordpress image ?

Kiko, I am not sure if you meant the above or something else?
And is this information that is to go into the documentation to be saved in a file annexed to parameter-store.tf as a README file, or in here, or elsewhere?
Cheers

@kikobr82
Contributor Author

The EC2 creation is just so you can test and validate it's all working, so no need to be done on every deployment.

What you need to include in the README is the steps required to include the right values in those parameter store keys...
As you mentioned, if you are doing it through the console, those values will be encrypted by default, so no need to have the encryption step included, but how to change the values in the console should be there..

@deniseddi
Contributor

deniseddi commented Apr 22, 2020

For the README

After running terraform apply, in order to include the right values in the parameters store keys or change the values manually:

  • Log in to AWS console then go to Systems Manager service, which is located under Management & Governance.
  • Navigate to Parameter Store, under Application Management.
  • Select the parameter and click “Edit” to change/add the new value. Save changes.
    Remember to select “SecureString” to encrypt sensitive data using the KMS keys for your account.

No branches or pull requests

2 participants