snowplow-devops / terraform-aws-snowflake-loader-ec2


Support for passwords using ec2ParameterStore #18

Open thomas-brx opened 1 year ago

thomas-brx commented 1 year ago

In https://github.com/snowplow/snowplow-rdb-loader/commit/656adb3113732e013859a204373805aa0dfea61b, support was added to store Snowflake passwords in EC2 Parameter Store. It would be great if support was added in the Terraform module as well, to avoid the real password being stored in the state file.

    "password": {
      "ec2ParameterStore": {
        "parameterName": "path.to.snowflake.password"
      }
    }

The instance role should then also include the policies required to read that password.
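One way the instance-role permission could be expressed in Terraform, as an added example that is not code from this module or from the issue author. The variable names, the policy name and the use of `ssm:GetParameter` as the action the loader needs are assumptions; the parameter itself is expected to be created outside Terraform so its value never enters state.

```hcl
# Added example: variable and resource names are hypothetical, not the module's own.
variable "snowflake_password_parameter_name" {
  description = "Name of an SSM parameter created outside Terraform"
  type        = string
  default     = "path.to.snowflake.password"
}

variable "loader_iam_role_name" {
  description = "IAM role attached to the loader EC2 instances (assumed input)"
  type        = string
}

variable "parameter_kms_key_arn" {
  description = "Customer-managed KMS key ARN for the SecureString, if one is used; leave empty otherwise"
  type        = string
  default     = ""
}

data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

locals {
  # SSM ARNs are parameter/<name>; a leading "/" in a hierarchical name is not doubled.
  parameter_arn = "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter/${trimprefix(var.snowflake_password_parameter_name, "/")}"
}

data "aws_iam_policy_document" "read_snowflake_password" {
  # Scope read access to the single parameter, not to a path or "*".
  statement {
    sid       = "ReadSnowflakePassword"
    actions   = ["ssm:GetParameter"]
    resources = [local.parameter_arn]
  }

  # Only emitted when a customer-managed key ARN is supplied.
  dynamic "statement" {
    for_each = var.parameter_kms_key_arn == "" ? [] : [var.parameter_kms_key_arn]
    content {
      sid       = "DecryptSnowflakePassword"
      actions   = ["kms:Decrypt"]
      resources = [statement.value]
    }
  }
}

resource "aws_iam_role_policy" "read_snowflake_password" {
  name   = "read-snowflake-password"
  role   = var.loader_iam_role_name
  policy = data.aws_iam_policy_document.read_snowflake_password.json
}
```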

thomas-brx commented 1 year ago

And in case anybody needs a workaround, here is one using some ~~horrible~~ creative config-injection:

  snowflake_password           = "\", \"password\": {\"ec2ParameterStore\": {\"parameterName\": \"foo.bar.baz\"}}, \"dummy\": \"dummy"

This will generate the configuration:

    # DB password
    "password": "", "password": {"ec2ParameterStore": {"parameterName": "foo.bar.baz"}}, "dummy": "dummy",

The second password overrides the first, and the dummy is there to swallow the extra quotation mark in the template.

jbeemster commented 1 year ago

Hi @thomas-brx, if you have the bandwidth to implement this feature I would be more than happy to review and merge it in! Otherwise it might be a while until we get to adding this.