There are different possibilities and recommendations for how to manage and access secrets (e.g. database passwords) inside Lambda functions (see e.g. here and here).
Currently this module supports reading (optionally encrypted) parameters from AWS Systems Manager Parameter Store at runtime by creating IAM policies allowing access to and decryption of parameters by setting ssm_parameter_names and kms_key_arn. This is the recommended way for Lambda functions if the Parameter Store API limits are no concern in case of horizontal scaling.
Unfortunately kms_key_arn conflicts with the parameter specified in the Terraform Lambda resource to specify a key that is used to encrypt environment variables.
Proposal:
create a new configuration option (e.g. ssm { parameters: [], kms_key_arn: ""}) to configure IAM policies for runtime SSM access (with custom key)
switch the (optional) variable kms_key_arn to its default meaning and pass it down to the lambda submodule
(optionally) support configuration option for using AWS Secrets Manager
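As an added illustration of the proposal (not the module's own code), the following Terraform keeps the two keys apart: one key grants decryption of the Parameter Store values in the runtime IAM policy, and a separate key is passed to the Lambda resource's kms_key_arn to encrypt environment variables. All variable, resource and parameter names are assumptions.

```hcl
variable "ssm_parameter_names" {
  type    = list(string)
  default = ["/example/db/password"] # constructed sample parameter name
}
variable "ssm_kms_key_arn" { type = string } # key protecting the SecureStrings (assumed name)
variable "env_kms_key_arn" { type = string } # key for Lambda environment variables (assumed name)

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_iam_role" "lambda" {
  name = "example-lambda"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
      Principal = { Service = "lambda.amazonaws.com" } }]
  })
}

# Runtime access: read only the listed parameters, decrypt only with their key.
data "aws_iam_policy_document" "ssm_runtime" {
  statement {
    actions = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = [
      for name in var.ssm_parameter_names :
      "arn:aws:ssm:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:parameter${name}"
    ]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [var.ssm_kms_key_arn]
  }
}

resource "aws_iam_role_policy" "ssm_runtime" {
  role   = aws_iam_role.lambda.id
  policy = data.aws_iam_policy_document.ssm_runtime.json
}

resource "aws_lambda_function" "this" {
  function_name = "example"
  role          = aws_iam_role.lambda.arn
  handler       = "index.handler"
  runtime       = "python3.12"
  filename      = "lambda.zip" # constructed placeholder artifact
  # The Lambda resource's own kms_key_arn only encrypts environment variables;
  # it is unrelated to the key that decrypts the Parameter Store values above.
  kms_key_arn = var.env_kms_key_arn
  environment { variables = { SSM_PARAMETER_NAMES = join(",", var.ssm_parameter_names) } }
}
```

The function then reads the named parameters with GetParameter(WithDecryption=true) at runtime and never needs the environment-variable key for that call.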