moritzzimmer
commented
4 years ago this is fixed with https://github.com/moritzzimmer/terraform-aws-lambda/releases/tag/v5.4.0
Open moritzzimmer opened 4 years ago
moritzzimmer
commented
4 years ago this is fixed with https://github.com/moritzzimmer/terraform-aws-lambda/releases/tag/v5.4.0
There are different possibilities and recommendations how to manage and access secrets (e.g. database passwords) inside Lambda functions (see e.g here and here).
Currently this module supports reading (optionally encrypted) parameters from
AWS Systems Manager Parameter Storeat runtime by creating IAM policies allowing access to and decryption of parameters by settingssm_parameter_namesandkms_key_arn. This is the recommended way for Lambda functions if the Parameter Store API limits are no concern in case of horizontal scaling.Unfortunately
kms_key_arnconflicts with the parameter specified in the Terraform Lambda ressource to specify a key that is used to encrypt environment variables.Proposal:
ssm { parameters: [], kms_key_arn: ""}) to configure IAM policies for runtime SSM access (with custom key)kms_key_arnto it's default meaning an pass it down to lambda submoduleAWS Secrets Manager