What specific changes need to be made to the syntax of the example below in order for Terraform to successfully upload the named file into a secret in AWS Secrets Manager?
Note that an AWS EC2 instance running Amazon Linux 2 is also created by the same Terraform module and needs to retrieve this file from Secrets Manager. The same Amazon Linux 2 EC2 instance is already able to successfully retrieve a string secret from the same AWS Secrets Manager. Therefore, this problem is isolated to uploading a file instead of a short string.
If it is not possible to upload the file object, then a second best answer would show how to upload the textual contents of the file. Note that the file is an x509 certificate that will need to be used by a program running in an EC2 instance. The textual contents are the typical length of an x509 certificate, which is a relatively small amount of text.
```hcl
variable "certFileAndPath" {
  default = "C:\\path\\to\\the\\x509\\certificate.crt"
}

resource "aws_secretsmanager_secret" "example-cert" {
  name                    = "example-cert"
  recovery_window_in_days = 0
}

resource "aws_secretsmanager_secret_version" "cert-val" {
  secret_id = aws_secretsmanager_secret.example-cert.id
  # filebase64() reads the file and base64-encodes it; Secrets Manager stores the decoded bytes as SecretBinary
  secret_binary = filebase64(var.certFileAndPath)
}
```
Currently, the Terraform code above results in `None` being echoed out by the cloud-init script that retrieves the secret. Also, the AWS web UI console for Secrets Manager does not show any content when a human user tries to read the contents of the secret, which is indeed created by the code above. And Terraform runs the code above without throwing an error.
The cloud-init bash userdata command that echoes out `None` in the resulting EC2 instance's `/var/log/cloud-init-output.log`:

```bash
echo "example-cert is: \n"
# note the --query SecretString: this reads the string field of the secret
echo $(aws secretsmanager get-secret-value --secret-id "example-cert" --version-stage AWSCURRENT --region "${var._region}" --output text --query SecretString)
```
If you are using `secret_binary`, in the AWS CLI you should use `SecretBinary`:

```bash
aws secretsmanager get-secret-value --secret-id "example-cert" --version-stage AWSCURRENT --region "${var._region}" --output text --query SecretBinary
```
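As an added example (not part of the question or the answer above), here is a small script that carries the `SecretBinary` retrieval through to a usable certificate file. The CLI returns `SecretBinary` base64-encoded, so the bytes Terraform uploaded via `filebase64()` must be decoded before a program can use them; the script also refuses the `None` output seen in the question and creates the file with owner-only permissions. The function names `write_secret_binary`, `fetch_cert` and `looks_like_cert` are hypothetical, and it assumes the AWS CLI is installed and the instance role allows `secretsmanager:GetSecretValue` on the secret.

```shell
#!/usr/bin/env bash
# Added example: retrieve a certificate stored as SecretBinary and write it to disk.
set -euo pipefail

# Decode the base64 text that `--output text --query SecretBinary` prints and
# write the raw bytes to $2 with mode 0600. Refuses empty or "None" input,
# which is what the CLI prints when the secret holds no SecretBinary value.
write_secret_binary() {
    local b64="$1" dest="$2"
    if [ -z "$b64" ] || [ "$b64" = "None" ]; then
        echo "secret has no SecretBinary value (stored as SecretString instead?)" >&2
        return 1
    fi
    # umask inside a subshell so only this file is created owner-only (0600)
    ( umask 077; printf '%s' "$b64" | base64 --decode > "$dest" )
}

# Fetch secret $1 from region $2 (assumes AWS CLI + IAM permission) into file $3.
fetch_cert() {
    local secret_id="$1" region="$2" dest="$3" b64
    b64=$(aws secretsmanager get-secret-value \
            --secret-id "$secret_id" --version-stage AWSCURRENT \
            --region "$region" --output text --query SecretBinary)
    write_secret_binary "$b64" "$dest"
}

# Sanity check before a program consumes the file: does it look like a PEM cert?
looks_like_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
        && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Usage: ./get-cert.sh example-cert us-east-1 /etc/pki/tls/certs/example.crt
if [ "$#" -eq 3 ]; then
    fetch_cert "$1" "$2" "$3"
    looks_like_cert "$3" || { echo "decoded file is not a PEM certificate" >&2; exit 1; }
fi
```

Run it from cloud-init instead of the bare `echo`, and the certificate lands on disk readable only by root rather than being printed into `/var/log/cloud-init-output.log`.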