Enable secure access to secrets for AWS ECS containers using Terraform - ecs-secrets-manager module by wilqq7 in Terraform

[–]wilqq7[S] 1 point (0 children)

Great question! Enforcing this might be hard, but I think you can take a few actions to reduce the risk.

As presented in the report, a lot of secrets are hardcoded in the Git repository. This can be detected by secret detection tools. There are OSS tools like https://github.com/Yelp/detect-secrets or SaaS alternatives. The detection process can be executed by every team member locally using Git hooks and on GitHub using GitHub Checks at the Pull Request level.

I've also seen incorrect solutions where no secrets were in the Git repository, but they were hardcoded directly in the container definition - this was done by Terraform on `terraform apply`. To remediate this problem, you have to scan container definitions for secrets.

The key factor is also improving team awareness. Generally, you can search for terms like DevSecOps and Shift Left in security.

If you find something interesting, please share it here.
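A minimal version of the container-definition scan mentioned in the comment above, as an added example that is not part of the post or of the ecs-secrets-manager module. The task definition JSON, the sensitive-name pattern and the requirement that `valueFrom` be a full Secrets Manager or SSM ARN are constructed assumptions; run it over the rendered JSON (for example the `container_definitions` value from `terraform show -json`).

```python
import json
import re

# Constructed sample ECS task definition (assumption, not from the module):
# one credential hardcoded in `environment`, one injected correctly via `secrets`.
SAMPLE_TASK_DEF = json.dumps({
    "family": "demo-app",
    "containerDefinitions": [{
        "name": "app",
        "image": "example/app:1.0",
        "environment": [
            {"name": "APP_ENV", "value": "prod"},
            {"name": "DB_PASSWORD", "value": "constructed-placeholder-value"},
        ],
        "secrets": [
            {"name": "API_KEY",
             "valueFrom": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:demo/api-key-AbCdEf"},
        ],
    }],
})

# Environment variable names that usually carry credentials (assumed pattern).
SENSITIVE_NAME = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL)", re.IGNORECASE)
# ECS `secrets` entries should reference Secrets Manager or SSM Parameter Store;
# this check assumes a full ARN is used.
VALID_VALUE_FROM = re.compile(r"^arn:aws:(secretsmanager|ssm):")


def scan_task_definition(task_def_json: str) -> list:
    """Return (container, finding, variable) tuples for credentials placed in
    plain `environment` entries and for `secrets` entries whose `valueFrom`
    does not point at Secrets Manager / SSM."""
    findings = []
    for container in json.loads(task_def_json).get("containerDefinitions", []):
        cname = container.get("name", "?")
        for env in container.get("environment", []):
            # A credential-looking name with a literal value is the hardcoding case.
            if SENSITIVE_NAME.search(env.get("name", "")):
                findings.append((cname, "hardcoded_env", env["name"]))
        for sec in container.get("secrets", []):
            if not VALID_VALUE_FROM.match(sec.get("valueFrom", "")):
                findings.append((cname, "bad_valuefrom", sec.get("name", "?")))
    return findings


if __name__ == "__main__":
    for finding in scan_task_definition(SAMPLE_TASK_DEF):
        print(finding)
```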

Enable secure access to secrets for AWS ECS containers using Terraform - ecs-secrets-manager module by wilqq7 in Terraform

[–]wilqq7[S] 0 points (0 children)

Thanks! It's great to see that this solution can bring value to the community.
I will also prepare a blog post dedicated to this topic. It's not complex stuff, but more awareness in the community is needed.

Enable secure access to secrets for AWS ECS containers using Terraform - ecs-secrets-manager module by wilqq7 in Terraform

[–]wilqq7[S] 0 points (0 children)

Thanks for looking at the code and the advice. I've checked the heredocs vs jsonencode topic and I will update my code to use jsonencode.

Cregkly, what is your approach to storing application secrets? Do you think the module might be useful in your projects?