Wednesday, July 26, 2017

Terraform encryption

How to encrypt a DB password so that only KMS ciphertext, never the plaintext, is stored in the Terraform files

1. Create KMS master key from AWS GUI console.
http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html

(be careful about the Region!  KMS keys are regional, so create the key in the same region your Terraform AWS provider points at; a key from another region cannot decrypt the payload and the data source will fail)

2.  Create a text file with your password in it. Use printf rather than echo: echo appends a newline, and that newline would become part of the password. Keep the file readable only by you and delete it once you have the ciphertext.
printf '%s' "mypassword" > /home/igorg/db.txt
chmod 600 /home/igorg/db.txt

3.  Encrypt your plain text password with the KMS key (the --key-id can be the key ID, the key ARN or an alias; add --region if the key is not in your default region)

aws kms encrypt --key-id 3fb2...c7f3 --plaintext fileb:///home/igorg/db.txt --output text --query CiphertextBlob

The output is the ciphertext, base64-encoded (the CiphertextBlob). That base64 string is safe to commit to source control, because decrypting it requires kms:Decrypt on the key.

4.  Put your encrypted password in the terraform definition. Terraform calls KMS to decrypt the payload at plan/apply time, so whoever runs terraform needs kms:Decrypt on the key. Note that the decrypted value still ends up in plaintext in the Terraform state file (aws_db_instance stores the password there), so this protects the .tf files, not the state: keep state in an encrypted, access-controlled backend.

data "aws_kms_secret" "db" {
  secret {
    name    = "master_password"
    payload = "AQICAHg...C0rTg="   # the base64 CiphertextBlob from step 3
  }
}

(In AWS provider 2.0 and later this data source is called aws_kms_secrets, and the decrypted value is read as data.aws_kms_secrets.db.plaintext["master_password"]; the rest of the workflow is unchanged.)


resource "aws_db_instance" "krdb1" {
  allocated_storage    = 5
  storage_type         = "gp2"
  engine               = "mysql"
  engine_version       = "5.6.35"
  instance_class       = "db.t2.micro"
  name                 = "krdb1"
  username             = "admin"
  password             = "${data.aws_kms_secret.db.master_password}"
  db_subnet_group_name = "krdb_group"
  vpc_security_group_ids = ["${aws_security_group.db.id}"]
}
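The four steps above, wrapped in one script. This is an added example, not code from the original post. It assumes a configured aws CLI, and KMS_KEY_ID (here an assumed alias, alias/terraform-db) and AWS_REGION are placeholders to replace. It writes the password without a trailing newline, encrypts it, decrypts the ciphertext again to prove the key and region are right, and then prints the data block from step 4.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a DB password with KMS
# and emit the matching Terraform data block.
# Assumes the aws CLI is installed and configured. KMS_KEY_ID and AWS_REGION
# are assumed placeholders; replace them with your own key and region.
set -eu

KMS_KEY_ID="${KMS_KEY_ID:-alias/terraform-db}"   # assumed alias; a key ID or ARN also works
AWS_REGION="${AWS_REGION:-us-east-1}"            # must be the region the key was created in

# Return 0 if the file does NOT end in a newline (echo "pw" > f would add one,
# and the newline would silently become part of the password).
has_no_trailing_newline() {
    [ -n "$(tail -c 1 "$1")" ]
}

# Write secret $2 to file $1 with printf (no newline appended), mode 0600.
# The umask change is confined to the subshell.
write_secret_file() {
    ( umask 077; printf '%s' "$2" > "$1" )
}

# Encrypt the raw bytes of file $1 and print the base64 CiphertextBlob.
kms_encrypt_file() {
    aws kms encrypt --region "$AWS_REGION" --key-id "$KMS_KEY_ID" \
        --plaintext "fileb://$1" --output text --query CiphertextBlob
}

# Decrypt a base64 CiphertextBlob ($1) and print the plaintext bytes.
kms_decrypt_blob() {
    blobfile=$(mktemp)
    printf '%s' "$1" | base64 -d > "$blobfile"
    aws kms decrypt --region "$AWS_REGION" --ciphertext-blob "fileb://$blobfile" \
        --output text --query Plaintext | base64 -d
    rm -f "$blobfile"
}

# Print the step-4 data block: $1 = data block name, $2 = secret name, $3 = blob.
render_tf_secret() {
    printf 'data "aws_kms_secret" "%s" {\n  secret {\n    name    = "%s"\n    payload = "%s"\n  }\n}\n' \
        "$1" "$2" "$3"
}

# Usage: sh kms-secret.sh /home/igorg/db.txt  (file written with printf, no newline)
main() {
    has_no_trailing_newline "$1" || { echo "error: $1 ends in a newline; rewrite it with printf" >&2; exit 1; }
    blob=$(kms_encrypt_file "$1")
    # Round-trip check: decrypting must give back exactly the bytes we encrypted,
    # which proves the key, the region and our kms:Decrypt permission are right.
    [ "$(kms_decrypt_blob "$blob")" = "$(cat "$1")" ] || { echo "error: round-trip decrypt failed" >&2; exit 1; }
    render_tf_secret db master_password "$blob"
    echo "# remember to delete $1 now that the ciphertext is captured" >&2
}

[ "$#" -eq 0 ] || main "$1"
```

Run it as `sh kms-secret.sh /home/igorg/db.txt` after creating the file with printf; paste the printed block into the .tf file. The round-trip decrypt is the check worth keeping: a payload encrypted under a key in the wrong region produces an opaque error only at terraform plan time, whereas the script fails immediately.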