How to encrypt db password
1. Create a KMS master key from the AWS console.
http://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
(Be careful about the region! Make sure the key is created in the right region.)
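2. Create a text file with your password in it. Use printf rather than echo: echo appends a newline, and that newline would be encrypted as part of the password.
printf '%s' "mypassword" > /home/igorg/db.txt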
3. Encrypt your plaintext password with the KMS key
aws kms encrypt --key-id 3fb2...c7f3 --plaintext fileb:///home/igorg/db.txt --output text --query CiphertextBlob
The output is the encrypted string.
4. Put your encrypted password in the Terraform definition
data "aws_kms_secret" "db" {
  secret {
    name    = "master_password"
    payload = "AQICAHg...C0rTg="
  }
}
resource "aws_db_instance" "krdb1" {
  allocated_storage      = 5
  storage_type           = "gp2"
  engine                 = "mysql"
  engine_version         = "5.6.35"
  instance_class         = "db.t2.micro"
  name                   = "krdb1"
  username               = "admin"
  password               = "${data.aws_kms_secret.db.master_password}"
  db_subnet_group_name   = "krdb_group"
  vpc_security_group_ids = ["${aws_security_group.db.id}"]
}
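Steps 2 and 3 as shell functions with a pre-flight check on the plaintext file, added here as an example that is not part of the original post. The function names are hypothetical; the aws call is the one from step 3.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# write_secret_file FILE: read one line from stdin and store it in FILE
# without the trailing newline; a new file is created owner-only (umask 077).
write_secret_file() {
    (
        umask 077
        IFS= read -r pw || [ -n "$pw" ]
        printf '%s' "$pw" > "$1"
    )
}

# check_secret_file FILE: returns 0 if FILE is safe to encrypt as-is,
# 1 if empty or missing, 2 on a trailing newline, 3 if group/other have access.
check_secret_file() {
    f=$1
    [ -s "$f" ] || { echo "empty or missing: $f" >&2; return 1; }
    # Last byte in hex: 0a is LF, 0d is CR.
    last=$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')
    case $last in
        0a|0d) echo "$f ends with a newline; it would be encrypted into the password" >&2
               return 2 ;;
    esac
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f is accessible to group/other" >&2; return 3; }
    return 0
}

# encrypt_secret KEY_ID FILE: the aws call from step 3, run only if the check passes.
encrypt_secret() {
    check_secret_file "$2" || return
    aws kms encrypt --key-id "$1" --plaintext "fileb://$2" \
        --output text --query CiphertextBlob
}
```

Delete the plaintext file once the ciphertext is in the Terraform definition. The decrypted value is still written to the Terraform state, so the state file needs the same protection as the password.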