AWS Secrets Manager Setup

🚧 You can generate this

If you ran symflow generate, you might already be configured with a secrets.tf file. If so, you do not need to complete these steps.

📘 Prerequisites

  1. An environment.tf file generated by symflow init
    a. If you have not run symflow init, follow the instructions in Installing Sym
  2. A runtime_connector module defined in connectors.tf
    a. If you do not have a connectors.tf, follow the instructions in AWS Runtime Setup

Grant Sym Read-Only Access to AWS Secrets Manager

In the directory that contains your Sym configuration (i.e. the directory created by symflow init), create a new file named secrets.tf with the following contents:


# This secrets_manager_access module defines an AWS IAM Policy and attachment that grants the Sym Runtime Role
# the permissions to read secrets from AWS Secrets Manager that are under the /sym/ path and tagged with
# `SymEnv = local.environment_name`.
module "secrets_manager_access" {
  source  = "symopsio/secretsmgr-addon/aws"
  version = "~> 1.1"

  environment   = local.environment_name
  iam_role_name = module.runtime_connector.sym_runtime_connector_role.name
}

# This resource tells Sym how to access your AWS account's Secrets Manager instance.
resource "sym_secrets" "this" {
  type = "aws_secrets_manager"
  name = "${local.environment_name}-sym-secrets"

  settings = {
    # This tells Sym to use the runtime_context integration defined in runtime.tf to access
    # your AWS account's Secrets Manager.
    context_id = sym_integration.runtime_context.id
  }
}

Finally, run terraform init && terraform apply to create the IAM policy and attachment and register the sym_secrets resource with Sym. Review the plan before confirming: the only IAM change should be a read-only Secrets Manager policy attached to the runtime connector role.

For more information about the inputs and outputs of the secrets_manager_access module, see the Terraform registry.
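The module comment above states the scope of the grant: the Sym Runtime Role can only read secrets whose name is under the /sym/ path and which carry a SymEnv tag equal to the environment name. The following added example (not code from Sym or the secretsmgr-addon module) mirrors those two conditions in plain Python so you can reason about which of your secrets will be readable before you apply the Terraform. The secret inventory, the /sym/ prefix and the SymEnv tag key are taken from the page's description, and the sample secrets are constructed data, not output from a real account.

```python
"""Check which Secrets Manager secrets fall inside the read-only scope that
the secrets_manager_access module grants the Sym Runtime Role.

Added example, not code from Sym. It assumes the scope described in the
page's Terraform comment: secret names under the /sym/ path and a SymEnv tag
equal to the Sym environment name. SAMPLE_SECRETS is constructed data.
"""
from dataclasses import dataclass, field

SECRET_PATH_PREFIX = "/sym/"  # path the module scopes reads to (per the page)
ENV_TAG_KEY = "SymEnv"        # tag key the module compares to the environment


@dataclass
class Secret:
    """Minimal model of a Secrets Manager secret: its name and its tags."""
    name: str
    tags: dict = field(default_factory=dict)


def secret_arn(region: str, account: str, name: str, suffix: str = "AbCdEf") -> str:
    """Build the ARN Secrets Manager assigns: the name plus a random 6-char suffix.

    Useful when comparing against a policy Resource such as
    arn:aws:secretsmanager:*:*:secret:/sym/* (assumed shape, not verified
    against the module source)."""
    return f"arn:aws:secretsmanager:{region}:{account}:secret:{name}-{suffix}"


def in_scope(secret: Secret, environment: str) -> tuple:
    """Return (readable, reason) for one secret under the module's two conditions."""
    if not secret.name.startswith(SECRET_PATH_PREFIX):
        return False, f"name {secret.name!r} is not under {SECRET_PATH_PREFIX}"
    tag_value = secret.tags.get(ENV_TAG_KEY)
    if tag_value != environment:
        return False, f"{ENV_TAG_KEY} tag is {tag_value!r}, expected {environment!r}"
    return True, "ok"


def readable_by_sym(secrets: list, environment: str) -> list:
    """Names of the secrets the Sym Runtime for `environment` can read, sorted."""
    return sorted(s.name for s in secrets if in_scope(s, environment)[0])


def explain(secrets: list, environment: str) -> dict:
    """Map every secret name to the reason it is or is not readable."""
    return {s.name: in_scope(s, environment)[1] for s in secrets}


# Constructed inventory covering the four cases that matter:
# correct path + correct tag, wrong tag, missing tag, wrong path.
SAMPLE_SECRETS = [
    Secret("/sym/prod/db-password", {"SymEnv": "prod"}),
    Secret("/sym/staging/db-password", {"SymEnv": "staging"}),
    Secret("/sym/prod/untagged-api-key", {}),
    Secret("prod/db-password", {"SymEnv": "prod"}),
]

if __name__ == "__main__":
    for env in ("prod", "staging"):
        print(env, "->", readable_by_sym(SAMPLE_SECRETS, env))
    for name, reason in explain(SAMPLE_SECRETS, "prod").items():
        print(f"  {name}: {reason}")
```

Note that both conditions must hold: a secret under /sym/ with no SymEnv tag is not readable, and a secret tagged for the right environment but stored outside /sym/ is not readable either. Against a live account the authoritative check is IAM policy simulation (aws iam simulate-principal-policy with the runtime connector role ARN, the secretsmanager:GetSecretValue action and the secret's ARN, passing the SymEnv tag as a context entry), which evaluates the policy the module actually attached rather than this model of it.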

Next Steps

The Sym Runtime should now have read-only access to secrets in your AWS Secrets Manager that are under the /sym/ path and tagged for this environment. In Share Secrets with the Sym Runtime we describe how to create secrets with Terraform and share them with the Sym Runtime.