pfandie/encrypt_decrypt.txt

## encrypt_decrypt.txt
# How to encrypt/decrypt your text secret with AWS KMS in AWS cli
## NOTE: the encrypted string is only a dummy for documentation ;)

KMS_KEY="alias/aws_kms_key"
SECRET_STRING="super_safe_string"
PROFILE="my-aws-profile-to-use"
CIPHERTEXT_BLOB="1235jFCFui9IzEWhXSrkM5IQl6sQsveW3jlyQ/eEVvX0m6XFk8L25mFhMZX7UQeKm0mFFQM93I123456789HSaEd1WnrAL7Qirs7iQ1n2nEUkFn8tcoVZVMgxJq2Qpw2gn6qfv1th0BefRMKJU4uWSHdWYKfz8I63ezlErQF9uIMWVQkxtmhrSKjVfwbCFMP4IGl7SfsNwrH7G+XYaaVY+lBWmEfuCHHTD68GAvK5IGwkGUDEnzd36MkZz9+Eg9HDOdR9kZ2LgJkMeB9vYfDRKfZz+f9qsuwmdFAbVPd/i7v/sc82rH3BzbgGoXpKLvULCAqc1f6ZoMTtjGdpaaPOo3vRBGLvJJxHDHd18IuV+suwE9LUkO3wE1U68VhlGK81aj+snZ1zyBuUn2s7QCUDSSl2xtYXhne9oTtZlLoRwT7h7bCRsdUn7L8pEg6CwnPxIwrhMsTRcvkNNZrP6zXgpO+IbwqTyEO88eeKYulgZfJoDKSdBRe52oV0a3do0w9PXDw1/8eu1nS4IKxyrLzlYMvRVo5HxFT8cg1zIjQfu1vwgKUwB43GtS81DS0n/1234567891bQC8SNNYN1EGFojVRZfF7whkeoXToWqFrBQXRUZJR4ZXssH5/eSaHeEaq6uwPPm/1234567898/CO1jG3DMnzoT2OZgskzaeRaE="

# if not set in config use manual region
#REGION="eu-central-1"

# in case of not standard algorithm
#ALGORITHM="RSAES_OAEP_SHA_256"

encrypt-text:
aws kms encrypt --key-id ${KMS_KEY} --plaintext ${SECRET_STRING} --query CiphertextBlob --output text --cli-binary-format raw-in-base64-out

decrypt-text:
aws kms decrypt --key-id ${KMS_KEY} --ciphertext-blob ${CIPHERTEXT_BLOB} --query Plaintext --output text \
  --profile ${PROFILE} --region ${PROFILE} --encryption-algorithm ${ALGORITHM} | base64 -d

# Use it in terraform:
## example like from the terraform docs
environment.tfvars
kms_password_phrase = "1235jFCFui9IzEWhXSrkM5IQl6sQsveW3jlyQ/eEVvX0m6XFk8L25mFhMZX7UQeKm0mFFQM93I123456789HSaEd1WnrAL7Qirs7iQ1n2nEUkFn8tcoVZVMgxJq2Qpw2gn6qfv1th0BefRMKJU4uWSHdWYKfz8I63ezlErQF9uIMWVQkxtmhrSKjVfwbCFMP4IGl7SfsNwrH7G+XYaaVY+lBWmEfuCHHTD68GAvK5IGwkGUDEnzd36MkZz9+Eg9HDOdR9kZ2LgJkMeB9vYfDRKfZz+f9qsuwmdFAbVPd/i7v/sc82rH3BzbgGoXpKLvULCAqc1f6ZoMTtjGdpaaPOo3vRBGLvJJxHDHd18IuV+suwE9LUkO3wE1U68VhlGK81aj+snZ1zyBuUn2s7QCUDSSl2xtYXhne9oTtZlLoRwT7h7bCRsdUn7L8pEg6CwnPxIwrhMsTRcvkNNZrP6zXgpO+IbwqTyEO88eeKYulgZfJoDKSdBRe52oV0a3do0w9PXDw1/8eu1nS4IKxyrLzlYMvRVo5HxFT8cg1zIjQfu1vwgKUwB43GtS81DS0n/1234567891bQC8SNNYN1EGFojVRZfF7whkeoXToWqFrBQXRUZJR4ZXssH5/eSaHeEaq6uwPPm/1234567898/CO1jG3DMnzoT2OZgskzaeRaE="

data "aws_kms_secrets" "my_kms_key" {
  secret {
    name    = "db_password"
    payload = var.kms_password_phrase
  }
}

resource "aws_db_instance" "my_rds_db" {
  # ... other configuration ...
  password = data.aws_kms_secrets.example.plaintext["db_password"]
}
	# How to encrypt/decrypt your text secret with AWS KMS in AWS cli
	## NOTE: the encrypted string is only a dummy for documentation ;)

	KMS_KEY="alias/aws_kms_key"
	SECRET_STRING="super_safe_string"
	PROFILE="my-aws-profile-to-use"
	CIPHERTEXT_BLOB="1235jFCFui9IzEWhXSrkM5IQl6sQsveW3jlyQ/eEVvX0m6XFk8L25mFhMZX7UQeKm0mFFQM93I123456789HSaEd1WnrAL7Qirs7iQ1n2nEUkFn8tcoVZVMgxJq2Qpw2gn6qfv1th0BefRMKJU4uWSHdWYKfz8I63ezlErQF9uIMWVQkxtmhrSKjVfwbCFMP4IGl7SfsNwrH7G+XYaaVY+lBWmEfuCHHTD68GAvK5IGwkGUDEnzd36MkZz9+Eg9HDOdR9kZ2LgJkMeB9vYfDRKfZz+f9qsuwmdFAbVPd/i7v/sc82rH3BzbgGoXpKLvULCAqc1f6ZoMTtjGdpaaPOo3vRBGLvJJxHDHd18IuV+suwE9LUkO3wE1U68VhlGK81aj+snZ1zyBuUn2s7QCUDSSl2xtYXhne9oTtZlLoRwT7h7bCRsdUn7L8pEg6CwnPxIwrhMsTRcvkNNZrP6zXgpO+IbwqTyEO88eeKYulgZfJoDKSdBRe52oV0a3do0w9PXDw1/8eu1nS4IKxyrLzlYMvRVo5HxFT8cg1zIjQfu1vwgKUwB43GtS81DS0n/1234567891bQC8SNNYN1EGFojVRZfF7whkeoXToWqFrBQXRUZJR4ZXssH5/eSaHeEaq6uwPPm/1234567898/CO1jG3DMnzoT2OZgskzaeRaE="

	# if not set in config use manual region
	#REGION="eu-central-1"

	# in case of not standard algorithm
	#ALGORITHM="RSAES_OAEP_SHA_256"

	encrypt-text:
	aws kms encrypt --key-id ${KMS_KEY} --plaintext ${SECRET_STRING} --query CiphertextBlob --output text --cli-binary-format raw-in-base64-out

	decrypt-text:
	aws kms decrypt --key-id ${KMS_KEY} --ciphertext-blob ${CIPHERTEXT_BLOB} --query Plaintext --output text \
	--profile ${PROFILE} --region ${PROFILE} --encryption-algorithm ${ALGORITHM} \| base64 -d

	# Use it in terraform:
	## example like from the terraform docs
	environment.tfvars
	kms_password_phrase = "1235jFCFui9IzEWhXSrkM5IQl6sQsveW3jlyQ/eEVvX0m6XFk8L25mFhMZX7UQeKm0mFFQM93I123456789HSaEd1WnrAL7Qirs7iQ1n2nEUkFn8tcoVZVMgxJq2Qpw2gn6qfv1th0BefRMKJU4uWSHdWYKfz8I63ezlErQF9uIMWVQkxtmhrSKjVfwbCFMP4IGl7SfsNwrH7G+XYaaVY+lBWmEfuCHHTD68GAvK5IGwkGUDEnzd36MkZz9+Eg9HDOdR9kZ2LgJkMeB9vYfDRKfZz+f9qsuwmdFAbVPd/i7v/sc82rH3BzbgGoXpKLvULCAqc1f6ZoMTtjGdpaaPOo3vRBGLvJJxHDHd18IuV+suwE9LUkO3wE1U68VhlGK81aj+snZ1zyBuUn2s7QCUDSSl2xtYXhne9oTtZlLoRwT7h7bCRsdUn7L8pEg6CwnPxIwrhMsTRcvkNNZrP6zXgpO+IbwqTyEO88eeKYulgZfJoDKSdBRe52oV0a3do0w9PXDw1/8eu1nS4IKxyrLzlYMvRVo5HxFT8cg1zIjQfu1vwgKUwB43GtS81DS0n/1234567891bQC8SNNYN1EGFojVRZfF7whkeoXToWqFrBQXRUZJR4ZXssH5/eSaHeEaq6uwPPm/1234567898/CO1jG3DMnzoT2OZgskzaeRaE="

	data "aws_kms_secrets" "my_kms_key" {
	secret {
	name = "db_password"
	payload = var.kms_password_phrase
	}
	}

	resource "aws_db_instance" "my_rds_db" {
	# ... other configuration ...
	password = data.aws_kms_secrets.example.plaintext["db_password"]
	}