Confused on accessing secrets using locals, function, user variables

If I am using an HCL template, what method should I be using to access secrets from AWS Secrets Manager? I'd like to retrieve the secret and set an environment variable MY_SECRET with the value of the secret. There are multiple documents referencing examples on how to retrieve secrets, but I am a bit confused about the difference between locals, functions within locals, and user variables.

# 1) using locals and data source

```hcl
# https://www.packer.io/plugins/datasources/amazon/secretsmanager

data "amazon-secretsmanager" "basic-example" {
  name          = "packer_test_secret"
  key           = "packer_test_key"
  version_stage = "example"
}

locals {
  value         = data.amazon-secretsmanager.basic-example.value
  secret_string = data.amazon-secretsmanager.basic-example.secret_string
  version_id    = data.amazon-secretsmanager.basic-example.version_id
  secret_value  = jsondecode(data.amazon-secretsmanager.basic-example.secret_string)["packer_test_key"]
}
```

# 2) using function

```hcl
# https://www.packer.io/docs/templates/hcl_templates/functions/contextual/aws_secretsmanager

locals {
  secret = aws_secretsmanager("my_secret", null)
}

source "null" "first-example" {
  communicator = "none"
}

build {
  name    = "my-build-name"
  sources = ["null.first-example"]

  provisioner "shell-local" {
    environment_vars = ["MY_SECRET=${local.secret}"]
  }
}
```

# 3) using user variables

```json
{
  "variables": {
    "password": "{{ aws_secretsmanager `globalpassword` }}"
  }
}
```

Hi @terramax thanks for such a great question. We will work on updating the documentation to help make things less confusing for other folks.

In the meantime, the approach you want to take here is the datasource with an HCL2 template, as JSON templates are considered legacy and because the datasource is the preferred way to access secretsmanager in HCL2 templates.

The secretsmanager function in HCL2 (your option 2) was rewritten to work with the locals and local blocks to have parity with the JSON templates (your option 3). But the use of the aws_secretsmanager is also considered legacy with the creation of the datasource.

That said, if you are using JSON templates the datasource will not work with JSON. So you will need to migrate your template over to HCL2. You can achieve this using the packer hcl2_upgrade command.

If you cannot use HCL2 templates and must use JSON, your third option of using user variables in JSON is the only supported way in JSON.

Please let me know if this helps bring some clarity around the options you listed above.
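Putting the recommended approach from the answer above into one complete HCL2 template, as an added example that is not code from the original posts or from the Packer documentation: it reads one key out of a JSON secret with the amazon-secretsmanager data source, marks the resulting local as sensitive so Packer redacts it in its output, and hands it to a shell-local provisioner as MY_SECRET. The secret name `packer_test_secret`, the key `packer_test_key`, and the assumption that the secret's SecretString is a JSON object containing that key are taken from the question and are assumptions here; the null source is used only so the template runs without building a real image.

```hcl
packer {
  required_plugins {
    amazon = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/amazon"
    }
  }
}

# Assumption: the secret named below stores a JSON object such as
# {"packer_test_key": "..."}; with `key` set, `.value` is that key's value,
# so no jsondecode() is needed in the template.
data "amazon-secretsmanager" "app" {
  name = "packer_test_secret"
  key  = "packer_test_key"
}

# A singular `local` block (not `locals {}`) is what allows `sensitive`;
# Packer then redacts this value wherever it would otherwise be printed.
local "my_secret" {
  expression = data.amazon-secretsmanager.app.value
  sensitive  = true
}

source "null" "example" {
  communicator = "none"
}

build {
  name    = "secrets-example"
  sources = ["null.example"]

  provisioner "shell-local" {
    # The secret reaches the script only through the environment, never
    # through a command-line argument that would show up in process listings.
    environment_vars = ["MY_SECRET=${local.my_secret}"]
    inline = [
      "test -n \"$MY_SECRET\" || { echo 'MY_SECRET is empty' >&2; exit 1; }",
      "echo \"MY_SECRET is set (${#MY_SECRET} characters)\"",
    ]
  }
}
```

Run it with `packer init .` (to install the amazon plugin) followed by `packer build .`, using AWS credentials that are allowed `secretsmanager:GetSecretValue` on the secret. The inline script deliberately prints only the length of the value, not the value itself, because anything the provisioner echoes ends up in the build log even when the local is marked sensitive.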

This was helpful, thanks!