forked from nanuchi/wrongsecrets
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsecrets.tf
More file actions
98 lines (82 loc) · 2.07 KB
/
Copy pathsecrets.tf
File metadata and controls
98 lines (82 loc) · 2.07 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
###############################
# Secrets manager challenge 1 #
###############################
resource "aws_secretsmanager_secret" "secret" {
name = "wrongsecret"
recovery_window_in_days = 0
}
resource "aws_secretsmanager_secret_version" "secret" {
secret_id = aws_secretsmanager_secret.secret.id
secret_string = random_password.password.result
}
resource "random_password" "password" {
length = 24
special = true
override_special = "_%@"
}
resource "aws_secretsmanager_secret_policy" "policy" {
block_public_policy = true
secret_arn = aws_secretsmanager_secret.secret.arn
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnableAllPermissions",
"Effect": "Allow",
"Principal": {
"AWS": "${aws_iam_role.irsa_role.arn}"
},
"Action": "secretsmanager:*",
"Resource": "*"
}
]
}
POLICY
}
###############################
# Secrets manager challenge 2 #
###############################
resource "aws_secretsmanager_secret" "secret_2" {
name = "wrongsecret-2"
recovery_window_in_days = 0
}
resource "aws_secretsmanager_secret_policy" "policy_2" {
block_public_policy = true
secret_arn = aws_secretsmanager_secret.secret_2.arn
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnableAllPermissions",
"Effect": "Allow",
"Principal": {
"AWS": "${aws_iam_role.irsa_role.arn}"
},
"Action": "secretsmanager:*",
"Resource": "*"
}
]
}
POLICY
}
###############################
# Parameter store challenge 1 #
###############################
resource "random_password" "password2" {
length = 24
special = true
override_special = "_%@"
}
resource "aws_ssm_parameter" "secret" {
name = "wrongsecretvalue"
description = "A secret "
type = "SecureString"
value = random_password.password2.result # Bootstrap something, not used in challenge
lifecycle {
ignore_changes = [
value
]
}
}