AWS Code Signing with Terraform

Karl Cardenas
The Startup
Published in
7 min readDec 6, 2020

--

Photo by 戸山 神奈 on Unsplash

If you are reading this then chances are you are one of the many builders who have eagerly anticipated a code signing functionality to be released from AWS. For those that are a bit unsure of what exactly code signing is, just think of it as a mechanism that verifies the executable code is authored from a trusted source. This is similar to how people in earlier times would seal their letters with a wax seal containing their unique seal. That way the reader would know that the letter came from said person and that it was unaltered.

AWS Signing is the name of the service and at the time of this writing it supports code signing for AWS Lambda and AWS IoT. This article will focus on code signing for AWS Lambda and how to integrate into your Terraform. All example code can be found in this Github project. So on that note let’s just dive into it.

In this article there are three options for leveraging AWS Code Signing with Terraform. When you make the decision to leverage code signing with AWS Lambda understand that you are accepting the following requirements:

  • The Lambda binary/zip must be sourced from S3
  • Inline editing is no longer enabled
  • All Lambda binaries/zip files must be signed by AWS Signer service
  • An inactivated code signer profile will be deleted after two…

--

--

Karl Cardenas
The Startup

is a Software Developer with a passion in automation and teaching others the art of "DevOps". https://crazykarlcodes.dev