{"id":24310583,"url":"https://github.com/sweetops/terraform-aws-secretsmanager","last_synced_at":"2025-09-26T15:31:42.845Z","repository":{"id":44727683,"uuid":"412013282","full_name":"SweetOps/terraform-aws-secretsmanager","owner":"SweetOps","description":"Terraform module to provision and manage AWS Secrets Manager","archived":false,"fork":false,"pushed_at":"2024-08-27T23:13:03.000Z","size":49,"stargazers_count":3,"open_issues_count":0,"forks_count":5,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-08-28T17:11:20.626Z","etag":null,"topics":["terraform-aws","terraform-module","terraform-modules"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SweetOps.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-09-30T10:04:35.000Z","updated_at":"2024-08-27T23:12:55.000Z","dependencies_parsed_at":"2024-08-27T17:07:28.709Z","dependency_job_id":null,"html_url":"https://github.com/SweetOps/terraform-aws-secretsmanager","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":"SweetOps/terraform-module-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SweetOps%2Fterraform-aws-secretsmanager","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SweetOps%2Fterraform-aws-secretsmanager/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SweetOps%2Fterraform-aws-secretsmanager/releases","manifests_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/SweetOps%2Fterraform-aws-secretsmanager/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SweetOps","download_url":"https://codeload.github.com/SweetOps/terraform-aws-secretsmanager/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234319591,"owners_count":18813552,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["terraform-aws","terraform-module","terraform-modules"],"created_at":"2025-01-17T06:16:57.768Z","updated_at":"2025-09-26T15:31:42.832Z","avatar_url":"https://github.com/SweetOps.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"## terraform-aws-secretsmanager\nTerraform module to provision and manage AWS Secrets Manager.\n\n## Usage\n\n```hcl\nmodule \"label\" {\n  source  = \"cloudposse/label/null\"\n  version = \"0.25.0\"\n\n  name      = \"alpha\"\n  namespace = \"so\"\n  stage     = \"staging\"\n}\n\nmodule \"ssh_key_pair\" {\n  source  = \"cloudposse/key-pair/aws\"\n  version = \"0.18.1\"\n\n  ssh_public_key_path = \"keys/\"\n  generate_ssh_key    = \"true\"\n\n  context = module.label.context\n}\n\nmodule \"secrets\" {\n  source  = \"SweetOps/secretsmanager/aws\"\n  version = \"0.1.0\"\n\n  secret_version = {\n    secret_string = jsonencode(\n      {\n        ssh_public_key  = base64encode(module.ssh_key_pair.public_key)\n        ssh_private_key = base64encode(module.ssh_key_pair.private_key)\n      }\n    )\n  }\n\n  context = module.label.context\n}\n```\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## 
Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.10 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 5 |\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | \u003e= 5 |\n\n## Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| \u003ca name=\"module_kms_key\"\u003e\u003c/a\u003e [kms\\_key](#module\\_kms\\_key) | cloudposse/kms-key/aws | 0.12.2 |\n| \u003ca name=\"module_this\"\u003e\u003c/a\u003e [this](#module\\_this) | cloudposse/label/null | 0.25.0 |\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_secretsmanager_secret.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |\n| [aws_secretsmanager_secret_rotation.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation) | resource |\n| [aws_secretsmanager_secret_version.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |\n| [aws_secretsmanager_secret_version.ignore_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_additional_tag_map\"\u003e\u003c/a\u003e [additional\\_tag\\_map](#input\\_additional\\_tag\\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.\u003cbr/\u003eThis is for some rare cases where resources want additional configuration of tags\u003cbr/\u003eand therefore take a list of maps with tag key, value, and additional configuration. 
| `map(string)` | `{}` | no |\n| \u003ca name=\"input_attributes\"\u003e\u003c/a\u003e [attributes](#input\\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,\u003cbr/\u003ein the order they appear in the list. New attributes are appended to the\u003cbr/\u003eend of the list. The elements of the list are joined by the `delimiter`\u003cbr/\u003eand treated as a single ID element. | `list(string)` | `[]` | no |\n| \u003ca name=\"input_context\"\u003e\u003c/a\u003e [context](#input\\_context) | Single object for setting entire context at once.\u003cbr/\u003eSee description of individual variables for details.\u003cbr/\u003eLeave string and numeric variables as `null` to use default value.\u003cbr/\u003eIndividual variable settings (non-null) override settings in context object,\u003cbr/\u003eexcept for attributes, tags, and additional\\_tag\\_map, which are merged. | `any` | \u003cpre\u003e{\u003cbr/\u003e  \"additional_tag_map\": {},\u003cbr/\u003e  \"attributes\": [],\u003cbr/\u003e  \"delimiter\": null,\u003cbr/\u003e  \"descriptor_formats\": {},\u003cbr/\u003e  \"enabled\": true,\u003cbr/\u003e  \"environment\": null,\u003cbr/\u003e  \"id_length_limit\": null,\u003cbr/\u003e  \"label_key_case\": null,\u003cbr/\u003e  \"label_order\": [],\u003cbr/\u003e  \"label_value_case\": null,\u003cbr/\u003e  \"labels_as_tags\": [\u003cbr/\u003e    \"unset\"\u003cbr/\u003e  ],\u003cbr/\u003e  \"name\": null,\u003cbr/\u003e  \"namespace\": null,\u003cbr/\u003e  \"regex_replace_chars\": null,\u003cbr/\u003e  \"stage\": null,\u003cbr/\u003e  \"tags\": {},\u003cbr/\u003e  \"tenant\": null\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_delimiter\"\u003e\u003c/a\u003e [delimiter](#input\\_delimiter) | Delimiter to be used between ID elements.\u003cbr/\u003eDefaults to `-` (hyphen). Set to `\"\"` to use no delimiter at all. 
| `string` | `null` | no |\n| \u003ca name=\"input_description\"\u003e\u003c/a\u003e [description](#input\\_description) | Description of the secret. | `string` | `\"Managed by Terraform\"` | no |\n| \u003ca name=\"input_descriptor_formats\"\u003e\u003c/a\u003e [descriptor\\_formats](#input\\_descriptor\\_formats) | Describe additional descriptors to be output in the `descriptors` output map.\u003cbr/\u003eMap of maps. Keys are names of descriptors. Values are maps of the form\u003cbr/\u003e`{\u003cbr/\u003e   format = string\u003cbr/\u003e   labels = list(string)\u003cbr/\u003e}`\u003cbr/\u003e(Type is `any` so the map values can later be enhanced to provide additional options.)\u003cbr/\u003e`format` is a Terraform format string to be passed to the `format()` function.\u003cbr/\u003e`labels` is a list of labels, in order, to pass to `format()` function.\u003cbr/\u003eLabel values will be normalized before being passed to `format()` so they will be\u003cbr/\u003eidentical to how they appear in `id`.\u003cbr/\u003eDefault is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |\n| \u003ca name=\"input_enabled\"\u003e\u003c/a\u003e [enabled](#input\\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |\n| \u003ca name=\"input_environment\"\u003e\u003c/a\u003e [environment](#input\\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |\n| \u003ca name=\"input_force_overwrite_replica_secret\"\u003e\u003c/a\u003e [force\\_overwrite\\_replica\\_secret](#input\\_force\\_overwrite\\_replica\\_secret) | Whether to overwrite a secret with the same name in the destination Region. 
| `bool` | `true` | no |\n| \u003ca name=\"input_id_length_limit\"\u003e\u003c/a\u003e [id\\_length\\_limit](#input\\_id\\_length\\_limit) | Limit `id` to this many characters (minimum 6).\u003cbr/\u003eSet to `0` for unlimited length.\u003cbr/\u003eSet to `null` to keep the existing setting, which defaults to `0`.\u003cbr/\u003eDoes not affect `id_full`. | `number` | `null` | no |\n| \u003ca name=\"input_kms_key\"\u003e\u003c/a\u003e [kms\\_key](#input\\_kms\\_key) | enabled:\u003cbr/\u003e    Whether to create KMS key.\u003cbr/\u003edescription:\u003cbr/\u003e    The description of the key as viewed in AWS console.\u003cbr/\u003ealias:\u003cbr/\u003e    The display name of the alias. The name must start with the word alias followed by a forward slash. \u003cbr/\u003e    If not specified, the alias name will be auto-generated.\u003cbr/\u003edeletion\\_window\\_in\\_days:\u003cbr/\u003e    Duration in days after which the key is deleted after destruction of the resource\u003cbr/\u003eenable\\_key\\_rotation:\u003cbr/\u003e    Specifies whether key rotation is enabled. | \u003cpre\u003eobject({\u003cbr/\u003e    enabled                 = optional(bool, true)\u003cbr/\u003e    description             = optional(string, \"Managed by Terraform\")\u003cbr/\u003e    alias                   = optional(string)\u003cbr/\u003e    deletion_window_in_days = optional(number, 30)\u003cbr/\u003e    enable_key_rotation     = optional(bool, true)\u003cbr/\u003e  })\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_kms_key_id\"\u003e\u003c/a\u003e [kms\\_key\\_id](#input\\_kms\\_key\\_id) | ARN or Id of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. \u003cbr/\u003eIf you don't specify this value, then Secrets Manager defaults to using the AWS account's default CMK (the one named `aws/secretsmanager`). 
| `string` | `null` | no |\n| \u003ca name=\"input_label_key_case\"\u003e\u003c/a\u003e [label\\_key\\_case](#input\\_label\\_key\\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.\u003cbr/\u003eDoes not affect keys of tags passed in via the `tags` input.\u003cbr/\u003ePossible values: `lower`, `title`, `upper`.\u003cbr/\u003eDefault value: `title`. | `string` | `null` | no |\n| \u003ca name=\"input_label_order\"\u003e\u003c/a\u003e [label\\_order](#input\\_label\\_order) | The order in which the labels (ID elements) appear in the `id`.\u003cbr/\u003eDefaults to [\"namespace\", \"environment\", \"stage\", \"name\", \"attributes\"].\u003cbr/\u003eYou can omit any of the 6 labels (\"tenant\" is the 6th), but at least one must be present. | `list(string)` | `null` | no |\n| \u003ca name=\"input_label_value_case\"\u003e\u003c/a\u003e [label\\_value\\_case](#input\\_label\\_value\\_case) | Controls the letter case of ID elements (labels) as included in `id`,\u003cbr/\u003eset as tag values, and output by this module individually.\u003cbr/\u003eDoes not affect values of tags passed in via the `tags` input.\u003cbr/\u003ePossible values: `lower`, `title`, `upper` and `none` (no transformation).\u003cbr/\u003eSet this to `title` and set `delimiter` to `\"\"` to yield Pascal Case IDs.\u003cbr/\u003eDefault value: `lower`. 
| `string` | `null` | no |\n| \u003ca name=\"input_labels_as_tags\"\u003e\u003c/a\u003e [labels\\_as\\_tags](#input\\_labels\\_as\\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.\u003cbr/\u003eDefault is to include all labels.\u003cbr/\u003eTags with empty values will not be included in the `tags` output.\u003cbr/\u003eSet to `[]` to suppress all generated tags.\u003cbr/\u003e**Notes:**\u003cbr/\u003e  The value of the `name` tag, if included, will be the `id`, not the `name`.\u003cbr/\u003e  Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be\u003cbr/\u003e  changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | \u003cpre\u003e[\u003cbr/\u003e  \"default\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.\u003cbr/\u003eThis is the only ID element not also included as a `tag`.\u003cbr/\u003eThe \"name\" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |\n| \u003ca name=\"input_namespace\"\u003e\u003c/a\u003e [namespace](#input\\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |\n| \u003ca name=\"input_policy\"\u003e\u003c/a\u003e [policy](#input\\_policy) | Valid JSON document representing a resource policy. | `string` | `null` | no |\n| \u003ca name=\"input_recovery_window_in_days\"\u003e\u003c/a\u003e [recovery\\_window\\_in\\_days](#input\\_recovery\\_window\\_in\\_days) | Valid JSON document representing a resource policy. 
| `number` | `30` | no |\n| \u003ca name=\"input_regex_replace_chars\"\u003e\u003c/a\u003e [regex\\_replace\\_chars](#input\\_regex\\_replace\\_chars) | Terraform regular expression (regex) string.\u003cbr/\u003eCharacters matching the regex will be removed from the ID elements.\u003cbr/\u003eIf not set, `\"/[^a-zA-Z0-9-]/\"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |\n| \u003ca name=\"input_replicas\"\u003e\u003c/a\u003e [replicas](#input\\_replicas) | kms\\_key\\_id:\u003cbr/\u003e    ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to.\u003cbr/\u003eregion:\u003cbr/\u003e    Region for replicating the secret. | \u003cpre\u003elist(\u003cbr/\u003e    object(\u003cbr/\u003e      {\u003cbr/\u003e        kms_key_id = string\u003cbr/\u003e        region     = string\u003cbr/\u003e      }\u003cbr/\u003e    )\u003cbr/\u003e  )\u003c/pre\u003e | `[]` | no |\n| \u003ca name=\"input_rotation\"\u003e\u003c/a\u003e [rotation](#input\\_rotation) | enabled:\u003cbr/\u003e    Whether to create secret rotation rule. \u003cbr/\u003e    Default value: `false`\u003cbr/\u003elambda\\_arn:\u003cbr/\u003e    Specifies the ARN of the Lambda function that can rotate the secret.\u003cbr/\u003eautomatically\\_after\\_days:\u003cbr/\u003e    Specifies the number of days between automatic scheduled rotations of the secret.\u003cbr/\u003eduration:\u003cbr/\u003e    The length of the rotation window in hours. For example, `3h` for a three hour window.\u003cbr/\u003eschedule\\_expression:\u003cbr/\u003e    A `cron()` or `rate()` expression that defines the schedule for rotating your secret. Either `automatically_after_days` or `schedule_expression` must be specified. 
| \u003cpre\u003eobject({\u003cbr/\u003e    enabled                  = optional(bool, false)\u003cbr/\u003e    lambda_arn               = string\u003cbr/\u003e    automatically_after_days = optional(number, null)\u003cbr/\u003e    duration                 = optional(string, null)\u003cbr/\u003e    schedule_expression      = optional(string, null)\u003cbr/\u003e  })\u003c/pre\u003e | \u003cpre\u003e{\u003cbr/\u003e  \"lambda_arn\": \"\"\u003cbr/\u003e}\u003c/pre\u003e | no |\n| \u003ca name=\"input_secret_version\"\u003e\u003c/a\u003e [secret\\_version](#input\\_secret\\_version) | ignore\\_changes\\_enabled:\u003cbr/\u003e    Whether to ignore changes in `secret_string` and `secret_binary`.\u003cbr/\u003e    Default value: `false`\u003cbr/\u003esecret\\_string:\u003cbr/\u003e    Specifies text data that you want to encrypt and store in this version of the secret. \u003cbr/\u003e    This is required if `secret_binary` is not set.\u003cbr/\u003esecret\\_binary:\u003cbr/\u003e    Specifies binary data that you want to encrypt and store in this version of the secret. \u003cbr/\u003e    This is required if `secret_string` is not set. \u003cbr/\u003e    Needs to be encoded to base64.\u003cbr/\u003eephemeral:\u003cbr/\u003e    Whether to create an ephemeral secret version.\u003cbr/\u003eephemeral\\_version:\u003cbr/\u003e    If `ephemeral` is set to `true`, increment this value when an update is made to the secret version. | \u003cpre\u003eobject(\u003cbr/\u003e    {\u003cbr/\u003e      secret_string          = optional(string, \"{}\")\u003cbr/\u003e      secret_binary          = optional(string)\u003cbr/\u003e      ignore_changes_enabled = optional(bool, false)\u003cbr/\u003e      ephemeral              = optional(bool, false)\u003cbr/\u003e      ephemeral_version      = optional(number, 0)\u003cbr/\u003e    }\u003cbr/\u003e  )\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_stage\"\u003e\u003c/a\u003e [stage](#input\\_stage) | ID element. 
Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).\u003cbr/\u003eNeither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |\n| \u003ca name=\"input_tenant\"\u003e\u003c/a\u003e [tenant](#input\\_tenant) | ID element \\_(Rarely used, not included by default)\\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_arn\"\u003e\u003c/a\u003e [arn](#output\\_arn) | ARN of the secret |\n| \u003ca name=\"output_id\"\u003e\u003c/a\u003e [id](#output\\_id) | ID of the secret |\n| \u003ca name=\"output_kms_key_alias_arn\"\u003e\u003c/a\u003e [kms\\_key\\_alias\\_arn](#output\\_kms\\_key\\_alias\\_arn) | KMS key alias ARN |\n| \u003ca name=\"output_kms_key_alias_name\"\u003e\u003c/a\u003e [kms\\_key\\_alias\\_name](#output\\_kms\\_key\\_alias\\_name) | KMS key alias name |\n| \u003ca name=\"output_kms_key_arn\"\u003e\u003c/a\u003e [kms\\_key\\_arn](#output\\_kms\\_key\\_arn) | KMS key ARN |\n| \u003ca name=\"output_kms_key_id\"\u003e\u003c/a\u003e [kms\\_key\\_id](#output\\_kms\\_key\\_id) | KMS key ID |\n| \u003ca name=\"output_name\"\u003e\u003c/a\u003e [name](#output\\_name) | Name of the secret |\n| \u003ca name=\"output_version_id\"\u003e\u003c/a\u003e [version\\_id](#output\\_version\\_id) | The unique identifier of the version of the secret |\n\u003c!-- END_TF_DOCS --\u003e \n\n## License\nThe Apache-2.0 
license","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsweetops%2Fterraform-aws-secretsmanager","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsweetops%2Fterraform-aws-secretsmanager","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsweetops%2Fterraform-aws-secretsmanager/lists"}