Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/terraform-aws-modules/terraform-aws-secrets-manager

Terraform module to create AWS Secrets Manager resources 🇺🇦
https://github.com/terraform-aws-modules/terraform-aws-secrets-manager

aws aws-secrets-manager secrets-manager terraform terraform-module terraform-modules

Last synced: about 7 hours ago
JSON representation

Terraform module to create AWS Secrets Manager resources 🇺🇦

Host: GitHub
URL: https://github.com/terraform-aws-modules/terraform-aws-secrets-manager
Owner: terraform-aws-modules
License: apache-2.0
Created: 2023-07-13T11:35:54.000Z (about 1 year ago)
Default Branch: master
Last Pushed: 2024-09-19T19:11:31.000Z (7 days ago)
Last Synced: 2024-09-22T04:30:28.794Z (5 days ago)
Topics: aws, aws-secrets-manager, secrets-manager, terraform, terraform-module, terraform-modules
Language: HCL
Homepage: https://registry.terraform.io/modules/terraform-aws-modules/secrets-manager/aws
Size: 36.1 KB
Stars: 29
Watchers: 2
Forks: 21
Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE

Awesome Lists containing this project

README

        # AWS Secrets Manager Terraform module

Terraform module which creates AWS Secrets Manager resources.

[![SWUbanner](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-direct.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md)

## Usage

See [`examples`](https://github.com/terraform-aws-modules/terraform-aws-secrets-manager/tree/master/examples) directory for working examples to reference:

### Standard

```hcl

module "secrets_manager" {

  source = "terraform-aws-modules/secrets-manager/aws"

  # Secret

  name_prefix             = "example"

  description             = "Example Secrets Manager secret"

  recovery_window_in_days = 30

  # Policy

  create_policy       = true

  block_public_policy = true

  policy_statements = {

    read = {

      sid = "AllowAccountRead"

      principals = [{

        type        = "AWS"

        identifiers = ["arn:aws:iam::1234567890:root"]

      }]

      actions   = ["secretsmanager:GetSecretValue"]

      resources = ["*"]

    }

  }

  # Version

  create_random_password           = true

  random_password_length           = 64

  random_password_override_special = "!@#$%^&*()_+"

  tags = {

    Environment = "Development"

    Project     = "Example"

  }

}

```

### w/ Rotation

```hcl

module "secrets_manager" {

  source = "terraform-aws-modules/secrets-manager/aws"

  # Secret

  name_prefix             = "rotated-example"

  description             = "Rotated example Secrets Manager secret"

  recovery_window_in_days = 7

  # Policy

  create_policy       = true

  block_public_policy = true

  policy_statements = {

    lambda = {

      sid = "LambdaReadWrite"

      principals = [{

        type        = "AWS"

        identifiers = ["arn:aws:iam:1234567890:role/lambda-function"]

      }]

      actions = [

        "secretsmanager:DescribeSecret",

        "secretsmanager:GetSecretValue",

        "secretsmanager:PutSecretValue",

        "secretsmanager:UpdateSecretVersionStage",

      ]

      resources = ["*"]

    }

    read = {

      sid = "AllowAccountRead"

      principals = [{

        type        = "AWS"

        identifiers = ["arn:aws:iam::1234567890:root"]

      }]

      actions   = ["secretsmanager:DescribeSecret"]

      resources = ["*"]

    }

  }

  # Version

  ignore_secret_changes = true

  secret_string = jsonencode({

    engine   = "mariadb",

    host     = "mydb.cluster-123456789012.us-east-1.rds.amazonaws.com",

    username = "Bill",

    password = "Initial"

    dbname   = "ThisIsMySuperSecretString12356!&*()",

    port     = 3306

  })

  # Rotation

  enable_rotation     = true

  rotation_lambda_arn = "arn:aws:lambda:us-east-1:123456789012:function:my-function"

  rotation_rules = {

    # This should be more sensible in production

    schedule_expression = "rate(1 minute)"

  }

  tags = {

    Environment = "Development"

    Project     = "Example"

  }

}

```

## Examples

Examples codified under the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-secrets-manager/tree/master/examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

- [Complete](https://github.com/terraform-aws-modules/terraform-aws-secrets-manager/tree/master/examples/complete)

## Requirements

| Name | Version |

|------|---------|

|  [terraform](#requirement\_terraform) | >= 1.0 |

|  [aws](#requirement\_aws) | >= 5.0 |

|  [random](#requirement\_random) | >= 3.0 |

## Providers

| Name | Version |

|------|---------|

|  [aws](#provider\_aws) | >= 5.0 |

|  [random](#provider\_random) | >= 3.0 |

## Modules

No modules.

## Resources

| Name | Type |

|------|------|

| [aws_secretsmanager_secret.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |

| [aws_secretsmanager_secret_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource |

| [aws_secretsmanager_secret_rotation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation) | resource |

| [aws_secretsmanager_secret_version.ignore_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |

| [aws_secretsmanager_secret_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |

| [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |

| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

## Inputs

| Name | Description | Type | Default | Required |

|------|-------------|------|---------|:--------:|

|  [block\_public\_policy](#input\_block\_public\_policy) | Makes an optional API call to Zelkova to validate the Resource Policy to prevent broad access to your secret | `bool` | `null` | no |

|  [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |

|  [create\_policy](#input\_create\_policy) | Determines whether a policy will be created | `bool` | `false` | no |

|  [create\_random\_password](#input\_create\_random\_password) | Determines whether a random password will be generated | `bool` | `false` | no |

|  [description](#input\_description) | A description of the secret | `string` | `null` | no |

|  [enable\_rotation](#input\_enable\_rotation) | Determines whether secret rotation is enabled | `bool` | `false` | no |

|  [force\_overwrite\_replica\_secret](#input\_force\_overwrite\_replica\_secret) | Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region | `bool` | `null` | no |

|  [ignore\_secret\_changes](#input\_ignore\_secret\_changes) | Determines whether or not Terraform will ignore changes made externally to `secret_string` or `secret_binary`. Changing this value after creation is a destructive operation | `bool` | `false` | no |

|  [kms\_key\_id](#input\_kms\_key\_id) | ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named `aws/secretsmanager` | `string` | `null` | no |

|  [name](#input\_name) | Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: `/_+=.@-` | `string` | `null` | no |

|  [name\_prefix](#input\_name\_prefix) | Creates a unique name beginning with the specified prefix | `string` | `null` | no |

|  [override\_policy\_documents](#input\_override\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |

|  [policy\_statements](#input\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `map(any)` | `{}` | no |

|  [random\_password\_length](#input\_random\_password\_length) | The length of the generated random password | `number` | `32` | no |

|  [random\_password\_override\_special](#input\_random\_password\_override\_special) | Supply your own list of special characters to use for string generation. This overrides the default character list in the special argument | `string` | `"!@#$%&*()-_=+[]{}<>:?"` | no |

|  [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be `0` to force deletion without recovery or range from `7` to `30` days. The default value is `30` | `number` | `null` | no |

|  [replica](#input\_replica) | Configuration block to support secret replication | `map(any)` | `{}` | no |

|  [rotation\_lambda\_arn](#input\_rotation\_lambda\_arn) | Specifies the ARN of the Lambda function that can rotate the secret | `string` | `""` | no |

|  [rotation\_rules](#input\_rotation\_rules) | A structure that defines the rotation configuration for this secret | `map(any)` | `{}` | no |

|  [secret\_binary](#input\_secret\_binary) | Specifies binary data that you want to encrypt and store in this version of the secret. This is required if `secret_string` is not set. Needs to be encoded to base64 | `string` | `null` | no |

|  [secret\_string](#input\_secret\_string) | Specifies text data that you want to encrypt and store in this version of the secret. This is required if `secret_binary` is not set | `string` | `null` | no |

|  [source\_policy\_documents](#input\_source\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s | `list(string)` | `[]` | no |

|  [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |

|  [version\_stages](#input\_version\_stages) | Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret | `list(string)` | `null` | no |

## Outputs

| Name | Description |

|------|-------------|

|  [secret\_arn](#output\_secret\_arn) | The ARN of the secret |

|  [secret\_binary](#output\_secret\_binary) | The secret binary |

|  [secret\_id](#output\_secret\_id) | The ID of the secret |

|  [secret\_replica](#output\_secret\_replica) | Attributes of the replica created |

|  [secret\_string](#output\_secret\_string) | The secret string |

|  [secret\_version\_id](#output\_secret\_version\_id) | The unique identifier of the version of the secret |

## License

Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-secrets-manager/blob/master/LICENSE).