initial commit
@@ -0,0 +1,29 @@
|
||||
# secretsmanager-secret module
|
||||
This module creates an entry in secretsmanager, attaching a default access policy if one is
|
||||
not provided from root module. A random suffix is assigned to every secret, as AWS may delay
|
||||
creation of secrets with the same name, after the old one has been destroyed that is.
|
||||
|
||||
The default policy attached to secretsmanager prevents cross-account access.
|
||||
|
||||
To have this module generate a random password, set ```generate_secret``` to true.
|
||||
|
||||
To tag resources, please use provider default_tags.
|
||||
|
||||
## Example
|
||||
```hcl
|
||||
module "secret1" {
|
||||
source = "../../modules/security_identity_compliance/secretsmanager-secret"
|
||||
|
||||
secret_name = "test-secret-name-1"
|
||||
secret_description = "test-secret-desc-1"
|
||||
secret_value = "test-secret-value"
|
||||
}
|
||||
|
||||
module "secret2" {
|
||||
source = "../../modules/security_identity_compliance/secretsmanager-secret"
|
||||
|
||||
secret_name = "test-secret-name-2"
|
||||
secret_description = "test-secret-desc-3"
|
||||
generate_secret = true
|
||||
}
|
||||
```
|
||||
@@ -0,0 +1,15 @@
|
||||
module "secret1" {
|
||||
source = "../"
|
||||
|
||||
secret_name = "test-secret-name-1"
|
||||
secret_description = "test-secret-desc-1"
|
||||
secret_value = "test-secret-value"
|
||||
}
|
||||
|
||||
module "secret2" {
|
||||
source = "../"
|
||||
|
||||
secret_name = "test-secret-name-2"
|
||||
secret_description = "test-secret-desc-3"
|
||||
generate_secret = true
|
||||
}
|
||||
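Review bot: `module "secret2"` pairs `secret_name = "test-secret-name-2"` with `secret_description = "test-secret-desc-3"`, which looks like a copy-paste slip; `secret_description = "test-secret-desc-2"` keeps the example consistent. The `secret1` example also commits a literal `secret_value`, which is the pattern this module exists to keep out of source control; feeding it through a variable marked `sensitive = true` (e.g. `secret_value = var.secret_value`) shows callers the intended usage without placing secret material in the repository.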
@@ -0,0 +1,59 @@
|
||||
data "aws_caller_identity" "this" {}
|
||||
|
||||
resource "random_id" "rid" {
|
||||
byte_length = 2
|
||||
}
|
||||
|
||||
resource "aws_secretsmanager_secret" "secret1" {
|
||||
name = "${var.secret_name}-${random_id.rid.dec}"
|
||||
description = var.secret_description
|
||||
kms_key_id = var.kms_key_id == null ? null : var.kms_key_id
|
||||
}
|
||||
|
||||
resource "aws_secretsmanager_secret_version" "this" {
|
||||
secret_id = aws_secretsmanager_secret.secret1.id
|
||||
secret_string = var.generate_secret ? data.aws_secretsmanager_random_password.this.random_password : var.secret_value
|
||||
}
|
||||
|
||||
data "aws_secretsmanager_random_password" "this" {
|
||||
password_length = 22
|
||||
exclude_numbers = false
|
||||
exclude_characters = "o![]\\"
|
||||
exclude_lowercase = false
|
||||
exclude_punctuation = false
|
||||
exclude_uppercase = false
|
||||
include_space = false
|
||||
require_each_included_type = true
|
||||
}
|
||||
|
||||
# resource "random_password" "this" {
|
||||
# count = var.generate_secret ? 1 : 0
|
||||
# length = 22
|
||||
# special = true
|
||||
# }
|
||||
|
||||
resource "aws_secretsmanager_secret_policy" "policy" {
|
||||
secret_arn = aws_secretsmanager_secret.secret1.arn
|
||||
policy = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "policy-file" {
|
||||
statement {
|
||||
sid = "DenyCrossAccountAccess"
|
||||
effect = "Deny"
|
||||
|
||||
principals {
|
||||
identifiers = ["*"]
|
||||
type = "AWS"
|
||||
}
|
||||
|
||||
condition {
|
||||
test = "StringNotEquals"
|
||||
values = [data.aws_caller_identity.this.account_id]
|
||||
variable = "aws:PrincipalAccount"
|
||||
}
|
||||
|
||||
actions = ["secretsmanager:GetSecretValue"]
|
||||
resources = [aws_secretsmanager_secret.secret1.arn]
|
||||
}
|
||||
}
|
||||
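Review bot: `aws_secretsmanager_random_password` is a data source, so `random_password` is re-read on every plan; when `generate_secret` is true, `aws_secretsmanager_secret_version.this` sees a new `secret_string` on each run and silently rotates the stored secret (confirm against the provider docs, but this is how data sources are refreshed). A second plan-time gap in the same resource: when `generate_secret` is false and `secret_value` is left at its `null` default, `secret_string` becomes `null` and the failure only surfaces at apply; a `precondition` reports it during plan. The rewrite below adds both, with the caveat that `ignore_changes = [secret_string]` also ignores later caller edits to `secret_value`, so the commented-out `random_password` resource (stable across applies) may be the better home for the generated value. Separately, the `DenyCrossAccountAccess` statement covers only `secretsmanager:GetSecretValue`, so a future Allow for other actions would not be blocked; `actions = ["secretsmanager:*"]` matches the README's stated intent.
```hcl
resource "aws_secretsmanager_secret_version" "this" {
  secret_id     = aws_secretsmanager_secret.secret1.id
  secret_string = var.generate_secret ? data.aws_secretsmanager_random_password.this.random_password : var.secret_value

  lifecycle {
    # The data source yields a fresh value on every plan; keep the first stored version.
    ignore_changes = [secret_string]
    precondition {
      condition     = var.generate_secret || var.secret_value != null
      error_message = "Set secret_value or enable generate_secret; secret_string must not be null."
    }
  }
}
# … unchanged: random_id, aws_secretsmanager_secret, random password data source, policy, policy document …
```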
@@ -0,0 +1,12 @@
|
||||
output "secret_arn" {
|
||||
value = aws_secretsmanager_secret.secret1.arn
|
||||
}
|
||||
|
||||
output "secret_id" {
|
||||
value = "${var.secret_name}-${random_id.rid.dec}"
|
||||
}
|
||||
|
||||
# output "generated_password" {
|
||||
# value = try(random_password.this[0].result, "None")
|
||||
# sensitive = true
|
||||
# }
|
||||
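Review bot: `output "secret_id"` recomputes the name from `var.secret_name` and `random_id.rid.dec` instead of reading it from the created resource, so it can drift from main.tf's naming expression, and its value is the secret's name rather than the resource `id` (which for this resource appears to be the ARN — confirm). `value = aws_secretsmanager_secret.secret1.name` ties the output to what was actually created, and renaming the output to `secret_name` would remove the ambiguity. The commented-out `generated_password` block references `random_password.this`, which is also commented out in main.tf; either drop the dead block or, if a password output is wanted, expose `aws_secretsmanager_secret_version.this.secret_string` with `sensitive = true`.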
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.3.0"
|
||||
required_providers {
|
||||
aws = {
|
||||
source = "hashicorp/aws"
|
||||
version = ">= 5.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
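Review bot: `required_providers` declares only `aws`, but main.tf uses `random_id`, so the `hashicorp/random` provider is resolved implicitly and without a version constraint, and the lock file will not pin it the way it pins aws. Add `random = { source = "hashicorp/random", version = "<CONSTRAINT_PLACEHOLDER>" }` beside the aws entry, with a constraint chosen to match the random_id usage. If the commented-out `random_password` resource is adopted later, that declaration is needed anyway.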
@@ -0,0 +1,23 @@
|
||||
variable "secret_description" {}
|
||||
variable "secret_name" {}
|
||||
variable "secret_value" {
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
variable "secret_policy" {
|
||||
type = string
|
||||
default = null
|
||||
description = "By default, cross-account access is denied"
|
||||
}
|
||||
|
||||
variable "generate_secret" {
|
||||
type = bool
|
||||
default = false
|
||||
description = "If set to true, a secure password will be generated and saved."
|
||||
}
|
||||
|
||||
variable kms_key_id {
|
||||
type = string
|
||||
default = null
|
||||
description = "Custom kms key id. If not specified, the default key aws/secretmanager key will be used."
|
||||
}
|
||||
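Review bot: `variable "secret_value"` carries plaintext secret material but is not marked `sensitive = true`, so the value is printed in plan and apply output and in any CI logs that capture it; add `sensitive = true` to that block. `secret_description` and `secret_name` have no `type`, so any value type is accepted; `type = string` on both keeps the interpolation in main.tf well-defined. The `kms_key_id` description names the default key as `aws/secretmanager`, while the AWS-managed key alias is `aws/secretsmanager`, and the unquoted `variable kms_key_id` label is legacy syntax that `terraform fmt` rewrites to `variable "kms_key_id"`.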