initial commit
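--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,59 @@
+data "aws_caller_identity" "this" {}
+
+resource "random_id" "rid" {
+byte_length = 2
+}
+
+resource "aws_secretsmanager_secret" "secret1" {
+name = "${var.secret_name}-${random_id.rid.dec}"
+description = var.secret_description
+kms_key_id = var.kms_key_id == null ? null : var.kms_key_id
+}
+
+resource "aws_secretsmanager_secret_version" "this" {
+secret_id = aws_secretsmanager_secret.secret1.id
+secret_string = var.generate_secret ? data.aws_secretsmanager_random_password.this.random_password : var.secret_value
+}
+
+data "aws_secretsmanager_random_password" "this" {
+password_length = 22
+exclude_numbers = false
+exclude_characters = "o![]\\"
+exclude_lowercase = false
+exclude_punctuation = false
+exclude_uppercase = false
+include_space = false
+require_each_included_type = true
+}
+
+# resource "random_password" "this" {
+# count = var.generate_secret ? 1 : 0
+# length = 22
+# special = true
+# }
+
+resource "aws_secretsmanager_secret_policy" "policy" {
+secret_arn = aws_secretsmanager_secret.secret1.arn
+policy = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json
+}
+
+data "aws_iam_policy_document" "policy-file" {
+statement {
+sid = "DenyCrossAccountAccess"
+effect = "Deny"
+
+principals {
+identifiers = ["*"]
+type = "AWS"
+}
+
+condition {
+test = "StringNotEquals"
+values = [data.aws_caller_identity.this.account_id]
+variable = "aws:PrincipalAccount"
+}
+
+actions = ["secretsmanager:GetSecretValue"]
+resources = [aws_secretsmanager_secret.secret1.arn]
+}
+}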
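Review bot: `secret_string` on `aws_secretsmanager_secret_version.this` is fed from the `aws_secretsmanager_random_password` data source, which the provider re-reads on every plan, so when `var.generate_secret` is true each apply produces a new password and replaces the secret version — consumers that already fetched the value are cut off and the secret rotates without anyone asking for it. The commented-out `random_password` resource is the right shape, because its result is held in state and stays stable across applies; switching to it (with `one()` so the reference evaluates to null when count is 0) is shown below. The data source is also evaluated even when `generate_secret` is false, since it carries no `count`, and its output lands in state either way, so state storage for this module has to be treated as secret-bearing regardless of which branch is taken. Two smaller points: `kms_key_id = var.kms_key_id == null ? null : var.kms_key_id` simplifies to `kms_key_id = var.kms_key_id`, and the default resource policy only denies `secretsmanager:GetSecretValue` cross-account, so a caller-supplied `var.secret_policy` replaces rather than extends that guard — worth a comment on the `policy` line such as `# a custom policy disables the default cross-account Deny; include an equivalent statement`.
```hcl
resource "random_password" "this" {
  count   = var.generate_secret ? 1 : 0
  length  = 22
  special = true
}

resource "aws_secretsmanager_secret_version" "this" {
  secret_id = aws_secretsmanager_secret.secret1.id
  # one() returns null when count is 0, so the var.secret_value branch is taken
  secret_string = var.generate_secret ? one(random_password.this[*].result) : var.secret_value
}

# … unchanged: aws_caller_identity, random_id, aws_secretsmanager_secret, aws_secretsmanager_secret_policy, aws_iam_policy_document …
```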