feat: updated secertsmanager-secret to use emphemeral resource

modules/security_identity_compliance/secretsmanager-secret/README.md

@@ -1,29 +1,59 @@
-# secretsmanager-secret module
+<!-- This readme file is generated with terraform-docs -->
-This module creates an entry in secretsmanager, attaching a default access policy if one is
+# secretsmanager-secret
-not provided from root module. A random suffix is assigned to every secret, as AWS may delay
-creation of secrets with the same name, after the old one has been destroyed that is.
 
-The default policy attached to secretsmanager prevents cross-account access.
+Create secretsmanager secret. Specify secret\_version if you do not want
+terraform to recreate the secret everytime terraform applies. Otherwise,
+becuase this module uses emphemeral resource, the secret will be regenerated
+and replaced every time.
 
-To have this module generate a random password, set ```generate_secret``` to true.
+## Requirements
 
-To tag resources, please use provider default_tags.
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| aws | >= 5.0 |
 
-## Example
+## Providers
-```hcl
-module "secret1" {
-  source = "../../modules/security_identity_compliance/secretsmanager-secret"
 
-  secret_name        = "test-secret-name-1"
+| Name | Version |
-  secret_description = "test-secret-desc-1"
+|------|---------|
-  secret_value       = "test-secret-value"
+| aws | >= 5.0 |
-}
+| random | n/a |
 
-module "secret2" {
+## Modules
-  source = "../../modules/security_identity_compliance/secretsmanager-secret"
 
-  secret_name        = "test-secret-name-2"
+No modules.
-  secret_description = "test-secret-desc-3"
+
-  generate_secret    = true
+## Resources
-}
+
-```
+| Name | Type |
+|------|------|
+| [aws_secretsmanager_secret.secret1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
+| [aws_secretsmanager_secret_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource |
+| [aws_secretsmanager_secret_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
+| [random_id.rid](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.policy-file](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| generate\_secret | If set to true, a secure password will be generated and saved. | `bool` | `false` | no |
+| kms\_key\_id | Custom kms key id. If not specified, the default key aws/secretmanager key will be used. | `string` | `null` | no |
+| secret\_description | n/a | `any` | n/a | yes |
+| secret\_name | n/a | `any` | n/a | yes |
+| secret\_policy | By default, cross-account access is denied | `string` | `null` | no |
+| secret\_value | n/a | `string` | `null` | no |
+| secret\_version | Secret version number. Increment to modify secret, or leave this unset to have your secret updated everytime terraform applies | `number` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| secret\_arn | n/a |
+| secret\_id | n/a |
+ 
+---
+## Authorship
+This module was developed by UPDATE_THIS.

modules/security_identity_compliance/secretsmanager-secret/example/main.tf

@@ -12,4 +12,13 @@ module "secret2" {
   secret_name        = "test-secret-name-2"
   secret_description = "test-secret-desc-3"
   generate_secret    = true
+}
+
+module "secret3" {
+  source = "../"
+
+  secret_name        = "test-secret-name-2"
+  secret_description = "test-secret-desc-3"
+  generate_secret    = true
+  secret_version     = 1 # increment to update secret value
 }

modules/security_identity_compliance/secretsmanager-secret/main.tf

@@ -1,3 +1,13 @@
+/**
+* # secretsmanager-secret
+*
+* Create secretsmanager secret. Specify secret_version if you do not want
+* terraform to recreate the secret everytime terraform applies. Otherwise,
+* becuase this module uses emphemeral resource, the secret will be regenerated
+* and replaced every time.
+*/
+
+
 data "aws_caller_identity" "this" {}
 
 resource "random_id" "rid" {
@@ -11,11 +21,12 @@ resource "aws_secretsmanager_secret" "secret1" {
 }
 
 resource "aws_secretsmanager_secret_version" "this" {
-  secret_id     = aws_secretsmanager_secret.secret1.id
+  secret_id                = aws_secretsmanager_secret.secret1.id
-  secret_string = var.generate_secret ? data.aws_secretsmanager_random_password.this.random_password : var.secret_value
+  secret_string_wo         = var.generate_secret ? ephemeral.aws_secretsmanager_random_password.this.random_password : var.secret_value
+  secret_string_wo_version = coalesce(var.secret_version, formatdate("YYYYMMDDhhmmss", timestamp()))
 }
 
-data "aws_secretsmanager_random_password" "this" {
+ephemeral "aws_secretsmanager_random_password" "this" {
   password_length            = 22
   exclude_numbers            = false
   exclude_characters         = "o![]\\"

modules/security_identity_compliance/secretsmanager-secret/variables.tf

@@ -16,8 +16,14 @@ variable "generate_secret" {
   description = "If set to true, a secure password will be generated and saved."
 }
 
-variable kms_key_id {
+variable "kms_key_id" {
-  type = string
+  type        = string
-  default = null
+  default     = null
   description = "Custom kms key id. If not specified, the default key aws/secretmanager key will be used."
+}
+
+variable "secret_version" {
+  type        = number
+  description = "Secret version number. Increment to modify secret, or leave this unset to have your secret updated everytime terraform applies"
+  default     = null
 }