feat: updated secertsmanager-secret to use emphemeral resource

2026-02-19 22:16:09 +08:00
parent d87e5dcc1f
commit 133c3cca12
4 changed files with 84 additions and 28 deletions
@@ -1,29 +1,59 @@
-# secretsmanager-secret module
-This module creates an entry in secretsmanager, attaching a default access policy if one is
-not provided from root module. A random suffix is assigned to every secret, as AWS may delay
-creation of secrets with the same name, after the old one has been destroyed that is.
+<!-- This readme file is generated with terraform-docs -->
+# secretsmanager-secret

-The default policy attached to secretsmanager prevents cross-account access.
+Create secretsmanager secret. Specify secret\_version if you do not want
+terraform to recreate the secret everytime terraform applies. Otherwise,
+becuase this module uses emphemeral resource, the secret will be regenerated
+and replaced every time.

-To have this module generate a random password, set ```generate_secret``` to true.
+## Requirements

-To tag resources, please use provider default_tags.
+| Name | Version |
+|------|---------|
+| terraform | >= 1.3.0 |
+| aws | >= 5.0 |

-## Example
-```hcl
-module "secret1" {
-  source = "../../modules/security_identity_compliance/secretsmanager-secret"
+## Providers

-  secret_name        = "test-secret-name-1"
-  secret_description = "test-secret-desc-1"
-  secret_value       = "test-secret-value"
-}
+| Name | Version |
+|------|---------|
+| aws | >= 5.0 |
+| random | n/a |

-module "secret2" {
-  source = "../../modules/security_identity_compliance/secretsmanager-secret"
+## Modules

-  secret_name        = "test-secret-name-2"
-  secret_description = "test-secret-desc-3"
-  generate_secret    = true
-}
-```
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_secretsmanager_secret.secret1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
+| [aws_secretsmanager_secret_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource |
+| [aws_secretsmanager_secret_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
+| [random_id.rid](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.policy-file](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| generate\_secret | If set to true, a secure password will be generated and saved. | `bool` | `false` | no |
+| kms\_key\_id | Custom kms key id. If not specified, the default key aws/secretmanager key will be used. | `string` | `null` | no |
+| secret\_description | n/a | `any` | n/a | yes |
+| secret\_name | n/a | `any` | n/a | yes |
+| secret\_policy | By default, cross-account access is denied | `string` | `null` | no |
+| secret\_value | n/a | `string` | `null` | no |
+| secret\_version | Secret version number. Increment to modify secret, or leave this unset to have your secret updated everytime terraform applies | `number` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| secret\_arn | n/a |
+| secret\_id | n/a |
+ 
+---
+## Authorship
+This module was developed by UPDATE_THIS.
@@ -13,3 +13,12 @@ module "secret2" {
  secret_description = "test-secret-desc-3"
  generate_secret    = true
 }
+
+module "secret3" {
+  source = "../"
+
+  secret_name        = "test-secret-name-2"
+  secret_description = "test-secret-desc-3"
+  generate_secret    = true
+  secret_version     = 1 # increment to update secret value
+}
@@ -1,3 +1,13 @@
+/**
+* # secretsmanager-secret
+*
+* Create secretsmanager secret. Specify secret_version if you do not want
+* terraform to recreate the secret everytime terraform applies. Otherwise,
+* becuase this module uses emphemeral resource, the secret will be regenerated
+* and replaced every time.
+*/
+
+
 data "aws_caller_identity" "this" {}

 resource "random_id" "rid" {
@@ -11,11 +21,12 @@ resource "aws_secretsmanager_secret" "secret1" {
 }

 resource "aws_secretsmanager_secret_version" "this" {
-  secret_id     = aws_secretsmanager_secret.secret1.id
-  secret_string = var.generate_secret ? data.aws_secretsmanager_random_password.this.random_password : var.secret_value
+  secret_id                = aws_secretsmanager_secret.secret1.id
+  secret_string_wo         = var.generate_secret ? ephemeral.aws_secretsmanager_random_password.this.random_password : var.secret_value
+  secret_string_wo_version = coalesce(var.secret_version, formatdate("YYYYMMDDhhmmss", timestamp()))
 }

-data "aws_secretsmanager_random_password" "this" {
+ephemeral "aws_secretsmanager_random_password" "this" {
  password_length            = 22
  exclude_numbers            = false
  exclude_characters         = "o![]\\"
@@ -16,8 +16,14 @@ variable "generate_secret" {
  description = "If set to true, a secure password will be generated and saved."
 }

-variable kms_key_id {
-  type = string
-  default = null
+variable "kms_key_id" {
+  type        = string
+  default     = null
  description = "Custom kms key id. If not specified, the default key aws/secretmanager key will be used."
 }
+
+variable "secret_version" {
+  type        = number
+  description = "Secret version number. Increment to modify secret, or leave this unset to have your secret updated everytime terraform applies"
+  default     = null
+}