diff --git a/modules/security_identity_compliance/iam-user/README.md b/modules/security_identity_compliance/iam-user/README.md index 5413b10..9875e84 100644 --- a/modules/security_identity_compliance/iam-user/README.md +++ b/modules/security_identity_compliance/iam-user/README.md @@ -1,4 +1,47 @@ +## Example + +```hcl +module "example" { + source = "../" + user_name = "example-user" + create_group_name = "example-group" + create_access_key = false + enable_console_access = true + custom_iam_policy_json = data.aws_iam_policy_document.ec2-restart.json + secretsmanager_kms_arn = "arn:aws:kms:ap-east-1:000011112222:key/0000" +} + +data "aws_iam_policy_document" "ec2-restart" { + statement { + sid = "StartStopEc2Instances" + + actions = [ + "ec2:StartInstances", + "ec2:StopInstances", + "ec2:Describe*" + ] + + resources = [ + "arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00001", + "arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00002" + ] + + effect = "Allow" + } +} +``` + +# iam-user module +Creates iam user. If new group will be created for this user, use custom\_iam\_policy\_json to +attach iam policy to the group. You can also use attach\_iam\_policies to attach AWS-managed policies. + +## Security requirements +IAM policies must be attached to iam group, not directly to iam user. +This module requires a new group be created, or an existing group for the user to be added to. + +User credentials are saved in secretsmanager, which must be encrypted with CMK + ## Requirements No requirements. 
@@ -6,51 +49,47 @@ No requirements. ## Providers | Name | Version | -|------|---------| +| ---- | ------- | | aws | n/a | -| random | n/a | ## Modules -No modules. +| Name | Source | Version | +| ---- | ------ | ------- | +| UserCredentials | ../secretsmanager-2025 | n/a | ## Resources | Name | Type | -|------|------| -| [aws_iam_access_key.iam-user-access-key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource | -| [aws_iam_group_membership.group-membership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource | -| [aws_iam_user.iam-user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource | -| [aws_iam_user_login_profile.iam-user-profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource | -| [aws_iam_user_policy.iam-user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource | -| [aws_iam_user_policy.iam-user-selfservice-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource | -| [aws_iam_user_policy_attachment.iam-user-managed-policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource | -| [aws_secretsmanager_secret.secretmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | -| [aws_secretsmanager_secret_version.iam-user-secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | -| [random_id.secrets-random-id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource | -| [random_password.iam-user-pass](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | 
-| [aws_iam_policy_document.user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| ---- | ---- | +| [aws_iam_access_key.AccessKey](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource | +| [aws_iam_group.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource | +| [aws_iam_group_membership.membership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource | +| [aws_iam_group_policy_attachment.ManagedPolicies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource | +| [aws_iam_group_policy_attachment.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource | +| [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_user.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource | +| [aws_iam_user_login_profile.profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource | +| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs | Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| add-to-groups | n/a | `list(string)` | `[]` | no | -| create-access-key | n/a | `bool` | n/a | yes | -| create-password | n/a | `bool` | n/a | yes | -| iam-user-name | n/a | `any` | n/a | yes | -| iam-user-policy | n/a | `string` | `""` | no | -| 
iam-user-policy-name | n/a | `string` | `""` | no | -| managed-policy-arns | n/a | `any` | n/a | yes | +| ---- | ----------- | ---- | ------- | :------: | +| attach\_iam\_policies | Aws-Managed iam policies to be attached | `list(string)` | `[]` | no | +| create\_access\_key | Create access key for user | `bool` | n/a | yes | +| create\_group\_name | Name of new group to be created and add user to | `string` | `null` | no | +| custom\_iam\_policy\_json | Json encoded aws\_iam\_policy\_document, only applicable when create\_group\_name is used. | `string` | n/a | yes | +| enable\_console\_access | Enable console access | `bool` | n/a | yes | +| existing\_group\_name | Name of existing group to add user to | `string` | `null` | no | +| secretsmanager\_kms\_arn | KMS key arn of secretsmanager | `string` | n/a | yes | +| user\_name | Name of IAM user | `string` | n/a | yes | ## Outputs -| Name | Description | -|------|-------------| -| iam-user-access-key | n/a | -| iam-user-arn | n/a | -| iam-user-name | n/a | +No outputs. --- ## Authorship -This module was developed by xpk. \ No newline at end of file +This module was developed by Rackspace. \ No newline at end of file diff --git a/modules/security_identity_compliance/iam-user/example/main.tf b/modules/security_identity_compliance/iam-user/example/main.tf new file mode 100644 index 0000000..9e70ec8 --- /dev/null +++ b/modules/security_identity_compliance/iam-user/example/main.tf 
@@ -0,0 +1,28 @@
+module "example" {
+ source = "../"
+ user_name = "example-user"
+ create_group_name = "example-group"
+ create_access_key = false
+ enable_console_access = true
+ custom_iam_policy_json = data.aws_iam_policy_document.ec2-restart.json
+ secretsmanager_kms_arn = "arn:aws:kms:ap-east-1:000011112222:key/0000"
+}
+
+data "aws_iam_policy_document" "ec2-restart" {
+ statement {
+ sid = "StartStopEc2Instances"
+
+ actions = [
+ "ec2:StartInstances",
+ "ec2:StopInstances",
+ "ec2:Describe*"
+ ]
+
+ resources = [
+ "arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00001",
+ "arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00002"
+ ]
+
+ effect = "Allow"
+ }
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-user/main.tf b/modules/security_identity_compliance/iam-user/main.tf
index 2f91eec..aa6dd5e 100644
--- a/modules/security_identity_compliance/iam-user/main.tf
+++ b/modules/security_identity_compliance/iam-user/main.tf
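Review bot: The example references `data.aws_caller_identity.this.account_id` in both instance ARNs, but no `data "aws_caller_identity" "this"` is declared in this root; the only such declaration in the commit sits in the module's own variables.tf, which is a separate configuration the example cannot see, so `terraform plan` here fails with an undeclared-resource error. Separately, `ec2:Describe*` actions do not support resource-level permissions, so putting them in a statement scoped to two instance ARNs grants nothing for those calls and the resulting user cannot even list the instances it is allowed to start and stop; Describe belongs in its own statement on `resources = ["*"]`. The rewritten data source below declares the caller identity locally and splits the statement.

```hcl
# … unchanged: module "example" block …

data "aws_caller_identity" "this" {}

data "aws_iam_policy_document" "ec2-restart" {
  statement {
    sid     = "StartStopEc2Instances"
    actions = ["ec2:StartInstances", "ec2:StopInstances"]
    resources = [
      "arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00001",
      "arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00002"
    ]
    effect = "Allow"
  }

  # ec2:Describe* does not support resource-level permissions, so it must be granted on "*"
  statement {
    sid       = "DescribeEc2Instances"
    actions   = ["ec2:Describe*"]
    resources = ["*"]
    effect    = "Allow"
  }
}
```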
@@ -1,27 +1,90 @@ -resource "aws_iam_user" "iam-user" { - name = var.iam-user-name +/** +* # iam-user module +* Creates iam user. If new group will be created for this user, use custom_iam_policy_json to +* attach iam policy to the group. You can also use attach_iam_policies to attach AWS-managed policies. +* +* ## Security requirements +* IAM policies must be attached to iam group, not directly to iam user. +* This module requires a new group be created, or an existing group for the user to be added to. +* +* User credentials are saved in secretsmanager, which must be encrypted with CMK +*/ + +resource "aws_iam_group" "group" { + count = var.create_group_name != null ? 1 : 0 + name = var.create_group_name +} + +resource "aws_iam_user" "user" { + name = var.user_name force_destroy = true } -resource "aws_iam_access_key" "iam-user-access-key" { - count = var.create-access-key ? 1 : 0 - user = aws_iam_user.iam-user.name +resource "aws_iam_group_membership" "membership" { + group = coalesce(var.create_group_name, var.existing_group_name) + users = [aws_iam_user.user.name] + name = "${var.user_name} membership" + + lifecycle { + precondition { + condition = var.create_group_name != null || var.existing_group_name != null + error_message = "You must provide either 'create_group_name' or 'existing_group_name'." + } + + precondition { + condition = !(var.create_group_name != null && var.existing_group_name != null) + error_message = "You cannot provide both 'create_group_name' and 'existing_group_name' at the same time." + } + } } -resource "aws_iam_user_policy" "iam-user-policy" { - count = var.iam-user-policy != "" ? 1 : 0 - name = var.iam-user-policy-name - user = aws_iam_user.iam-user.name - policy = var.iam-user-policy +resource "aws_iam_user_login_profile" "profile" { + count = var.enable_console_access ? 
1 : 0 + user = var.user_name } -resource "aws_iam_user_policy" "iam-user-selfservice-policy" { - name = "SelfServicePermissions" - user = aws_iam_user.iam-user.name - policy = data.aws_iam_policy_document.user-policy.json +resource "aws_iam_policy" "policy" { + name_prefix = var.user_name + description = "Policy for ${var.user_name}" + policy = data.aws_iam_policy_document.policy.json } -data "aws_iam_policy_document" "user-policy" { +resource "aws_iam_group_policy_attachment" "policy" { + depends_on = [aws_iam_group.group] # attach policy only to new group + group = var.create_group_name + policy_arn = aws_iam_policy.policy.arn +} + +resource "aws_iam_group_policy_attachment" "ManagedPolicies" { + for_each = toset(var.attach_iam_policies) + group = coalesce(var.create_group_name, var.existing_group_name) + policy_arn = each.value +} + +resource "aws_iam_access_key" "AccessKey" { + count = var.create_access_key ? 1 : 0 + user = aws_iam_user.user.name +} + +module "UserCredentials" { + source = "../secretsmanager-2025" + + name = "${var.user_name}-IamUser-Credentials" + description = "Credentials for iam user ${var.user_name}" + generate_secret = false + secret = jsonencode( + { + "ConsolePassword" : var.enable_console_access ? aws_iam_user_login_profile.profile[0].password : "NotSet" + "AccessKeyId" : var.create_access_key ? aws_iam_access_key.AccessKey[0].id : "NotSet" + "SecretKey" : var.create_access_key ? aws_iam_access_key.AccessKey[0].secret : "NotSet" + } + ) + kms_key_id = var.secretsmanager_kms_arn +} + +data "aws_iam_policy_document" "policy" { + source_policy_documents = [var.custom_iam_policy_json] + statement { sid = "ManageOwnCredentials" 
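Review bot: `aws_iam_group_policy_attachment.policy` has no `count`, so when a caller supplies `existing_group_name` instead of `create_group_name` its `group` argument is null and the plan fails with a missing-required-argument error, even though the inline comment and the README both say the custom policy applies only to a newly created group; guard both `aws_iam_policy.policy` and this attachment with `count = var.create_group_name != null ? 1 : 0` and reference `policy_arn = aws_iam_policy.policy[0].arn`. `aws_iam_user_login_profile.profile` sets `user = var.user_name` rather than `aws_iam_user.user.name`, which drops the implicit dependency on the user resource and can race its creation. Note also that `aws_iam_user_login_profile.profile[0].password` (no `pgp_key`) and `aws_iam_access_key.AccessKey[0].secret` are still written in plaintext to Terraform state; the write-only `secret_string_wo` in the `UserCredentials` module only keeps them out of the Secrets Manager resource's state, so the state backend must be treated as holding live credentials. Finally, `module.UserCredentials` never passes `secret_version`, so if the access key or login profile is re-created the new credentials will not be written to Secrets Manager until that counter is bumped.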
@@ -42,58 +105,4 @@ data "aws_iam_policy_document" "user-policy" { effect = "Allow" resources = ["arn:aws:iam::*:user/$${aws:username}"] } - - statement { - sid = "GetBasicUserInfo" - actions = [ - "iam:GetAccountPasswordPolicy", - "iam:GetAccessKeyLastUsed", - "iam:GetUserPolicy" - ] - effect = "Allow" - resources = ["*"] - } -} - -resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" { - count = length(var.add-to-groups) > 0 ? 0 : length(var.managed-policy-arns) - user = aws_iam_user.iam-user.name - policy_arn = var.managed-policy-arns[count.index] -} - -resource "aws_iam_user_login_profile" "iam-user-profile" { - count = var.create-password ? 1 : 0 - user = aws_iam_user.iam-user.name - password_length = 20 - pgp_key = null -} - -resource "random_id" "secrets-random-id" { - byte_length = 2 -} - -resource "aws_secretsmanager_secret" "secretmanager" { - count = var.create-access-key || var.create-password ? 1 : 0 - name = "IamUserCredential-${random_id.secrets-random-id.dec}-${var.iam-user-name}" - description = "AWS resource credential" -} - -resource "aws_secretsmanager_secret_version" "iam-user-secret" { - count = var.create-access-key || var.create-password ? 1 : 0 - secret_id = aws_secretsmanager_secret.secretmanager[0].id - secret_string = jsonencode( - { - "ConsolePassword" : length(aws_iam_user_login_profile.iam-user-profile[0].password) > 0 ? aws_iam_user_login_profile.iam-user-profile[0].password : "NotSet", - "AccessKeyId" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].id : "NotSet", - "KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet" - } - ) -} - -resource "aws_iam_group_membership" "group-membership" { - for_each = toset(var.add-to-groups) - name = "MembershipToExistingGroups" - group = each.value - users = [aws_iam_user.iam-user.name] -} - +} \ No newline at end of file 
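Review bot: Dropping the `GetBasicUserInfo` statement also removes `iam:GetAccountPasswordPolicy`, which AWS's documented self-service pattern grants on `*` because the console's change-password page reads the account password policy; with `enable_console_access = true` users may find they cannot change their own password, so if that flow is intended keep `iam:GetAccountPasswordPolicy` (and the read-only `iam:GetAccessKeyLastUsed`) in a separate `resources = ["*"]` statement. The `ManageOwnCredentials` statement this hunk closes begins outside the hunk. Because the self-service statement now lives in `aws_iam_policy.policy`, which is attached only to a newly created group, users added via `existing_group_name` receive no self-service permissions at all — a behaviour change from the removed per-user `aws_iam_user_policy.iam-user-selfservice-policy` that the module documentation should state explicitly.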
diff --git a/modules/security_identity_compliance/iam-user/outputs.tf b/modules/security_identity_compliance/iam-user/outputs.tf
deleted file mode 100644
index 7ba13f8..0000000
--- a/modules/security_identity_compliance/iam-user/outputs.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-output "iam-user-name" {
- value = aws_iam_user.iam-user.name
-}
-
-output "iam-user-arn" {
- value = aws_iam_user.iam-user.arn
-}
-
-output "iam-user-access-key" {
- value = try(aws_iam_access_key.iam-user-access-key[0].id, "none")
-}
-
-output "iam-user-secret-arn" {
- value = try(aws_secretsmanager_secret_version.iam-user-secret[0].arn, "none")
-}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/iam-user/variables.tf b/modules/security_identity_compliance/iam-user/variables.tf
index e4a04db..134146f 100644
--- a/modules/security_identity_compliance/iam-user/variables.tf
+++ b/modules/security_identity_compliance/iam-user/variables.tf
@@ -1,20 +1,44 @@ -variable "iam-user-name" {} -variable "iam-user-policy" { - type = string - default = "" +variable "create_group_name" { + type = string + description = "Name of new group to be created and add user to" + default = null } -variable "iam-user-policy-name" { - type = string - default = "" + +variable "user_name" { + type = string + description = "Name of IAM user" } -variable "create-access-key" { - type = bool + +variable "existing_group_name" { + type = string + description = "Name of existing group to add user to" + default = null } -variable "create-password" { - type = bool + +variable "enable_console_access" { + type = bool + description = "Enable console access" } -variable "managed-policy-arns" {} -variable "add-to-groups" { - type = list(string) - default = [] -} \ No newline at end of file + +variable "custom_iam_policy_json" { + type = string + description = "Json encoded aws_iam_policy_document, only applicable when create_group_name is used." +} + +variable "attach_iam_policies" { + type = list(string) + description = "Aws-Managed iam policies to be attached" + default = [] +} + +variable "create_access_key" { + type = bool + description = "Create access key for user" +} + +variable "secretsmanager_kms_arn" { + type = string + description = "KMS key arn of secretsmanager" +} + +data "aws_caller_identity" "this" {} diff --git a/modules/security_identity_compliance/iam-user/versions.tf b/modules/security_identity_compliance/iam-user/versions.tf deleted file mode 100644 index de677fa..0000000 --- a/modules/security_identity_compliance/iam-user/versions.tf +++ /dev/null @@ -1,9 +0,0 @@ -terraform { - required_version = ">= 1.3.9" - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 5.0" - } - } -} \ No newline at end of file diff --git a/modules/security_identity_compliance/secretsmanager-2025/README.md b/modules/security_identity_compliance/secretsmanager-2025/README.md new file mode 100644 index 0000000..ebd2590 
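Review bot: `custom_iam_policy_json` has no default and is therefore required, yet its own description says it is "only applicable when create_group_name is used"; a caller who only wants to add the user to an `existing_group_name` must still invent a policy document to satisfy the variable. Give it `default = null` and make the policy resources in main.tf conditional on it, or add a `validation` that it is non-null exactly when `create_group_name` is set. `data "aws_caller_identity" "this" {}` is declared here but nothing in the module's main.tf in this diff references it — it appears to exist only for `example/main.tf`, which is a separate root and cannot see it — so it should move to the example or be removed; a data source also does not belong in variables.tf by convention.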
--- /dev/null
+++ b/modules/security_identity_compliance/secretsmanager-2025/README.md
@@ -0,0 +1,63 @@ + +# secretsmanager-2025 +This module creates an entry on secretsmanager. It uses ephemeral resources +such that the generated password is not stored in terraform state. + +## Requirements + +| Name | Version | +|------|---------| +| terraform | >= 1.10 | + +## Providers + +| Name | Version | +|------|---------| +| aws | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_secretsmanager_secret.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource | +| [aws_secretsmanager_secret_rotation.rotation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation) | resource | +| [aws_secretsmanager_secret_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.policy-file](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| auto-rotation-days | Days to rotate secret | `number` | `365` | no | +| description | description of secret | `string` | `null` | no | +| enable-auto-rotation | Enable automatic rotation | `bool` | `false` | no | +| generate\_secret | If set to true, a secure password will be generated and saved. | `bool` | `false` | no | +| kms\_key\_id | Custom kms key id. If not specified, the default key aws/secretmanager key will be used. 
| `string` | `null` | no | +| name | name of secret | `string` | `null` | no | +| policy | access policy to the secret | `string` | `null` | no | +| recovery\_window\_in\_days | Number of days that AWS Secrets Manager waits before it can delete the secret | `number` | `30` | no | +| rotation-lambda-arn | ARN of lambda function for auto secret rotation | `string` | `null` | no | +| secret | the secret you want to store | `any` | `null` | no | +| secret\_use\_special\_char | Set false to not use special characters | `bool` | `true` | no | +| secret\_version | Secret version, default to 1. For subsequent update, set it to more than 1. | `number` | `1` | no | +| tags | (Optional) A mapping of tags to assign to the AWS Secrets Manager. | `map(string)` | `{}` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| arn | The id of the secret. | +| id | Secret of Authenticate Token of elasticcache | +| secret\_arn | The ARN of the secret. | +| secret\_id | The id of the secret. | +| secret\_string | The decrypted secret string of the secret. | + +--- +## Authorship +This module was developed by Rackspace. \ No newline at end of file diff --git a/modules/security_identity_compliance/secretsmanager-2025/example/main.tf b/modules/security_identity_compliance/secretsmanager-2025/example/main.tf new file mode 100644 index 0000000..dd32aa2 --- /dev/null +++ b/modules/security_identity_compliance/secretsmanager-2025/example/main.tf @@ -0,0 +1,6 @@ +module "secret" { + source = "../" + name = "TestSecret" + description = "Terraform module example" + generate_secret = true +} \ No newline at end of file diff --git a/modules/security_identity_compliance/secretsmanager-2025/main.tf b/modules/security_identity_compliance/secretsmanager-2025/main.tf new file mode 100644 index 0000000..73ba9c5 --- /dev/null +++ b/modules/security_identity_compliance/secretsmanager-2025/main.tf 
@@ -0,0 +1,69 @@
+/**
+* # secretsmanager-2025
+* This module creates an entry on secretsmanager. It uses ephemeral resources
+* such that the generated password is not stored in terraform state.
+*/
+
+resource "aws_secretsmanager_secret" "this" {
+ name = var.name
+
+ kms_key_id = var.kms_key_id
+ description = var.description
+ policy = var.policy
+ recovery_window_in_days = var.recovery_window_in_days
+ tags = var.tags
+}
+
+resource "aws_secretsmanager_secret_version" "this" {
+ secret_id = aws_secretsmanager_secret.this.id
+ secret_string_wo_version = var.secret_version
+ secret_string_wo = var.generate_secret ? ephemeral.aws_secretsmanager_random_password.this[0].random_password : var.secret
+}
+
+ephemeral "aws_secretsmanager_random_password" "this" {
+ count = var.generate_secret ? 1 : 0
+ password_length = 32
+ exclude_characters = "\\&'\""
+ include_space = false
+ exclude_punctuation = var.secret_use_special_char ? false : true
+}
+
+resource "aws_secretsmanager_secret_policy" "policy" {
+ secret_arn = aws_secretsmanager_secret.this.arn
+ policy = var.policy != null ? var.policy : data.aws_iam_policy_document.policy-file.json
+}
+
+data "aws_iam_policy_document" "policy-file" {
+ statement {
+ sid = "DenyCrossAccountAccess"
+ effect = "Deny"
+
+ principals {
+ identifiers = ["*"]
+ type = "*"
+ }
+
+ condition {
+ test = "StringNotEquals"
+ values = [data.aws_caller_identity.this.account_id]
+ variable = "aws:PrincipalAccount"
+ }
+
+ actions = ["secretsmanager:GetSecretValue"]
+ resources = ["*"]
+ }
+}
+
+
+resource "aws_secretsmanager_secret_rotation" "rotation" {
+ count = var.enable-auto-rotation ? 1 : 0
+ secret_id = aws_secretsmanager_secret.this.id
+ rotation_lambda_arn = var.rotation-lambda-arn
+ rotate_immediately = var.rotate-immediately
+ rotation_rules {
+ automatically_after_days = var.auto-rotation-days
+ schedule_expression = var.auto-rotation-schedule-expression
+ }
+}
+
+data "aws_caller_identity" "this" {}
\ No newline at end of file
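Review bot: The secret's resource policy is managed twice — `aws_secretsmanager_secret.this` sets `policy = var.policy` and `aws_secretsmanager_secret_policy.policy` manages the same attribute on the same secret — which is liable to produce a perpetual diff whenever `var.policy` is set; drop the `policy` argument from the secret resource and let `aws_secretsmanager_secret_policy` be the single owner. `secret_string_wo_version = var.secret_version` means a changed `var.secret` is not pushed to Secrets Manager until the caller bumps `secret_version`, so callers that pass externally generated credentials (as the iam-user module does) will silently keep stale values; that contract needs a prominent comment here and on the variable. In the rotation block both `automatically_after_days` and `schedule_expression` default to null, but `rotation_rules` needs one of them, so `enable-auto-rotation = true` with defaults fails at apply — a `precondition` such as `var.auto-rotation-days != null || var.auto-rotation-schedule-expression != null` would surface that at plan time. Minor: `exclude_punctuation = var.secret_use_special_char ? false : true` is just `!var.secret_use_special_char`.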
diff --git a/modules/security_identity_compliance/secretsmanager-2025/outputs.tf b/modules/security_identity_compliance/secretsmanager-2025/outputs.tf
new file mode 100644
index 0000000..f814436
--- /dev/null
+++ b/modules/security_identity_compliance/secretsmanager-2025/outputs.tf
@@ -0,0 +1,26 @@
+output "secret_id" {
+ description = "The id of the secret."
+ value = aws_secretsmanager_secret.this.id
+}
+
+output "secret_arn" {
+ description = "The ARN of the secret."
+ value = aws_secretsmanager_secret.this.arn
+}
+
+output "id" {
+ description = "Secret of Authenticate Token of elasticcache"
+ value = aws_secretsmanager_secret.this.id
+ sensitive = true
+}
+
+output "arn" {
+ description = "The id of the secret."
+ value = aws_secretsmanager_secret.this.arn
+}
+
+output "secret_string" {
+ description = "The decrypted secret string of the secret."
+ value = aws_secretsmanager_secret_version.this.secret_string
+ sensitive = true
+}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/secretsmanager-2025/variables.tf b/modules/security_identity_compliance/secretsmanager-2025/variables.tf
new file mode 100644
index 0000000..56c9c2c
--- /dev/null
+++ b/modules/security_identity_compliance/secretsmanager-2025/variables.tf
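Review bot: `output "secret_string"` reads `aws_secretsmanager_secret_version.this.secret_string`, but the version resource in main.tf only sets the write-only `secret_string_wo`, which Terraform does not read back, so this output appears to always be null while its description promises "the decrypted secret string"; either remove it or change the description to say the value must be fetched from Secrets Manager at runtime. Exposing the plaintext as an output would in any case undo the point of the write-only argument, since module outputs are persisted in state. The `id` output's description `"Secret of Authenticate Token of elasticcache"` is a copy-paste leftover and `arn` is described as `"The id of the secret."`; `id`/`secret_id` and `arn`/`secret_arn` are duplicate pairs with only one member of each marked `sensitive`, which is inconsistent — keep one pair or align the descriptions and sensitivity.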
@@ -0,0 +1,89 @@
+variable "name" {
+ description = "name of secret"
+ type = string
+ default = null
+}
+
+variable "description" {
+ description = "description of secret"
+ type = string
+ default = null
+}
+
+variable "policy" {
+ description = "access policy to the secret"
+ type = string
+ default = null
+}
+
+variable "secret" {
+ description = "the secret you want to store"
+ type = any
+ default = null
+}
+
+variable "recovery_window_in_days" {
+ description = "Number of days that AWS Secrets Manager waits before it can delete the secret"
+ type = number
+ default = 30
+}
+
+variable "tags" {
+ description = "(Optional) A mapping of tags to assign to the AWS Secrets Manager."
+ type = map(string)
+ default = {}
+}
+
+variable "generate_secret" {
+ type = bool
+ default = false
+ description = "If set to true, a secure password will be generated and saved."
+}
+
+variable "kms_key_id" {
+ type = string
+ default = null
+ description = "Custom kms key id. If not specified, the default key aws/secretmanager key will be used."
+}
+
+variable "secret_use_special_char" {
+ type = bool
+ default = true
+ description = "Set false to not use special characters"
+}
+
+variable "secret_version" {
+ type = number
+ description = "Secret version, default to 1. For subsequent update, set it to more than 1."
+ default = 1
+}
+
+variable "auto-rotation-days" {
+ type = number
+ description = "Days to auto rotate secret"
+ default = null
+}
+
+variable "auto-rotation-schedule-expression" {
+ type = string
+ description = "Schedule expression for auto secret rotation"
+ default = null
+}
+
+variable "rotation-lambda-arn" {
+ type = string
+ description = "ARN of lambda secret rotation function"
+ default = null
+}
+
+variable "enable-auto-rotation" {
+ type = bool
+ description = "Set true to enable auto rotation"
+ default = false
+}
+
+variable "rotate-immediately" {
+ type = bool
+ default = false
+ description = "Rotate secret immediately"
+}
\ No newline at end of file
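Review bot: `variable "secret"` is typed `any` but main.tf passes it straight into `secret_string_wo`, which takes a string, so a caller passing a map or list gets a provider type error at plan instead of a clear message; declare it `type = string` (callers already `jsonencode`) and mark it `sensitive = true` so it is redacted from plan and module-call output. `auto-rotation-days` defaults to `null` here while the README table in this same commit lists its default as `365`, and `rotate-immediately` / `auto-rotation-schedule-expression` are missing from that table, so the generated docs are stale. The `secret_version` description should state the consequence of not bumping it — a changed `secret` is not written to Secrets Manager until this number increases — since that is the one contract callers most easily miss.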
diff --git a/modules/security_identity_compliance/secretsmanager-2025/version.tf b/modules/security_identity_compliance/secretsmanager-2025/version.tf
new file mode 100644
index 0000000..b271e70
--- /dev/null
+++ b/modules/security_identity_compliance/secretsmanager-2025/version.tf
@@ -0,0 +1,4 @@
+# ephemeral resources are supported since terraform 1.10
+terraform {
+ required_version = ">= 1.10"
+}
\ No newline at end of file
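Review bot: This pins `required_version = ">= 1.10"` for ephemeral resources but declares no `required_providers`, so nothing constrains the AWS provider to a release that supports `ephemeral "aws_secretsmanager_random_password"` and the write-only `secret_string_wo`/`secret_string_wo_version` arguments used in main.tf; an older 5.x provider fails at init or plan with an unsupported block/argument error. Add `required_providers { aws = { source = "hashicorp/aws", version = ">= 5.x" } }` with the minimum release that introduced those features (a recent 5.x — confirm against the provider changelog). This matters more because the same commit deletes the iam-user module's versions.tf, leaving neither module with a provider constraint.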