feat: new iam-user module and secretsmanager-2025 module
This commit is contained in:
@@ -0,0 +1,63 @@
|
||||
<!-- This readme file is generated with terraform-docs -->
|
||||
# secretsmanager-2025
|
||||
This module creates an entry on secretsmanager. It uses ephemeral resources
|
||||
such that the generated password is not stored in terraform state.
|
||||
|
||||
## Requirements
|
||||
|
||||
| Name | Version |
|
||||
|------|---------|
|
||||
| terraform | >= 1.10 |
|
||||
|
||||
## Providers
|
||||
|
||||
| Name | Version |
|
||||
|------|---------|
|
||||
| aws | n/a |
|
||||
|
||||
## Modules
|
||||
|
||||
No modules.
|
||||
|
||||
## Resources
|
||||
|
||||
| Name | Type |
|
||||
|------|------|
|
||||
| [aws_secretsmanager_secret.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
|
||||
| [aws_secretsmanager_secret_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource |
|
||||
| [aws_secretsmanager_secret_rotation.rotation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation) | resource |
|
||||
| [aws_secretsmanager_secret_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
|
||||
| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
|
||||
| [aws_iam_policy_document.policy-file](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
|
||||
|
||||
## Inputs
|
||||
|
||||
| Name | Description | Type | Default | Required |
|
||||
|------|-------------|------|---------|:--------:|
|
||||
| auto-rotation-days | Days to rotate secret | `number` | `365` | no |
|
||||
| description | description of secret | `string` | `null` | no |
|
||||
| enable-auto-rotation | Enable automatic rotation | `bool` | `false` | no |
|
||||
| generate\_secret | If set to true, a secure password will be generated and saved. | `bool` | `false` | no |
|
||||
| kms\_key\_id | Custom kms key id. If not specified, the default key aws/secretmanager key will be used. | `string` | `null` | no |
|
||||
| name | name of secret | `string` | `null` | no |
|
||||
| policy | access policy to the secret | `string` | `null` | no |
|
||||
| recovery\_window\_in\_days | Number of days that AWS Secrets Manager waits before it can delete the secret | `number` | `30` | no |
|
||||
| rotation-lambda-arn | ARN of lambda function for auto secret rotation | `string` | `null` | no |
|
||||
| secret | the secret you want to store | `any` | `null` | no |
|
||||
| secret\_use\_special\_char | Set false to not use special characters | `bool` | `true` | no |
|
||||
| secret\_version | Secret version, default to 1. For subsequent update, set it to more than 1. | `number` | `1` | no |
|
||||
| tags | (Optional) A mapping of tags to assign to the AWS Secrets Manager. | `map(string)` | `{}` | no |
|
||||
|
||||
## Outputs
|
||||
|
||||
| Name | Description |
|
||||
|------|-------------|
|
||||
| arn | The id of the secret. |
|
||||
| id | Secret of Authenticate Token of elasticcache |
|
||||
| secret\_arn | The ARN of the secret. |
|
||||
| secret\_id | The id of the secret. |
|
||||
| secret\_string | The decrypted secret string of the secret. |
|
||||
|
||||
---
|
||||
## Authorship
|
||||
This module was developed by Rackspace.
|
||||
@@ -0,0 +1,6 @@
|
||||
module "secret" {
|
||||
source = "../"
|
||||
name = "TestSecret"
|
||||
description = "Terraform module example"
|
||||
generate_secret = true
|
||||
}
|
||||
@@ -0,0 +1,69 @@
|
||||
/**
|
||||
* # secretsmanager-2025
|
||||
* This module creates an entry on secretsmanager. It uses ephemeral resources
|
||||
* such that the generated password is not stored in terraform state.
|
||||
*/
|
||||
|
||||
resource "aws_secretsmanager_secret" "this" {
|
||||
name = var.name
|
||||
|
||||
kms_key_id = var.kms_key_id
|
||||
description = var.description
|
||||
policy = var.policy
|
||||
recovery_window_in_days = var.recovery_window_in_days
|
||||
tags = var.tags
|
||||
}
|
||||
|
||||
resource "aws_secretsmanager_secret_version" "this" {
|
||||
secret_id = aws_secretsmanager_secret.this.id
|
||||
secret_string_wo_version = var.secret_version
|
||||
secret_string_wo = var.generate_secret ? ephemeral.aws_secretsmanager_random_password.this[0].random_password : var.secret
|
||||
}
|
||||
|
||||
ephemeral "aws_secretsmanager_random_password" "this" {
|
||||
count = var.generate_secret ? 1 : 0
|
||||
password_length = 32
|
||||
exclude_characters = "\\&'\""
|
||||
include_space = false
|
||||
exclude_punctuation = var.secret_use_special_char ? false : true
|
||||
}
|
||||
|
||||
resource "aws_secretsmanager_secret_policy" "policy" {
|
||||
secret_arn = aws_secretsmanager_secret.this.arn
|
||||
policy = var.policy != null ? var.policy : data.aws_iam_policy_document.policy-file.json
|
||||
}
|
||||
|
||||
data "aws_iam_policy_document" "policy-file" {
|
||||
statement {
|
||||
sid = "DenyCrossAccountAccess"
|
||||
effect = "Deny"
|
||||
|
||||
principals {
|
||||
identifiers = ["*"]
|
||||
type = "*"
|
||||
}
|
||||
|
||||
condition {
|
||||
test = "StringNotEquals"
|
||||
values = [data.aws_caller_identity.this.account_id]
|
||||
variable = "aws:PrincipalAccount"
|
||||
}
|
||||
|
||||
actions = ["secretsmanager:GetSecretValue"]
|
||||
resources = ["*"]
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
resource "aws_secretsmanager_secret_rotation" "rotation" {
|
||||
count = var.enable-auto-rotation ? 1 : 0
|
||||
secret_id = aws_secretsmanager_secret.this.id
|
||||
rotation_lambda_arn = var.rotation-lambda-arn
|
||||
rotate_immediately = var.rotate-immediately
|
||||
rotation_rules {
|
||||
automatically_after_days = var.auto-rotation-days
|
||||
schedule_expression = var.auto-rotation-schedule-expression
|
||||
}
|
||||
}
|
||||
|
||||
data "aws_caller_identity" "this" {}
|
||||
@@ -0,0 +1,26 @@
|
||||
output "secret_id" {
|
||||
description = "The id of the secret."
|
||||
value = aws_secretsmanager_secret.this.id
|
||||
}
|
||||
|
||||
output "secret_arn" {
|
||||
description = "The ARN of the secret."
|
||||
value = aws_secretsmanager_secret.this.arn
|
||||
}
|
||||
|
||||
output "id" {
|
||||
description = "Secret of Authenticate Token of elasticcache"
|
||||
value = aws_secretsmanager_secret.this.id
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
output "arn" {
|
||||
description = "The id of the secret."
|
||||
value = aws_secretsmanager_secret.this.arn
|
||||
}
|
||||
|
||||
output "secret_string" {
|
||||
description = "The decrypted secret string of the secret."
|
||||
value = aws_secretsmanager_secret_version.this.secret_string
|
||||
sensitive = true
|
||||
}
|
||||
@@ -0,0 +1,89 @@
|
||||
variable "name" {
|
||||
description = "name of secret"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "description of secret"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "policy" {
|
||||
description = "access policy to the secret"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "secret" {
|
||||
description = "the secret you want to store"
|
||||
type = any
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "recovery_window_in_days" {
|
||||
description = "Number of days that AWS Secrets Manager waits before it can delete the secret"
|
||||
type = number
|
||||
default = 30
|
||||
}
|
||||
|
||||
variable "tags" {
|
||||
description = "(Optional) A mapping of tags to assign to the AWS Secrets Manager."
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "generate_secret" {
|
||||
type = bool
|
||||
default = false
|
||||
description = "If set to true, a secure password will be generated and saved."
|
||||
}
|
||||
|
||||
variable "kms_key_id" {
|
||||
type = string
|
||||
default = null
|
||||
description = "Custom kms key id. If not specified, the default key aws/secretmanager key will be used."
|
||||
}
|
||||
|
||||
variable "secret_use_special_char" {
|
||||
type = bool
|
||||
default = true
|
||||
description = "Set false to not use special characters"
|
||||
}
|
||||
|
||||
variable "secret_version" {
|
||||
type = number
|
||||
description = "Secret version, default to 1. For subsequent update, set it to more than 1."
|
||||
default = 1
|
||||
}
|
||||
|
||||
variable "auto-rotation-days" {
|
||||
type = number
|
||||
description = "Days to auto rotate secret"
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "auto-rotation-schedule-expression" {
|
||||
type = string
|
||||
description = "Schedule expression for auto secret rotation"
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "rotation-lambda-arn" {
|
||||
type = string
|
||||
description = "ARN of lambda secret rotation function"
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "enable-auto-rotation" {
|
||||
type = bool
|
||||
description = "Set true to enable auto rotation"
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "rotate-immediately" {
|
||||
type = bool
|
||||
default = false
|
||||
description = "Rotate secret immediately"
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
# ephemeral resources are supported since terraform 1.10
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
}
|
||||
Reference in New Issue
Block a user