feat: new iam-user module and secretsmanager-2025 module

modules/security_identity_compliance/secretsmanager-2025/main.tf

@@ -0,0 +1,69 @@
+/**
+* # secretsmanager-2025
+* This module creates an entry on secretsmanager. It uses ephemeral resources
+* such that the generated password is not stored in terraform state.
+*/
+
+resource "aws_secretsmanager_secret" "this" {
+  name = var.name
+
+  kms_key_id              = var.kms_key_id
+  description             = var.description
+  policy                  = var.policy
+  recovery_window_in_days = var.recovery_window_in_days
+  tags                    = var.tags
+}
+
+resource "aws_secretsmanager_secret_version" "this" {
+  secret_id                = aws_secretsmanager_secret.this.id
+  secret_string_wo_version = var.secret_version
+  secret_string_wo         = var.generate_secret ? ephemeral.aws_secretsmanager_random_password.this[0].random_password : var.secret
+}
+
+ephemeral "aws_secretsmanager_random_password" "this" {
+  count               = var.generate_secret ? 1 : 0
+  password_length     = 32
+  exclude_characters  = "\\&'\""
+  include_space       = false
+  exclude_punctuation = var.secret_use_special_char ? false : true
+}
+
+resource "aws_secretsmanager_secret_policy" "policy" {
+  secret_arn = aws_secretsmanager_secret.this.arn
+  policy     = var.policy != null ? var.policy : data.aws_iam_policy_document.policy-file.json
+}
+
+data "aws_iam_policy_document" "policy-file" {
+  statement {
+    sid    = "DenyCrossAccountAccess"
+    effect = "Deny"
+
+    principals {
+      identifiers = ["*"]
+      type        = "*"
+    }
+
+    condition {
+      test     = "StringNotEquals"
+      values   = [data.aws_caller_identity.this.account_id]
+      variable = "aws:PrincipalAccount"
+    }
+
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = ["*"]
+  }
+}
+
+
+resource "aws_secretsmanager_secret_rotation" "rotation" {
+  count               = var.enable-auto-rotation ? 1 : 0
+  secret_id           = aws_secretsmanager_secret.this.id
+  rotation_lambda_arn = var.rotation-lambda-arn
+  rotate_immediately  = var.rotate-immediately
+  rotation_rules {
+    automatically_after_days = var.auto-rotation-days
+    schedule_expression      = var.auto-rotation-schedule-expression
+  }
+}
+
+data "aws_caller_identity" "this" {}