feat: new iam-user module and secretsmanager-2025 module

EksIp6Nginxpod/main.tf

@@ -186,6 +186,17 @@ module "eks" {
     eks-pod-identity-agent = {
       preserve       = false
       before_compute = true
+      # If your nodes does not allow ipv6, use the following to force the agent to bind to ipv4 only
+      # https://docs.aws.amazon.com/eks/latest/userguide/pod-id-agent-config-ipv6.html
+      # configuration_values = jsonencode(
+      #   {
+      #     "agent": {
+      #       "additionalArgs": {
+      #         "-b": "169.254.170.23"
+      #       }
+      #     }
+      #   }
+      # )
     }
     kube-proxy = {}
     aws-ebs-csi-driver = {

modules/security_identity_compliance/iam-user/README.md

@@ -1,4 +1,47 @@
 <!-- This readme file is generated with terraform-docs -->
+## Example
+
+```hcl
+module "example" {
+  source                   = "../"
+  user_name                = "example-user"
+  create_group_name        = "example-group"
+  create_access_key        = false
+  enable_console_access    = true
+  custom_iam_policy_json = data.aws_iam_policy_document.ec2-restart.json
+  secretsmanager_kms_arn   = "arn:aws:kms:ap-east-1:000011112222:key/0000"
+}
+
+data "aws_iam_policy_document" "ec2-restart" {
+  statement {
+    sid = "StartStopEc2Instances"
+
+    actions = [
+      "ec2:StartInstances",
+      "ec2:StopInstances",
+      "ec2:Describe*"
+    ]
+
+    resources = [
+      "arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00001",
+      "arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00002"
+    ]
+
+    effect = "Allow"
+  }
+}
+```
+
+# iam-user module
+Creates iam user. If new group will be created for this user, use custom\_iam\_policy\_json to
+attach iam policy to the group. You can also use attach\_iam\_policies to attach AWS-managed policies.
+
+## Security requirements
+IAM policies must be attached to iam group, not directly to iam user.
+This module requires a new group be created, or an existing group for the user to be added to.
+
+User credentials are saved in secretsmanager, which must be encrypted with CMK
+
 ## Requirements
 
 No requirements.
@@ -6,51 +49,47 @@ No requirements.
 ## Providers
 
 | Name | Version |
-|------|---------|
+| ---- | ------- |
 | aws | n/a |
-| random | n/a |
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+| ---- | ------ | ------- |
+| UserCredentials | ../secretsmanager-2025 | n/a |
 
 ## Resources
 
 | Name | Type |
-|------|------|
+| ---- | ---- |
-| [aws_iam_access_key.iam-user-access-key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
+| [aws_iam_access_key.AccessKey](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
-| [aws_iam_group_membership.group-membership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
+| [aws_iam_group.group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group) | resource |
-| [aws_iam_user.iam-user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
+| [aws_iam_group_membership.membership](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership) | resource |
-| [aws_iam_user_login_profile.iam-user-profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource |
+| [aws_iam_group_policy_attachment.ManagedPolicies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
-| [aws_iam_user_policy.iam-user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
+| [aws_iam_group_policy_attachment.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_policy_attachment) | resource |
-| [aws_iam_user_policy.iam-user-selfservice-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
+| [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
-| [aws_iam_user_policy_attachment.iam-user-managed-policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
+| [aws_iam_user.user](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
-| [aws_secretsmanager_secret.secretmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
+| [aws_iam_user_login_profile.profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_login_profile) | resource |
-| [aws_secretsmanager_secret_version.iam-user-secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [random_id.secrets-random-id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [aws_iam_policy_document.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
-| [random_password.iam-user-pass](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
-| [aws_iam_policy_document.user-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
+| ---- | ----------- | ---- | ------- | :------: |
-| add-to-groups | n/a | `list(string)` | `[]` | no |
+| attach\_iam\_policies | Aws-Managed iam policies to be attached | `list(string)` | `[]` | no |
-| create-access-key | n/a | `bool` | n/a | yes |
+| create\_access\_key | Create access key for user | `bool` | n/a | yes |
-| create-password | n/a | `bool` | n/a | yes |
+| create\_group\_name | Name of new group to be created and add user to | `string` | `null` | no |
-| iam-user-name | n/a | `any` | n/a | yes |
+| custom\_iam\_policy\_json | Json encoded aws\_iam\_policy\_document, only applicable when create\_group\_name is used. | `string` | n/a | yes |
-| iam-user-policy | n/a | `string` | `""` | no |
+| enable\_console\_access | Enable console access | `bool` | n/a | yes |
-| iam-user-policy-name | n/a | `string` | `""` | no |
+| existing\_group\_name | Name of existing group to add user to | `string` | `null` | no |
-| managed-policy-arns | n/a | `any` | n/a | yes |
+| secretsmanager\_kms\_arn | KMS key arn of secretsmanager | `string` | n/a | yes |
+| user\_name | Name of IAM user | `string` | n/a | yes |
 
 ## Outputs
 
-| Name | Description |
+No outputs.
-|------|-------------|
-| iam-user-access-key | n/a |
-| iam-user-arn | n/a |
-| iam-user-name | n/a |
  
 ---
 ## Authorship
-This module was developed by xpk.
+This module was developed by Rackspace.

modules/security_identity_compliance/iam-user/example/main.tf

@@ -0,0 +1,28 @@
+module "example" {
+  source                   = "../"
+  user_name                = "example-user"
+  create_group_name        = "example-group"
+  create_access_key        = false
+  enable_console_access    = true
+  custom_iam_policy_json = data.aws_iam_policy_document.ec2-restart.json
+  secretsmanager_kms_arn   = "arn:aws:kms:ap-east-1:000011112222:key/0000"
+}
+
+data "aws_iam_policy_document" "ec2-restart" {
+  statement {
+    sid = "StartStopEc2Instances"
+
+    actions = [
+      "ec2:StartInstances",
+      "ec2:StopInstances",
+      "ec2:Describe*"
+    ]
+
+    resources = [
+      "arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00001",
+      "arn:aws:ec2:ap-east-1:${data.aws_caller_identity.this.account_id}:instance/i-00002"
+    ]
+
+    effect = "Allow"
+  }
+}

modules/security_identity_compliance/iam-user/main.tf

@@ -1,27 +1,90 @@
-resource "aws_iam_user" "iam-user" {
+/**
-  name          = var.iam-user-name
+* # iam-user module
+* Creates iam user. If new group will be created for this user, use custom_iam_policy_json to
+* attach iam policy to the group. You can also use attach_iam_policies to attach AWS-managed policies.
+*
+* ## Security requirements
+* IAM policies must be attached to iam group, not directly to iam user.
+* This module requires a new group be created, or an existing group for the user to be added to.
+*
+* User credentials are saved in secretsmanager, which must be encrypted with CMK
+*/
+
+resource "aws_iam_group" "group" {
+  count = var.create_group_name != null ? 1 : 0
+  name  = var.create_group_name
+}
+
+resource "aws_iam_user" "user" {
+  name          = var.user_name
   force_destroy = true
 }
 
-resource "aws_iam_access_key" "iam-user-access-key" {
+resource "aws_iam_group_membership" "membership" {
-  count = var.create-access-key ? 1 : 0
+  group = coalesce(var.create_group_name, var.existing_group_name)
-  user  = aws_iam_user.iam-user.name
+  users = [aws_iam_user.user.name]
+  name  = "${var.user_name} membership"
+
+  lifecycle {
+    precondition {
+      condition     = var.create_group_name != null || var.existing_group_name != null
+      error_message = "You must provide either 'create_group_name' or 'existing_group_name'."
     }
 
-resource "aws_iam_user_policy" "iam-user-policy" {
+    precondition {
-  count  = var.iam-user-policy != "" ? 1 : 0
+      condition     = !(var.create_group_name != null && var.existing_group_name != null)
-  name   = var.iam-user-policy-name
+      error_message = "You cannot provide both 'create_group_name' and 'existing_group_name' at the same time."
-  user   = aws_iam_user.iam-user.name
+    }
-  policy = var.iam-user-policy
+  }
 }
 
-resource "aws_iam_user_policy" "iam-user-selfservice-policy" {
+resource "aws_iam_user_login_profile" "profile" {
-  name   = "SelfServicePermissions"
+  count = var.enable_console_access ? 1 : 0
-  user   = aws_iam_user.iam-user.name
+  user  = var.user_name
-  policy = data.aws_iam_policy_document.user-policy.json
 }
 
-data "aws_iam_policy_document" "user-policy" {
+resource "aws_iam_policy" "policy" {
+  name_prefix = var.user_name
+  description = "Policy for ${var.user_name}"
+  policy      = data.aws_iam_policy_document.policy.json
+}
+
+resource "aws_iam_group_policy_attachment" "policy" {
+  depends_on = [aws_iam_group.group] # attach policy only to new group
+  group      = var.create_group_name
+  policy_arn = aws_iam_policy.policy.arn
+}
+
+resource "aws_iam_group_policy_attachment" "ManagedPolicies" {
+  for_each   = toset(var.attach_iam_policies)
+  group      = coalesce(var.create_group_name, var.existing_group_name)
+  policy_arn = each.value
+}
+
+resource "aws_iam_access_key" "AccessKey" {
+  count = var.create_access_key ? 1 : 0
+  user  = aws_iam_user.user.name
+}
+
+module "UserCredentials" {
+  source = "../secretsmanager-2025"
+
+  name            = "${var.user_name}-IamUser-Credentials"
+  description     = "Credentials for iam user ${var.user_name}"
+  generate_secret = false
+  secret = jsonencode(
+    {
+      "ConsolePassword" : var.enable_console_access ? aws_iam_user_login_profile.profile[0].password : "NotSet"
+      "AccessKeyId" : var.create_access_key ? aws_iam_access_key.AccessKey[0].id : "NotSet"
+      "SecretKey" : var.create_access_key ? aws_iam_access_key.AccessKey[0].secret : "NotSet"
+    }
+  )
+  kms_key_id = var.secretsmanager_kms_arn
+}
+
+data "aws_iam_policy_document" "policy" {
+  source_policy_documents = [var.custom_iam_policy_json]
+
   statement {
     sid = "ManageOwnCredentials"
 
@@ -42,58 +105,4 @@ data "aws_iam_policy_document" "user-policy" {
     effect    = "Allow"
     resources = ["arn:aws:iam::*:user/$${aws:username}"]
   }
-
-  statement {
-    sid = "GetBasicUserInfo"
-    actions = [
-      "iam:GetAccountPasswordPolicy",
-      "iam:GetAccessKeyLastUsed",
-      "iam:GetUserPolicy"
-    ]
-    effect    = "Allow"
-    resources = ["*"]
 }
-}
-
-resource "aws_iam_user_policy_attachment" "iam-user-managed-policies" {
-  count      = length(var.add-to-groups) > 0 ? 0 : length(var.managed-policy-arns)
-  user       = aws_iam_user.iam-user.name
-  policy_arn = var.managed-policy-arns[count.index]
-}
-
-resource "aws_iam_user_login_profile" "iam-user-profile" {
-  count           = var.create-password ? 1 : 0
-  user            = aws_iam_user.iam-user.name
-  password_length = 20
-  pgp_key         = null
-}
-
-resource "random_id" "secrets-random-id" {
-  byte_length = 2
-}
-
-resource "aws_secretsmanager_secret" "secretmanager" {
-  count       = var.create-access-key || var.create-password ? 1 : 0
-  name        = "IamUserCredential-${random_id.secrets-random-id.dec}-${var.iam-user-name}"
-  description = "AWS resource credential"
-}
-
-resource "aws_secretsmanager_secret_version" "iam-user-secret" {
-  count     = var.create-access-key || var.create-password ? 1 : 0
-  secret_id = aws_secretsmanager_secret.secretmanager[0].id
-  secret_string = jsonencode(
-    {
-      "ConsolePassword" : length(aws_iam_user_login_profile.iam-user-profile[0].password) > 0 ? aws_iam_user_login_profile.iam-user-profile[0].password : "NotSet",
-      "AccessKeyId" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].id : "NotSet",
-      "KeySecret" : length(aws_iam_access_key.iam-user-access-key) > 0 ? aws_iam_access_key.iam-user-access-key[0].secret : "NotSet"
-    }
-  )
-}
-
-resource "aws_iam_group_membership" "group-membership" {
-  for_each = toset(var.add-to-groups)
-  name     = "MembershipToExistingGroups"
-  group    = each.value
-  users    = [aws_iam_user.iam-user.name]
-}
-

modules/security_identity_compliance/iam-user/outputs.tf

@@ -1,15 +0,0 @@
-output "iam-user-name" {
-  value = aws_iam_user.iam-user.name
-}
-
-output "iam-user-arn" {
-  value = aws_iam_user.iam-user.arn
-}
-
-output "iam-user-access-key" {
-  value = try(aws_iam_access_key.iam-user-access-key[0].id, "none")
-}
-
-output "iam-user-secret-arn" {
-  value = try(aws_secretsmanager_secret_version.iam-user-secret[0].arn, "none")
-}

modules/security_identity_compliance/iam-user/variables.tf

@@ -1,20 +1,44 @@
-variable "iam-user-name" {}
+variable "create_group_name" {
-variable "iam-user-policy" {
   type        = string
-  default = ""
+  description = "Name of new group to be created and add user to"
+  default     = null
 }
-variable "iam-user-policy-name" {
+
+variable "user_name" {
   type        = string
-  default = ""
+  description = "Name of IAM user"
 }
-variable "create-access-key" {
+
+variable "existing_group_name" {
+  type        = string
+  description = "Name of existing group to add user to"
+  default     = null
+}
+
+variable "enable_console_access" {
   type        = bool
+  description = "Enable console access"
 }
-variable "create-password" {
+
-  type = bool
+variable "custom_iam_policy_json" {
+  type        = string
+  description = "Json encoded aws_iam_policy_document, only applicable when create_group_name is used."
 }
-variable "managed-policy-arns" {}
+
-variable "add-to-groups" {
+variable "attach_iam_policies" {
   type        = list(string)
+  description = "Aws-Managed iam policies to be attached"
   default     = []
 }
+
+variable "create_access_key" {
+  type        = bool
+  description = "Create access key for user"
+}
+
+variable "secretsmanager_kms_arn" {
+  type        = string
+  description = "KMS key arn of secretsmanager"
+}
+
+data "aws_caller_identity" "this" {}

modules/security_identity_compliance/iam-user/versions.tf

@@ -1,9 +0,0 @@
-terraform {
-  required_version = ">= 1.3.9"
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 5.0"
-    }
-  }
-}

modules/security_identity_compliance/secretsmanager-2025/README.md

@@ -0,0 +1,63 @@
+<!-- This readme file is generated with terraform-docs -->
+# secretsmanager-2025
+This module creates an entry on secretsmanager. It uses ephemeral resources
+such that the generated password is not stored in terraform state.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 1.10 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_secretsmanager_secret.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource |
+| [aws_secretsmanager_secret_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy) | resource |
+| [aws_secretsmanager_secret_rotation.rotation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation) | resource |
+| [aws_secretsmanager_secret_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.policy-file](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| auto-rotation-days | Days to rotate secret | `number` | `365` | no |
+| description | description of secret | `string` | `null` | no |
+| enable-auto-rotation | Enable automatic rotation | `bool` | `false` | no |
+| generate\_secret | If set to true, a secure password will be generated and saved. | `bool` | `false` | no |
+| kms\_key\_id | Custom kms key id. If not specified, the default key aws/secretmanager key will be used. | `string` | `null` | no |
+| name | name of secret | `string` | `null` | no |
+| policy | access policy to the secret | `string` | `null` | no |
+| recovery\_window\_in\_days | Number of days that AWS Secrets Manager waits before it can delete the secret | `number` | `30` | no |
+| rotation-lambda-arn | ARN of lambda function for auto secret rotation | `string` | `null` | no |
+| secret | the secret you want to store | `any` | `null` | no |
+| secret\_use\_special\_char | Set false to not use special characters | `bool` | `true` | no |
+| secret\_version | Secret version, default to 1. For subsequent update, set it to more than 1. | `number` | `1` | no |
+| tags | (Optional) A mapping of tags to assign to the AWS Secrets Manager. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| arn | The id of the secret. |
+| id | Secret of Authenticate Token of elasticcache |
+| secret\_arn | The ARN of the secret. |
+| secret\_id | The id of the secret. |
+| secret\_string | The decrypted secret string of the secret. |
+ 
+---
+## Authorship
+This module was developed by Rackspace.

modules/security_identity_compliance/secretsmanager-2025/example/main.tf

@@ -0,0 +1,6 @@
+module "secret" {
+  source          = "../"
+  name            = "TestSecret"
+  description     = "Terraform module example"
+  generate_secret = true
+}

modules/security_identity_compliance/secretsmanager-2025/main.tf

@@ -0,0 +1,69 @@
+/**
+* # secretsmanager-2025
+* This module creates an entry on secretsmanager. It uses ephemeral resources
+* such that the generated password is not stored in terraform state.
+*/
+
+resource "aws_secretsmanager_secret" "this" {
+  name = var.name
+
+  kms_key_id              = var.kms_key_id
+  description             = var.description
+  policy                  = var.policy
+  recovery_window_in_days = var.recovery_window_in_days
+  tags                    = var.tags
+}
+
+resource "aws_secretsmanager_secret_version" "this" {
+  secret_id                = aws_secretsmanager_secret.this.id
+  secret_string_wo_version = var.secret_version
+  secret_string_wo         = var.generate_secret ? ephemeral.aws_secretsmanager_random_password.this[0].random_password : var.secret
+}
+
+ephemeral "aws_secretsmanager_random_password" "this" {
+  count               = var.generate_secret ? 1 : 0
+  password_length     = 32
+  exclude_characters  = "\\&'\""
+  include_space       = false
+  exclude_punctuation = var.secret_use_special_char ? false : true
+}
+
+resource "aws_secretsmanager_secret_policy" "policy" {
+  secret_arn = aws_secretsmanager_secret.this.arn
+  policy     = var.policy != null ? var.policy : data.aws_iam_policy_document.policy-file.json
+}
+
+data "aws_iam_policy_document" "policy-file" {
+  statement {
+    sid    = "DenyCrossAccountAccess"
+    effect = "Deny"
+
+    principals {
+      identifiers = ["*"]
+      type        = "*"
+    }
+
+    condition {
+      test     = "StringNotEquals"
+      values   = [data.aws_caller_identity.this.account_id]
+      variable = "aws:PrincipalAccount"
+    }
+
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = ["*"]
+  }
+}
+
+
+resource "aws_secretsmanager_secret_rotation" "rotation" {
+  count               = var.enable-auto-rotation ? 1 : 0
+  secret_id           = aws_secretsmanager_secret.this.id
+  rotation_lambda_arn = var.rotation-lambda-arn
+  rotate_immediately  = var.rotate-immediately
+  rotation_rules {
+    automatically_after_days = var.auto-rotation-days
+    schedule_expression      = var.auto-rotation-schedule-expression
+  }
+}
+
+data "aws_caller_identity" "this" {}

modules/security_identity_compliance/secretsmanager-2025/outputs.tf

@@ -0,0 +1,26 @@
+output "secret_id" {
+  description = "The id of the secret."
+  value       = aws_secretsmanager_secret.this.id
+}
+
+output "secret_arn" {
+  description = "The ARN of the secret."
+  value       = aws_secretsmanager_secret.this.arn
+}
+
+output "id" {
+  description = "Secret of Authenticate Token of elasticcache"
+  value       = aws_secretsmanager_secret.this.id
+  sensitive   = true
+}
+
+output "arn" {
+  description = "The id of the secret."
+  value       = aws_secretsmanager_secret.this.arn
+}
+
+output "secret_string" {
+  description = "The decrypted secret string of the secret."
+  value       = aws_secretsmanager_secret_version.this.secret_string
+  sensitive   = true
+}

modules/security_identity_compliance/secretsmanager-2025/variables.tf

@@ -0,0 +1,89 @@
+variable "name" {
+  description = "name of secret"
+  type        = string
+  default     = null
+}
+
+variable "description" {
+  description = "description of secret"
+  type        = string
+  default     = null
+}
+
+variable "policy" {
+  description = "access policy to the secret"
+  type        = string
+  default     = null
+}
+
+variable "secret" {
+  description = "the secret you want to store"
+  type        = any
+  default     = null
+}
+
+variable "recovery_window_in_days" {
+  description = "Number of days that AWS Secrets Manager waits before it can delete the secret"
+  type        = number
+  default     = 30
+}
+
+variable "tags" {
+  description = "(Optional) A mapping of tags to assign to the AWS Secrets Manager."
+  type        = map(string)
+  default     = {}
+}
+
+variable "generate_secret" {
+  type        = bool
+  default     = false
+  description = "If set to true, a secure password will be generated and saved."
+}
+
+variable "kms_key_id" {
+  type        = string
+  default     = null
+  description = "Custom kms key id. If not specified, the default key aws/secretmanager key will be used."
+}
+
+variable "secret_use_special_char" {
+  type        = bool
+  default     = true
+  description = "Set false to not use special characters"
+}
+
+variable "secret_version" {
+  type        = number
+  description = "Secret version, default to 1. For subsequent update, set it to more than 1."
+  default     = 1
+}
+
+variable "auto-rotation-days" {
+  type        = number
+  description = "Days to auto rotate secret"
+  default     = null
+}
+
+variable "auto-rotation-schedule-expression" {
+  type        = string
+  description = "Schedule expression for auto secret rotation"
+  default     = null
+}
+
+variable "rotation-lambda-arn" {
+  type        = string
+  description = "ARN of lambda secret rotation function"
+  default     = null
+}
+
+variable "enable-auto-rotation" {
+  type        = bool
+  description = "Set true to enable auto rotation"
+  default     = false
+}
+
+variable "rotate-immediately" {
+  type        = bool
+  default     = false
+  description = "Rotate secret immediately"
+}

modules/security_identity_compliance/secretsmanager-2025/version.tf

@@ -0,0 +1,4 @@
+# ephemeral resources are supported since terraform 1.10
+terraform {
+  required_version = ">= 1.10"
+}

modules/storage/S3Bucket/variables.tf

@@ -67,7 +67,7 @@ variable "replication_dest_bucket_name" {
 }
 
 variable "replication_destination_aws_account_id" {
-  type        = number
+  type        = string
   default     = null
   description = "AWS account id of replica bucket"
 }