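/**
 * # secretsmanager-2025
 *
 * This module creates an entry on secretsmanager. It uses ephemeral resources
 * such that the generated password is not stored in terraform state.
 *
 * Secret material flows through write-only arguments only:
 *   - `ephemeral.aws_secretsmanager_random_password` is never persisted;
 *   - `secret_string_wo` on the secret version is write-only, so neither the
 *     generated password nor `var.secret` ends up in the state file.
 *   - `secret_string_wo_version` (`var.secret_version`) is the only value that
 *     is stored; bumping it is what triggers a new secret version write.
 */

# The secret container (name, KMS key, metadata, resource policy, deletion window).
resource "aws_secretsmanager_secret" "this" {
  name                    = var.name
  kms_key_id              = var.kms_key_id
  description             = var.description
  # NOTE(review): the resource policy is also managed by
  # aws_secretsmanager_secret_policy.policy below. When var.policy is non-null the
  # same document is written from two places; the provider documents this
  # interplay for the `policy` argument — confirm which one should own it and
  # consider removing the other to avoid plan noise / drift.
  policy                  = var.policy
  recovery_window_in_days = var.recovery_window_in_days
  tags                    = var.tags
}

# The secret value. Both `_wo` arguments are write-only, so the plaintext is sent
# to the API but not recorded in state or plan output.
resource "aws_secretsmanager_secret_version" "this" {
  secret_id                = aws_secretsmanager_secret.this.id
  secret_string_wo_version = var.secret_version
  # Either the ephemeral random password or the caller-supplied value.
  secret_string_wo         = var.generate_secret ? ephemeral.aws_secretsmanager_random_password.this[0].random_password : var.secret
}

# Ephemeral password generator; only instantiated when the caller asks for a
# generated secret. Being ephemeral, the result is not written to state.
ephemeral "aws_secretsmanager_random_password" "this" {
  count = var.generate_secret ? 1 : 0

  # Hard-coded length; callers cannot tune it through the module interface.
  password_length = 32
  # Excludes backslash, ampersand, single quote and double quote so the value
  # is safe to embed in shell/JSON/connection strings without escaping.
  exclude_characters = "\\&'\""
  include_space      = false
  # Punctuation is included only when special characters are requested.
  exclude_punctuation = !var.secret_use_special_char
}

# Resource policy: the caller's document when supplied, otherwise a default
# deny-all-cross-account policy built below.
resource "aws_secretsmanager_secret_policy" "policy" {
  secret_arn = aws_secretsmanager_secret.this.arn
  policy     = var.policy != null ? var.policy : data.aws_iam_policy_document.policy-file.json
}

# Default policy: deny GetSecretValue to any principal whose account is not the
# account running this configuration.
data "aws_iam_policy_document" "policy-file" {
  statement {
    sid    = "DenyCrossAccountAccess"
    effect = "Deny"

    principals {
      identifiers = ["*"]
      type        = "*"
    }

    # StringNotEquals is a negated operator: it also matches when the condition
    # key is absent from the request context. NOTE(review): confirm that every
    # principal expected to read this secret (e.g. the rotation function's role)
    # presents aws:PrincipalAccount, otherwise it will be denied.
    condition {
      test     = "StringNotEquals"
      values   = [data.aws_caller_identity.this.account_id]
      variable = "aws:PrincipalAccount"
    }

    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["*"]
  }
}

# Optional automatic rotation via a caller-provided Lambda.
resource "aws_secretsmanager_secret_rotation" "rotation" {
  count = var.enable-auto-rotation ? 1 : 0

  secret_id           = aws_secretsmanager_secret.this.id
  rotation_lambda_arn = var.rotation-lambda-arn
  rotate_immediately  = var.rotate-immediately

  # The two schedule forms are mutually exclusive in the provider; callers are
  # expected to leave exactly one of the two variables null.
  rotation_rules {
    automatically_after_days = var.auto-rotation-days
    schedule_expression      = var.auto-rotation-schedule-expression
  }
}

# Identity of the account applying this configuration; used by the default
# deny policy above.
data "aws_caller_identity" "this" {}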