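/**
 * # secretsmanager-secret
 *
 * Creates a Secrets Manager secret, stores an initial version in it and
 * attaches a resource policy.
 *
 * The secret value is passed through a write-only argument
 * (`secret_string_wo`) and, when generated, comes from an ephemeral
 * resource, so the plaintext is not persisted in Terraform state or plan
 * files. The trade-off is that Terraform only re-sends the value when
 * `secret_string_wo_version` changes. When `var.secret_version` is null,
 * that version string is derived from `timestamp()`, which differs on
 * every run, so EVERY apply pushes a new secret version (and a freshly
 * generated password when `generate_secret` is true). Set
 * `var.secret_version` and bump it deliberately to control rotation.
 *
 * The `aws_secretsmanager_secret` resource itself is not recreated on
 * each apply; only new versions are added to it.
 */

# Account id of the credentials running the apply; used to scope the
# default resource policy to this account.
data "aws_caller_identity" "this" {}

# Two random bytes (rendered as a decimal, 0-65535) appended to the secret
# name so repeated module instances with the same `secret_name` do not
# collide. NOTE(review): 16 bits is enough for uniqueness, not secrecy; do
# not rely on the suffix being unguessable.
resource "random_id" "rid" {
  byte_length = 2
}

resource "aws_secretsmanager_secret" "secret1" {
  name        = "${var.secret_name}-${random_id.rid.dec}"
  description = var.secret_description
  # Passing the variable straight through is equivalent to the former
  # `var.kms_key_id == null ? null : var.kms_key_id`; a null value leaves
  # the provider default (the account's aws/secretsmanager managed key).
  kms_key_id = var.kms_key_id
}

resource "aws_secretsmanager_secret_version" "this" {
  secret_id = aws_secretsmanager_secret.secret1.id

  # Write-only: sent to AWS, never stored in state. When generate_secret is
  # true, var.secret_value is ignored. If generate_secret is false and
  # secret_value is null the provider rejects the plan; a `validation` block
  # on those variables (in the variables file) would give a clearer error.
  secret_string_wo = var.generate_secret ? ephemeral.aws_secretsmanager_random_password.this.random_password : var.secret_value

  # A change in this string is what makes Terraform re-send the value.
  # Without var.secret_version it changes on every plan (timestamp()), so a
  # new version is created on every apply even when secret_value is static.
  secret_string_wo_version = coalesce(var.secret_version, formatdate("YYYYMMDDhhmmss", timestamp()))
}

# Random password source. Ephemeral: the value exists only for the duration
# of the run and is not written to state or plan. It is declared
# unconditionally, so a password is generated on every run even when
# generate_secret is false; it is only consumed when that flag is true.
ephemeral "aws_secretsmanager_random_password" "this" {
  password_length     = 22
  exclude_numbers     = false
  exclude_lowercase   = false
  exclude_uppercase   = false
  exclude_punctuation = false
  # NOTE(review): drops lowercase "o", "!", "[", "]" and "\" — presumably
  # to avoid shell/regex-sensitive characters and the 0/o look-alike;
  # confirm with the secret's consumer before changing this set.
  exclude_characters         = "o![]\\"
  include_space              = false
  require_each_included_type = true
}

# The earlier managed `random_password` resource was removed on purpose:
# it would persist the generated value in Terraform state. Do not
# reintroduce it; use the ephemeral resource above instead.

resource "aws_secretsmanager_secret_policy" "policy" {
  secret_arn = aws_secretsmanager_secret.secret1.arn
  # A caller-supplied policy REPLACES the default cross-account deny below
  # rather than extending it, so callers who provide their own policy are
  # responsible for its scoping. Consider `block_public_policy = true` so
  # AWS rejects policies that grant wildcard-principal access.
  policy = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json
}

# Default resource policy: deny GetSecretValue to any principal whose
# account differs from the deploying account. This is defence in depth —
# cross-account access would still need an explicit Allow here — and it
# grants nothing: same-account principals remain governed by their own
# identity policies. Other actions (DescribeSecret, PutSecretValue, ...)
# are not covered by this Deny.
data "aws_iam_policy_document" "policy-file" {
  statement {
    sid    = "DenyCrossAccountAccess"
    effect = "Deny"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.secret1.arn]

    condition {
      test     = "StringNotEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.this.account_id]
    }
  }
}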