70 lines
2.1 KiB
Terraform
70 lines
2.1 KiB
Terraform
/**
|
|
* # secretsmanager-secret
|
|
*
|
|
* Create secretsmanager secret. Specify secret_version if you do not want
|
|
* terraform to recreate the secret everytime terraform applies. Otherwise,
|
|
* becuase this module uses emphemeral resource, the secret will be regenerated
|
|
* and replaced every time.
|
|
*/
|
|
|
|
|
|
data "aws_caller_identity" "this" {}
|
|
|
|
resource "random_id" "rid" {
|
|
byte_length = 2
|
|
}
|
|
|
|
resource "aws_secretsmanager_secret" "secret1" {
|
|
name = "${var.secret_name}-${random_id.rid.dec}"
|
|
description = var.secret_description
|
|
kms_key_id = var.kms_key_id == null ? null : var.kms_key_id
|
|
}
|
|
|
|
resource "aws_secretsmanager_secret_version" "this" {
|
|
secret_id = aws_secretsmanager_secret.secret1.id
|
|
secret_string_wo = var.generate_secret ? ephemeral.aws_secretsmanager_random_password.this.random_password : var.secret_value
|
|
secret_string_wo_version = coalesce(var.secret_version, formatdate("YYYYMMDDhhmmss", timestamp()))
|
|
}
|
|
|
|
ephemeral "aws_secretsmanager_random_password" "this" {
|
|
password_length = 22
|
|
exclude_numbers = false
|
|
exclude_characters = "o![]\\"
|
|
exclude_lowercase = false
|
|
exclude_punctuation = false
|
|
exclude_uppercase = false
|
|
include_space = false
|
|
require_each_included_type = true
|
|
}
|
|
|
|
# resource "random_password" "this" {
|
|
# count = var.generate_secret ? 1 : 0
|
|
# length = 22
|
|
# special = true
|
|
# }
|
|
|
|
resource "aws_secretsmanager_secret_policy" "policy" {
|
|
secret_arn = aws_secretsmanager_secret.secret1.arn
|
|
policy = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json
|
|
}
|
|
|
|
data "aws_iam_policy_document" "policy-file" {
|
|
statement {
|
|
sid = "DenyCrossAccountAccess"
|
|
effect = "Deny"
|
|
|
|
principals {
|
|
identifiers = ["*"]
|
|
type = "AWS"
|
|
}
|
|
|
|
condition {
|
|
test = "StringNotEquals"
|
|
values = [data.aws_caller_identity.this.account_id]
|
|
variable = "aws:PrincipalAccount"
|
|
}
|
|
|
|
actions = ["secretsmanager:GetSecretValue"]
|
|
resources = [aws_secretsmanager_secret.secret1.arn]
|
|
}
|
|
} |