Creates an AWS Secrets Manager secret with an initial value. A unique KMS key is created with a key policy that allows consumers to decrypt and allows the rotation function to encrypt.
Example:

```hcl
module "auth_token" {
  source = "github.com/thoughtbot/terraform-aws-secrets//secret"

  description   = "Auth token for managing client keys"
  initial_value = random_string.auth_token.result
  name          = "auth-token"
}
```
You can provide administrative and consumer principals:

```hcl
admin_principals = [data.aws_iam_role.sso_admin_user.arn]
read_principals  = [aws_iam_role.myservice.arn]
```
If you don't provide principals, access defaults to the current account and authorization is delegated to IAM: any user or role in the account whose IAM policies grant the relevant secretsmanager:* permissions will be able to use the secret.
You can also implement tag-based ABAC by providing trust tags:

```hcl
trust_tags = { Service = "myservice" }
```

This adds a condition to the trust policy that denies reading unless the principal has the corresponding tags. Principals listed in read_principals must therefore carry these tags as well (as role tags or session tags), or their reads will be denied.
Rotation is not configured, but a role suitable for a rotation function is created and available in the outputs. You can create your own rotation function using the secret rotation function module.
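A fuller configuration that ties the inputs and outputs above together, added here as an illustration and not taken from the module's own examples. It assumes a region, a consuming service that runs as an ECS task role, an IAM Identity Center admin role looked up by name, and that the policy_json output is a complete IAM policy document; it also uses random_password rather than random_string so the initial value is marked sensitive in plans.

```hcl
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws", version = "~> 5.0" }
    random = { source = "hashicorp/random" }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

# Initial value. random_password is used instead of random_string so the
# result is treated as sensitive in plan output.
resource "random_password" "auth_token" {
  length  = 48
  special = false
}

# Role the consuming service runs as (ECS tasks here, an assumption).
# It carries the Service tag that trust_tags below requires; without this
# tag the ABAC condition denies the read even though the role is listed.
data "aws_iam_policy_document" "myservice_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "myservice" {
  name               = "myservice"
  assume_role_policy = data.aws_iam_policy_document.myservice_assume.json
  tags               = { Service = "myservice" }
}

# Hypothetical admin role; the name is an assumption for this example.
data "aws_iam_role" "sso_admin_user" {
  name = "AWSReservedSSO_AdministratorAccess_example"
}

module "auth_token" {
  source = "github.com/thoughtbot/terraform-aws-secrets//secret"

  name          = "auth-token"
  description   = "Auth token for managing client keys"
  initial_value = random_password.auth_token.result

  # Restrict the resource policy to named principals instead of the
  # account-wide default that delegates everything to IAM.
  admin_principals = [data.aws_iam_role.sso_admin_user.arn]
  read_principals  = [aws_iam_role.myservice.arn]

  # ABAC: readers must also carry Service=myservice.
  trust_tags = { Service = "myservice" }

  resource_tags = { Service = "myservice" }
}

# Identity-side grant. With read_principals set, the resource policy already
# allows the read within the same account; attaching policy_json keeps the
# grant visible on the role and is what you need when read_principals is
# left unset (assumes policy_json is a full policy document).
resource "aws_iam_role_policy" "myservice_read_auth_token" {
  name   = "read-auth-token"
  role   = aws_iam_role.myservice.id
  policy = module.auth_token.policy_json
}
```

The rotation_role_arn output is the role to hand to whatever Lambda function you build for rotation; the module only creates the role, so nothing rotates until that function exists and is registered on the secret.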
Requirements:

Name | Version |
---|---|
terraform | >= 0.15.0 |
aws | ~> 5.0 |
Providers:

Name | Version |
---|---|
aws | ~> 5.0 |
Resources:

Name | Type |
---|---|
aws_iam_policy.rotation | resource |
aws_iam_role.rotation | resource |
aws_iam_role_policy_attachment.rotation | resource |
aws_kms_alias.this | resource |
aws_kms_key.this | resource |
aws_secretsmanager_secret.this | resource |
aws_secretsmanager_secret_policy.this | resource |
aws_secretsmanager_secret_version.initial | resource |
aws_caller_identity.this | data source |
aws_iam_policy_document.key | data source |
aws_iam_policy_document.read_secret | data source |
aws_iam_policy_document.rotation | data source |
aws_iam_policy_document.rotation_assume_role | data source |
aws_iam_policy_document.secret | data source |
aws_iam_role.rotation | data source |
aws_region.this | data source |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
admin_principals | Principals allowed to perform admin actions (default: current account) | list(string) | null | no |
create_rotation_policy | Set to false to disable creation of an IAM policy for rotation | bool | true | no |
create_rotation_role | Set to false to use an existing IAM role for rotation | bool | true | no |
description | Description for this secret | string | null | no |
initial_value | Initial value for this secret | string | n/a | yes |
name | Name for this secret | string | n/a | yes |
read_principals | Principals allowed to read the secret (default: current account) | list(string) | null | no |
readwrite_principals | Principals allowed to both read and write secrets | list(string) | [] | no |
resource_tags | Tags to be applied to created resources | map(string) | {} | no |
rotation_role_name | Override the name for the rotation role | string | null | no |
rotation_trust_policies | Overrides for the rotation role trust policies | list(string) | [] | no |
secret_policies | Overrides for the secret resource policies | list(string) | [] | no |
trust_tags | Tags required on principals accessing the secret | map(string) | {} | no |
Outputs:

Name | Description |
---|---|
arn | ARN of the created secret |
environment_variables | Environment variables provided by this secret |
id | Id of the created secret |
kms_key_alias | Alias of the KMS key encrypting the secret |
kms_key_arn | ARN of the KMS key encrypting the secret |
name | Name of the created secret |
policy_json | Policy JSON for consuming this secret |
rotation_role_arn | ARN of the IAM role allowed to rotate this secret |
rotation_role_name | Name of the IAM role allowed to rotate this secret |
secret_name | Name of the created secret |