AWS Secrets Manager Terraform module

Terraform module which creates AWS Secrets Manager resources.

Usage

See examples directory for working examples to reference:

Standard

module "secrets_manager" {
  source = "terraform-aws-modules/secrets-manager/aws"

  # Secret
  name_prefix             = "example"
  description             = "Example Secrets Manager secret"
  recovery_window_in_days = 30

  # Policy
  create_policy       = true
  block_public_policy = true
  policy_statements = {
    read = {
      sid = "AllowAccountRead"
      principals = [{
        type        = "AWS"
        identifiers = ["arn:aws:iam::1234567890:root"]
      }]
      actions   = ["secretsmanager:GetSecretValue"]
      resources = ["*"]
    }
  }

  # Version
  create_random_password           = true
  random_password_length           = 64
  random_password_override_special = "!@#$%^&*()_+"

  tags = {
    Environment = "Development"
    Project     = "Example"
  }
}

w/ Rotation

module "secrets_manager" {
  source = "terraform-aws-modules/secrets-manager/aws"

  # Secret
  name_prefix             = "rotated-example"
  description             = "Rotated example Secrets Manager secret"
  recovery_window_in_days = 7

  # Policy
  create_policy       = true
  block_public_policy = true
  policy_statements = {
    lambda = {
      sid = "LambdaReadWrite"
      principals = [{
        type        = "AWS"
        identifiers = ["arn:aws:iam:1234567890:role/lambda-function"]
      }]
      actions = [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecretVersionStage",
      ]
      resources = ["*"]
    }
    read = {
      sid = "AllowAccountRead"
      principals = [{
        type        = "AWS"
        identifiers = ["arn:aws:iam::1234567890:root"]
      }]
      actions   = ["secretsmanager:DescribeSecret"]
      resources = ["*"]
    }
  }

  # Version
  ignore_secret_changes = true
  secret_string = jsonencode({
    engine   = "mariadb",
    host     = "mydb.cluster-123456789012.us-east-1.rds.amazonaws.com",
    username = "Bill",
    password = "Initial"
    dbname   = "ThisIsMySuperSecretString12356!&*()",
    port     = 3306
  })

  # Rotation
  enable_rotation     = true
  rotation_lambda_arn = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
  rotation_rules = {
    # This should be more sensible in production
    schedule_expression = "rate(1 minute)"
  }

  tags = {
    Environment = "Development"
    Project     = "Example"
  }
}

Examples

Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Complete

Requirements

Name	Version
terraform	>= 1.0
aws	>= 5.0
random	>= 3.0

Providers

Name	Version
aws	>= 5.0
random	>= 3.0

Modules

No modules.

Resources

Name	Type
aws_secretsmanager_secret.this	resource
aws_secretsmanager_secret_policy.this	resource
aws_secretsmanager_secret_rotation.this	resource
aws_secretsmanager_secret_version.ignore_changes	resource
aws_secretsmanager_secret_version.this	resource
random_password.this	resource
aws_iam_policy_document.this	data source

Inputs

Name	Description	Type	Default	Required
block_public_policy	Makes an optional API call to Zelkova to validate the Resource Policy to prevent broad access to your secret	`bool`	`null`	no
create	Determines whether resources will be created (affects all resources)	`bool`	`true`	no
create_policy	Determines whether a policy will be created	`bool`	`false`	no
create_random_password	Determines whether a random password will be generated	`bool`	`false`	no
description	A description of the secret	`string`	`null`	no
enable_rotation	Determines whether secret rotation is enabled	`bool`	`false`	no
force_overwrite_replica_secret	Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region	`bool`	`null`	no
ignore_secret_changes	Determines whether or not Terraform will ignore changes made externally to `secret_string` or `secret_binary`. Changing this value after creation is a destructive operation	`bool`	`false`	no
kms_key_id	ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named `aws/secretsmanager`	`string`	`null`	no
name	Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: `/_+=.@-`	`string`	`null`	no
name_prefix	Creates a unique name beginning with the specified prefix	`string`	`null`	no
override_policy_documents	List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid`	`list(string)`	`[]`	no
policy_statements	A map of IAM policy statements for custom permission usage	`map(any)`	`{}`	no
random_password_length	The length of the generated random password	`number`	`32`	no
random_password_override_special	Supply your own list of special characters to use for string generation. This overrides the default character list in the special argument	`string`	`"!@#$%&*()-_=+[]{}<>:?"`	no
recovery_window_in_days	Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be `0` to force deletion without recovery or range from `7` to `30` days. The default value is `30`	`number`	`null`	no
replica	Configuration block to support secret replication	`map(any)`	`{}`	no
rotation_lambda_arn	Specifies the ARN of the Lambda function that can rotate the secret	`string`	`""`	no
rotation_rules	A structure that defines the rotation configuration for this secret	`map(any)`	`{}`	no
secret_binary	Specifies binary data that you want to encrypt and store in this version of the secret. This is required if `secret_string` is not set. Needs to be encoded to base64	`string`	`null`	no
secret_string	Specifies text data that you want to encrypt and store in this version of the secret. This is required if `secret_binary` is not set	`string`	`null`	no
source_policy_documents	List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s	`list(string)`	`[]`	no
tags	A map of tags to add to all resources	`map(string)`	`{}`	no
version_stages	Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret	`list(string)`	`null`	no

Outputs

Name	Description
secret_arn	The ARN of the secret
secret_binary	The secret binary
secret_id	The ID of the secret
secret_name	The name of the secret
secret_replica	Attributes of the replica created
secret_string	The secret string
secret_version_id	The unique identifier of the version of the secret

License

Apache-2.0 Licensed. See LICENSE.

terraform-aws-modules/terraform-aws-secrets-manager