This module creates secrets in AWS Secrets Manager. The `secrets` variable is a list of objects; one secret, with a randomly generated value, is created for each entry in the list.
No dependencies.
- Secrets Manager Secret
- Secret Policy
- Secret Version
This module can be called as outlined below.
- Change directories to the directory that requires secrets and source the module as shown below.
- From that directory, run `terraform init`.
- Run `terraform plan` to review the resources being created.
- If everything looks correct in the plan output, run `terraform apply`.
The example below shows how to call the secrets manager module to create secrets as needed. One important note: `override_special` is the set of special characters the generated password may *contain*, so choose it to exclude any characters the consuming system cannot handle. PostgreSQL (PGSQL) connection strings, for instance, have issues with some characters; for secrets that feed PGSQL it is best to exclude #$/_%&"'=. Note that both the module default (`_%@!`) and the value in the example below (`$%&!`) include characters from that set, so set `override_special` explicitly for such secrets.
If secrets need to be shared between AWS accounts, set `shared = true` and also provide `cross_account_ids` (a list of 12-digit AWS account IDs). When `shared = false`, `cross_account_ids` is not needed and can be left at its default of `null`.
```hcl
locals {
  secrets = [
    {
      secret_name        = "test123"
      secret_description = "test service account for the 123 service"
    },
    {
      secret_name        = "svc_test456"
      secret_description = ""
    }
  ]
}

module "secrets" {
  source = "github.com/Coalfire-CF/terraform-aws-secretsmanager"

  partition = var.partition
  secrets   = local.secrets

  # Generated password policy: 15 characters, with special characters drawn only from override_special
  length           = 15
  special          = true
  override_special = "$%&!"

  # KMS key that encrypts the secret values; remote state outputs are read via .outputs
  kms_key_id = data.terraform_remote_state.setup.outputs.sm_kms_key_id
  path       = ""

  # Cross-account sharing is off here; cross_account_ids is only used when shared = true
  shared            = false
  cross_account_ids = [""]
}
```
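As an added example (not part of the module's README or its code), the same call adapted for the two points above: a password that feeds a PostgreSQL connection string, and a secret shared with a second account. The `override_special` and `consumer_account_id` wrapper variables with their validation blocks, the account ID `111111111111`, the path `shared/`, the secret name and the `read_shared_secrets` policy are assumptions for illustration; the module inputs and the `secret_iam_policy_doc_json` output are the ones documented in the tables on this page.

```hcl
# Added example, not the module's own code.
# Wrapper variable that rejects the special characters recommended against for
# PostgreSQL consumers, so a bad set fails at `terraform plan` rather than
# producing a password the database client cannot use.
variable "override_special" {
  description = "Special characters the generated passwords may contain"
  type        = string
  default     = "!@^*" # assumed safe set; adjust to what the consumer accepts

  validation {
    # Any of # $ / _ % & " ' = in the allowed set is an error.
    condition     = length(regexall("[#$/_%&\"'=]", var.override_special)) == 0
    error_message = "override_special must not contain any of #$/_%&\"'= (breaks PostgreSQL connection strings)."
  }
}

variable "consumer_account_id" {
  description = "AWS account that reads the shared secrets (assumed value, not a real account)"
  type        = string
  default     = "111111111111"

  validation {
    condition     = can(regex("^[0-9]{12}$", var.consumer_account_id))
    error_message = "consumer_account_id must be a 12-digit AWS account ID."
  }
}

locals {
  secrets = [
    {
      secret_name        = "svc_pgsql_reporting"
      secret_description = "PostgreSQL password for the reporting service, shared with the consumer account"
    }
  ]
}

module "shared_secrets" {
  source = "github.com/Coalfire-CF/terraform-aws-secretsmanager"

  partition = var.partition
  secrets   = local.secrets
  path      = "shared/" # assumed path value

  # Longer than the 15-character default; the min_* inputs keep their defaults of 1 each.
  length           = 24
  special          = true
  override_special = var.override_special

  # Customer-managed key from the setup state. The AWS-managed aws/secretsmanager key
  # cannot be used for cross-account reads, and this key's policy must also grant
  # kms:Decrypt to the consumer account; the secret resource policy alone is not enough.
  kms_key_id = data.terraform_remote_state.setup.outputs.sm_kms_key_id

  # shared = true attaches the module's resource policy granting the listed account access.
  shared            = true
  cross_account_ids = [var.consumer_account_id]
}

# Identity policy for roles in this (producer) account, taken straight from the module output.
resource "aws_iam_policy" "read_shared_secrets" {
  name   = "read-shared-secrets"
  policy = module.shared_secrets.secret_iam_policy_doc_json
}
```

From the consumer account the shared secret is read by its full ARN (for example `aws secretsmanager get-secret-value --secret-id <secret ARN>`), and the reading role there needs `secretsmanager:GetSecretValue` on that ARN plus `kms:Decrypt` on the producer's key in addition to the resource policies the producer attaches.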
Requirements

Name | Version |
---|---|
terraform | >=1.5.0 |
aws | ~> 5.0 |
random | ~> 3.0 |

Providers

Name | Version |
---|---|
aws | ~> 5.0 |
random | ~> 3.0 |

Modules

No modules.

Resources

Name | Type |
---|---|
aws_secretsmanager_secret.this | resource |
aws_secretsmanager_secret_policy.shared | resource |
aws_secretsmanager_secret_version.this | resource |
random_password.password | resource |
aws_iam_policy_document.resource_policy_MA | data source |
Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
cross_account_ids | A list of strings containing the account IDs of AWS accounts that should have cross-account access to these secrets (used when `shared = true`) | list(string) | null | no |
empty_value | Whether the secret should be created without a generated value | bool | false | no |
global_tags | A map of strings that contains global level tags | map(string) | {} | no |
kms_key_id | The ARN or alias of the AWS KMS key used to encrypt the secret values in the versions stored in each secret | string | n/a | yes |
length | The length of the password to be generated | number | 15 | no |
min_lower | Minimum number of lower case characters | number | 1 | no |
min_numeric | Minimum number of numeric characters | number | 1 | no |
min_special | Minimum number of special characters | number | 1 | no |
min_upper | Minimum number of upper case characters | number | 1 | no |
override_special | Provide your own list of special characters that the generated password may contain | string | "_%@!" | no |
partition | The AWS partition to use (for example `aws` or `aws-us-gov`) | string | n/a | yes |
path | Path to organize secrets | string | n/a | yes |
recovery_window_in_days | Number of days that AWS Secrets Manager waits before it can delete the secret (0 deletes immediately; otherwise 7 to 30) | number | 30 | no |
regional_tags | A map of strings that contains regional level tags | map(string) | {} | no |
secrets | List of maps, one per secret to create, each with a `secret_name` key and an optional `secret_description` | list(map(string)) | n/a | yes |
shared | Whether secrets should be shared across accounts (attaches a resource policy for `cross_account_ids`) | bool | false | no |
special | Include special characters in the random password string | bool | true | no |
tags | A mapping of tags to assign to the resource | map(string) | {} | no |
Outputs

Name | Description |
---|---|
names | Returns the list of secret names to be created |
path | Path to secret values |
secret_arns | The ARN values of the generated secrets |
secret_iam_policy_doc_json | JSON policy document to attach to roles that need to read the secrets, if desired |
secrets | Returns all secrets generated by the secrets manager module |
If you're interested in contributing to our projects, please review the Contributing Guidelines and send an email to our team to receive a copy of our CLA and start the onboarding process.
Copyright © 2023 Coalfire Systems Inc.