Merge pull request Coalfire-CF#9 from Coalfire-CF/issue8

Author: douglas-f

README.md

@@ -33,17 +33,31 @@ The below example is how you can call secrets manager module to create secrets a
 If secrets need to be shared between AWS accounts, set "shared = true" and also provide "cross_account_ids".
 
 ```hcl
+locals{
+  secrets = [
+    {
+    secret_name = "test123"
+    secret_description = "test service account for the 123 service"
+    }, 
+    {
+     secret_name = "svc_test456"
+    secret_description = ""
+    }
+  ]
+}
+
+
 module "secrets" {
   source = "github.com/Coalfire-CF/terraform-aws-secretsmanager"
   
   partition = var.partition
-  names = [""]
+  secrets = local.secrets
   length = 15
-  special = ""
+  special = true
   override_special = "$%&!"
   kms_key_id = data.terraform_remote_state.setup.sm_kms_key_id
   path = ""
-  shared = true
+  shared = false
   cross_account_ids = [""]
 }
 ```
@@ -91,12 +105,12 @@ No modules.
 | <a name="input_min_numeric"></a> [min\_numeric](#input\_min\_numeric) | Minimum number of numeric characters | `number` | `1` | no |
 | <a name="input_min_special"></a> [min\_special](#input\_min\_special) | Minimum number of special characters | `number` | `1` | no |
 | <a name="input_min_upper"></a> [min\_upper](#input\_min\_upper) | Minimum number of upper case characters | `number` | `1` | no |
-| <a name="input_names"></a> [names](#input\_names) | Specifies the friendly name of the new secrets to be created | `list(string)` | n/a | yes |
 | <a name="input_override_special"></a> [override\_special](#input\_override\_special) | Provide your own list of special characters | `string` | `"_%@!"` | no |
 | <a name="input_partition"></a> [partition](#input\_partition) | The AWS partition to use | `string` | n/a | yes |
 | <a name="input_path"></a> [path](#input\_path) | Path to organize secrets | `string` | n/a | yes |
 | <a name="input_recovery_window_in_days"></a> [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | Number of days that AWS Secrets Manager waits before it can delete the secret. | `number` | `30` | no |
 | <a name="input_regional_tags"></a> [regional\_tags](#input\_regional\_tags) | a map of strings that contains regional level tags | `map(string)` | `{}` | no |
+| <a name="input_secrets"></a> [secrets](#input\_secrets) | Specifies the friendly name of the new secrets to be created as key and an optional value field for descriptions | `list(map(string))` | n/a | yes |
 | <a name="input_shared"></a> [shared](#input\_shared) | Whether secrets should be shared across accounts. | `bool` | `false` | no |
 | <a name="input_special"></a> [special](#input\_special) | Include special characters in random password string | `bool` | `true` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to the resource | `map(string)` | `{}` | no |

locals.tf

@@ -0,0 +1,3 @@
+#locals {
+#  secret_input = [for k, v in var.secret_naming_descrip : v if length(regexall(".*", k)) > 0]
+#}

main.tf

@@ -1,15 +1,17 @@
 resource "aws_secretsmanager_secret" "this" {
-  for_each                = toset(var.names)
-  name                    = "${var.path}${each.value}"
+  for_each                = {for s in var.secrets : s.secret_name => s}
+  name                    = "${var.path}${each.key}"
+  description             = coalesce(each.value.secret_description, "secret for ${each.key}")
   kms_key_id              = var.kms_key_id
   tags                    = merge(var.tags, var.global_tags, var.regional_tags)
   policy                  = var.shared ? null : "{}"
   recovery_window_in_days = var.recovery_window_in_days
 }
+
 resource "aws_secretsmanager_secret_policy" "shared" {
-  for_each = var.shared ? toset(var.names) : []
+  for_each = var.shared ? {for s in var.secrets : s.secret_name => s} : {}
 
-  secret_arn = aws_secretsmanager_secret.this[each.key].arn
+  secret_arn = aws_secretsmanager_secret.this["${each.key}"].arn
 
   policy = data.aws_iam_policy_document.resource_policy_MA.json
 }
@@ -23,20 +25,18 @@ data "aws_iam_policy_document" "resource_policy_MA" {
         "secretsmanager:ListSecrets",
         "secretsmanager:GetSecretValue",
         "secretsmanager:DescribeSecret",
-        "secretsmanager:ListSecretVersionIds"
-      ]
+        "secretsmanager:ListSecretVersionIds" ]
       resources = values(aws_secretsmanager_secret.this)[*].arn
       principals {
-        identifiers = [
-        "arn:${var.partition}:iam::${statement.value}:root"]
+        identifiers = [ "arn:${var.partition}:iam::${statement.value}:root"]
         type = "AWS"
       }
     }
   }
 }
 
 resource "aws_secretsmanager_secret_version" "this" {
-  for_each      = var.empty_value ? [] : toset(var.names)
+  for_each      = var.empty_value ? {} : {for s in var.secrets : s.secret_name => s}
   secret_id     = aws_secretsmanager_secret.this[each.key].id
   secret_string = random_password.password[each.key].result
 
@@ -48,7 +48,7 @@ resource "aws_secretsmanager_secret_version" "this" {
 }
 
 resource "random_password" "password" {
-  for_each         = var.empty_value ? [] : toset(var.names)
+  for_each         = var.empty_value ? {} : {for s in var.secrets : s.secret_name => s}
   length           = var.length
   special          = var.special
   override_special = var.override_special

outputs.tf

@@ -14,7 +14,7 @@ output "secrets" {
 }
 
 output "names" {
-  value       = var.names
+  value       = values(aws_secretsmanager_secret.this)[*].name
   description = "Returns list of secret names to be created."
 }
 

variables.tf

@@ -1,6 +1,6 @@
-variable "names" {
-  type        = list(string)
-  description = "Specifies the friendly name of the new secrets to be created"
+variable "secrets" {
+  type        = list(map(string))
+  description = "Specifies the friendly name of the new secrets to be created as key and an optional value field for descriptions"
 }
 
 variable "length" {