terraform-aws-modules/terraform-aws-secrets-manager

AWS Secrets Manager Terraform module

Terraform module which creates AWS Secrets Manager resources.

Usage

See the examples directory for working examples to reference:

Standard

module "secrets_manager" {
  source = "terraform-aws-modules/secrets-manager/aws"

  # Secret
  name_prefix             = "example"
  description             = "Example Secrets Manager secret"
  recovery_window_in_days = 30

  # Policy (resource-based policy attached to the secret)
  create_policy       = true
  block_public_policy = true
  policy_statements = {
    read = {
      sid = "AllowAccountRead"
      # Naming the account root as principal delegates the decision to the
      # IAM identity policies of that account; it does not by itself grant
      # every principal in the account access to the value.
      principals = [{
        type        = "AWS"
        identifiers = ["arn:aws:iam::123456789012:root"]
      }]
      actions = ["secretsmanager:GetSecretValue"]
      # A secret's resource policy applies only to that secret, so "*" here
      # means "this secret", not "all secrets".
      resources = ["*"]
    }
  }

  # Version (the generated password becomes the stored secret value)
  create_random_password           = true
  random_password_length           = 64
  random_password_override_special = "!@#$%^&*()_+"

  tags = {
    Environment = "Development"
    Project     = "Example"
  }
}

w/ Rotation

module "secrets_manager" {
  source = "terraform-aws-modules/secrets-manager/aws"

  # Secret
  name_prefix             = "rotated-example"
  description             = "Rotated example Secrets Manager secret"
  recovery_window_in_days = 7

  # Policy
  create_policy       = true
  block_public_policy = true
  policy_statements = {
    # The rotation function's execution role needs read and write on the
    # secret. These four resource-level actions are what the AWS-provided
    # rotation functions call (GetRandomPassword is not resource-scoped and
    # belongs in the function role's identity policy).
    lambda = {
      sid = "LambdaReadWrite"
      principals = [{
        type        = "AWS"
        identifiers = ["arn:aws:iam::123456789012:role/lambda-function"]
      }]
      actions = [
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecretVersionStage",
      ]
      resources = ["*"]
    }
    # Other principals in the account may read metadata only, not the value
    read = {
      sid = "AllowAccountRead"
      principals = [{
        type        = "AWS"
        identifiers = ["arn:aws:iam::123456789012:root"]
      }]
      actions   = ["secretsmanager:DescribeSecret"]
      resources = ["*"]
    }
  }

  # Version
  # The rotation function rewrites the value outside Terraform. Without this
  # setting the next apply would revert the rotated credential to the initial
  # one below, breaking whatever already picked up the rotated password.
  ignore_secret_changes = true
  # Key names expected by the AWS-provided RDS rotation functions. The initial
  # password is a bootstrap value; note that it is stored in Terraform state
  # in plaintext like any other secret_string.
  secret_string = jsonencode({
    engine   = "mariadb"
    host     = "mydb.cluster-123456789012.us-east-1.rds.amazonaws.com"
    username = "Bill"
    password = "ThisIsMySuperSecretString12356!&*()"
    dbname   = "example"
    port     = 3306
  })

  # Rotation
  enable_rotation     = true
  rotation_lambda_arn = "arn:aws:lambda:us-east-1:123456789012:function:my-function"
  rotation_rules = {
    # Four hours is the shortest interval Secrets Manager accepts for a
    # rate() expression; use a longer period that matches your credential
    # policy in production
    schedule_expression = "rate(4 hours)"
  }

  tags = {
    Environment = "Development"
    Project     = "Example"
  }
}

Examples

Examples codified under the examples directory are intended to give users references for how to use the module(s), as well as to test and validate changes to the module source code. If contributing to the project, please make any appropriate updates to the relevant examples so that maintainers can test your changes and the examples stay up to date for users. Thank you!

Requirements

Name       Version
terraform  >= 1.0
aws        >= 5.0
random     >= 3.0

Providers

Name    Version
aws     >= 5.0
random  >= 3.0

Modules

No modules.

Resources

Name                                                  Type
aws_secretsmanager_secret.this                        resource
aws_secretsmanager_secret_policy.this                 resource
aws_secretsmanager_secret_rotation.this               resource
aws_secretsmanager_secret_version.ignore_changes      resource
aws_secretsmanager_secret_version.this                resource
random_password.this                                  resource
aws_iam_policy_document.this                          data source

Inputs

Each input is listed as name (type, default): description. No input is required.

block_public_policy (bool, default null): Makes an optional API call to Zelkova to validate the resource policy and reject one that would grant broad (public) access to the secret.
create (bool, default true): Determines whether resources will be created (affects all resources).
create_policy (bool, default false): Determines whether a resource policy will be created and attached to the secret.
create_random_password (bool, default false): Determines whether a random password will be generated.
description (string, default null): A description of the secret.
enable_rotation (bool, default false): Determines whether secret rotation is enabled.
force_overwrite_replica_secret (bool, default null): Whether to overwrite a secret with the same name in the destination Region.
ignore_secret_changes (bool, default false): Determines whether Terraform will ignore changes made externally to secret_string or secret_binary. Set it to true for secrets written by a rotation function, otherwise the next apply reverts the rotated value. Changing this value after creation is a destructive operation: the secret version is recreated.
kms_key_id (string, default null): ARN or ID of the AWS KMS key used to encrypt the secret values in the versions stored in this secret. To reference a CMK in a different account you must use the key ARN. If not specified, Secrets Manager uses the account's default KMS key (the one named aws/secretsmanager).
name (string, default null): Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@-
name_prefix (string, default null): Creates a unique name beginning with the specified prefix.
override_policy_documents (list(string), default []): List of IAM policy documents that are merged into the exported document. In merging, statements with non-blank sids override statements with the same sid.
policy_statements (map(any), default {}): A map of IAM policy statements for custom permission usage.
random_password_length (number, default 32): The length of the generated random password.
random_password_override_special (string, default "!@#$%&*()-_=+[]{}<>:?"): Supply your own list of special characters to use for string generation. This overrides the default character list in the special argument.
recovery_window_in_days (number, default null): Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery, or range from 7 to 30 days. The default value is 30.
replica (map(any), default {}): Configuration block to support secret replication.
rotation_lambda_arn (string, default ""): Specifies the ARN of the Lambda function that can rotate the secret.
rotation_rules (map(any), default {}): A structure that defines the rotation configuration for this secret.
secret_binary (string, default null): Specifies binary data that you want to encrypt and store in this version of the secret. Required if secret_string is not set. Must be base64-encoded.
secret_string (string, default null): Specifies text data that you want to encrypt and store in this version of the secret. Required if secret_binary is not set.
source_policy_documents (list(string), default []): List of IAM policy documents that are merged into the exported document. Statements must have unique sids.
tags (map(string), default {}): A map of tags to add to all resources.
version_stages (list(string), default null): Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret.

Outputs

Name               Description
secret_arn         The ARN of the secret
secret_binary      The secret binary
secret_id          The ID of the secret
secret_name        The name of the secret
secret_replica     Attributes of the replica created
secret_string      The secret string
secret_version_id  The unique identifier of the version of the secret
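
The following is an added example and not part of this module or its README. It shows how a consumer of the module would use the secret_arn output above to grant one workload role least-privilege read access, and how to keep the value itself out of root-module outputs. It assumes the module block is named "secrets_manager" as in the usage examples and that an aws_iam_role.app for the workload is defined elsewhere in the configuration; both names are placeholders.

```hcl
# Added example (not the module's own code). Assumes module "secrets_manager"
# from the usage examples and a role aws_iam_role.app defined elsewhere.

# Identity policy for the workload role: only the two read actions, and only
# on the one secret the module created. Never use resources = ["*"] in an
# identity policy for GetSecretValue.
data "aws_iam_policy_document" "app_read_secret" {
  statement {
    sid    = "ReadOneSecret"
    effect = "Allow"
    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
    ]
    resources = [module.secrets_manager.secret_arn]
  }
}

resource "aws_iam_role_policy" "app_read_secret" {
  name   = "read-secret"
  role   = aws_iam_role.app.id
  policy = data.aws_iam_policy_document.app_read_secret.json
}

# Expose the ARN, which is safe to print. If the value itself must be an
# output, mark it sensitive so it is redacted from plan and apply output.
output "app_secret_arn" {
  value = module.secrets_manager.secret_arn
}

output "app_secret_value" {
  value     = module.secrets_manager.secret_string
  sensitive = true
}
```

Two checks worth doing before relying on this. First, a resource policy that names the account root (as in the Standard example) only delegates to IAM; the role still needs the identity-policy allow above, and conversely this identity policy is not enough if the resource policy explicitly denies the role. Second, if the secret was created with kms_key_id pointing at a customer-managed key, the role also needs kms:Decrypt on that key or GetSecretValue fails with an access-denied error. Also remember that sensitive = true only redacts CLI output: the generated random_password and the secret_string are stored in Terraform state in plaintext, so the state backend must be treated as secret material.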

License

Apache-2.0 Licensed. See LICENSE.