From 97b6f4dc44c2530cd1c043fff8367c18992d1629 Mon Sep 17 00:00:00 2001
From: Serhii Kaidalov
Date: Wed, 1 Mar 2023 08:33:02 +0100
Subject: [PATCH] separate secrets replication configuration

---
 README.md | 46 ++++++++++++++++++++++++++++++++++++++++++++--
 main.tf | 2 +-
 variables.tf | 6 ------
 3 files changed, 45 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 6ab72b6..82efe90 100644
--- a/README.md
+++ b/README.md
@@ -211,6 +211,49 @@ module "secrets-manager-5" {
 }
 ```
 
+## Secrets replication
+
+You can define different type of secrets (string, key/value or binary) in the same `secrets` or `rotate_secrets` map:
+
+```
+module "secrets-manager-6" {
+
+ source = "lgallard/secrets-manager/aws"
+
+ secrets = {
+ secret-plain = {
+ description = "My plain text secret"
+ recovery_window_in_days = 7
+ secret_string = "This is an example"
+ replica_regions = {
+ us-west-2 = "arn:aws:kms:us-west-2:1234567890:key/12345678-1234-1234-1234-123456789012"
+ }
+ },
+ secret-key-value = {
+ description = "This is a key/value secret"
+ secret_key_value = {
+ username = "user"
+ password = "topsecret"
+ }
+ replica_regions = {
+ us-west-1 = "arn:aws:kms:us-west-1:1234567890:key/12345678-1234-1234-1234-123456789012"
+ }
+ tags = {
+ app = "web"
+ }
+ recovery_window_in_days = 7
+ },
+ }
+
+ tags = {
+ Owner = "DevOps team"
+ Environment = "dev"
+ Terraform = true
+ }
+
+}
+```
+
 ## Version 0.5.0+ breaking changes
 
 Issue [#13](https://github.com/lgallard/terraform-aws-secrets-manager/issues/13) highlighted the fact that changing the secrets order will recreate the secrets (for example, adding a new secret in the top of the list o removing a secret that is not the last one). The suggested approach to tackle this issue was to use `for_each` to iterate over a map of secrets.
@@ -283,7 +326,7 @@ Successfully moved 1 object(s).
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | 4.28.0 |
+| [aws](#provider\_aws) | 4.56.0 |
 
 ## Modules
 
@@ -307,7 +350,6 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [automatically\_after\_days](#input\_automatically\_after\_days) | Specifies the number of days between automatic scheduled rotations of the secret. | `number` | `30` | no |
 | [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | Specifies the number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. | `number` | `30` | no |
-| [replica\_regions](#input\_replica\_regions) | Map of regions to replicate the secret as the key and related kms\_key\_id as the value | `map(any)` | `{}` | no |
 | [rotate\_secrets](#input\_rotate\_secrets) | Map of secrets to keep and rotate in AWS Secrets Manager | `any` | `{}` | no |
 | [secrets](#input\_secrets) | Map of secrets to keep in AWS Secrets Manager | `any` | `{}` | no |
 | [tags](#input\_tags) | Specifies a key-value map of user-defined tags that are attached to the secret. | `any` | `{}` | no |
diff --git a/main.tf b/main.tf
index 3d83f56..63769c0 100644
--- a/main.tf
+++ b/main.tf
@@ -8,7 +8,7 @@ resource "aws_secretsmanager_secret" "sm" {
 recovery_window_in_days = lookup(each.value, "recovery_window_in_days", var.recovery_window_in_days)
 tags = merge(var.tags, lookup(each.value, "tags", null))
 dynamic "replica" {
- for_each = var.replica_regions
+ for_each = lookup(each.value, "replica_regions", {})
 content {
 region = replica.key
 kms_key_id = replica.value
diff --git a/variables.tf b/variables.tf
index 456f49f..607379d 100644
--- a/variables.tf
+++ b/variables.tf
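Review bot: The README added in this same commit states that `replica_regions` may be set in either the `secrets` or the `rotate_secrets` map, but the only resource touched here is `aws_secretsmanager_secret.sm`; if rotated secrets are created by a separate `aws_secretsmanager_secret` resource outside this hunk, it still carries no per-secret replica block and that claim is unmet, so either apply the same `dynamic "replica"` lookup there or narrow the README sentence to `secrets`. Dropping `var.replica_regions` turns any existing module-level replication setting into a plan-time "unsupported argument" error rather than a migrated value, which is safer than silently losing replicas but is still a breaking change that belongs in the README's breaking-changes section, e.g. "replication moved from the module-level `replica_regions` variable to a per-secret `replica_regions` map". Because `each.value` comes from an `any`-typed variable, a caller who writes `replica_regions = null` gets `null` back from `lookup` and the dynamic block's `for_each` will reject it; `for_each = coalesce(lookup(each.value, "replica_regions", null), {})` tolerates that without changing the default. The enclosing `resource "aws_secretsmanager_secret" "sm"` block begins and ends outside the hunk.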
@@ -18,12 +18,6 @@ variable "secrets" {
 default = {}
 }
 
-variable "replica_regions" {
- description = "Map of regions to replicate the secret as the key and related kms_key_id as the value"
- type = map(any)
- default = {}
-}
-
 variable "unmanaged" {
 description = "Terraform must ignore secrets lifecycle. Using this option you can initialize the secrets and rotate them outside Terraform, thus, avoiding other users to change or rotate the secrets by subsequent runs of Terraform"
 type = bool