# Identity of the credentials running this apply. Only account_id is read,
# to scope the default secret policy to the deploying account.
data "aws_caller_identity" "this" {
}
# Random suffix appended to the fixed "test-secret-" name so repeated
# deployments in the same account do not collide on the secret name.
# Two bytes rendered as decimal gives at most 65536 distinct suffixes.
resource "random_id" "rid" {
  byte_length = 2
}
# The secret container. Its value lives in the companion
# aws_secretsmanager_secret_version resource, its access policy in
# aws_secretsmanager_secret_policy.
resource "aws_secretsmanager_secret" "secret1" {
  description = var.secret_description

  # Name prefix is fixed; only the numeric suffix varies per deployment.
  name = "test-secret-${random_id.rid.dec}"

  # NOTE(review): no kms_key_id is set, so encryption falls back to the
  # AWS-managed Secrets Manager key. If this secret must ever be read from
  # another account, a customer-managed KMS key is required — confirm intent.
  # NOTE(review): recovery_window_in_days is left at the provider default,
  # so a destroy schedules deletion rather than removing the secret at once.
}
# Stores var.secret_value as the current version of the secret.
#
# Security note: the value is written verbatim to Terraform state, so the
# state backend must be treated as holding the secret in plaintext (encrypted
# backend, restricted read access). var.secret_value should be declared
# `sensitive = true` where it is defined so plan/apply output redacts it —
# that declaration is not visible in this file; confirm it.
resource "aws_secretsmanager_secret_version" "this" {
  secret_string = var.secret_value
  secret_id     = aws_secretsmanager_secret.secret1.id
}
# Default resource policy used when the caller does not supply one:
# allow GetSecretValue for principals in the deploying account.
#
# Per AWS resource-policy semantics, naming the account root as principal
# delegates the decision to that account's IAM policies — a caller still
# needs an identity-based grant of secretsmanager:GetSecretValue. It does not
# by itself hand the secret to every principal in the account.
data "aws_iam_policy_document" "policy-file" {
  statement {
    sid    = "DefaultAllowReadFromSameAccount"
    effect = "Allow"

    # In a policy attached to a secret, "*" can only denote that secret, so
    # this is not a wildcard over other secrets in the account.
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["*"]

    principals {
      type = "AWS"
      # NOTE(review): the "aws" partition is hard-coded; a deployment in
      # aws-us-gov or aws-cn would need the partition taken from the
      # aws_partition data source instead.
      identifiers = [format("arn:aws:iam::%s:root", data.aws_caller_identity.this.account_id)]
    }
  }
}
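# Attaches either the caller-supplied policy (var.secret_policy) or the
# same-account default from data.aws_iam_policy_document.policy-file.
#
# A non-null var.secret_policy replaces the default entirely and is applied
# as-is, so it is the one place where cross-account or overly broad access
# can be introduced into this module. block_public_policy asks Secrets
# Manager to validate the document on PutResourcePolicy and fail the apply
# if it grants public access (for example Principal "*" without a
# restricting condition) rather than silently exposing the secret.
resource "aws_secretsmanager_secret_policy" "policy" {
  secret_arn = aws_secretsmanager_secret.secret1.arn

  # Fail closed on public policies; the default same-account policy is
  # unaffected. Needs an AWS provider version that supports this argument.
  block_public_policy = true

  # Explicit null test rather than coalesce(): coalesce() would also treat an
  # empty-string policy as unset, which is not the intended contract.
  policy = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json
}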