FEAT: generate_secret is now supported
This commit is contained in:
parent
7af398e6fc
commit
03f2c0c711
GPG Key ID:
CD4FF6793F09AB86
@ -3,14 +3,27 @@ This module creates an entry in secretsmanager, attaching a default access polic
|
|||||||
not provided from root module. A random suffix is assigned to every secret, as AWS may delay
|
not provided from root module. A random suffix is assigned to every secret, as AWS may delay
|
||||||
creation of secrets with the same name, after the old one has been destroyed that is.
|
creation of secrets with the same name, after the old one has been destroyed that is.
|
||||||
|
|
||||||
|
The default policy attached to secretsmanager prevents cross-account access.
|
||||||
|
|
||||||
|
To have this module generate a random password, set ```generate_secret``` to true.
|
||||||
|
|
||||||
To tag resources, please use provider default_tags.
|
To tag resources, please use provider default_tags.
|
||||||
|
|
||||||
## Example
|
## Example
|
||||||
```hcl
|
```hcl
|
||||||
module secret_item {
|
module "secret1" {
|
||||||
source = "../../modules/security_identity_compliance/secretsmanager-secret"
|
source = "../../modules/security_identity_compliance/secretsmanager-secret"
|
||||||
|
|
||||||
secret_description = "test-secret-desc"
|
secret_name = "test-secret-name-1"
|
||||||
|
secret_description = "test-secret-desc-1"
|
||||||
secret_value = "test-secret-value"
|
secret_value = "test-secret-value"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
module "secret2" {
|
||||||
|
source = "../../modules/security_identity_compliance/secretsmanager-secret"
|
||||||
|
|
||||||
|
secret_name = "test-secret-name-2"
|
||||||
|
secret_description = "test-secret-desc-3"
|
||||||
|
generate_secret = true
|
||||||
|
}
|
||||||
```
|
```
|
||||||
@ -11,22 +11,13 @@ resource "aws_secretsmanager_secret" "secret1" {
|
|||||||
|
|
||||||
resource "aws_secretsmanager_secret_version" "this" {
|
resource "aws_secretsmanager_secret_version" "this" {
|
||||||
secret_id = aws_secretsmanager_secret.secret1.id
|
secret_id = aws_secretsmanager_secret.secret1.id
|
||||||
secret_string = var.secret_value
|
secret_string = var.generate_secret ? random_password.this[0].result : var.secret_value
|
||||||
}
|
}
|
||||||
|
|
||||||
data "aws_iam_policy_document" "policy-file" {
|
resource "random_password" "this" {
|
||||||
statement {
|
count = var.generate_secret ? 1 : 0
|
||||||
sid = "DefaultAllowReadFromSameAccount"
|
length = 22
|
||||||
effect = "Allow"
|
special = true
|
||||||
|
|
||||||
principals {
|
|
||||||
type = "AWS"
|
|
||||||
identifiers = ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"]
|
|
||||||
}
|
|
||||||
|
|
||||||
actions = ["secretsmanager:GetSecretValue"]
|
|
||||||
resources = ["*"]
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "aws_secretsmanager_secret_policy" "policy" {
|
resource "aws_secretsmanager_secret_policy" "policy" {
|
||||||
@ -34,3 +25,23 @@ resource "aws_secretsmanager_secret_policy" "policy" {
|
|||||||
policy = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json
|
policy = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json
|
||||||
}
|
}
|
||||||
|
|
||||||
|
data "aws_iam_policy_document" "policy-file" {
|
||||||
|
statement {
|
||||||
|
sid = "DenyCrossAccountAccess"
|
||||||
|
effect = "Deny"
|
||||||
|
|
||||||
|
principals {
|
||||||
|
identifiers = ["*"]
|
||||||
|
type = "AWS"
|
||||||
|
}
|
||||||
|
|
||||||
|
condition {
|
||||||
|
test = "StringNotEquals"
|
||||||
|
values = [data.aws_caller_identity.this.account_id]
|
||||||
|
variable = "aws:PrincipalAccount"
|
||||||
|
}
|
||||||
|
|
||||||
|
actions = ["secretsmanager:GetSecretValue"]
|
||||||
|
resources = [aws_secretsmanager_secret.secret1.arn]
|
||||||
|
}
|
||||||
|
}
|
||||||
@ -1,6 +1,12 @@
|
|||||||
output secret_arn {
|
output "secret_arn" {
|
||||||
value = aws_secretsmanager_secret.secret1.arn
|
value = aws_secretsmanager_secret.secret1.arn
|
||||||
}
|
}
|
||||||
output secret_id {
|
|
||||||
|
output "secret_id" {
|
||||||
value = "${var.secret_name}-${random_id.rid.dec}"
|
value = "${var.secret_name}-${random_id.rid.dec}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
output "generated_password" {
|
||||||
|
value = try(random_password.this[0].result, "None")
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
@ -1,7 +1,17 @@
|
|||||||
variable "secret_description" {}
|
variable "secret_description" {}
|
||||||
variable "secret_name" {}
|
variable "secret_name" {}
|
||||||
variable "secret_value" {}
|
variable "secret_value" {
|
||||||
variable "secret_policy" {
|
|
||||||
type = string
|
type = string
|
||||||
default = null
|
default = null
|
||||||
}
|
}
|
||||||
|
variable "secret_policy" {
|
||||||
|
type = string
|
||||||
|
default = null
|
||||||
|
description = "By default, cross-account access is denied"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "generate_secret" {
|
||||||
|
type = bool
|
||||||
|
default = false
|
||||||
|
description = "If set to true, a secure password will be generated and saved."
|
||||||
|
}
|
||||||
Loading…
Reference in New Issue
Block a user