FEAT: generate_secret is now supported

This commit is contained in:
xpk 2023-12-21 17:47:41 +08:00
parent 7af398e6fc
commit 03f2c0c711
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
4 changed files with 60 additions and 20 deletions

View File

@ -3,14 +3,27 @@ This module creates an entry in secretsmanager, attaching a default access polic
not provided from root module. A random suffix is assigned to every secret, as AWS may delay not provided from root module. A random suffix is assigned to every secret, as AWS may delay
creation of secrets with the same name, after the old one has been destroyed that is. creation of secrets with the same name, after the old one has been destroyed that is.
The default policy attached to secretsmanager prevents cross-account access.
To have this module generate a random password, set ```generate_secret``` to true.
To tag resources, please use provider default_tags. To tag resources, please use provider default_tags.
## Example ## Example
```hcl ```hcl
module secret_item { module "secret1" {
source = "../../modules/security_identity_compliance/secretsmanager-secret" source = "../../modules/security_identity_compliance/secretsmanager-secret"
secret_description = "test-secret-desc" secret_name = "test-secret-name-1"
secret_description = "test-secret-desc-1"
secret_value = "test-secret-value" secret_value = "test-secret-value"
} }
module "secret2" {
source = "../../modules/security_identity_compliance/secretsmanager-secret"
secret_name = "test-secret-name-2"
secret_description = "test-secret-desc-3"
generate_secret = true
}
``` ```

View File

@ -11,22 +11,13 @@ resource "aws_secretsmanager_secret" "secret1" {
resource "aws_secretsmanager_secret_version" "this" { resource "aws_secretsmanager_secret_version" "this" {
secret_id = aws_secretsmanager_secret.secret1.id secret_id = aws_secretsmanager_secret.secret1.id
secret_string = var.secret_value secret_string = var.generate_secret ? random_password.this[0].result : var.secret_value
} }
data "aws_iam_policy_document" "policy-file" { resource "random_password" "this" {
statement { count = var.generate_secret ? 1 : 0
sid = "DefaultAllowReadFromSameAccount" length = 22
effect = "Allow" special = true
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"]
}
actions = ["secretsmanager:GetSecretValue"]
resources = ["*"]
}
} }
resource "aws_secretsmanager_secret_policy" "policy" { resource "aws_secretsmanager_secret_policy" "policy" {
@ -34,3 +25,23 @@ resource "aws_secretsmanager_secret_policy" "policy" {
policy = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json policy = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json
} }
data "aws_iam_policy_document" "policy-file" {
statement {
sid = "DenyCrossAccountAccess"
effect = "Deny"
principals {
identifiers = ["*"]
type = "AWS"
}
condition {
test = "StringNotEquals"
values = [data.aws_caller_identity.this.account_id]
variable = "aws:PrincipalAccount"
}
actions = ["secretsmanager:GetSecretValue"]
resources = [aws_secretsmanager_secret.secret1.arn]
}
}

View File

@ -1,6 +1,12 @@
output secret_arn { output "secret_arn" {
value = aws_secretsmanager_secret.secret1.arn value = aws_secretsmanager_secret.secret1.arn
} }
output secret_id {
output "secret_id" {
value = "${var.secret_name}-${random_id.rid.dec}" value = "${var.secret_name}-${random_id.rid.dec}"
}
output "generated_password" {
value = try(random_password.this[0].result, "None")
sensitive = true
} }

View File

@ -1,7 +1,17 @@
variable "secret_description" {} variable "secret_description" {}
variable "secret_name" {} variable "secret_name" {}
variable "secret_value" {} variable "secret_value" {
variable "secret_policy" {
type = string type = string
default = null default = null
}
variable "secret_policy" {
type = string
default = null
description = "By default, cross-account access is denied"
}
variable "generate_secret" {
type = bool
default = false
description = "If set to true, a secure password will be generated and saved."
} }