FEAT: generate_secret is now supported

modules/security_identity_compliance/secretsmanager-secret/README.md

@@ -3,14 +3,27 @@ This module creates an entry in secretsmanager, attaching a default access polic
 not provided from root module. A random suffix is assigned to every secret, as AWS may delay
 creation of secrets with the same name, after the old one has been destroyed that is.
 
+The default policy attached to secretsmanager prevents cross-account access.
+
+To have this module generate a random password, set ```generate_secret``` to true.
+
 To tag resources, please use provider default_tags.
 
 ## Example
 ```hcl
-module secret_item {
+module "secret1" {
   source = "../../modules/security_identity_compliance/secretsmanager-secret"
 
-  secret_description = "test-secret-desc"
+  secret_name        = "test-secret-name-1"
+  secret_description = "test-secret-desc-1"
   secret_value       = "test-secret-value"
 }
+
+module "secret2" {
+  source = "../../modules/security_identity_compliance/secretsmanager-secret"
+
+  secret_name        = "test-secret-name-2"
+  secret_description = "test-secret-desc-3"
+  generate_secret    = true
+}
 ```

modules/security_identity_compliance/secretsmanager-secret/main.tf

@@ -11,22 +11,13 @@ resource "aws_secretsmanager_secret" "secret1" {
 
 resource "aws_secretsmanager_secret_version" "this" {
   secret_id     = aws_secretsmanager_secret.secret1.id
-  secret_string = var.secret_value
+  secret_string = var.generate_secret ? random_password.this[0].result : var.secret_value
 }
 
-data "aws_iam_policy_document" "policy-file" {
-  statement {
-    sid    = "DefaultAllowReadFromSameAccount"
-    effect = "Allow"
-
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"]
-    }
-
-    actions   = ["secretsmanager:GetSecretValue"]
-    resources = ["*"]
-  }
+resource "random_password" "this" {
+  count   = var.generate_secret ? 1 : 0
+  length  = 22
+  special = true
 }
 
 resource "aws_secretsmanager_secret_policy" "policy" {
@@ -34,3 +25,23 @@ resource "aws_secretsmanager_secret_policy" "policy" {
   policy     = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json
 }
 
+data "aws_iam_policy_document" "policy-file" {
+  statement {
+    sid    = "DenyCrossAccountAccess"
+    effect = "Deny"
+
+    principals {
+      identifiers = ["*"]
+      type        = "AWS"
+    }
+
+    condition {
+      test     = "StringNotEquals"
+      values   = [data.aws_caller_identity.this.account_id]
+      variable = "aws:PrincipalAccount"
+    }
+
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = [aws_secretsmanager_secret.secret1.arn]
+  }
+}

modules/security_identity_compliance/secretsmanager-secret/outputs.tf

@@ -1,6 +1,12 @@
-output secret_arn {
+output "secret_arn" {
   value = aws_secretsmanager_secret.secret1.arn
 }
-output secret_id {
+
+output "secret_id" {
   value = "${var.secret_name}-${random_id.rid.dec}"
 }
+
+output "generated_password" {
+  value     = try(random_password.this[0].result, "None")
+  sensitive = true
+}

modules/security_identity_compliance/secretsmanager-secret/variables.tf

@@ -1,7 +1,17 @@
 variable "secret_description" {}
 variable "secret_name" {}
-variable "secret_value" {}
-variable "secret_policy" {
+variable "secret_value" {
   type    = string
   default = null
 }
+variable "secret_policy" {
+  type        = string
+  default     = null
+  description = "By default, cross-account access is denied"
+}
+
+variable "generate_secret" {
+  type        = bool
+  default     = false
+  description = "If set to true, a secure password will be generated and saved."
+}