From 1c9975d74965c353d86220d9e7a5a437c3da9479 Mon Sep 17 00:00:00 2001
From: xpk
Date: Tue, 13 Jun 2023 15:32:02 +0800
Subject: [PATCH] NEW: simple secretsmanager module
---
 .../secretsmanager-secret/main.tf | 35 +++++++++++++++++++
 .../secretsmanager-secret/provider.tf | 15 ++++++++
 .../secretsmanager-secret/variables.tf | 7 ++++
 3 files changed, 57 insertions(+)
 create mode 100644 modules/security_identity_compliance/secretsmanager-secret/main.tf
 create mode 100644 modules/security_identity_compliance/secretsmanager-secret/provider.tf
 create mode 100644 modules/security_identity_compliance/secretsmanager-secret/variables.tf
diff --git a/modules/security_identity_compliance/secretsmanager-secret/main.tf b/modules/security_identity_compliance/secretsmanager-secret/main.tf
new file mode 100644
index 0000000..2287957
--- /dev/null
+++ b/modules/security_identity_compliance/secretsmanager-secret/main.tf
@@ -0,0 +1,35 @@
+data "aws_caller_identity" "this" {}
+
+resource "random_id" "rid" {
+ byte_length = 2
+}
+
+resource "aws_secretsmanager_secret" "secret1" {
+ name = "test-secret-${random_id.rid.dec}"
+ description = var.secret_description
+}
+
+resource "aws_secretsmanager_secret_version" "this" {
+ secret_id = aws_secretsmanager_secret.secret1.id
+ secret_string = jsonencode({ (var.secret_description) : var.secret_value })
+}
+
+data "aws_iam_policy_document" "policy-file" {
+ statement {
+ sid = "DefaultAllowReadFromSameAccount"
+ effect = "Allow"
+
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.this.account_id}:root"]
+ }
+
+ actions = ["secretsmanager:GetSecretValue"]
+ resources = ["*"]
+ }
+}
+
+resource "aws_secretsmanager_secret_policy" "policy" {
+ secret_arn = aws_secretsmanager_secret.secret1.arn
+ policy = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json
+}
\ No newline at end of file
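Review bot: On the `secret_string` line the JSON key of the payload is `var.secret_description`, a free-text field that is also written to the secret's metadata as `description`; a later description edit silently renames the key consumers look up, so the key should come from a dedicated variable. The `aws_secretsmanager_secret` block sets neither `kms_key_id` nor `recovery_window_in_days`, so the secret is encrypted under the AWS-managed key and keeps the provider's default deletion window; exposing both as inputs defaulting to `null` keeps current behaviour while letting callers supply a customer-managed key. The `random_id` suffix has two bytes of entropy and the `test-secret-` prefix is hard-coded, so names can collide with a secret still inside its recovery window and the module cannot be reused for a non-test secret; the prefix should be a variable and the suffix widened. The `DefaultAllowReadFromSameAccount` statement grants the account root principal, which is what IAM already permits without a resource policy, so it should be documented as a placeholder or removed. The new variables below (`secret_name_prefix`, `secret_key`, `kms_key_id`, `recovery_window_in_days`) are proposed names that would be declared in `variables.tf`.
```hcl
resource "aws_secretsmanager_secret" "secret1" {
  name                    = "${var.secret_name_prefix}-${random_id.rid.hex}"
  description             = var.secret_description
  kms_key_id              = var.kms_key_id              # null keeps the AWS-managed key
  recovery_window_in_days = var.recovery_window_in_days # null keeps the provider default
}

resource "aws_secretsmanager_secret_version" "this" {
  secret_id     = aws_secretsmanager_secret.secret1.id
  secret_string = jsonencode({ (var.secret_key) : var.secret_value })
}
# … unchanged: aws_caller_identity data source, random_id, policy document, secret policy …
```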
diff --git a/modules/security_identity_compliance/secretsmanager-secret/provider.tf b/modules/security_identity_compliance/secretsmanager-secret/provider.tf
new file mode 100644
index 0000000..6f10a6e
--- /dev/null
+++ b/modules/security_identity_compliance/secretsmanager-secret/provider.tf
@@ -0,0 +1,15 @@
+provider "aws" {
+ region = var.aws-region
+}
+
+terraform {
+ required_version = ">= 1.3.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.40"
+ }
+ }
+}
+
+resource time_static current_time {}
\ No newline at end of file
diff --git a/modules/security_identity_compliance/secretsmanager-secret/variables.tf b/modules/security_identity_compliance/secretsmanager-secret/variables.tf
new file mode 100644
index 0000000..355a827
--- /dev/null
+++ b/modules/security_identity_compliance/secretsmanager-secret/variables.tf
@@ -0,0 +1,7 @@
+variable "aws-region" {}
+variable "secret_description" {}
+variable "secret_value" {}
+variable "secret_policy" {
+ type = string
+ default = null
+}
\ No newline at end of file
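Review bot: `required_providers` declares only `aws`, yet `main.tf` uses `random_id` (hashicorp/random) and this file declares `resource time_static current_time {}` (hashicorp/time); both providers are resolved implicitly and unpinned, so they should be listed with a `source` and a version constraint so the dependency lock file records them. The `time_static` resource is referenced nowhere in the patch and should be dropped, or its purpose commented, rather than pulling an extra provider into the module. A `provider "aws"` block inside a reusable module keeps callers from passing aliased or assumed-role provider configurations and is discouraged for modules; moving it to the root module also removes `var.aws-region`. `>= 4.40` has no upper bound, so a new major release is picked up silently on the next `init -upgrade`; a `~>` constraint keeps upgrades deliberate.
```hcl
terraform {
  required_version = ">= 1.3.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.40"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.0" # constructed example; pin to the release the module was tested with
    }
  }
}
# … dropped: provider "aws" block (configured by the root module) and the unused time_static …
```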
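Review bot: `secret_value` is declared without `sensitive = true`, so its value is printed in plan and apply output and in any CI log that captures it (it lands in state regardless, which is worth a comment on the variable); declare it as `variable "secret_value" { type = string; sensitive = true }`. The first three variables carry no `type`, so a list or map passed by mistake is only rejected when `jsonencode` or the provider runs; `type = string` on each makes the module interface explicit. `secret_policy` is handed straight to `aws_secretsmanager_secret_policy` in `main.tf`, so malformed JSON fails at apply time; a `validation` block with `condition = var.secret_policy == null || can(jsondecode(var.secret_policy))` catches it at plan time.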