data "aws_caller_identity" "this" {}

resource "random_id" "rid" {
  byte_length = 2
}

resource "aws_secretsmanager_secret" "secret1" {
  name        = "${var.secret_name}-${random_id.rid.dec}"
  description = var.secret_description
}

resource "aws_secretsmanager_secret_version" "this" {
  secret_id     = aws_secretsmanager_secret.secret1.id
  secret_string = var.generate_secret ? random_password.this[0].result : var.secret_value
}

resource "random_password" "this" {
  count   = var.generate_secret ? 1 : 0
  length  = 22
  special = true
}

resource "aws_secretsmanager_secret_policy" "policy" {
  secret_arn = aws_secretsmanager_secret.secret1.arn
  policy     = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json
}

data "aws_iam_policy_document" "policy-file" {
  statement {
    sid    = "DenyCrossAccountAccess"
    effect = "Deny"

    principals {
      identifiers = ["*"]
      type        = "AWS"
    }

    condition {
      test     = "StringNotEquals"
      values   = [data.aws_caller_identity.this.account_id]
      variable = "aws:PrincipalAccount"
    }

    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.secret1.arn]
  }
}