data "aws_caller_identity" "this" {} resource "random_id" "rid" { byte_length = 2 } resource "aws_secretsmanager_secret" "secret1" { name = "${var.secret_name}-${random_id.rid.dec}" description = var.secret_description kms_key_id = var.kms_key_id == null ? null : var.kms_key_id } resource "aws_secretsmanager_secret_version" "this" { secret_id = aws_secretsmanager_secret.secret1.id secret_string = var.generate_secret ? random_password.this[0].result : var.secret_value } resource "random_password" "this" { count = var.generate_secret ? 1 : 0 length = 22 special = true } resource "aws_secretsmanager_secret_policy" "policy" { secret_arn = aws_secretsmanager_secret.secret1.arn policy = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json } data "aws_iam_policy_document" "policy-file" { statement { sid = "DenyCrossAccountAccess" effect = "Deny" principals { identifiers = ["*"] type = "AWS" } condition { test = "StringNotEquals" values = [data.aws_caller_identity.this.account_id] variable = "aws:PrincipalAccount" } actions = ["secretsmanager:GetSecretValue"] resources = [aws_secretsmanager_secret.secret1.arn] } }