terraform.aws-baseline-infra/modules/security_identity_compliance/secretsmanager-secret/main.tf

48 lines
1.3 KiB
HCL

data "aws_caller_identity" "this" {}
resource "random_id" "rid" {
byte_length = 2
}
resource "aws_secretsmanager_secret" "secret1" {
name = "${var.secret_name}-${random_id.rid.dec}"
description = var.secret_description
kms_key_id = var.kms_key_id == null ? null : var.kms_key_id
}
resource "aws_secretsmanager_secret_version" "this" {
secret_id = aws_secretsmanager_secret.secret1.id
secret_string = var.generate_secret ? random_password.this[0].result : var.secret_value
}
resource "random_password" "this" {
count = var.generate_secret ? 1 : 0
length = 22
special = true
}
resource "aws_secretsmanager_secret_policy" "policy" {
secret_arn = aws_secretsmanager_secret.secret1.arn
policy = var.secret_policy != null ? var.secret_policy : data.aws_iam_policy_document.policy-file.json
}
data "aws_iam_policy_document" "policy-file" {
statement {
sid = "DenyCrossAccountAccess"
effect = "Deny"
principals {
identifiers = ["*"]
type = "AWS"
}
condition {
test = "StringNotEquals"
values = [data.aws_caller_identity.this.account_id]
variable = "aws:PrincipalAccount"
}
actions = ["secretsmanager:GetSecretValue"]
resources = [aws_secretsmanager_secret.secret1.arn]
}
}