From 63a2e0fbd5edbd6723437f7161c79df65fc34ad2 Mon Sep 17 00:00:00 2001
From: "david.elliott"
Date: Thu, 7 May 2020 15:35:56 +0100
Subject: [PATCH] Allow secrets to be encrypted with a KMS key and allow for resource policies to be created and associated with the key to allow for controlled access.

---
 examples/dummy-secret/data.tf | 4 +++
 examples/dummy-secret/main.tf | 12 +++------
 examples/dummy-secret/outputs.tf | 7 ++++++
 main.tf | 43 +++++---------------------------
 outputs.tf | 9 +++++++
 variables.tf | 32 ++++++++++++++++++++++++
 6 files changed, 61 insertions(+), 46 deletions(-)
 create mode 100644 examples/dummy-secret/data.tf
 create mode 100644 examples/dummy-secret/outputs.tf
 create mode 100644 outputs.tf
 create mode 100644 variables.tf

diff --git a/examples/dummy-secret/data.tf b/examples/dummy-secret/data.tf
new file mode 100644
index 0000000..a052d6f
--- /dev/null
+++ b/examples/dummy-secret/data.tf
@@ -0,0 +1,4 @@
+data "template_file" "example" {
+ template = file("/path/to/json")
+
+}
\ No newline at end of file
diff --git a/examples/dummy-secret/main.tf b/examples/dummy-secret/main.tf
index 637e073..c752c12 100644
--- a/examples/dummy-secret/main.tf
+++ b/examples/dummy-secret/main.tf
@@ -7,16 +7,10 @@ module "secret" {
 name = "dummy-secret"
 value = "password"
+ policy = data.template_file.example.rendered # Optional
+ kms_key_id = "arn:aws:kms:aws-region:account-id:key/key-id" # Optional
 tags = {
 whodunnit = "steven"
 why = "example"
 }
-}
-
-output "secret" {
- value = module.secret.secret
-}
-
-output "secret_version" {
- value = module.secret.secret_version
-}
+}
\ No newline at end of file
diff --git a/examples/dummy-secret/outputs.tf b/examples/dummy-secret/outputs.tf
new file mode 100644
index 0000000..066c763
--- /dev/null
+++ b/examples/dummy-secret/outputs.tf
@@ -0,0 +1,7 @@
+output "secret" {
+ value = module.secret.secret
+}
+
+output "secret_version" {
+ value = module.secret.secret_version
+}
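Review bot: The `template_file` data source in examples/dummy-secret/data.tf declares no `vars`, so `data.template_file.example.rendered` is simply the file contents and the example pulls in the template provider for nothing; `policy = file("${path.module}/policy.json")` in main.tf gives the same result with no extra provider, and the built-in `templatefile()` function covers the interpolated case on Terraform 0.12. The absolute `/path/to/json` placeholder also fails `terraform plan` for anyone who copies the example as-is, so a path relative to `path.module` pointing at a sample policy document would make the example runnable. The blank line inside the block and the missing trailing newline are cosmetic.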
diff --git a/main.tf b/main.tf
index 8368bf9..803f825 100644
--- a/main.tf
+++ b/main.tf
@@ -1,44 +1,13 @@
-# Variables
-
-variable "name" {
- description = "Name of secret to store"
- type = string
-}
-
-variable "value" {
- description = "Secret value to store"
- type = string
-}
-
-variable "description" {
- type = string
- default = "terraform-managed secret"
-}
-
-variable "tags" {
- description = "User-Defined tags"
- type = map(string)
- default = {}
-}
-
 # Resources
 resource "aws_secretsmanager_secret" "secret" {
- name_prefix = var.name
- tags = var.tags
+ name = var.name
+ tags = var.tags
+ policy = var.policy
+ kms_key_id = var.kms_key_id
 }
 resource "aws_secretsmanager_secret_version" "secret" {
- secret_id = aws_secretsmanager_secret.secret.id
+ secret_id = aws_secretsmanager_secret.secret.id
  secret_string = var.value
-}
-
-# Outputs
-
-output "secret" {
- value = aws_secretsmanager_secret.secret
-}
-
-output "secret_version" {
- value = aws_secretsmanager_secret_version.secret
-}
+}
\ No newline at end of file
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..a775ad5
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,9 @@
+# Outputs
+
+output "secret" {
+ value = aws_secretsmanager_secret.secret
+}
+
+output "secret_version" {
+ value = aws_secretsmanager_secret_version.secret
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..bfa93c0
--- /dev/null
+++ b/variables.tf
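Review bot: Replacing `name_prefix = var.name` with `name = var.name` in the `aws_secretsmanager_secret` block forces every secret already managed by this module to be destroyed and recreated, and the commit message does not call this out as breaking; because a deleted secret remains reserved for its recovery window (30 days by default) the recreate under the same fixed name is likely to fail until that window passes or `recovery_window_in_days` is lowered. Either keep the prefix behaviour selectable or document the migration in the commit message. Separately, `policy = var.policy` is the secret's resource policy, not the KMS key policy the subject line describes; when a customer-managed key is passed through `kms_key_id`, the key's own policy must still grant the consuming principals decrypt access, which this module does not manage, so the variable description should say so. `var.description` is still declared but never applied to the resource, so `description = var.description` belongs alongside the new arguments.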
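Review bot: `output "secret_version"` in outputs.tf exports the entire `aws_secretsmanager_secret_version` resource, whose attributes include `secret_string`, so the plaintext value is echoed by `terraform apply` and `terraform output` unless the output carries `sensitive = true`; the pass-through outputs in examples/dummy-secret/outputs.tf inherit the same exposure. The value lives in state either way, but marking the output sensitive keeps it out of console and CI logs. `output "secret"` likewise exposes the whole secret resource; exporting only the attributes callers need (`arn`, `id`, `name`) is the narrower interface and avoids leaking future attributes by default.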
@@ -0,0 +1,32 @@
+# Variables
+
+variable "name" {
+ description = "Name of secret to store"
+ type = string
+}
+
+variable "value" {
+ description = "Secret value to store"
+ type = string
+}
+
+variable "description" {
+ type = string
+ default = "terraform-managed secret"
+}
+
+variable "tags" {
+ description = "User-Defined tags"
+ type = map(string)
+ default = {}
+}
+
+variable "policy" {
+ description = "Optional. The resource policy which controls access to the secret."
+ default = null
+}
+
+variable "kms_key_id" {
+ description = "Optional. The KMS Key ID to encrypt the secret. KMS key arn or alias can be used."
+ default = null
+}
\ No newline at end of file
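Review bot: The new `policy` and `kms_key_id` variables declare no `type`, unlike every other variable in this file, so a wrongly shaped value is only rejected by the provider at apply time rather than by `terraform validate`. Adding `type = string` to both keeps the file consistent and still accepts the `null` default. The `kms_key_id` description could also state that leaving it `null` means the secret is encrypted with the AWS-managed Secrets Manager key, since that is the security-relevant consequence of the default. The `description` variable still lacks a `description` attribute of its own, an easy addition while the file is new.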