From 8c7ad4d72c457e4b88bfbca55a449bb6850b709c Mon Sep 17 00:00:00 2001 From: Vladimir <26582191+SweetOps@users.noreply.github.com> Date: Fri, 1 Oct 2021 13:30:20 +0300 Subject: [PATCH] fix: introduce enabled flag for secret_version and rotation (#2) --- README.md | 7 ++++--- examples/basic/main.tf | 1 + main.tf | 31 +++++++++++++++++++------------ variables.tf | 5 +++++ 4 files changed, 29 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index e9eb4d6..ba5005d 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,7 @@ module "secrets" { version = "0.1.0" secret_version = { + enabled = true secret_string = jsonencode( { ssh_public_key = base64encode(module.ssh_key_pair.public_key) @@ -52,7 +53,7 @@ module "secrets" { | Name | Version | |------|---------| -| [aws](#provider\_aws) | 3.60.0 | +| [aws](#provider\_aws) | >= 3.0 | ## Modules @@ -93,8 +94,8 @@ module "secrets" { | [policy](#input\_policy) | Valid JSON document representing a resource policy. | `string` | `null` | no | | [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | Valid JSON document representing a resource policy. | `number` | `30` | no | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | -| [rotation](#input\_rotation) | enabled:
Whether to create secret rotation rule.
Default value: `false`
lambda\_arn:
Specifies the ARN of the Lambda function that can rotate the secret.
automatically\_after\_days:
Specifies the number of days between automatic scheduled rotations of the secret. |
object({
lambda_arn = string
automatically_after_days = number
})
|
{
"automatically_after_days": 0,
"lambda_arn": ""
}
| no | -| [secret\_version](#input\_secret\_version) | secret\_string:
Specifies text data that you want to encrypt and store in this version of the secret.
This is required if `secret_binary` is not set.
secret\_binary:
Specifies binary data that you want to encrypt and store in this version of the secret.
This is required if `secret_string` is not set.
Needs to be encoded to base64. |
object({
secret_string = optional(string)
secret_binary = optional(string)
})
| `{}` | no | +| [rotation](#input\_rotation) | enabled:
Whether to create secret rotation rule.
Default value: `false`
lambda\_arn:
Specifies the ARN of the Lambda function that can rotate the secret.
automatically\_after\_days:
Specifies the number of days between automatic scheduled rotations of the secret. |
object({
enabled = optional(bool)
lambda_arn = string
automatically_after_days = number
})
|
{
"automatically_after_days": 0,
"lambda_arn": ""
}
| no | +| [secret\_version](#input\_secret\_version) | enabled:
Whether to create secret version.
Default value: `false`
secret\_string:
Specifies text data that you want to encrypt and store in this version of the secret.
This is required if `secret_binary` is not set.
secret\_binary:
Specifies binary data that you want to encrypt and store in this version of the secret.
This is required if `secret_string` is not set.
Needs to be encoded to base64. |
object({
enabled = optional(bool)
secret_string = optional(string)
secret_binary = optional(string)
})
| `{}` | no | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | diff --git a/examples/basic/main.tf b/examples/basic/main.tf index 28bfa01..ad821ea 100644 --- a/examples/basic/main.tf +++ b/examples/basic/main.tf @@ -22,6 +22,7 @@ module "secrets" { version = "0.1.0" secret_version = { + enabled = true secret_string = jsonencode( { ssh_public_key = base64encode(module.ssh_key_pair.public_key) diff --git a/main.tf b/main.tf index 15c3aac..f0560ea 100644 --- a/main.tf +++ b/main.tf 
@@ -1,15 +1,17 @@ locals { - enabled = module.this.enabled - secret_id = one(aws_secretsmanager_secret.default[*].id) - secret_arn = one(aws_secretsmanager_secret.default[*].arn) - version_id = one(aws_secretsmanager_secret_version.default[*].version_id) - secret_version = defaults(var.secret_version, local.secret_version_default) - secret_version_enabled = local.enabled && (length(local.secret_version["secret_string"]) > 0 || length(local.secret_version["secret_binary"]) > 0) - secret_string = local.enabled && length(local.secret_version["secret_string"]) > 0 ? local.secret_version["secret_string"] : null - secret_binary = local.enabled && length(local.secret_version["secret_binary"]) > 0 ? local.secret_version["secret_binary"] : null - kms_key = defaults(var.kms_key, local.kms_key_default) - kms_key_enabled = local.enabled && local.kms_key["enabled"] - kms_key_id = local.kms_key["enabled"] ? module.kms_key.key_id : var.kms_key_id + enabled = module.this.enabled + secret_id = one(aws_secretsmanager_secret.default[*].id) + secret_arn = one(aws_secretsmanager_secret.default[*].arn) + version_id = one(aws_secretsmanager_secret_version.default[*].version_id) + secret_version = defaults(var.secret_version, local.secret_version_default) + secret_version_enabled = local.enabled && local.secret_version["enabled"] + secret_string = local.secret_version_enabled && length(local.secret_version["secret_string"]) > 0 ? local.secret_version["secret_string"] : null + secret_binary = local.secret_version_enabled && length(local.secret_version["secret_binary"]) > 0 ? local.secret_version["secret_binary"] : null + secret_rotation = defaults(var.rotation, local.secret_rotation_default) + secret_rotation_enabled = local.enabled && local.secret_rotation["enabled"] + kms_key = defaults(var.kms_key, local.kms_key_default) + kms_key_enabled = local.enabled && local.kms_key["enabled"] + kms_key_id = local.kms_key["enabled"] ? 
module.kms_key.key_id : var.kms_key_id kms_key_default = { deletion_window_in_days = 30 @@ -20,6 +22,11 @@ locals { secret_version_default = { secret_string = "" secret_binary = "" + enabled = false + } + + secret_rotation_default = { + enabled = false } } @@ -56,7 +63,7 @@ resource "aws_secretsmanager_secret_version" "default" { } resource "aws_secretsmanager_secret_rotation" "default" { - count = local.enabled && length(var.rotation["lambda_arn"]) > 0 ? 1 : 0 + count = local.secret_rotation_enabled ? 1 : 0 secret_id = local.secret_id rotation_lambda_arn = var.rotation["lambda_arn"] diff --git a/variables.tf b/variables.tf index 1b08c3e..04e5d0c 100644 --- a/variables.tf +++ b/variables.tf @@ -56,12 +56,16 @@ variable "kms_key" { variable "secret_version" { type = object({ + enabled = optional(bool) secret_string = optional(string) secret_binary = optional(string) }) sensitive = true default = {} description = <<-DOC + enabled: + Whether to create secret version. + Default value: `false` secret_string: Specifies text data that you want to encrypt and store in this version of the secret. This is required if `secret_binary` is not set. @@ -74,6 +78,7 @@ variable "secret_version" { variable "rotation" { type = object({ + enabled = optional(bool) lambda_arn = string automatically_after_days = number })
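Review bot: `secret_version_enabled` now depends only on the new `enabled` flag, so a caller that sets `enabled = true` while leaving both `secret_string` and `secret_binary` empty creates an `aws_secretsmanager_secret_version` whose `secret_string` and `secret_binary` locals both resolve to `null`; the removed expression guaranteed at least one was non-empty. Keeping the content check alongside the flag, `secret_version_enabled = local.enabled && local.secret_version["enabled"] && (length(local.secret_version["secret_string"]) > 0 || length(local.secret_version["secret_binary"]) > 0)`, or a `validation` block on `var.secret_version` in variables.tf, would surface that misconfiguration at plan time rather than at apply. The flag defaults to `false` in `secret_version_default`, so an existing caller that set `secret_string` without `enabled = true` sees the version resource's `count` drop from 1 to 0 on upgrade, which plans its destruction; that behaviour change deserves an explicit changelog entry. The `locals` block continues past the end of the hunk.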
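Review bot: `count = local.secret_rotation_enabled ? 1 : 0` no longer looks at `var.rotation["lambda_arn"]`, so with the documented default of `lambda_arn = ""` a caller that only sets `enabled = true` gets an `aws_secretsmanager_secret_rotation` whose `rotation_lambda_arn` is an empty string, a failure that is only reported at apply. A `validation` block on `var.rotation` in variables.tf along the lines of `condition = !coalesce(var.rotation.enabled, false) || length(var.rotation.lambda_arn) > 0`, with an error message naming `lambda_arn`, would make the requirement explicit at plan time. Gating rotation on the flag alone is otherwise an improvement, since the removed length check silently skipped rotation whenever the ARN happened to be unset. The resource body continues past the end of the hunk.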