Closed efernandes-dev-ops closed 3 years ago
@efernandes-dev-ops you can use the module's rotate_secrets input variable to define secrets to be rotated. If you need to rotate your secrets, use the rotate_secrets list to define them. Take into account that the lambda function must exist and it must have the right permissions to rotate the secrets in AWS Secrets Manager:
```hcl
module "secrets-manager-4" {
  source = "lgallard/secrets-manager/aws"

  rotate_secrets = [
    {
      name                    = "secret-rotate-1"
      description             = "This is a secret to be rotated by a lambda"
      secret_string           = "This is an example"
      rotation_lambda_arn     = "arn:aws:lambda:us-east-1:123455678910:function:lambda-rotate-secret"
      recovery_window_in_days = 15
    },
    {
      name                    = "secret-rotate-2"
      description             = "This is another secret to be rotated by a lambda"
      secret_string           = "This is another example"
      rotation_lambda_arn     = "arn:aws:lambda:us-east-1:123455678910:function:lambda-rotate-secret"
      recovery_window_in_days = 7
    },
  ]

  tags = {
    Owner       = "DevOps team"
    Environment = "dev"
    Terraform   = true
  }
}
```
Hi @lgallard, Thanks for the example. I actually just wanted to find out if terraform sees a drift when the secret is rotated. So the second time you run plan/apply would terraform notice a change in the secret as it was rotated?
@efernandes-dev-ops no drifts, that's why you set them in rotate_secrets.
Awesome, thanks for the clarification. Great module :)
Upon reading the Terraform Secrets Manager docs, it states that when you enable rotation of a secret, it rotates the secret once as soon as the secret is created in AWS Secrets Manager.
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret
With that being the case, on re-run of the Terraform code wouldn't that see a drift in the value of the secret?
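The drift question above, as an added example that is not the lgallard module's own code: the same rotated secret written with plain aws provider resources, where a lifecycle block tells Terraform that the rotation Lambda owns the value after the first apply. The secret name, Lambda name/ARN and account id are placeholders, and ignoring secret_string is one way to avoid the drift, not a description of how the module does it internally.

```hcl
# Added example (not the module's code). Placeholders: names, account id, ARN.
resource "aws_secretsmanager_secret" "rotated" {
  name                    = "secret-rotate-1"
  description             = "This is a secret to be rotated by a lambda"
  recovery_window_in_days = 15
}

# Initial value only. Rotation writes a new AWSCURRENT version in Secrets
# Manager; without ignore_changes each later plan would propose putting the
# old value (and the old staging label) back, which is the drift asked about.
resource "aws_secretsmanager_secret_version" "initial" {
  secret_id     = aws_secretsmanager_secret.rotated.id
  secret_string = "This is an example" # placeholder; pass a sensitive variable in practice

  lifecycle {
    ignore_changes = [secret_string, version_stages]
  }
}

# Secrets Manager must be allowed to invoke the rotation function; this is the
# Lambda-side half of the "right permissions" mentioned in the thread.
resource "aws_lambda_permission" "allow_secretsmanager" {
  statement_id  = "AllowSecretsManagerInvoke"
  action        = "lambda:InvokeFunction"
  function_name = "lambda-rotate-secret" # placeholder function name
  principal     = "secretsmanager.amazonaws.com"
}

# Enabling rotation triggers one immediate rotation on creation (as the
# provider docs linked above say), then again every 30 days.
resource "aws_secretsmanager_secret_rotation" "rotated" {
  secret_id           = aws_secretsmanager_secret.rotated.id
  rotation_lambda_arn = "arn:aws:lambda:us-east-1:123456789012:function:lambda-rotate-secret" # placeholder

  rotation_rules {
    automatically_after_days = 30
  }

  depends_on = [aws_lambda_permission.allow_secretsmanager]
}
```

Because the first rotation runs right after creation, the value in secret_string is only the seed the Lambda starts from; a second plan after that rotation should show no changes on the version resource.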