lgallard / terraform-aws-secrets-manager

Terraform module to create Amazon Secrets Manager resources.
Apache License 2.0

Question: How does the state handle rotation of a secret? #10

Closed efernandes-dev-ops closed 3 years ago

efernandes-dev-ops commented 3 years ago

Upon reading the Terraform Secrets Manager docs, it states that when you enable rotation of a secret, it rotates the secret once as soon as the secret is created in AWS Secrets Manager.

Configuring rotation causes the secret to rotate once as soon as you store the secret. Before you do this, you must ensure that all of your applications that use the credentials stored in the secret are updated to retrieve the secret from AWS Secrets Manager. The old credentials might no longer be usable after the initial rotation and any applications that you fail to update will break as soon as the old credentials are no longer valid.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret

With that being the case, on a re-run of the Terraform code, wouldn't it see a drift in the value of the secret?

lgallard commented 3 years ago

@efernandes-dev-ops you can use the module's rotate_secrets input variable to define secrets to be rotated.

Secrets Rotation

If you need to rotate your secrets, use the rotate_secrets list to define them. Take into account that the Lambda function must exist and it must have the right permissions to rotate the secrets in AWS Secrets Manager:

```hcl
module "secrets-manager-4" {

  source = "lgallard/secrets-manager/aws"

  rotate_secrets = [
    {
      name                    = "secret-rotate-1"
      description             = "This is a secret to be rotated by a lambda"
      secret_string           = "This is an example"
      rotation_lambda_arn     = "arn:aws:lambda:us-east-1:123455678910:function:lambda-rotate-secret"
      recovery_window_in_days = 15
    },
    {
      name                    = "secret-rotate-2"
      description             = "This is another secret to be rotated by a lambda"
      secret_string           = "This is another example"
      rotation_lambda_arn     = "arn:aws:lambda:us-east-1:123455678910:function:lambda-rotate-secret"
      recovery_window_in_days = 7
    },
  ]

  tags = {
    Owner       = "DevOps team"
    Environment = "dev"
    Terraform   = true
  }

}
```
efernandes-dev-ops commented 3 years ago

Hi @lgallard, thanks for the example. I actually just wanted to find out if Terraform sees a drift when the secret is rotated. So the second time you run plan/apply, would Terraform notice a change in the secret as it was rotated?

lgallard commented 3 years ago

@efernandes-dev-ops no drifts, that's why you set them in rotate_secrets.
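
The following is an added example of the plain AWS provider resources behind the "no drift" answer above; it is not the module's own code and is not part of the thread. It assumes the standard pattern for rotated secrets: Terraform seeds the first version, then a `lifecycle { ignore_changes = [...] }` block on the version resource tells Terraform to stop tracking `secret_string`/`secret_binary`, so the value the rotation Lambda writes later is not reported as drift. The Lambda name, the rotation interval and the account id in the ARN are placeholders taken from the thread's example.

```hcl
# Added example, not the module's code. Shows why a rotated secret does not
# produce drift: the value is ignored after the initial apply.

resource "aws_secretsmanager_secret" "rotated" {
  name                    = "secret-rotate-1"
  description             = "Seeded by Terraform, then owned by the rotation Lambda"
  recovery_window_in_days = 15
}

# The initial version seeds the secret once. After rotation, the current
# version in AWS differs from what is in state; ignore_changes prevents
# Terraform from trying to "correct" it back to the seed value.
resource "aws_secretsmanager_secret_version" "rotated" {
  secret_id     = aws_secretsmanager_secret.rotated.id
  secret_string = "This is an example" # placeholder seed value

  lifecycle {
    ignore_changes = [secret_string, secret_binary]
  }
}

# Secrets Manager must be allowed to invoke the rotation function
# (the "right permissions" the thread refers to).
resource "aws_lambda_permission" "allow_secretsmanager" {
  statement_id  = "AllowSecretsManagerInvoke"
  action        = "lambda:InvokeFunction"
  function_name = "lambda-rotate-secret" # placeholder, must already exist
  principal     = "secretsmanager.amazonaws.com"
}

# Enabling rotation triggers one immediate rotation, as the quoted docs state,
# then repeats on the configured schedule.
resource "aws_secretsmanager_secret_rotation" "rotated" {
  secret_id           = aws_secretsmanager_secret.rotated.id
  rotation_lambda_arn = "arn:aws:lambda:us-east-1:123455678910:function:lambda-rotate-secret"

  rotation_rules {
    automatically_after_days = 30 # placeholder interval
  }

  depends_on = [aws_lambda_permission.allow_secretsmanager]
}
```

To check the behaviour, run `terraform apply`, wait for the initial rotation to finish, then run `terraform plan` again: with `ignore_changes` in place the plan should show no changes for the version resource. Without that block, the same plan would propose re-writing the rotated value back to the seed, which is exactly the drift the question asks about and would also push a stale credential back into the secret.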

efernandes-dev-ops commented 3 years ago

Awesome, thanks for the clarification. Great module :)