lgallard / terraform-aws-secrets-manager

Terraform module to create Amazon Secrets Manager resources.
Apache License 2.0
63 stars, 50 forks

Support unmanaged secrets #4

Closed fabio42 closed 4 years ago

fabio42 commented 4 years ago

First thank you for this module, it is quite great!

I have use cases where I need to prepare some AWS secrets, but I can't have them set randomly or stored inside a shared file.

So I'm looking for a way to be able to enable `lifecycle` when I have such a use case. Unfortunately, `dynamic` does not support `lifecycle`, so this is the solution I ended up with.

In case of shared states, this would allow the secret to be initialized, eventually with real secret values through terraform.tfvars, by a first user, but would not prevent another user who doesn't have access to the secrets from using the state.

```hcl
module "secrets-manager-2" {

  source = "lgallard/secrets-manager/aws"

  secrets = [
    {
      name                    = "unmanaged-secret-kv-1"
      description             = "This is a key/value secret"
      secret_string           = "Changeme"
      recovery_window_in_days = 7
    },
  ]

  unmanaged = true

  tags = {
    Owner       = "DevOps team"
    Environment = "dev"
    Terraform   = true
  }

}
```

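The pattern the `unmanaged` flag is asking for, written against the raw `aws_secretsmanager_secret` resources as an added example (this is not code from the module or from the issue author; the variable, local and resource names are illustrative assumptions). The point it makes concrete is why a second resource is needed: `lifecycle` is a meta-argument, so it cannot be toggled per instance from a `dynamic` block or a variable, and the only way to get `ignore_changes` on some secrets but not others is a separate resource that owns only the unmanaged ones.

```hcl
# Added example, not the module's own code. Names below are illustrative.

variable "secrets" {
  description = "Secrets to create. secret_string is only the initial (placeholder) value for unmanaged secrets."
  type = list(object({
    name                    = string
    description             = string
    secret_string           = string
    recovery_window_in_days = number
  }))
}

variable "unmanaged" {
  description = "When true, Terraform writes the value once and ignores rotations performed outside Terraform."
  type        = bool
  default     = false
}

locals {
  # for_each needs a map with stable keys; the secret name serves.
  secrets_map = { for s in var.secrets : s.name => s }

  # Split the set so exactly one of the two version resources owns each secret.
  managed_secrets   = var.unmanaged ? {} : local.secrets_map
  unmanaged_secrets = var.unmanaged ? local.secrets_map : {}
}

# The secret container itself is always managed by Terraform.
resource "aws_secretsmanager_secret" "this" {
  for_each                = local.secrets_map
  name                    = each.value.name
  description             = each.value.description
  recovery_window_in_days = each.value.recovery_window_in_days
}

# Managed: Terraform owns the value. Editing secret_string in the config
# creates a new AWSCURRENT version on the next apply.
resource "aws_secretsmanager_secret_version" "managed" {
  for_each      = local.managed_secrets
  secret_id     = aws_secretsmanager_secret.this[each.key].id
  secret_string = each.value.secret_string
}

# Unmanaged: Terraform writes the placeholder once. Because ignore_changes
# covers secret_string, a value rotated in the console, by a rotation Lambda
# or by another team is neither reverted nor read back into the state.
resource "aws_secretsmanager_secret_version" "unmanaged" {
  for_each      = local.unmanaged_secrets
  secret_id     = aws_secretsmanager_secret.this[each.key].id
  secret_string = each.value.secret_string

  lifecycle {
    ignore_changes = [secret_string]
  }
}
```

Two caveats worth checking in a plan before relying on this. First, whatever `secret_string` is supplied on the first apply is written to the Terraform state in plaintext, so the flag keeps later rotations out of the state but does not protect a real value passed through `terraform.tfvars` at initialization; a placeholder such as "Changeme" followed by an out-of-band rotation is the combination that keeps real values out of the state entirely. Second, `ignore_changes` only suppresses the diff on the value; the version resource is still tracked by its version id, so if that original version ever disappears from Secrets Manager, Terraform will plan to recreate it with the placeholder, which would become the current value.
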
lgallard commented 4 years ago

So, the idea would be to initialize the secret and then rotate it outside Terraform, thus preventing other users from changing the secret using Terraform?

fabio42 commented 4 years ago

Yes, exactly. The secret resource would be created, through this resource, by someone who doesn't necessarily have access to the real secret. Secret management itself would be handled outside of TF.

lgallard commented 4 years ago

@fabio42, I merged and published your changes in release 0.3.0.

Thanks for contributing!