This module manages secrets in AWS through Secrets Manager. It will create a KMS key for encrypting secrets, and optionally create one or more secrets.
**Caution:** OpenTofu state files are stored as plain text. For this reason it is not
recommended that you pass secret values to this module, unless you expect them
to be rotated immediately. It is safe to use the `create_random_password`
option, as this value will be generated by AWS and not stored in the state
file.
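Because the state file is plain text, it is worth checking it before it is committed or shared. The following scanner is an added example (not part of this module) that parses a state file and reports every `aws_secretsmanager_secret_version` instance whose `secret_string` holds a real value; it skips the module's default `start_value` of `"{}"` and empty strings, and the sample state embedded below is constructed for illustration.

```python
"""Flag plaintext secret values held in an OpenTofu/Terraform state file.

Constructed example: the state is standard JSON and any
aws_secretsmanager_secret_version instance with a populated
secret_string attribute carries that value in plaintext.
"""
import json

# Constructed sample state: one secret still at the default "{}" start
# value, one that was given a real value from the outside.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"module": "module.secrets",
         "type": "aws_secretsmanager_secret_version", "name": "this",
         "instances": [
             {"index_key": "example",
              "attributes": {"secret_id": "my-project/dev/example-AbCdEf",
                             "secret_string": "{}"}},
             {"index_key": "password/test",
              "attributes": {"secret_id": "my-project/dev/password/test-GhIjKl",
                             "secret_string": "not-a-real-password"}}]},
        {"type": "aws_kms_key", "name": "this",
         "instances": [{"attributes": {"key_id": "constructed-key-id"}}]},
    ],
})

def find_plaintext_secrets(state_json, ignore_values=("{}", "")):
    """Return [(resource_address, index_key)] for instances whose
    secret_string holds secret material. Values in ignore_values (the
    module's default start_value and empty strings) are not reported."""
    state = json.loads(state_json)
    hits = []
    for res in state.get("resources", []):
        if res.get("type") != "aws_secretsmanager_secret_version":
            continue
        parts = (res.get("module"), res["type"], res["name"])
        address = ".".join(p for p in parts if p)
        for inst in res.get("instances", []):
            value = inst.get("attributes", {}).get("secret_string")
            if value is not None and value not in ignore_values:
                hits.append((address, inst.get("index_key")))
    return hits

if __name__ == "__main__":
    for address, key in find_plaintext_secrets(SAMPLE_STATE):
        print(f"plaintext secret value in state: {address}[{key!r}]")
```

Run it against `tofu state pull` output in CI to fail the pipeline when a secret value has landed in state.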
Add this module to your `main.tf` (or appropriate) file and configure the inputs
to match your desired configuration. For example:

```hcl
module "secrets" {
  source = "github.com/codeforamerica/tofu-modules-aws-secrets?ref=1.0.0"

  project     = "my-project"
  environment = "dev"

  secrets = {
    example = {
      description = "An example secret."
    }
    "password/test" = {
      create_random_password = true
      description            = "Random password for testing."
    }
    named = {
      description = "A secret with an explicit name."
      name        = "my-project/named/secret"
    }
  }
}
```
Make sure you re-run `tofu init` after adding the module to your configuration.

```sh
tofu init
tofu plan
```

To update the source for this module, pass `-upgrade` to `tofu init`:

```sh
tofu init -upgrade
```
The module accepts the following inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
project | Name of the project. | string | n/a | yes |
environment | Environment for the project. | string | "dev" | no |
key_recovery_period | Number of days to recover the KMS key after deletion. | number | 30 | no |
secrets | Secrets to be created. | map(object) | {} | no |
service | Optional service that these resources are supporting. Example: "api", "web", "worker" | string | n/a | no |
tags | Optional tags to be applied to all resources. | list | [] | no |
The `secrets` input is an optional map of secrets to be created in AWS Secrets
Manager. Once the secret is created, any changes to the value will be ignored.
For example, to create a secret named `example`:

```hcl
secrets = {
  example = {
    recovery_window = 7
    description     = "Example credentials for our application."
  }
}
```
The actual name of the secret will use the project, environment, and optionally
the service to construct a name prefix for the secret. In the previous example,
the secret would be prefixed with `my-project/dev/example-`. AWS will add a
random suffix to the name to ensure uniqueness.
If you wish to override the prefix for the name, you can specify a `name` key
for the secret:

```hcl
secrets = {
  example = {
    recovery_window = 7
    description     = "Example credentials for our application."
    name            = "my/example/key"
  }
}
```
This would result in a key named `my/example/key-` before the random suffix is
applied.
Each entry in the `secrets` map accepts the following keys:

Name | Description | Type | Default | Required |
---|---|---|---|---|
description | Description of the secret. | string | n/a | yes |
create_random_password | Creates a random password as the starting value. | bool | false | no |
name | Name to use as the prefix for the secret. | string | "" | no |
recovery_window | Number of days that a secret can be recovered after deletion. | string | 30 | no |
start_value | Value to be set into the secret at creation. | string | "{}" | no |
The module exposes the following outputs:

Name | Description | Type |
---|---|---|
kms_key_alias | Alias of the KMS key used for encryption. | string |
kms_key_arn | ARN of the KMS key used for encryption. | string |
secrets | A map of created secrets. | map(object) |