Merge pull request #35 from lgallard/feature/force_overwrite_replica_…

…secret Feature/force overwrite replica secret
lgallard · Apr 28, 2023 · 14545c4 · btougeiro · Apr 28, 2023 · 14545c4
2 parents 6b8b232 + a5cd2f4
commit 14545c4
Show file tree

Hide file tree

Showing 6 changed files with 115 additions and 16 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 0.8.0 (April 28, 2023)
+
+ENHANCEMENTS:
+
+* Add ´force_overwrite_replica_secret´ (thanks @btougeiro)
+* Add replication example
+
 ## 0.7.0 (April 5, 2023)
 
 ENHANCEMENTS:

diff --git a/README.md b/README.md
@@ -228,6 +228,7 @@ module "secrets-manager-6" {
       replica_regions = {
         us-west-2 = "arn:aws:kms:us-west-2:1234567890:key/12345678-1234-1234-1234-123456789012"
       }
+      force_overwrite_replica_secret = true
     },
     secret-key-value = {
       description = "This is a key/value secret"
@@ -238,6 +239,7 @@ module "secrets-manager-6" {
       replica_regions = {
         us-west-1 = "arn:aws:kms:us-west-1:1234567890:key/12345678-1234-1234-1234-123456789012"
       }
+      force_overwrite_replica_secret = false
       tags = {
         app = "web"
       }

diff --git a/examples/replication/README.md b/examples/replication/README.md
@@ -0,0 +1,45 @@
+# Plain text example
+```
+module "secrets-manager-1" {
+
+  #source = "lgallard/secrets-manager/aws"
+  source = "../../"
+
+  secrets = {
+    secret-1 = {
+      description             = "My secret 1"
+      recovery_window_in_days = 7
+      secret_string           = "This is an example"
+      policy                  = <<POLICY
+				{
+					"Version": "2012-10-17",
+					"Statement": [
+						{
+							"Sid": "EnableAllPermissions",
+							"Effect": "Allow",
+							"Principal": {
+								"AWS": "*"
+							},
+							"Action": "secretsmanager:GetSecretValue",
+							"Resource": "*"
+						}
+					]
+				}
+				POLICY
+    },
+    secret-2 = {
+      description             = "My secret 2"
+      recovery_window_in_days = 7
+      secret_string           = "This is another example"
+      policy                  = null
+    }
+  }
+
+  tags = {
+    Owner       = "DevOps team"
+    Environment = "dev"
+    Terraform   = true
+
+  }
+}
+```
diff --git a/examples/replication/main.tf b/examples/replication/main.tf
@@ -0,0 +1,39 @@
+module "secrets-manager-6" {
+
+  #source = "lgallard/secrets-manager/aws"
+  source = "../../"
+
+  secrets = {
+    secret-plain = {
+      description             = "My plain text secret"
+      recovery_window_in_days = 7
+      secret_string           = "This is an example"
+      replica_regions = {
+        us-west-2 = "arn:aws:kms:us-west-2:1234567890:key/12345678-1234-1234-1234-123456789012"
+      }
+      force_overwrite_replica_secret = true
+    },
+    secret-key-value = {
+      description = "This is a key/value secret"
+      secret_key_value = {
+        username = "user"
+        password = "topsecret"
+      }
+      replica_regions = {
+        us-west-1 = "arn:aws:kms:us-west-1:1234567890:key/12345678-1234-1234-1234-123456789012"
+      }
+      force_overwrite_replica_secret = false
+      tags = {
+        app = "web"
+      }
+      recovery_window_in_days = 7
+    },
+  }
+
+  tags = {
+    Owner       = "DevOps team"
+    Environment = "dev"
+    Terraform   = true
+  }
+
+}
diff --git a/examples/replication/provider.tf b/examples/replication/provider.tf
@@ -0,0 +1,4 @@
+provider "aws" {
+  profile = "default"
+  region  = "us-east-1"
+}
diff --git a/main.tf b/main.tf
@@ -1,12 +1,13 @@
 resource "aws_secretsmanager_secret" "sm" {
-  for_each                = var.secrets
-  name                    = lookup(each.value, "name_prefix", null) == null ? each.key : null
-  name_prefix             = lookup(each.value, "name_prefix", null) != null ? lookup(each.value, "name_prefix") : null
-  description             = lookup(each.value, "description", null)
-  kms_key_id              = lookup(each.value, "kms_key_id", null)
-  policy                  = lookup(each.value, "policy", null)
-  recovery_window_in_days = lookup(each.value, "recovery_window_in_days", var.recovery_window_in_days)
-  tags                    = merge(var.tags, lookup(each.value, "tags", null))
+  for_each                       = var.secrets
+  name                           = lookup(each.value, "name_prefix", null) == null ? each.key : null
+  name_prefix                    = lookup(each.value, "name_prefix", null) != null ? lookup(each.value, "name_prefix") : null
+  description                    = lookup(each.value, "description", null)
+  kms_key_id                     = lookup(each.value, "kms_key_id", null)
+  policy                         = lookup(each.value, "policy", null)
+  force_overwrite_replica_secret = lookup(each.value, "force_overwrite_replica_secret", false)
+  recovery_window_in_days        = lookup(each.value, "recovery_window_in_days", var.recovery_window_in_days)
+  tags                           = merge(var.tags, lookup(each.value, "tags", null))
   dynamic "replica" {
     for_each = lookup(each.value, "replica_regions", {})
     content {
@@ -47,14 +48,15 @@ resource "aws_secretsmanager_secret_version" "sm-svu" {
 
 # Rotate secrets
 resource "aws_secretsmanager_secret" "rsm" {
-  for_each                = var.rotate_secrets
-  name                    = lookup(each.value, "name_prefix", null) == null ? each.key : null
-  name_prefix             = lookup(each.value, "name_prefix", null) != null ? lookup(each.value, "name_prefix") : null
-  description             = lookup(each.value, "description")
-  kms_key_id              = lookup(each.value, "kms_key_id", null)
-  policy                  = lookup(each.value, "policy", null)
-  recovery_window_in_days = lookup(each.value, "recovery_window_in_days", var.recovery_window_in_days)
-  tags                    = merge(var.tags, lookup(each.value, "tags", null))
+  for_each                       = var.rotate_secrets
+  name                           = lookup(each.value, "name_prefix", null) == null ? each.key : null
+  name_prefix                    = lookup(each.value, "name_prefix", null) != null ? lookup(each.value, "name_prefix") : null
+  description                    = lookup(each.value, "description")
+  kms_key_id                     = lookup(each.value, "kms_key_id", null)
+  policy                         = lookup(each.value, "policy", null)
+  force_overwrite_replica_secret = lookup(each.value, "force_overwrite_replica_secret", false)
+  recovery_window_in_days        = lookup(each.value, "recovery_window_in_days", var.recovery_window_in_days)
+  tags                           = merge(var.tags, lookup(each.value, "tags", null))
 }
 
 resource "aws_secretsmanager_secret_version" "rsm-sv" {