Luscii/terraform-aws-service-secrets

terraform-aws-service-secrets

Module to handle secrets for AWS (ECS) services

Example

module "service_secrets" {
  source = "./"

  kms_key_id = "<KMS_KEY_ID>"
  secrets = {
    db_pass = {
      value       = "DatabaseP@ssw0rd!"
      description = "Password for the Database"
    }
    use_already_set_secret = {
      value_from_arn = "arn:aws:secretsmanager:<REGION>:<ACCOUNT_ID>:secret:<SECRET_NAME>"
      description    = "Secret that has already been set can also be reused"
    }
  }
}

data "aws_iam_policy_document" "secrets" {
  statement {
    sid       = "GetSecrets"
    effect    = "Allow"
    actions   = [
      "secretsmanager:GetSecretValue"
    ]
    resources = module.service_secrets.arns
  }
  statement {
    sid       = "kmsDecrypt"
    effect    = "Allow"
    actions   = [
      "kms:Decrypt"
    ]
    resources = [
      module.service_secrets.kms_key_arn
    ]
  }
}

module "container_definition" {
  source  = "cloudposse/ecs-container-definition/aws"
  version = "0.61.1"

  container_name  = "service"
  container_image = "docker/service-image"

  environment = [
    {
      name  = "ENVIRONMENT",
      value = "production"
    }
  ]
  secrets     = module.service_secrets.container_definition
}
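The example above produces the policy document and the container `secrets` list but stops short of attaching them to anything. The following added example (not part of the module's README) wires them to an ECS task execution role, which is the principal ECS uses to fetch the secrets and decrypt them at task start; the role, policy and family names are placeholders, and `json_map_encoded_list` is an output of the cloudposse container-definition module.

```hcl
# Added example: attach the secrets policy from the README example to the
# ECS task execution role and reference that role from a task definition.

data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "execution" {
  name               = "service-execution-role" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}

# AWS-managed policy for pulling images and writing logs; it grants nothing
# on Secrets Manager or KMS, so secret access stays limited to the inline
# policy below.
resource "aws_iam_role_policy_attachment" "execution_managed" {
  role       = aws_iam_role.execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Inline policy scoped to exactly the secret ARNs and KMS key the module
# manages (data.aws_iam_policy_document.secrets from the README example).
resource "aws_iam_role_policy" "execution_secrets" {
  name   = "service-secrets" # placeholder name
  role   = aws_iam_role.execution.id
  policy = data.aws_iam_policy_document.secrets.json
}

resource "aws_ecs_task_definition" "service" {
  family                   = "service" # placeholder family
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = "256"
  memory                   = "512"
  execution_role_arn       = aws_iam_role.execution.arn
  container_definitions    = module.container_definition.json_map_encoded_list
}
```

Note that a secret supplied through `value` is written to Terraform state by `aws_secretsmanager_secret_version`, so the state backend needs the same access control and encryption as the secret itself; `value_from_arn` keeps the secret material out of the configuration and state entirely.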

Configuration

Requirements

Name Version
terraform >= 1.3
aws >= 4.9

Providers

Name Version
aws 5.90.0

Modules

Name Source Version
path cloudposse/label/null 0.25.0
secret_path cloudposse/label/null 0.25.0

Resources

Name Type
aws_secretsmanager_secret.secrets resource
aws_secretsmanager_secret_version.secrets resource
aws_kms_key.kms_key data source
aws_secretsmanager_secret.existing data source

Inputs

context
  Description: Single object for setting the entire context at once. See the description of individual variables for details. Leave string and numeric variables as null to use the default value. Individual variable settings (non-null) override settings in the context object, except for attributes, tags, and additional_tag_map, which are merged.
  Type: any
  Default:
    {
      "additional_tag_map": {},
      "attributes": [],
      "delimiter": null,
      "descriptor_formats": {},
      "enabled": true,
      "environment": null,
      "id_length_limit": null,
      "label_key_case": null,
      "label_order": [],
      "label_value_case": null,
      "labels_as_tags": [
        "unset"
      ],
      "name": null,
      "namespace": null,
      "regex_replace_chars": null,
      "stage": null,
      "tags": {},
      "tenant": null
    }
  Required: no

kms_key_id
  Description: KMS key identifier used to encrypt the secret values in the versions stored in each secret. Can be in any of the formats: Key ID, Key ARN, Alias Name, Alias ARN.
  Type: string
  Default: n/a
  Required: yes

path_delimiter
  Description: Delimiter to use in the path creation.
  Type: string
  Default: "/"
  Required: no

path_tags
  Description: Additional tags appended to the context and label tags for the path.
  Type: map(string)
  Default: {}
  Required: no

secrets
  Description: Map of secrets; each key will be the secret name. When value is set, a secret is created. Otherwise the ARN of the existing secret is added to the outputs.
  Type:
    map(object({
      value          = optional(string)
      description    = optional(string)
      value_from_arn = optional(string)
    }))
  Default: n/a
  Required: yes

Outputs

Name Description
arns List of ARNs of the secrets - to use in IAM policies
container_definition List of secrets maps in the format: { name = , valueFrom = } - to use in container definitions
kms_key_arn ARN of the KMS key used to encrypt the secret values
kms_key_id ID of the KMS key used to encrypt the secret values
secret_version_ids Map of secret version IDs, each key is the name, the value is the secret version ID
secrets Map of secrets, each key is the name, the value is the secret resource
