Security Modules 0.75.0
Last updated in version 0.69.2
Resource-based policies for Secrets Manager secrets
This module manages resource-based policies on AWS Secrets Manager secrets.
The module accepts a secret_policies variable containing a map of objects. Each object contains the ARN of a secret and a few options for customizing its resource-based policy. These options include:
- To provide read-only access to the secret value (e.g. the secretsmanager:GetSecretValue IAM action), use the iam_entities_with_read_access attribute.
- To provide full access to the secret value (e.g. secretsmanager:* IAM actions), use the iam_entities_with_full_access attribute.
- If neither of these canned options is desired, use the policy_statement_json attribute to provide a completely custom policy. The value should be a JSON string generated by the aws_iam_policy_document data source.
Note that iam_entities_with_read_access and iam_entities_with_full_access are convenient shortcuts. They are mutually exclusive with policy_statement_json, which gives you full control over the policy. If the latter is provided, the former will be ignored.
Note also that you should only manage the policy for any given secret one time. That is, do not pass the same arn value more than once. Doing so will result in a non-deterministic policy on that secret.
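The following is an added, complete Terraform example (it is not the module's own sample code) that exercises all three options of secret_policies in a single module call: one secret with the canned read-only shortcut, one with the canned full-access shortcut, and one with a custom policy built from the aws_iam_policy_document data source. Every account ID, ARN, role name and Organization ID is a constructed placeholder. It also assumes that an empty list or a null string is how you leave an attribute "unset" in this module; if your version of the module prefers a different sentinel, adjust those values.

```hcl
# Added example, not the module's own sample. All IDs and ARNs below are constructed placeholders.

provider "aws" {
  region = "us-east-1" # assumption: the region in which the secrets live
}

# Custom policy for the third secret: read access only for principals that belong to a
# single AWS Organization. The Organization ID is a constructed placeholder.
data "aws_iam_policy_document" "org_read_only" {
  statement {
    sid       = "AllowReadFromOrganizationOnly"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = ["*"] # in a secret's resource policy, "*" means "this secret"

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    # Scope the wildcard principal down to callers inside one organization.
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = ["o-exampleorgid"] # constructed placeholder
    }
  }
}

locals {
  account_id = "123456789012" # constructed placeholder

  # Each secret ARN appears exactly once in secret_policies, as the module requires;
  # passing the same arn twice would make the resulting policy non-deterministic.
  db_secret_arn     = "arn:aws:secretsmanager:us-east-1:${local.account_id}:secret:prod/db-password-AbCdEf"
  api_secret_arn    = "arn:aws:secretsmanager:us-east-1:${local.account_id}:secret:prod/api-key-GhIjKl"
  shared_secret_arn = "arn:aws:secretsmanager:us-east-1:${local.account_id}:secret:prod/shared-config-MnOpQr"
}

module "secrets_manager_resource_policies" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/secrets-manager-resource-policies?ref=v0.75.0"

  secret_policies = {
    # 1) Canned read-only access: the application role can fetch the value but cannot
    #    rotate, update or delete the secret.
    db_password = {
      arn                           = local.db_secret_arn
      iam_entities_with_read_access = ["arn:aws:iam::${local.account_id}:role/app-server"]
      iam_entities_with_full_access = []
      policy_statement_json         = null
    }

    # 2) Canned full access (secretsmanager:*): only the operations role may manage this secret.
    api_key = {
      arn                           = local.api_secret_arn
      iam_entities_with_read_access = []
      iam_entities_with_full_access = ["arn:aws:iam::${local.account_id}:role/secrets-admin"]
      policy_statement_json         = null
    }

    # 3) Custom policy: the JSON string takes precedence, so the two list attributes
    #    are ignored for this entry even if they were populated.
    shared_config = {
      arn                           = local.shared_secret_arn
      iam_entities_with_read_access = []
      iam_entities_with_full_access = []
      policy_statement_json         = data.aws_iam_policy_document.org_read_only.json
    }
  }
}
```

The map keys (db_password, api_key, shared_config) are only labels for the entries; what must be unique is the arn inside each entry. Keeping the custom policy in an aws_iam_policy_document data source rather than a hand-written heredoc lets terraform validate catch malformed statements before anything is applied.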
Sample Usage
main.tf
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S SECRETS-MANAGER-RESOURCE-POLICIES MODULE
# ------------------------------------------------------------------------------------------------------
module "secrets_manager_resource_policies" {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/secrets-manager-resource-policies?ref=v0.75.0"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
secret_policies = <map(object(
arn = string
iam_entities_with_read_access = list(string)
iam_entities_with_full_access = list(string)
policy_statement_json = string
))>
}
terragrunt.hcl
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S SECRETS-MANAGER-RESOURCE-POLICIES MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/secrets-manager-resource-policies?ref=v0.75.0"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
secret_policies = <map(object(
arn = string
iam_entities_with_read_access = list(string)
iam_entities_with_full_access = list(string)
policy_statement_json = string
))>
}