Security Modules 0.72.0 (last updated in version 0.69.2)

Resource-based policies for Secrets Manager secrets


This module manages resource-based policies on AWS Secrets Manager secrets.

The module accepts a secret_policies variable: a map of objects, each containing the ARN of a secret and a few options for customizing that secret's resource-based policy. These options include:

  1. To provide read only access to the secret value (e.g. the secretsmanager:GetSecretValue IAM action), use the iam_entities_with_read_access attribute.
  2. To provide full access to the secret value (e.g. secretsmanager:* IAM actions), use the iam_entities_with_full_access attribute.
  3. If neither of these canned options is desired, use the policy_statement_json attribute to provide a completely custom policy. The value should be a JSON string generated by the aws_iam_policy_document data source.

Note that iam_entities_with_read_access and iam_entities_with_full_access are convenient shortcuts. They are mutually exclusive with policy_statement_json, which gives you full control over the policy. If the latter is provided, the former will be ignored.

Note also that you should manage the policy for any given secret only once. That is, do not pass the same arn value more than once. Doing so will result in a non-deterministic policy on that secret, since the last policy written wins.

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S SECRETS-MANAGER-RESOURCE-POLICIES MODULE
# ------------------------------------------------------------------------------------------------------

module "secrets_manager_resource_policies" {

  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/secrets-manager-resource-policies?ref=v0.72.0"

  # ----------------------------------------------------------------------------------------------------
  # REQUIRED VARIABLES
  # ----------------------------------------------------------------------------------------------------

  # Map of secrets to policy options. Each object holds the secret ARN, the two
  # access-shortcut lists, and an optional custom policy document (JSON string).
  secret_policies = <map(object(
    arn = string

    iam_entities_with_read_access = list(string)
    iam_entities_with_full_access = list(string)
    policy_statement_json = string
  ))>

}
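An added example (not from the module's docs) that fills in the template above with both styles of policy: one secret uses the read/full access shortcuts, the other supplies a custom document built with aws_iam_policy_document. The account ID, role names and secret ARNs are placeholders, and passing null or empty lists for the attributes that are not used is an assumption about how the module treats unset attributes.

```hcl
# Added example, not the module's own code. Account ID, role names and
# secret ARNs are placeholders.

# Custom resource-based policy for the second secret: one application role
# may read the value and its metadata, nothing else is granted.
data "aws_iam_policy_document" "db_password_policy" {
  statement {
    sid     = "AllowReadOnlyFromAppRole"
    effect  = "Allow"
    actions = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111122223333:role/app-role"]
    }
    # In a resource-based policy the resource is the secret the policy is attached to.
    resources = ["*"]
  }
}

module "secrets_manager_resource_policies" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/secrets-manager-resource-policies?ref=v0.72.0"

  # Each secret ARN appears exactly once; listing the same ARN twice would
  # make the resulting policy non-deterministic.
  secret_policies = {
    api_key = {
      arn                           = "arn:aws:secretsmanager:us-east-1:111122223333:secret:api-key-AbCdEf"
      iam_entities_with_read_access = ["arn:aws:iam::111122223333:role/app-role"]
      iam_entities_with_full_access = ["arn:aws:iam::111122223333:role/ops-role"]
      policy_statement_json         = null # assumption: null means "use the shortcuts"
    }
    db_password = {
      arn = "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-password-GhIjKl"
      # Ignored when policy_statement_json is set (see the note on mutual exclusivity).
      iam_entities_with_read_access = []
      iam_entities_with_full_access = []
      policy_statement_json         = data.aws_iam_policy_document.db_password_policy.json
    }
  }
}
```

After apply, confirm the attached policy with `aws secretsmanager get-resource-policy --secret-id <arn>` and check that only the intended principals appear.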