Combine all modules into one

pogosoftware · Apr 22, 2022 · efa20d3 · efa20d3
1 parent 453fba6
commit efa20d3
Show file tree

Hide file tree

Showing 12 changed files with 249 additions and 15 deletions.
diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
diff --git a/README.md b/README.md
@@ -1 +1,55 @@
-# terraform-aws-secrets-manager
+# terraform-aws-secrets-manager
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_secret"></a> [secret](#module\_secret) | ./modules/secret | n/a |
+| <a name="module_secret_policy"></a> [secret\_policy](#module\_secret\_policy) | ./modules/secret_policy | n/a |
+| <a name="module_secret_rotation"></a> [secret\_rotation](#module\_secret\_rotation) | ./modules/secret_rotation | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_create_secret"></a> [create\_secret](#input\_create\_secret) | Whether to create this resource or not? | `bool` | `true` | no |
+| <a name="input_create_secret_policy"></a> [create\_secret\_policy](#input\_create\_secret\_policy) | Whether to create this resource or not? | `bool` | `true` | no |
+| <a name="input_create_secret_rotation"></a> [create\_secret\_rotation](#input\_create\_secret\_rotation) | Whether to create this resource or not? | `bool` | `true` | no |
+| <a name="input_description"></a> [description](#input\_description) | Description of the secret | `string` | `null` | no |
+| <a name="input_force_overwrite_replica_secret"></a> [force\_overwrite\_replica\_secret](#input\_force\_overwrite\_replica\_secret) | Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region | `bool` | `null` | no |
+| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named `aws/secretsmanager`). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. | `string` | `null` | no |
+| <a name="input_name"></a> [name](#input\_name) | Required if `create_secret` is `true`. Friendly name of the new secret | `string` | `null` | no |
+| <a name="input_policy"></a> [policy](#input\_policy) | Required if `create_secret_policy` is `true`. Valid JSON document representing a resource policy | `string` | n/a | yes |
+| <a name="input_recovery_window_in_days"></a> [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from `7` to `30` days. The default value is `30` | `number` | `30` | no |
+| <a name="input_replica"></a> [replica](#input\_replica) | Configuration block to support secret replication | `map(any)` | `{}` | no |
+| <a name="input_rotation_lambda_arn"></a> [rotation\_lambda\_arn](#input\_rotation\_lambda\_arn) | Required if `create_secret_rotation` is `true`. Specifies the ARN of the Lambda function that can rotate the secret | `string` | n/a | yes |
+| <a name="input_rotation_rules"></a> [rotation\_rules](#input\_rotation\_rules) | Required if `create_secret_rotation` is `true`. A structure that defines the rotation configuration for this secret | <pre>map(object({<br>    automatically_after_days = number<br>  }))</pre> | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to the resource | `map(string)` | `{}` | no |
+| <a name="input_use_name_prefix"></a> [use\_name\_prefix](#input\_use\_name\_prefix) | Determines whether to use `name` as is or create a unique name beginning with `name` as the specified prefix | `bool` | `true` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_secret_arn"></a> [secret\_arn](#output\_secret\_arn) | The ARN of the secret |
+| <a name="output_secret_id"></a> [secret\_id](#output\_secret\_id) | The ID of the secret |
+| <a name="output_secret_policy_id"></a> [secret\_policy\_id](#output\_secret\_policy\_id) | The ID of the secret policy |
+| <a name="output_secret_replica"></a> [secret\_replica](#output\_secret\_replica) | Attributes of a replica |
+| <a name="output_secret_rotation_enabled"></a> [secret\_rotation\_enabled](#output\_secret\_rotation\_enabled) | Specifies whether automatic rotation is enabled for this secret |
+| <a name="output_secret_rotation_id"></a> [secret\_rotation\_id](#output\_secret\_rotation\_id) | Amazon Resource Name (ARN) of the secret |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/main.tf b/main.tf
@@ -0,0 +1,34 @@
+module "secret" {
+  source = "./modules/secret"
+
+  create = var.create_secret
+
+  name                           = var.name
+  use_name_prefix                = var.use_name_prefix
+  description                    = var.description
+  kms_key_id                     = var.kms_key_id
+  recovery_window_in_days        = var.recovery_window_in_days
+  replica                        = var.replica
+  force_overwrite_replica_secret = var.force_overwrite_replica_secret
+
+  tags = var.tags
+}
+
+module "secret_policy" {
+  source = "./modules/secret_policy"
+
+  create = var.create_secret_policy
+
+  secret_arn = module.secret.arn
+  policy     = var.policy
+}
+
+module "secret_rotation" {
+  source = "./modules/secret_rotation"
+
+  create = var.create_secret_rotation
+
+  secret_id           = module.secret.id
+  rotation_lambda_arn = var.rotation_lambda_arn
+  rotation_rules      = var.rotation_rules
+}
diff --git a/modules/secret/README.md b/modules/secret/README.md
@@ -35,7 +35,6 @@ No modules.
 | <a name="input_force_overwrite_replica_secret"></a> [force\_overwrite\_replica\_secret](#input\_force\_overwrite\_replica\_secret) | Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region | `bool` | `null` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named `aws/secretsmanager`). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time. | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Friendly name of the new secret | `string` | n/a | yes |
-| <a name="input_policy"></a> [policy](#input\_policy) | Valid JSON document representing a resource policy | `string` | `null` | no |
 | <a name="input_recovery_window_in_days"></a> [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from `7` to `30` days. The default value is `30` | `number` | `30` | no |
 | <a name="input_replica"></a> [replica](#input\_replica) | Configuration block to support secret replication | `map(any)` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to assign to the resource | `map(string)` | `{}` | no |

diff --git a/modules/secret/main.tf b/modules/secret/main.tf
@@ -5,7 +5,6 @@ resource "aws_secretsmanager_secret" "this" {
   name_prefix                    = local.name_prefix
   description                    = var.description
   kms_key_id                     = var.kms_key_id
-  policy                         = var.policy
   recovery_window_in_days        = var.recovery_window_in_days
   force_overwrite_replica_secret = var.force_overwrite_replica_secret
 

diff --git a/modules/secret/outputs.tf b/modules/secret/outputs.tf
@@ -1,14 +1,14 @@
 output "id" {
   description = "The ID of the secret"
-  value       = aws_secretsmanager_secret.this[0].id
+  value       = try(aws_secretsmanager_secret.this[0].id, "")
 }
 
 output "arn" {
   description = "The ARN of the secret"
-  value       = aws_secretsmanager_secret.this[0].arn
+  value       = try(aws_secretsmanager_secret.this[0].arn, "")
 }
 
 output "replica" {
   description = "Attributes of a replica"
-  value       = aws_secretsmanager_secret.this[0].replica
+  value       = try(aws_secretsmanager_secret.this[0].replica, "")
 }
diff --git a/modules/secret/variables.tf b/modules/secret/variables.tf
@@ -27,12 +27,6 @@ variable "kms_key_id" {
   type        = string
 }
 
-variable "policy" {
-  default     = null
-  description = "Valid JSON document representing a resource policy"
-  type        = string
-}
-
 variable "recovery_window_in_days" {
   default     = 30
   description = "Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from `7` to `30` days. The default value is `30`"

diff --git a/modules/secret_policy/outputs.tf b/modules/secret_policy/outputs.tf
@@ -1,4 +1,4 @@
 output "id" {
   description = "The ID of the secret policy"
-  value       = aws_secretsmanager_secret_policy.this[0].id
+  value       = try(aws_secretsmanager_secret_policy.this[0].id, "")
 }
diff --git a/modules/secret_rotation/outputs.tf b/modules/secret_rotation/outputs.tf
@@ -1,9 +1,9 @@
 output "id" {
   description = "Amazon Resource Name (ARN) of the secret"
-  value       = aws_secretsmanager_secret_rotation.this[0].id
+  value       = try(aws_secretsmanager_secret_rotation.this[0].id, "")
 }
 
 output "rotation_enabled" {
   description = "Specifies whether automatic rotation is enabled for this secret"
-  value       = aws_secretsmanager_secret_rotation.this[0].rotation_enabled
+  value       = try(aws_secretsmanager_secret_rotation.this[0].rotation_enabled, "")
 }
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,38 @@
+##########################################################################
+### secret
+##########################################################################
+output "secret_id" {
+  description = "The ID of the secret"
+  value       = try(module.secret.this[0].id, "")
+}
+
+output "secret_arn" {
+  description = "The ARN of the secret"
+  value       = try(module.secret.this[0].arn, "")
+}
+
+output "secret_replica" {
+  description = "Attributes of a replica"
+  value       = try(module.secret.this[0].replica, "")
+}
+
+##########################################################################
+### secret_policy
+##########################################################################
+output "secret_policy_id" {
+  description = "The ID of the secret policy"
+  value       = try(module.secret_policy.this[0].id, "")
+}
+
+##########################################################################
+### secret_rotation
+##########################################################################
+output "secret_rotation_id" {
+  description = "Amazon Resource Name (ARN) of the secret"
+  value       = try(module.secret_rotation.this[0].id, "")
+}
+
+output "secret_rotation_enabled" {
+  description = "Specifies whether automatic rotation is enabled for this secret"
+  value       = try(module.secret_rotation.this[0].rotation_enabled, "")
+}
diff --git a/terraform.tf b/terraform.tf
@@ -0,0 +1,3 @@
+terraform {
+  required_version = "~> 1.0"
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,91 @@
+##########################################################################
+### secret
+##########################################################################
+variable "name" {
+  default     = null
+  description = "Required if `create_secret` is `true`. Friendly name of the new secret"
+  type        = string
+}
+
+variable "create_secret" {
+  default     = true
+  description = "Whether to create this resource or not?"
+  type        = bool
+}
+
+variable "description" {
+  default     = null
+  description = "Description of the secret"
+  type        = string
+}
+
+variable "kms_key_id" {
+  default     = null
+  description = "ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named `aws/secretsmanager`). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time."
+  type        = string
+}
+
+variable "recovery_window_in_days" {
+  default     = 30
+  description = "Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from `7` to `30` days. The default value is `30`"
+  type        = number
+}
+
+variable "replica" {
+  default     = {}
+  description = "Configuration block to support secret replication"
+  type        = map(any)
+}
+
+variable "force_overwrite_replica_secret" {
+  default     = null
+  description = "Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region"
+  type        = bool
+}
+
+variable "tags" {
+  default     = {}
+  description = "A map of tags to assign to the resource"
+  type        = map(string)
+}
+
+variable "use_name_prefix" {
+  default     = true
+  description = "Determines whether to use `name` as is or create a unique name beginning with `name` as the specified prefix"
+  type        = bool
+}
+
+##########################################################################
+### secret_policy
+##########################################################################
+variable "create_secret_policy" {
+  default     = true
+  description = "Whether to create this resource or not?"
+  type        = bool
+}
+
+variable "policy" {
+  description = "Required if `create_secret_policy` is `true`. Valid JSON document representing a resource policy"
+  type        = string
+}
+
+##########################################################################
+### secret_rotation
+##########################################################################
+variable "create_secret_rotation" {
+  default     = true
+  description = "Whether to create this resource or not?"
+  type        = bool
+}
+
+variable "rotation_lambda_arn" {
+  description = "Required if `create_secret_rotation` is `true`. Specifies the ARN of the Lambda function that can rotate the secret"
+  type        = string
+}
+
+variable "rotation_rules" {
+  description = "Required if `create_secret_rotation` is `true`. A structure that defines the rotation configuration for this secret"
+  type = map(object({
+    automatically_after_days = number
+  }))
+}