Secrets Manager

module "secrets_encryption_key" {
  # Customer-managed KMS key, sourced from the organization's private module
  # registry, that encrypts the Secrets Manager secret declared below.
  source  = "registry.patterneddesigns.ca/patterneddesigns/kms-key/aws"
  version = "1.0.0"

  description = "Encryption key for Secrets Manager secrets"
  alias       = "alias/secrets-manager"
}

resource "aws_secretsmanager_secret" "database_credentials" {
  # Secret container only; the value is written by the
  # aws_secretsmanager_secret_version resource that follows.
  description = "Database credentials for production environment"
  name        = "prod/database/credentials"

  # Encrypt with the customer-managed key from the module above rather than
  # the account's AWS-managed default Secrets Manager key.
  kms_key_id = module.secrets_encryption_key.key_arn

  # NOTE(review): the name is fixed. A deleted secret keeps its name reserved
  # for the recovery window (30 days unless overridden), so recreating this
  # resource under the same name may fail until the old one is purged.
  tags = {
    Environment = "production"
  }
}

resource "aws_secretsmanager_secret_version" "database_credentials" {
  secret_id = aws_secretsmanager_secret.database_credentials.id

  # The JSON document below is the secret value. Terraform persists it in
  # plaintext in the state file, so the state backend must be encrypted and
  # access-restricted. var.db_password is declared outside this file; it
  # should carry sensitive = true so the value is also redacted from
  # plan/apply output.
  # NOTE(review): the username is fixed to "admin" while host and password
  # come from variables — confirm this is intended.
  secret_string = jsonencode({
    username = "admin"
    password = var.db_password
    host     = var.db_host
    port     = 5432
  })
}

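# IAM policy for applications to access the secret.
# Grants read-only access to this one secret plus the kms:Decrypt needed to
# read it, with the Decrypt grant scoped to this secret's ciphertext only.
data "aws_iam_policy_document" "secrets_access" {
  statement {
    sid    = "ReadDatabaseCredentials"
    effect = "Allow"
    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret"
    ]
    resources = [aws_secretsmanager_secret.database_credentials.arn]
  }

  statement {
    sid    = "DecryptDatabaseCredentials"
    effect = "Allow"
    actions = [
      "kms:Decrypt"
    ]
    resources = [module.secrets_encryption_key.key_arn]

    # Secrets Manager supplies the secret's ARN as KMS encryption context
    # ("SecretARN") when decrypting a secret value. Requiring it here means
    # the principal can only decrypt ciphertext that belongs to this secret;
    # a direct kms:Decrypt call, or a decrypt on behalf of another secret
    # protected by the same key, is denied. Without the condition the grant
    # covered any ciphertext under the key.
    condition {
      test     = "StringEquals"
      variable = "kms:EncryptionContext:SecretARN"
      values   = [aws_secretsmanager_secret.database_credentials.arn]
    }
  }
}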

output "secret_arn" {
  # ARN (not the value) of the database credentials secret, for consumers
  # that need to attach the access policy or reference the secret.
  description = "ARN of the production database credentials secret"
  value       = aws_secretsmanager_secret.database_credentials.arn
}

output "encryption_key_arn" {
  # ARN of the customer-managed KMS key that encrypts the secret above.
  description = "ARN of the KMS key encrypting Secrets Manager secrets"
  value       = module.secrets_encryption_key.key_arn
}