secrets-manager

Category Security
Latest Version 0.1.0

Terraform module for AWS Secrets Manager secrets

Add to your Terraform configuration
module "secrets_manager" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "0.1.0"

  # Required inputs
  name = "..."
}

Overview

The secrets-manager module creates AWS Secrets Manager secrets with production-ready defaults including:

  • Automatic secret rotation with Lambda integration
  • Customer-managed KMS key encryption
  • Cross-account access via resource policies
  • Configurable recovery window for deletion protection
  • Version tracking and management

Category Security
Provider AWS
Latest Version 2.1.0

Quick Start

# Generated password for the example. Like secret_string, the generated
# value is stored in plaintext in the Terraform state file, so the state
# backend must be encrypted and access-restricted.
resource "random_password" "db" {
  length  = 32
  special = true
}

module "db_credentials" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "2.1.0"

  name          = "prod/database/credentials"
  secret_string = jsonencode({
    username = "admin"
    password = random_password.db.result
  })
}

Key Features

KMS Encryption

Use a customer-managed KMS key instead of the AWS-managed aws/secretsmanager key when you need control over the key policy (which principals may decrypt, and only through Secrets Manager), CloudTrail visibility of every use of the key, or cross-account reads, which are not possible with the AWS-managed key. Note that a customer-managed key adds a second permission check: a reader needs secretsmanager:GetSecretValue on the secret and kms:Decrypt on the key, or GetSecretValue fails with AccessDenied:

module "encrypted_secret" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "2.1.0"

  name          = "prod/api/credentials"
  secret_string = var.api_key
  kms_key_id    = module.kms.key_id
}
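The following is an added example, not the module's own code, showing the pieces the snippet above leaves implicit: a customer-managed key whose policy lets the application role decrypt only through Secrets Manager, the module wired to that key, and the IAM policy the reader needs on both the secret and the key. It assumes the module passes kms_key_id straight through to aws_secretsmanager_secret (which accepts a key ID, ARN or alias), that aws_iam_role.app is the role that will call GetSecretValue, and that var.api_key is declared elsewhere; the region and account are read from data sources.

```hcl
# Added example (not part of the module). Assumptions: aws_iam_role.app exists,
# var.api_key is declared, and kms_key_id is passed through to the AWS resource.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_kms_key" "secrets" {
  description         = "Secrets Manager key for prod/api/credentials"
  enable_key_rotation = true # automatic yearly rotation of the key material

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Administration stays with the account; without a statement like this
        # the key cannot be managed at all.
        Sid       = "AllowAccountAdministration"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        # The app role may decrypt only when the request arrives through
        # Secrets Manager in this region, not by calling KMS directly.
        Sid       = "AllowAppDecryptViaSecretsManager"
        Effect    = "Allow"
        Principal = { AWS = aws_iam_role.app.arn }
        Action    = ["kms:Decrypt", "kms:DescribeKey"]
        Resource  = "*"
        Condition = {
          StringEquals = {
            "kms:ViaService" = "secretsmanager.${data.aws_region.current.name}.amazonaws.com"
          }
        }
      }
    ]
  })
}

module "encrypted_secret" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "2.1.0"

  name          = "prod/api/credentials"
  secret_string = var.api_key
  kms_key_id    = aws_kms_key.secrets.arn
}

# The reader needs permission on the secret AND on the key. Both statements are
# scoped to a single ARN; no wildcard on either side.
data "aws_iam_policy_document" "read_secret" {
  statement {
    sid       = "ReadSecret"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [module.encrypted_secret.secret_arn]
  }
  statement {
    sid       = "DecryptSecret"
    actions   = ["kms:Decrypt"]
    resources = [aws_kms_key.secrets.arn]
  }
}

resource "aws_iam_role_policy" "app_read_secret" {
  name   = "read-prod-api-credentials"
  role   = aws_iam_role.app.id
  policy = data.aws_iam_policy_document.read_secret.json
}
```

The kms:ViaService condition means the app role cannot use the key to decrypt arbitrary ciphertext, only secrets served by Secrets Manager. The identity that runs terraform apply also needs kms:GenerateDataKey and kms:Decrypt on the key, because Secrets Manager encrypts new secret versions and the provider reads the value back; with the account-root statement above, that can be granted through an ordinary IAM policy.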

Recovery Window

Configure how long a deleted secret stays recoverable. AWS accepts 7 to 30 days (the default is 30); during that window the secret can be restored (for example with aws secretsmanager restore-secret) and its name cannot be reused until it is restored or permanently deleted, so a destroy-and-recreate of the same name fails until the window elapses. A value of 0 deletes immediately with no recovery, which is only appropriate for throwaway or test secrets:

module "critical_secret" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "2.1.0"

  name                    = "prod/critical/credentials"
  secret_string           = var.secret_value
  recovery_window_in_days = 30
}

JSON Structured Secrets

Store related credentials as one JSON document rather than as several separate secrets. The whole document is the secret value, so consumers parse it and rotation must rewrite it in full; the upside is that services which understand the JSON-key syntax (ECS task secrets, for example) can hand a container a single field without exposing the rest:

module "app_config" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "2.1.0"

  name          = "prod/app/config"
  secret_string = jsonencode({
    database_host     = "db.example.com"
    database_port     = 5432
    database_username = "app_user"
    database_password = var.db_password
    api_key           = var.api_key
  })
}
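As an added example (not the module's own code), here is a consumer of the JSON secret above: an ECS task definition that injects individual keys into the container as environment variables through the ECS JSON-key syntax, so the container sees only the fields it needs and the values never pass through Terraform plan output. It assumes module "app_config" from above is declared in the same configuration and uses the AWS-managed key (with a customer-managed key the execution role would also need kms:Decrypt on that key); the container image URI is a placeholder.

```hcl
# Added example (not part of the module). Assumptions: module "app_config" is
# declared as in the page's example, the secret uses the AWS-managed key, and
# the image URI below is a placeholder.

resource "aws_iam_role" "task_execution" {
  name = "prod-app-task-execution"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "task_execution_base" {
  role       = aws_iam_role.task_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# The execution role (not the task role, not Terraform) fetches the secret at
# task start. Scope the read to this one secret ARN.
resource "aws_iam_role_policy" "task_execution_read_secret" {
  name = "read-prod-app-config"
  role = aws_iam_role.task_execution.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "secretsmanager:GetSecretValue"
      Resource = module.app_config.secret_arn
    }]
  })
}

resource "aws_ecs_task_definition" "app" {
  family                   = "prod-app"
  requires_compatibilities = ["FARGATE"]
  network_mode             = "awsvpc"
  cpu                      = 256
  memory                   = 512
  execution_role_arn       = aws_iam_role.task_execution.arn

  container_definitions = jsonencode([{
    name      = "app"
    image     = "123456789012.dkr.ecr.us-east-1.amazonaws.com/app:1.0.0" # placeholder
    essential = true
    # valueFrom format: <secret ARN>:<json-key>:<version-stage>:<version-id>
    # Empty stage and id select the AWSCURRENT version. Only the named key is
    # delivered to the container; the rest of the document is never exposed.
    secrets = [
      { name = "DATABASE_HOST",     valueFrom = "${module.app_config.secret_arn}:database_host::" },
      { name = "DATABASE_USERNAME", valueFrom = "${module.app_config.secret_arn}:database_username::" },
      { name = "DATABASE_PASSWORD", valueFrom = "${module.app_config.secret_arn}:database_password::" },
      { name = "API_KEY",           valueFrom = "${module.app_config.secret_arn}:api_key::" },
    ]
  }])
}
```

Because the secret is referenced by ARN and key name rather than read with a data source, the credential values do not appear in Terraform state for the consumer; only the producer side (the module call with secret_string) holds them in state.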

Documentation

Inputs

name Required
string

Name of the secret

secret_string
string

Secret value as a string. The value is written to the Terraform state file in plaintext, so the state backend must be encrypted and access-restricted.

kms_key_id
string

KMS key ID for encryption. If not specified, AWS uses the default service key (aws/secretsmanager), which cannot be used for cross-account access.

recovery_window_in_days
number Default: 30

Number of days before permanent deletion; AWS accepts 7 to 30. Use 0 for immediate deletion (cannot be recovered).

Outputs

secret_arn

ARN of the secret

secret_id

ID of the secret

secret_version_id

Version ID of the secret