These examples demonstrate practical, real-world usage patterns for the secrets-manager module. Each example is self-contained and ready to run—simply copy the configuration, customize the values for your environment, and apply.

Getting Started

To run any example, follow these steps:

  1. Authenticate with the registry: terraform login registry.patterneddesigns.ca
  2. Initialize the working directory: terraform init
  3. Review the execution plan: terraform plan
  4. Apply the configuration: terraform apply

Usage Examples

Basic Usage

Store database credentials in Secrets Manager

# Minimal module call: a username/password pair serialised to one JSON document.
# No kms_key_id is passed, so encryption falls back to the module's default
# (presumably the AWS-managed aws/secretsmanager key — confirm in the module docs).
# random_password.db is not declared in this snippet; the Database Credentials
# example further down shows that resource.
module "db_credentials" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "2.1.0"

  # Secret name using a hierarchical env/component/purpose path.
  # NOTE: random_password.db.result, and therefore the whole secret_string,
  # is recorded in plain text in Terraform state; keep the state backend
  # access-restricted and encrypted at rest.
  name          = "prod/database/credentials"
  secret_string = jsonencode({
    username = "admin"
    password = random_password.db.result
  })
}

Database Credentials

Store database credentials in a structured JSON format

# Database credentials as one structured JSON document (engine, host, port,
# user, password, dbname) so a consumer parses a single secret.
module "db_credentials" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "2.1.0"

  name = "prod/rds/postgres/credentials"

  # Customer-managed key instead of the service default. module.kms is not
  # part of this snippet.
  kms_key_id = module.kms.key_id

  # Presumably mapped to the secret's recovery window: a deleted secret stays
  # restorable for 14 days before it is removed for good.
  recovery_window_in_days = 14

  # The generated password ends up in plain text in Terraform state; protect
  # the state backend accordingly. Referencing the DB endpoint also makes
  # Terraform create the instance before the secret.
  secret_string = jsonencode({
    engine   = "postgres"
    host     = aws_db_instance.main.endpoint
    port     = 5432
    username = "app_user"
    password = random_password.db.result
    dbname   = "application"
  })
}

# 32-character generated password for the database user. The provider marks
# `result` sensitive in plan output, but it is still stored in plain text in
# state.
# NOTE(review): special = true permits characters that some engines or
# connection-string parsers reject; if that becomes a problem, narrow the
# allowed set rather than dropping special characters altogether.
resource "random_password" "db" {
  special = true
  length  = 32
}

API Keys Storage

Store API keys for external service integrations

# Stripe integration keys bundled into one JSON secret. Declare the three
# var.stripe_* inputs with `sensitive = true` so they are redacted from plan
# output; the assembled secret_string will still be present in state.
module "stripe_api_key" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "2.1.0"

  name       = "prod/integrations/stripe"
  kms_key_id = module.kms.key_id

  # 7 days is the shortest non-zero recovery window Secrets Manager accepts.
  recovery_window_in_days = 7

  # publishable_key is not confidential on its own, but storing it next to the
  # secret and webhook keys means every reader of this secret receives all three.
  secret_string = jsonencode({
    publishable_key = var.stripe_publishable_key
    secret_key      = var.stripe_secret_key
    webhook_secret  = var.stripe_webhook_secret
  })
}

# Single-value secret: secret_string is the raw API key string, not a JSON
# document. Declare var.sendgrid_api_key with `sensitive = true`. No recovery
# window is given, so the module's default applies (not visible here).
module "sendgrid_api_key" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "2.1.0"

  name          = "prod/integrations/sendgrid"
  secret_string = var.sendgrid_api_key

  # Customer-managed key; module.kms is not part of this snippet.
  kms_key_id = module.kms.key_id
}

Automatic Rotation

Configure automatic secret rotation with Lambda

# Seed credentials for a secret that a rotation Lambda later rewrites.
# NOTE(review): after the first rotation the password held in Secrets Manager
# no longer matches random_password.initial.result kept in state and config.
# Unless the module ignores changes to secret_string after creation, a later
# `terraform apply` may overwrite the rotated value with the stale seed —
# confirm the module's behaviour before relying on this pattern.
module "rotated_credentials" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "2.1.0"

  # Initial JSON payload; the rotation function is expected to keep this shape.
  name          = "prod/database/rotated-credentials"
  secret_string = jsonencode({
    engine   = "mysql"
    host     = aws_db_instance.main.endpoint
    port     = 3306
    username = "app_user"
    password = random_password.initial.result
    dbname   = "application"
  })

  # Customer-managed key and the longest recovery window shown in these examples.
  kms_key_id              = module.kms.key_id
  recovery_window_in_days = 30
}

# Attach a rotation schedule to the secret created above. Two prerequisites
# are not shown in this snippet: Secrets Manager must be permitted to invoke
# the function (an aws_lambda_permission with the secretsmanager.amazonaws.com
# principal), and the function's execution role needs access to this secret
# plus network reachability to the database it rotates.
resource "aws_secretsmanager_secret_rotation" "rotation" {
  secret_id           = module.rotated_credentials.secret_id
  rotation_lambda_arn = module.rotation_lambda.function_arn

  # Rotate every 30 days; align this with the credential policy for the DB.
  rotation_rules {
    automatically_after_days = 30
  }
}

# Seed password used only until the first rotation replaces it.
# special = false keeps the value alphanumeric; at 32 characters the keyspace
# is still far beyond brute-force reach.
resource "random_password" "initial" {
  special = false
  length  = 32
}

JSON Structured Secrets

Store complex configuration as JSON-structured secrets

# One JSON document holding several credentials plus non-secret settings.
# Least-privilege caveat: a consumer that only needs feature_flags or the
# redirect_uri must be granted GetSecretValue on the whole document and so
# also receives the database, redis and OAuth credentials. Consider keeping
# non-sensitive configuration elsewhere (e.g. SSM Parameter Store) and giving
# each credential set its own secret. Every edit also creates a new secret
# version, so changing a flag re-publishes all credentials.
module "app_config" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "2.1.0"

  # Nested objects are fine; the encoded value must stay under Secrets
  # Manager's 64 KiB limit per secret value.
  name = "prod/app/configuration"
  secret_string = jsonencode({
    database = {
      host     = "db.example.com"
      port     = 5432
      username = "app_user"
      password = var.db_password
      ssl      = true
    }
    redis = {
      host     = "redis.example.com"
      port     = 6379
      password = var.redis_password
    }
    oauth = {
      client_id     = var.oauth_client_id
      client_secret = var.oauth_client_secret
      redirect_uri  = "https://app.example.com/callback"
    }
    # Not secret; included here only for convenience (see caveat above).
    feature_flags = {
      enable_beta    = true
      max_batch_size = 100
    }
  })

  # Customer-managed key; module.kms is not part of this snippet.
  kms_key_id = module.kms.key_id
}

Cross-Account Access

Share secrets across AWS accounts with resource policies

# Secret read by other AWS accounts via the resource policy below.
# Cross-account reads require a customer-managed KMS key whose key policy
# also grants kms:Decrypt to the external principals; the AWS-managed
# aws/secretsmanager key cannot be used across accounts. module.kms is not
# shown here — confirm its key policy covers those accounts.
module "shared_credentials" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/secrets-manager/aws"
  version = "2.1.0"

  name       = "shared/database/credentials"
  kms_key_id = module.kms.key_id

  # 30-day recovery window before a deleted secret is permanently removed.
  recovery_window_in_days = 30

  # Declare var.shared_db_password with `sensitive = true`; the value is
  # still stored in plain text in Terraform state.
  secret_string = jsonencode({
    host     = "shared-db.example.com"
    port     = 5432
    username = "shared_user"
    password = var.shared_db_password
  })
}

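# Resource-based policy granting two external principals read access to the
# shared secret. Resource = "*" is acceptable here because the policy is
# attached to this one secret and cannot reach any other.
# Least-privilege note: the ":root" principal delegates to every IAM principal
# in 111122223333 that the account's own policies allow; prefer a specific role
# (as done for 444455556666) wherever the consuming account can provide one.
resource "aws_secretsmanager_secret_policy" "cross_account" {
  secret_arn = module.shared_credentials.secret_arn

  # Reject any policy that would make the secret readable by anonymous or
  # all-AWS principals, so a later edit cannot accidentally expose it.
  block_public_policy = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowCrossAccountAccess"
        Effect = "Allow"
        Principal = {
          AWS = [
            "arn:aws:iam::111122223333:root",
            "arn:aws:iam::444455556666:role/ApplicationRole"
          ]
        }
        # Read-only: value retrieval plus metadata lookup, no write or delete.
        Action = [
          "secretsmanager:GetSecretValue",
          "secretsmanager:DescribeSecret"
        ]
        Resource = "*"
      }
    ]
  })
}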