locals {
  # One { name, valueFrom } entry per managed key. `valueFrom` is the secret's ARN,
  # which is the shape the ECS service definitions consume (see existing_secret_refs
  # for the externally supplied entries that use the same shape).
  secret_refs = [
    for secret_key in local.secret_keys : {
      name      = secret_key
      valueFrom = aws_secretsmanager_secret.app_secret[secret_key].arn
    }
  ]

  # Managed refs first, then the pre-existing ones; order is otherwise insignificant.
  all_secret_refs = concat(local.secret_refs, local.existing_secret_refs)
}
resource "aws_secretsmanager_secret" "app_secret" {
  # One Secrets Manager secret per entry in local.secret_keys; the value itself is
  # written separately by aws_secretsmanager_secret_version.app_secret.
  # bridgecrew:skip=CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled". We cannot automatically rotate user secrets.
  for_each = local.secret_keys

  # name_prefix (not name): the provider appends a unique suffix on every create,
  # which is what lets create_before_destroy below replace a secret without a clash.
  name_prefix = "${local.block_name}/${each.value}/"

  # Encrypt with the stack's own KMS key (aws_kms_alias.this) instead of the
  # AWS-managed default key, so access can be scoped by key policy as well as IAM.
  kms_key_id = aws_kms_alias.this.arn

  # SECURITY NOTE(review): 0 disables the deletion recovery window, so any destroy
  # (including an accidental one or a forced replacement) makes the value
  # unrecoverable. The stated motivation is avoiding a clash when the secret is
  # re-added, but name_prefix already produces a fresh name on each create, so a
  # non-zero window (the provider default is 30 days) may be viable — confirm
  # before relying on force-delete.
  recovery_window_in_days = 0

  tags = local.tags

  lifecycle {
    create_before_destroy = true
  }
}
resource "aws_secretsmanager_secret_version" "app_secret" {
  # Writes the current value of each managed key into the matching secret above.
  for_each = local.secret_keys

  secret_id = aws_secretsmanager_secret.app_secret[each.value].id

  # SECURITY NOTE(review): secret_string is persisted in plaintext in the Terraform
  # state and shown in plan output, so the state backend must be encrypted and
  # access-restricted. Where local.all_secrets comes from is not visible here —
  # confirm it is not committed to source control.
  secret_string = local.all_secrets[each.value]

  lifecycle {
    create_before_destroy = true
  }
}