Merge pull request #256 from ministryofjustice/DSOS-2406-align-secret…

…smanager-options-with-ssm DSOS-2406: align secretsmanager options with ssm
ministryofjustice · Nov 30, 2023 · f677bd8 · f677bd8
2 parents cc4e8af + 01e2451
commit f677bd8
Show file tree

Hide file tree

Showing 4 changed files with 76 additions and 10 deletions.
diff --git a/locals.tf b/locals.tf
@@ -28,6 +28,25 @@ locals {
     }) if value.value == null && value.random == null
   }
 
+  secretsmanager_random_passwords = {
+    for key, value in var.secretsmanager_secrets != null ? var.secretsmanager_secrets : {} :
+    key => value.random if value.random != null
+  }
+  secretsmanager_secrets_value = {
+    for key, value in var.secretsmanager_secrets != null ? var.secretsmanager_secrets : {} :
+    key => value if value.value != null
+  }
+  secretsmanager_secrets_random = {
+    for key, value in var.secretsmanager_secrets != null ? var.secretsmanager_secrets : {} :
+    key => merge(value, {
+      value = random_password.secrets[key].result
+    }) if value.value == null && value.random != null
+  }
+  secretsmanager_secrets_default = {
+    for key, value in var.secretsmanager_secrets != null ? var.secretsmanager_secrets : {} :
+    key => value if value.value == null && value.random == null
+  }
+
   ami_block_device_mappings = {
     for bdm in data.aws_ami.this.block_device_mappings : bdm.device_name => bdm
   }

diff --git a/main.tf b/main.tf
@@ -230,15 +230,54 @@ resource "aws_ssm_parameter" "placeholder" {
   }
 }
 
+#------------------------------------------------------------------------------
+# SecretManager Secrets
+#------------------------------------------------------------------------------
+
+resource "random_password" "secrets" {
+  for_each = local.secretsmanager_random_passwords
+
+  length  = each.value.length
+  special = each.value.special
+}
+
+resource "aws_secretsmanager_secret" "fixed" {
+  # skipped check as the secret value is defined by terraform so cannot be rotated by AWS
+  #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled
+  for_each = merge(
+    local.secretsmanager_secrets_value,
+    local.secretsmanager_secrets_random,
+  )
+
+  name                    = "/${var.secretsmanager_secrets_prefix}${var.name}/${each.key}"
+  description             = each.value.description
+  kms_key_id              = each.value.kms_key_id
+  recovery_window_in_days = each.value.recovery_window_in_days
+
+  tags = merge(local.tags, {
+    Name = "${var.name}-${each.key}"
+  })
+}
+
+resource "aws_secretsmanager_secret_version" "fixed" {
+  for_each = merge(
+    local.secretsmanager_secrets_value,
+    local.secretsmanager_secrets_random,
+  )
+
+  secret_id     = aws_secretsmanager_secret.fixed[each.key].id
+  secret_string = each.value.value
+}
+
 resource "aws_secretsmanager_secret" "placeholder" {
-  # skipped check to keep consistent behaviour between ssm params and secrets
-  # Rotation can be added later as a configurable option. Some will want it, for some it will break things
+  # Rotation can be added later as a configurable option
   #checkov:skip=CKV2_AWS_57: Ensure Secrets Manager secrets should have automatic rotation enabled
-  for_each = var.secretsmanager_secrets
+  for_each = local.secretsmanager_secrets_default
 
-  name        = "/${var.secretsmanager_secrets_prefix}${var.name}/${each.key}"
-  description = each.value.description
-  kms_key_id  = each.value.kms_key_id
+  name                    = "/${var.secretsmanager_secrets_prefix}${var.name}/${each.key}"
+  description             = each.value.description
+  kms_key_id              = each.value.kms_key_id
+  recovery_window_in_days = each.value.recovery_window_in_days
 
   tags = merge(local.tags, {
     Name = "${var.name}-${each.key}"

diff --git a/test/unit-test/main.tf b/test/unit-test/main.tf
@@ -20,6 +20,8 @@ module "ec2_test_instance" {
   ebs_volume_config             = lookup(each.value, "ebs_volume_config", {})
   ebs_volumes                   = lookup(each.value, "ebs_volumes", {})
   ebs_volume_tags               = lookup(each.value, "ebs_volume_tags", {})
+  secretsmanager_secrets_prefix = lookup(each.value, "secretsmanager_secrets_prefix", "test/")
+  secretsmanager_secrets        = lookup(each.value, "secretsmanager_secrets", null)
   ssm_parameters_prefix         = lookup(each.value, "ssm_parameters_prefix", "test/")
   ssm_parameters                = lookup(each.value, "ssm_parameters", null)
   route53_records               = merge(local.ec2_test.route53_records, lookup(each.value, "route53_records", {}))

diff --git a/variables.tf b/variables.tf
@@ -197,12 +197,18 @@ variable "ssm_parameters" {
 }
 
 variable "secretsmanager_secrets" {
-  description = "A map of secretsmanager secrets to create. No value is created, add a value outside of terraform"
+  description = "A map of secretsmanager secrets to create. Set a specific value or a randomly generated value.  If neither random or value are set, a placeholder value is created which can be updated outside of terraform"
   type = map(object({
-    description = optional(string)
-    kms_key_id  = optional(string)
+    description             = optional(string)
+    kms_key_id              = optional(string)
+    recovery_window_in_days = optional(number)
+    random = optional(object({
+      length  = number
+      special = optional(bool)
+    }))
+    value = optional(string)
   }))
-  default = {}
+  default = null
 }
 
 variable "cloudwatch_metric_alarms" {