Merge pull request #316 from dasmeta/DMVP-2690

fix( DMVP-2690) : Added kms key support
dasmeta · Sep 18, 2023 · 07ecf03 · 07ecf03
2 parents 65c08fc + 434829b
commit 07ecf03
Show file tree

Hide file tree

Showing 7 changed files with 102 additions and 2 deletions.
diff --git a/modules/secret/README.md b/modules/secret/README.md
@@ -3,7 +3,7 @@
 
 ## Example usage 1 (when the secret is a value)
 module test-secret {
-  source  = "dasmeta/modules/aws//modules/cloudwatch"
+  source  = "dasmeta/modules/aws//modules/secret"
 
   name = "test-secret"
   value = "test-secret-value"
@@ -12,7 +12,7 @@ module test-secret {
 
 ## Example usage 2 (when the secret is a key-value pair)
 module test-secret {
-  source  = "dasmeta/modules/aws//modules/cloudwatch"
+  source  = "dasmeta/modules/aws//modules/secret"
 
   name = "test-secret"
   value = {
@@ -23,6 +23,19 @@ module test-secret {
 }
 ```
 
+## Example usage 3 (when the secret is a key-value pair)
+module test-secret {
+  source  = "dasmeta/modules/aws//modules/secret"
+
+  name = "test-secret"
+  value = {
+    "key1": "value1"
+    "key2": "value2"
+    "key3": "value3"
+  }
+  kms_key_id = "arn:aws:kms:us-east-1:<account_id>:key/<kms_key_id>"
+}
+```
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
@@ -51,6 +64,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. | `any` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Secret name | `string` | n/a | yes |
 | <a name="input_recovery_window_in_days"></a> [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | (Optional) Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30 | `number` | `30` | no |
 | <a name="input_value"></a> [value](#input\_value) | Secret value | `any` | `null` | no |

diff --git a/modules/secret/secret.tf b/modules/secret/secret.tf
@@ -1,6 +1,7 @@
 resource "aws_secretsmanager_secret" "secret" {
   name                    = var.name
   recovery_window_in_days = var.recovery_window_in_days
+  kms_key_id              = var.kms_key_id
 }
 
 resource "aws_secretsmanager_secret_version" "value" {

diff --git a/modules/secret/tests/kms_encrypted/0-setup.tf b/modules/secret/tests/kms_encrypted/0-setup.tf
@@ -0,0 +1,24 @@
+terraform {
+  required_providers {
+    test = {
+      source = "terraform.io/builtin/test"
+    }
+
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.41"
+    }
+  }
+
+  required_version = ">= 1.3.0"
+}
+
+/**
+ * set the following env vars so that aws provider will get authenticated before apply:
+
+ export AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxx
+ export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxx
+*/
+provider "aws" {
+  region = "eu-central-1"
+}
diff --git a/modules/secret/tests/kms_encrypted/1-example.tf b/modules/secret/tests/kms_encrypted/1-example.tf
@@ -0,0 +1,10 @@
+module "this" {
+  source = "../../"
+
+  name = "test-secret"
+  value = {
+    my_super_secret_key = "my_super_secret_value"
+  }
+  recovery_window_in_days = 0 # to destroy the secret immediately and not wait some days(default is 30) for recovery
+  kms_key_id              = "arn:aws:kms:us-east-1:000000000000:key/0000000000000"
+}
diff --git a/modules/secret/tests/kms_encrypted/2-assert.tf b/modules/secret/tests/kms_encrypted/2-assert.tf
@@ -0,0 +1,9 @@
+resource "test_assertions" "dummy" {
+  component = "this"
+
+  equal "scheme" {
+    description = "As module does not have any output and data just make sure the case runs. Probably can be thrown away."
+    got         = "all good"
+    want        = "all good"
+  }
+}
diff --git a/modules/secret/tests/kms_encrypted/README.md b/modules/secret/tests/kms_encrypted/README.md
@@ -0,0 +1,36 @@
+# basic
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.41 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_test"></a> [test](#provider\_test) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_this"></a> [this](#module\_this) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| test_assertions.dummy | resource |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/secret/variables.tf b/modules/secret/variables.tf
@@ -9,6 +9,12 @@ variable "value" {
   description = "Secret value"
 }
 
+variable "kms_key_id" {
+  type        = any
+  default     = null
+  description = "ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret."
+}
+
 variable "recovery_window_in_days" {
   type        = number
   default     = 30