From ac4f7ad46da04333eafbeab85900108922f156c2 Mon Sep 17 00:00:00 2001
From: Julieta Aghamyan
Date: Mon, 18 Sep 2023 12:14:55 +0400
Subject: [PATCH 1/5] fix(DMVP-2690): Added kms key support
---
modules/secret/README.md | 1 +
modules/secret/secret.tf | 1 +
modules/secret/variables.tf | 7 +++++++
3 files changed, 9 insertions(+)
diff --git a/modules/secret/README.md b/modules/secret/README.md
index 95a78b39..1ac4ac6e 100644
--- a/modules/secret/README.md
+++ b/modules/secret/README.md
@@ -51,6 +51,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [kms\_key\_id](#input\_kms\_key\_id) | ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. | `any` | `null` | no |
 | [name](#input\_name) | Secret name | `string` | n/a | yes |
 | [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | (Optional) Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30 | `number` | `30` | no |
 | [value](#input\_value) | Secret value | `any` | `null` | no |
diff --git a/modules/secret/secret.tf b/modules/secret/secret.tf
index 90882d93..0776aa54 100644
--- a/modules/secret/secret.tf
+++ b/modules/secret/secret.tf
@@ -8,4 +8,5 @@ resource "aws_secretsmanager_secret_version" "value" {
 secret_id = aws_secretsmanager_secret.secret.id
 secret_string = jsonencode(var.value)
+ kms_key_id = var.kms_key_id
 }
diff --git a/modules/secret/variables.tf b/modules/secret/variables.tf
index 9b9cbd6d..f1f654e4 100644
--- a/modules/secret/variables.tf
+++ b/modules/secret/variables.tf
@@ -9,6 +9,13 @@ variable "value" {
 description = "Secret value"
 }
+variable "kms_key_id" {
+ type = any
+ default = null
+ description = "ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret."
+}
+
+
 variable "recovery_window_in_days" {
 type = number
 default = 30
From d3ceac63ca1524180dc8d1e463bbd1e5caf0a8c2 Mon Sep 17 00:00:00 2001
From: Julieta Aghamyan
Date: Mon, 18 Sep 2023 12:18:54 +0400
Subject: [PATCH 2/5] fix(DMVP-2690): Added kms key support
---
modules/secret/secret.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/secret/secret.tf b/modules/secret/secret.tf
index 0776aa54..ce51d66b 100644
--- a/modules/secret/secret.tf
+++ b/modules/secret/secret.tf
@@ -1,6 +1,7 @@
 resource "aws_secretsmanager_secret" "secret" {
 name = var.name
 recovery_window_in_days = var.recovery_window_in_days
+ kms_key_id = var.kms_key_id
 }
 resource "aws_secretsmanager_secret_version" "value" {
@@ -8,5 +9,4 @@ resource "aws_secretsmanager_secret_version" "value" {
 secret_id = aws_secretsmanager_secret.secret.id
 secret_string = jsonencode(var.value)
- kms_key_id = var.kms_key_id
 }
From 330c5cb2aebbe1c0a8ef258d129a3c9c6b448eb1 Mon Sep 17 00:00:00 2001
From: Julieta Aghamyan
Date: Mon, 18 Sep 2023 13:09:12 +0400
Subject: [PATCH 3/5] fix(DMVP-2690): Added kms key support
---
modules/secret/README.md | 17 +++++++-
modules/secret/tests/kms_encripted/0-setup.tf | 24 +++++++++++++
.../secret/tests/kms_encripted/1-example.tf | 10 ++++++
.../secret/tests/kms_encripted/2-assert.tf | 9 +++++
modules/secret/tests/kms_encripted/README.md | 36 +++++++++++++++++++
5 files changed, 94 insertions(+), 2 deletions(-)
create mode 100644 modules/secret/tests/kms_encripted/0-setup.tf
create mode 100644 modules/secret/tests/kms_encripted/1-example.tf
create mode 100644 modules/secret/tests/kms_encripted/2-assert.tf
create mode 100644 modules/secret/tests/kms_encripted/README.md
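Review bot: `type = any` on the new `kms_key_id` variable lets a map, list or number pass `terraform validate` and only fails at apply time when the provider rejects the value; the argument only ever carries a key identifier string, so `type = string` is the right constraint and still works with `default = null`. The description should also say what the caller gets when the variable is left at its default, because that is the actual decision being made: with no key the secret is encrypted under the AWS-managed `aws/secretsmanager` key rather than a customer-managed one, which matters for cross-account reads and key-policy control. Something like `description = "ARN or Id of the KMS key used to encrypt the secret versions. Leave null to use the AWS-managed key aws/secretsmanager."` captures both.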
diff --git a/modules/secret/README.md b/modules/secret/README.md
index 1ac4ac6e..0107eb88 100644
--- a/modules/secret/README.md
+++ b/modules/secret/README.md
@@ -3,7 +3,7 @@
 ## Example usage 1 (when the secret is a value)
 module test-secret {
- source = "dasmeta/modules/aws//modules/cloudwatch"
+ source = "dasmeta/modules/aws//modules/secret"
 name = "test-secret"
 value = "test-secret-value"
@@ -12,7 +12,7 @@ module test-secret {
 ## Example usage 2 (when the secret is a key-value pair)
 module test-secret {
- source = "dasmeta/modules/aws//modules/cloudwatch"
+ source = "dasmeta/modules/aws//modules/secret"
 name = "test-secret"
 value = {
@@ -23,6 +23,19 @@ module test-secret {
 }
 ```
+## Example usage 3 (when the secret is a key-value pair)
+module test-secret {
+ source = "dasmeta/modules/aws//modules/secret"
+
+ name = "test-secret"
+ value = {
+ "key1": "value1"
+ "key2": "value2"
+ "key3": "value3"
+ }
+ kms_key_id = "arn:aws:kms:us-east-1::key/"
+}
+```
 ## Requirements
diff --git a/modules/secret/tests/kms_encripted/0-setup.tf b/modules/secret/tests/kms_encripted/0-setup.tf
new file mode 100644
index 00000000..9c765878
--- /dev/null
+++ b/modules/secret/tests/kms_encripted/0-setup.tf
@@ -0,0 +1,24 @@
+terraform {
+ required_providers {
+ test = {
+ source = "terraform.io/builtin/test"
+ }
+
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.41"
+ }
+ }
+
+ required_version = ">= 1.3.0"
+}
+
+/**
+ * set the following env vars so that aws provider will get authenticated before apply:
+
+ export AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxxxxxx
+ export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxx
+*/
+provider "aws" {
+ region = "eu-central-1"
+}
diff --git a/modules/secret/tests/kms_encripted/1-example.tf b/modules/secret/tests/kms_encripted/1-example.tf
new file mode 100644
index 00000000..5d037969
--- /dev/null
+++ b/modules/secret/tests/kms_encripted/1-example.tf
@@ -0,0 +1,10 @@
+module "this" {
+ source = "../../"
+
+ name = "test-secret"
+ value = {
+ my_super_secret_key = "my_super_secret_value"
+ }
+ recovery_window_in_days = 0 # to destroy the secret immediately and not wait some days(default is 30) for recovery
+ kms_key_id = "arn:aws:kms:us-east-1:000000000000:key/0000000000000"
+}
diff --git a/modules/secret/tests/kms_encripted/2-assert.tf b/modules/secret/tests/kms_encripted/2-assert.tf
new file mode 100644
index 00000000..99458cab
--- /dev/null
+++ b/modules/secret/tests/kms_encripted/2-assert.tf
@@ -0,0 +1,9 @@
+resource "test_assertions" "dummy" {
+ component = "this"
+
+ equal "scheme" {
+ description = "As module does not have any output and data just make sure the case runs. Probably can be thrown away."
+ got = "all good"
+ want = "all good"
+ }
+}
diff --git a/modules/secret/tests/kms_encripted/README.md b/modules/secret/tests/kms_encripted/README.md
new file mode 100644
index 00000000..08dd5972
--- /dev/null
+++ b/modules/secret/tests/kms_encripted/README.md
@@ -0,0 +1,36 @@
+# basic
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.3.0 |
+| [aws](#requirement\_aws) | >= 3.41 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [test](#provider\_test) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [this](#module\_this) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| test_assertions.dummy | resource |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+
From 513d3c59e1e3bb902d1d0943890c9a1830e37d3b Mon Sep 17 00:00:00 2001
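Review bot: The `kms_key_id` line in `module "this"` passes a made-up ARN (account 000000000000, key 0000000000000, region us-east-1) while 0-setup.tf in this same commit pins the provider to eu-central-1; KMS keys are regional and must exist in the calling account, so an apply of this case can be expected to fail on the `aws_secretsmanager_secret` create rather than show that the new argument is wired through. A placeholder of that shape is fine in the README example but not in a test case that is meant to run. Creating a key inside the test and passing its ARN keeps the case self-contained; `deletion_window_in_days = 7` is the shortest window KMS allows, so a torn-down run does not leave a key pending deletion for a month.
```hcl
resource "aws_kms_key" "test" {
  description             = "kms_encrypted test case key"
  deletion_window_in_days = 7 # shortest allowed; avoids a 30-day pending-deletion tail after the test
}

module "this" {
  # … unchanged: source, name, value, recovery_window_in_days …
  kms_key_id = aws_kms_key.test.arn
}
```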
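Review bot: The `equal "scheme"` block in 2-assert.tf compares the literal `"all good"` with itself, so it can never fail and the file only records that the apply completed, as its own description admits. If the secret module exposed the created secret's `kms_key_id` (or its ARN) as an output, the check could become `got = module.this.kms_key_id` against the key the example supplies, which would actually verify the new argument; until then a comment such as `# apply smoke test only: the module has no outputs to assert on` makes the intent explicit for the next person who reads the case.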
From: Julieta Aghamyan
Date: Mon, 18 Sep 2023 13:14:29 +0400
Subject: [PATCH 4/5] fix(DMVP-2690): Added kms key support
---
modules/secret/tests/{kms_encripted => kms_encrypted}/0-setup.tf | 0
.../secret/tests/{kms_encripted => kms_encrypted}/1-example.tf | 0
modules/secret/tests/{kms_encripted => kms_encrypted}/2-assert.tf | 0
modules/secret/tests/{kms_encripted => kms_encrypted}/README.md | 0
4 files changed, 0 insertions(+), 0 deletions(-)
rename modules/secret/tests/{kms_encripted => kms_encrypted}/0-setup.tf (100%)
rename modules/secret/tests/{kms_encripted => kms_encrypted}/1-example.tf (100%)
rename modules/secret/tests/{kms_encripted => kms_encrypted}/2-assert.tf (100%)
rename modules/secret/tests/{kms_encripted => kms_encrypted}/README.md (100%)
diff --git a/modules/secret/tests/kms_encripted/0-setup.tf b/modules/secret/tests/kms_encrypted/0-setup.tf
similarity index 100%
rename from modules/secret/tests/kms_encripted/0-setup.tf
rename to modules/secret/tests/kms_encrypted/0-setup.tf
diff --git a/modules/secret/tests/kms_encripted/1-example.tf b/modules/secret/tests/kms_encrypted/1-example.tf
similarity index 100%
rename from modules/secret/tests/kms_encripted/1-example.tf
rename to modules/secret/tests/kms_encrypted/1-example.tf
diff --git a/modules/secret/tests/kms_encripted/2-assert.tf b/modules/secret/tests/kms_encrypted/2-assert.tf
similarity index 100%
rename from modules/secret/tests/kms_encripted/2-assert.tf
rename to modules/secret/tests/kms_encrypted/2-assert.tf
diff --git a/modules/secret/tests/kms_encripted/README.md b/modules/secret/tests/kms_encrypted/README.md
similarity index 100%
rename from modules/secret/tests/kms_encripted/README.md
rename to modules/secret/tests/kms_encrypted/README.md
From 434829ba98cfbb9502817a0577422952192b05ea Mon Sep 17 00:00:00 2001
From: Julieta Aghamyan
Date: Mon, 18 Sep 2023 15:22:52 +0400
Subject: [PATCH 5/5] fix(DMVP-2690): Added kms key support
---
modules/secret/variables.tf | 1 -
1 file changed, 1 deletion(-)
diff --git a/modules/secret/variables.tf b/modules/secret/variables.tf
index f1f654e4..0fef6e28 100644
--- a/modules/secret/variables.tf
+++ b/modules/secret/variables.tf
@@ -15,7 +15,6 @@ variable "kms_key_id" {
 description = "ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret."
 }
-
 variable "recovery_window_in_days" {
 type = number
 default = 30