AWS Secrets Manager Terraform module
Upstream version 2.1.0
Terraform module source: `registry.compliance.tf/terraform-aws-modules/secrets-manager/aws`

Inputs (28 unique)
| Name | Type | Default | Description |
|---|---|---|---|
| *Optional* | | | |
| block_public_policy | bool | null | Makes an optional API call to Zelkova to validate the resource policy and prevent broad access to your secret |
| create | bool | true | Determines whether resources will be created (affects all resources) |
| create_policy | bool | false | Determines whether a resource policy will be created |
| create_random_password | bool | false | Determines whether an ephemeral random password will be generated for `secret_string_wo` |
| description | string | null | A description of the secret |
| enable_rotation | bool | false | Determines whether secret rotation is enabled |
| force_overwrite_replica_secret | bool | null | Whether to overwrite a secret with the same name in the destination Region |
| ignore_secret_changes | bool | false | Determines whether Terraform will ignore changes made externally to `secret_string` or `secret_binary`. Changing this value after creation is a destructive operation |
| kms_key_id | string | null | ARN or ID of the AWS KMS key used to encrypt the secret values in the versions stored in this secret. To reference a CMK in a different account you must use the key ARN. If you don't specify this value, Secrets Manager defaults to the AWS account's default KMS key (the one named `aws/secretsmanager`) |
| name | string | null | Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: `/_+=.@-` |
| name_prefix | string | null | Creates a unique name beginning with the specified prefix |
| override_policy_documents | list(string) | [] | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s override statements with the same `sid` |
| policy_statements | map({...}) | null | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage |
| random_password_length | number | 32 | The length of the generated random password |
| random_password_override_special | string | "!@#$%&*()-_=+[]{}<>:?" | Supply your own list of special characters to use for string generation. This overrides the default character list in the `special` argument |
| recovery_window_in_days | number | null | Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be `0` to force deletion without recovery, or range from `7` to `30` days. The default value is `30` |
| region | string | null | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration |
| replica | map({...}) | null | Configuration block to support secret replication |
| rotate_immediately | bool | null | Specifies whether to rotate the secret immediately or wait until the next scheduled rotation window. The rotation schedule is defined in `rotation_rules` |
| rotation_lambda_arn | string | "" | Specifies the ARN of the Lambda function that can rotate the secret |
| rotation_rules | object({...}) | null | A structure that defines the rotation configuration for this secret |
| secret_binary | string | null | Specifies binary data that you want to encrypt and store in this version of the secret. Required if neither `secret_string` nor `secret_string_wo` is set. Must be base64-encoded |
| secret_string | string | null | Specifies text data that you want to encrypt and store in this version of the secret. Required if neither `secret_binary` nor `secret_string_wo` is set |
| secret_string_wo | string | null | Specifies text data that you want to encrypt and store in this version of the secret, as a write-only value that is not persisted in Terraform state. Required if neither `secret_binary` nor `secret_string` is set |
| secret_string_wo_version | string | null | Used together with `secret_string_wo` to trigger an update. Increment this value when an update to `secret_string_wo` is required |
| source_policy_documents | list(string) | [] | List of IAM policy documents that are merged together into the exported document. Statements must have unique `sid`s |
| tags | map(string) | {} | A map of tags to add to all resources |
| version_stages | list(string) | null | Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret |
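The following is an added example, not part of the module's own documentation, showing the inputs above combined into a hardened secret: a customer-managed KMS key, a write-only generated initial value, Lambda-driven rotation, a recovery window, and a resource policy validated by `block_public_policy`. It assumes `aws_kms_key.secrets`, `aws_lambda_function.rotate` and `aws_iam_role.app` are defined elsewhere; the object shapes for `rotation_rules` and `policy_statements` are assumed to mirror the AWS provider's `rotation_rules` block and `aws_iam_policy_document` statement arguments.

```hcl
module "db_password" {
  source  = "terraform-aws-modules/secrets-manager/aws"
  version = "2.1.0"

  name        = "prod/app/db-password"
  description = "Application database password"

  # Customer-managed KMS key (assumed resource) instead of the account default
  # aws/secretsmanager key, so decryption can be restricted and audited separately.
  kms_key_id = aws_kms_key.secrets.arn

  # Generate the initial value as a write-only secret_string_wo: it is sent to
  # Secrets Manager but never persisted in Terraform state. Bump the version to push a new value.
  create_random_password   = true
  random_password_length   = 32
  secret_string_wo_version = 1

  # Once the rotation Lambda owns the value, do not let the next apply revert it.
  ignore_secret_changes = true

  # Rotate every 30 days via a Lambda defined elsewhere (assumed resource name).
  enable_rotation     = true
  rotation_lambda_arn = aws_lambda_function.rotate.arn
  rotation_rules = {
    automatically_after_days = 30
  }

  # Keep the maximum recovery window so an accidental destroy is reversible.
  recovery_window_in_days = 30

  # Resource policy: only the application role (assumed) may read the value;
  # block_public_policy asks Zelkova to reject any policy granting broad access.
  create_policy       = true
  block_public_policy = true
  policy_statements = {
    read = {
      sid       = "AllowAppRead"
      actions   = ["secretsmanager:GetSecretValue"]
      resources = ["*"]
      principals = [{
        type        = "AWS"
        identifiers = [aws_iam_role.app.arn]
      }]
    }
  }

  tags = { Environment = "prod" }
}
```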