Creates a rotation function for a Secrets Manager secret. You can combine this
with the secret module to create a secret with automatic rotation. You can
read more about secret rotation in the Secrets Manager developer guide.
Example:
```hcl
module "auth_token_rotation" {
  source = "github.com/thoughtbot/terraform-aws-secrets//secret-rotation-function"

  # Provide these outputs from the secret module
  role_arn   = module.auth_token.rotation_role_arn
  secret_arn = module.auth_token.arn

  # Tune these to match your handler function
  handler     = "lambda_function.lambda_handler"
  runtime     = "python3.8"
  source_file = "${path.module}/myfunction.py"

  # Configure security groups and subnets for your VPC
  security_group_ids = [aws_security_group.function.id]
  subnet_ids         = aws_subnet.private.*.id

  # You can provide Lambda layers as a map of archives
  dependencies = {
    postgres = "${path.module}/postgres.zip"
  }

  # Environment variables to add to the created function
  variables = {
    ACCOUNT_URL = "https://example.com"
  }
}
```
Inputs:

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| dependencies | Map of zip archives containing dependencies | `map(string)` | `{}` | no |
| handler | Handler to invoke in the function package | `string` | n/a | yes |
| role_arn | ARN of the IAM role capable of rotating the secret | `string` | n/a | yes |
| rotation_days | Number of days after which the secret is rotated | `number` | `30` | no |
| runtime | Runtime of the rotation function | `string` | n/a | yes |
| secret_arn | ARN of the secret to rotate | `string` | n/a | yes |
| security_group_ids | Security groups which the rotation function should use | `list(string)` | `[]` | no |
| source_file | File containing the rotation handler | `string` | n/a | yes |
| subnet_ids | Subnets in which this function should run | `list(string)` | `[]` | no |
| variables | Environment variables for the rotation function | `map(string)` | `{}` | no |

Outputs:

| Name | Description |
|------|-------------|
| arn | ARN of the function which will rotate this secret |