Rotating Secret

Creates a Lambda function that rotates a Secrets Manager secret and registers it as that secret's rotation function, on a schedule that defaults to every 30 days (`rotation_days`). Secrets Manager drives a rotation by invoking the function once per step (`createSecret`, `setSecret`, `testSecret`, `finishSecret`), as described in the Secrets Manager developer guide; the module wires up the invoke permission for the Secrets Manager service, the function's VPC access and the rotation schedule, but the rotation logic itself lives in the handler you supply through `source_file`, and the IAM role you pass as `role_arn` is what lets that handler read and write the secret's versions. You can combine this with the secret module to create a secret with automatic rotation.

Example:

```hcl
module "auth_token_rotation" {
  source = "github.com/thoughtbot/terraform-aws-secrets//secret-rotation-function"

  # Provide these outputs from the secret module
  role_arn   = module.auth_token.rotation_role_arn
  secret_arn = module.auth_token.arn

  # Tune these to match your handler function. `handler` is <module>.<function>,
  # so the module name must match the file name that ends up in the package,
  # and the runtime should be one Lambda still supports when you copy this.
  handler     = "lambda_function.lambda_handler"
  runtime     = "python3.8"
  source_file = "${path.module}/myfunction.py"

  # Configure security groups and subnets for your VPC (both default to empty)
  security_group_ids = [aws_security_group.function.id]
  subnet_ids         = aws_subnet.private[*].id

  # You can provide Lambda layers as a map of layer name to zip archive
  dependencies = {
    postgres = "${path.module}/postgres.zip"
  }

  # Environment variables to add to the created function
  variables = {
    ACCOUNT_URL = "https://example.com"
  }
}
```
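The handler referenced by `source_file` is the part this module leaves to you. The following is an added example, not code from this module or from thoughtbot: a handler in the shape `handler = "lambda_function.lambda_handler"` expects, implementing the four rotation steps and the checks that keep rotation safe to retry (it acts only on the version Secrets Manager staged as `AWSPENDING`, never mints a second pending value on a retried `createSecret`, and only moves the `AWSCURRENT` label after the test step has passed). Everything about the secret's contents is an assumption: it treats the value as a JSON object with a `token` field and models the consuming backend as a `service` object with `set_credential()`/`check_credential()` (the `NoBackend` default accepts any token, for secrets that no backend needs to learn about). The `client` argument, the `rotate` driver and the constructed `FakeSecretsManager` stand-in exist so the flow can be run offline; in Lambda the handler falls back to boto3.

```python
"""Rotation handler in the shape the module's `handler` and `source_file` inputs expect.
Added example, not code from terraform-aws-secrets. Assumed: the secret value is a JSON
object with a "token" field; `service` pushes the pending token to whatever backend consumes
it (NoBackend accepts any); `client` may replace boto3's secretsmanager client (FakeSecretsManager)."""
import json
import secrets

STEPS = ("createSecret", "setSecret", "testSecret", "finishSecret")

class NoBackend:  # default hook for secrets no backend needs to learn about
    def set_credential(self, value):
        pass
    def check_credential(self, value):
        return bool(value.get("token"))  # any non-empty token passes the test step

def _pending(sm, arn, token):
    raw = sm.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
    return json.loads(raw["SecretString"])

def _create_secret(sm, service, arn, token):
    current = json.loads(sm.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])
    try:
        _pending(sm, arn, token)
        return "pending already exists"  # retried invocation: never mint a second token
    except sm.exceptions.ResourceNotFoundException:
        pending = dict(current, token=secrets.token_urlsafe(32))
        sm.put_secret_value(SecretId=arn, ClientRequestToken=token,
                            SecretString=json.dumps(pending), VersionStages=["AWSPENDING"])
        return "created"

def _set_secret(sm, service, arn, token):
    service.set_credential(_pending(sm, arn, token))
    return "set"

def _test_secret(sm, service, arn, token):
    if not service.check_credential(_pending(sm, arn, token)):
        raise RuntimeError("pending credential rejected; AWSCURRENT left untouched")
    return "tested"

def _finish_secret(sm, service, arn, token):
    stages = sm.describe_secret(SecretId=arn)["VersionIdsToStages"]
    current = next(v for v, s in stages.items() if "AWSCURRENT" in s)
    sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                   MoveToVersionId=token, RemoveFromVersionId=current)
    return "finished"

_HANDLERS = dict(zip(STEPS, (_create_secret, _set_secret, _test_secret, _finish_secret)))

def lambda_handler(event, context=None, client=None, service=None):
    """Entry point matching the example's handler = "lambda_function.lambda_handler"."""
    if client is None:
        import boto3  # lazy import so the module also loads where boto3 is absent
        client = boto3.client("secretsmanager")
    service = service or NoBackend()
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    if step not in _HANDLERS:
        raise ValueError(f"unknown rotation step {step!r}")
    # Act only on the version Secrets Manager itself staged as AWSPENDING for this rotation.
    meta = client.describe_secret(SecretId=arn)
    if not meta.get("RotationEnabled"):
        raise ValueError(f"rotation is not enabled for {arn}")
    labels = meta["VersionIdsToStages"].get(token, [])
    if "AWSCURRENT" in labels:
        return "already current"  # replay after a completed finishSecret is a no-op
    if "AWSPENDING" not in labels:
        raise ValueError(f"version {token} is not staged AWSPENDING on {arn}")
    return _HANDLERS[step](client, service, arn, token)

def rotate(sm, arn, token, service=None):  # the four steps, in the order Secrets Manager runs them
    return [lambda_handler({"SecretId": arn, "ClientRequestToken": token, "Step": step},
                           client=sm, service=service) for step in STEPS]

class FakeSecretsManager:
    """Constructed in-memory stand-in for boto3's secretsmanager client (offline runs only)."""
    class exceptions:  # boto3 exposes per-client exception classes under .exceptions the same way
        ResourceNotFoundException = type("ResourceNotFoundException", (Exception,), {})
    def __init__(self, arn, current_value):
        self.arn, self.values, self.stages = arn, {"v0": current_value}, {"v0": ["AWSCURRENT"]}
    def start_rotation(self, token):
        self.stages[token] = ["AWSPENDING"]  # Secrets Manager labels the version before step 1
    def describe_secret(self, SecretId):
        return {"ARN": self.arn, "RotationEnabled": True,
                "VersionIdsToStages": {v: list(s) for v, s in self.stages.items()}}
    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, labels in self.stages.items():
            if vid in self.values and VersionId in (None, vid) and VersionStage in (None, *labels):
                return {"VersionId": vid, "SecretString": self.values[vid]}
        raise self.exceptions.ResourceNotFoundException(f"{VersionId}/{VersionStage}")
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        self.values[ClientRequestToken], self.stages[ClientRequestToken] = SecretString, list(VersionStages)
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId):
        self.stages[RemoveFromVersionId].remove(VersionStage)
        self.stages[MoveToVersionId].append(VersionStage)
        if VersionStage == "AWSCURRENT":  # Secrets Manager moves AWSPREVIOUS along automatically
            for labels in self.stages.values():
                labels[:] = [l for l in labels if l != "AWSPREVIOUS"]
            self.stages[RemoveFromVersionId].append("AWSPREVIOUS")
```

Only the handler half needs to ship in the package (boto3 is present in the Lambda Python runtimes). For this flow the role passed as `role_arn` needs `secretsmanager:DescribeSecret`, `GetSecretValue`, `PutSecretValue` and `UpdateSecretVersionStage` on the secret and nothing wider, and the module's `aws_lambda_permission.secretsmanager` resource is what allows the Secrets Manager service to invoke the function. Replace `NoBackend` with a hook that actually pushes and verifies the credential against the consuming service; a `testSecret` that always passes turns rotation into a way of silently breaking every consumer.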

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.14.0 |
| archive | ~> 2.2 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| archive | ~> 2.2 |
| aws | ~> 5.0 |

Resources

| Name | Type |
|------|------|
| aws_iam_role_policy_attachment.function_vpc | resource |
| aws_lambda_function.rotation | resource |
| aws_lambda_layer_version.dependencies | resource |
| aws_lambda_permission.secretsmanager | resource |
| aws_secretsmanager_secret_rotation.this | resource |
| archive_file.function | data source |
| aws_region.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| dependencies | Map of zip archives containing dependencies, published as Lambda layers | map(string) | {} | no |
| handler | Handler to invoke in the function package | string | n/a | yes |
| role_arn | ARN of the IAM role capable of rotating the secret | string | n/a | yes |
| rotation_days | Number of days after which the secret is rotated | number | 30 | no |
| runtime | Runtime of the rotation function | string | n/a | yes |
| secret_arn | ARN of the secret to rotate | string | n/a | yes |
| security_group_ids | Security groups which the rotation function should use | list(string) | [] | no |
| source_file | File containing the rotation handler | string | n/a | yes |
| subnet_ids | Subnets in which this function should run | list(string) | [] | no |
| variables | Environment variables for the rotation function | map(string) | {} | no |

Outputs

| Name | Description |
|------|-------------|
| arn | ARN of the function which will rotate this secret |