feat: add configuration block to support secret replication (#6)

SweetOps · web-flow · commit e833eb723919 · 2023-03-06T12:49:42.000-05:00
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -18,6 +18,14 @@ jobs:
           output-file: README.md
           config-file: ".terraform-docs.yml"
 
+      - name: Render terraform docs inside the examples/basic/README.md
+        uses: terraform-docs/gh-actions@v0.11.0
+        with:
+          working-dir: ./examples/replicated/
+          git-push: "false"
+          output-file: README.md
+          config-file: ".terraform-docs.yml"
+
       - name: Render terraform docs inside the README.md
         uses: terraform-docs/gh-actions@v0.11.0
         with:
diff --git a/README.md b/README.md
@@ -81,6 +81,7 @@ module "secrets" {
 | <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br>   format = string<br>   labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
+| <a name="input_force_overwrite_replica_secret"></a> [force\_overwrite\_replica\_secret](#input\_force\_overwrite\_replica\_secret) | Whether to overwrite a secret with the same name in the destination Region. | `bool` | `true` | no |
 | <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
 | <a name="input_kms_key"></a> [kms\_key](#input\_kms\_key) | enabled:<br>    Whether to create KSM key.<br>description:<br>    The description of the key as viewed in AWS console.<br>alias:<br>    The display name of the alias. The name must start with the word alias followed by a forward slash. <br>    If not specified, the alias name will be auto-generated.<br>deletion\_window\_in\_days:<br>    Duration in days after which the key is deleted after destruction of the resource<br>enable\_key\_rotation:<br>    Specifies whether key rotation is enabled. | <pre>object({<br>    enabled                 = optional(bool, true)<br>    description             = optional(string, "Managed by Terraform")<br>    alias                   = optional(string)<br>    deletion_window_in_days = optional(number, 30)<br>    enable_key_rotation     = optional(bool, true)<br>  })</pre> | `{}` | no |
 | <a name="input_kms_key_id"></a> [kms\_key\_id](#input\_kms\_key\_id) | ARN or Id of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret. <br>If you don't specify this value, then Secrets Manager defaults to using the AWS account's default CMK (the one named `aws/secretsmanager`). | `string` | `null` | no |
@@ -93,6 +94,7 @@ module "secrets" {
 | <a name="input_policy"></a> [policy](#input\_policy) | Valid JSON document representing a resource policy. | `string` | `null` | no |
 | <a name="input_recovery_window_in_days"></a> [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | Valid JSON document representing a resource policy. | `number` | `30` | no |
 | <a name="input_regex_replace_chars"></a> [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.<br>Characters matching the regex will be removed from the ID elements.<br>If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
+| <a name="input_replicas"></a> [replicas](#input\_replicas) | kms\_key\_id:<br>    ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to.<br>region:<br>    Region for replicating the secret. | <pre>list(<br>    object(<br>      {<br>        kms_key_id = string<br>        region     = string<br>      }<br>    )<br>  )</pre> | `[]` | no |
 | <a name="input_rotation"></a> [rotation](#input\_rotation) | enabled:<br>    Whether to create secret rotation rule. <br>    Default value: `false`<br>lambda\_arn:<br>    Specifies the ARN of the Lambda function that can rotate the secret.<br>automatically\_after\_days:<br>    Specifies the number of days between automatic scheduled rotations of the secret. | <pre>object({<br>    enabled                  = optional(bool, false)<br>    lambda_arn               = string<br>    automatically_after_days = number<br>  })</pre> | <pre>{<br>  "automatically_after_days": 0,<br>  "lambda_arn": ""<br>}</pre> | no |
 | <a name="input_secret_version"></a> [secret\_version](#input\_secret\_version) | enabled:<br>    Whether to create secret version. <br>    Default value: `false`<br>secret\_string:<br>    Specifies text data that you want to encrypt and store in this version of the secret. <br>    This is required if `secret_binary` is not set.<br>secret\_binary:<br>    Specifies binary data that you want to encrypt and store in this version of the secret. <br>    This is required if `secret_string` is not set. <br>    Needs to be encoded to base64. | <pre>object({<br>    enabled       = optional(bool, true)<br>    secret_string = optional(string)<br>    secret_binary = optional(string)<br>  })</pre> | `{}` | no |
 | <a name="input_stage"></a> [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -29,5 +29,6 @@ module "secrets" {
       }
     )
   }
-  context = module.label.context
+  recovery_window_in_days = 0
+  context                 = module.label.context
 }
diff --git a/examples/replicated/.terraform-docs.yml b/examples/replicated/.terraform-docs.yml
@@ -0,0 +1,30 @@
+formatter: markdown
+
+output:
+  file: README.md
+  mode: replace
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS --> 
+
+    ## License
+    The Apache-2.0 license
+
+sort:
+  enabled: true
+  by: required
+
+settings:
+  anchor: true
+  color: true
+  default: true
+  description: false
+  escape: true
+  hide-empty: false
+  html: true
+  indent: 2
+  lockfile: true
+  required: true
+  sensitive: true
+  type: true
diff --git a/examples/replicated/README.md b/examples/replicated/README.md
@@ -0,0 +1,84 @@
+## terraform-aws-secretsmanager
+Terraform module to provision and manage AWS Secrets Manager.
+
+## Usage
+
+```hcl
+module "label" {
+  source  = "cloudposse/label/null"
+  version = "0.25.0"
+
+  name      = "alpha"
+  namespace = "so"
+  stage     = "staging"
+}
+
+module "ssh_key_pair" {
+  source  = "cloudposse/key-pair/aws"
+  version = "0.18.1"
+
+  ssh_public_key_path = "keys/"
+  generate_ssh_key    = "true"
+
+  context = module.label.context
+}
+
+module "secrets" {
+  source  = "SweetOps/secretsmanager/aws"
+  version = "0.1.0"
+
+  secret_version = {
+    secret_string = jsonencode(
+      {
+        ssh_public_key  = base64encode(module.ssh_key_pair.public_key)
+        ssh_private_key = base64encode(module.ssh_key_pair.private_key)
+      }
+    )
+  }
+
+  context = module.label.context
+}
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws.ohio"></a> [aws.ohio](#provider\_aws.ohio) | >= 3.0 |
+| <a name="provider_aws.virginia"></a> [aws.virginia](#provider\_aws.virginia) | >= 3.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kms_key"></a> [kms\_key](#module\_kms\_key) | cloudposse/kms-key/aws | 0.12.1 |
+| <a name="module_label"></a> [label](#module\_label) | cloudposse/label/null | 0.25.0 |
+| <a name="module_secrets"></a> [secrets](#module\_secrets) | ../../ | n/a |
+| <a name="module_ssh_key_pair"></a> [ssh\_key\_pair](#module\_ssh\_key\_pair) | cloudposse/key-pair/aws | 0.18.1 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_kms_replica_key.ohio](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_key) | resource |
+| [aws_kms_replica_key.virginia](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_key) | resource |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS --> 
+
+## License
+The Apache-2.0 license
diff --git a/examples/replicated/main.tf b/examples/replicated/main.tf
@@ -0,0 +1,87 @@
+provider "aws" {
+  region = "us-east-1"
+  alias  = "virginia"
+}
+
+provider "aws" {
+  region = "us-east-2"
+  alias  = "ohio"
+}
+
+module "label" {
+  source  = "cloudposse/label/null"
+  version = "0.25.0"
+
+  name      = "replicated"
+  namespace = "so"
+  stage     = "staging"
+}
+
+module "ssh_key_pair" {
+  source  = "cloudposse/key-pair/aws"
+  version = "0.18.1"
+
+  ssh_public_key_path = "keys/"
+  generate_ssh_key    = "true"
+
+  context = module.label.context
+}
+
+module "kms_key" {
+  source  = "cloudposse/kms-key/aws"
+  version = "0.12.1"
+
+  multi_region = true
+
+  context = module.label.context
+}
+
+resource "aws_kms_replica_key" "virginia" {
+  provider = aws.virginia
+
+  description             = "Multi-Region replica key"
+  deletion_window_in_days = 7
+  primary_key_arn         = module.kms_key.key_arn
+}
+
+resource "aws_kms_replica_key" "ohio" {
+  provider = aws.ohio
+
+  description             = "Multi-Region replica key"
+  deletion_window_in_days = 7
+  primary_key_arn         = module.kms_key.key_arn
+}
+
+module "secrets" {
+  source = "../../"
+
+  secret_version = {
+    enabled = true
+    secret_string = jsonencode(
+      {
+        ssh_public_key  = base64encode(module.ssh_key_pair.public_key)
+        ssh_private_key = base64encode(module.ssh_key_pair.private_key)
+      }
+    )
+  }
+
+  recovery_window_in_days = 0
+  kms_key_id              = module.kms_key.key_id
+
+  kms_key = {
+    enabled = false
+  }
+
+  replicas = [
+    {
+      region     = "us-east-1"
+      kms_key_id = aws_kms_replica_key.virginia.key_id
+    },
+    {
+      region     = "us-east-2"
+      kms_key_id = aws_kms_replica_key.ohio.key_id
+    }
+  ]
+
+  context = module.label.context
+}
diff --git a/examples/replicated/versions.tf b/examples/replicated/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.0"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -26,12 +26,22 @@ module "kms_key" {
 resource "aws_secretsmanager_secret" "default" {
   count = local.enabled ? 1 : 0
 
-  name                    = module.this.id
-  description             = var.description
-  policy                  = var.policy
-  tags                    = module.this.tags
-  recovery_window_in_days = var.recovery_window_in_days
-  kms_key_id              = local.kms_key_id
+  name                           = module.this.id
+  description                    = var.description
+  policy                         = var.policy
+  tags                           = module.this.tags
+  recovery_window_in_days        = var.recovery_window_in_days
+  kms_key_id                     = local.kms_key_id
+  force_overwrite_replica_secret = var.force_overwrite_replica_secret
+
+  dynamic "replica" {
+    for_each = var.replicas
+
+    content {
+      kms_key_id = replica.value.kms_key_id
+      region     = replica.value.region
+    }
+  }
 }
 
 resource "aws_secretsmanager_secret_version" "default" {
diff --git a/variables.tf b/variables.tf
@@ -16,6 +16,30 @@ variable "recovery_window_in_days" {
   description = "Valid JSON document representing a resource policy."
 }
 
+variable "force_overwrite_replica_secret" {
+  type        = bool
+  default     = true
+  description = "Whether to overwrite a secret with the same name in the destination Region."
+}
+
+variable "replicas" {
+  type = list(
+    object(
+      {
+        kms_key_id = string
+        region     = string
+      }
+    )
+  )
+  default     = []
+  description = <<-DOC
+    kms_key_id:
+        ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to.
+    region:
+        Region for replicating the secret.
+  DOC
+}
+
 variable "kms_key_id" {
   type        = string
   default     = null

Original file line number	Diff line number	Diff line change
`@@ -29,5 +29,6 @@ module "secrets" {`
`29`	`29`	`}`
`30`	`30`	`)`
`31`	`31`	`}`
`32`		`- context = module.label.context`
	`32`	`+ recovery_window_in_days = 0`
	`33`	`+ context = module.label.context`
`33`	`34`	`}`