diff --git a/README.md b/README.md index 6dca812..f38c15f 100644 --- a/README.md +++ b/README.md 
@@ -64,17 +64,18 @@ kms_key_arn = aws_kms_key.example.arn ## Inputs -| Name | Description | Type | Default | Required | -| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ------- | ----------- | -| project | Name of the project. | `string` | n/a | yes | -| kms_key_arn | ARN for an existing KMS key to use for encryption. Required if `create_kms_key` is set to `false`; ignored otherwise. | `string` | `null` | conditional | -| add_suffix | Apply a random suffix to the secret name. Useful when secrets may need to be replaced, but makes identify secrets by name alone more difficult. | `bool` | `true` | no | -| create_kms_key | Whether to create a new KMS key for encrypting secrets. If set to `false`, `kms_key_arn` must be provided. | `bool` | `true` | no | -| environment | Environment for the project. | `string` | `"dev"` | no | -| key_recovery_period | Recovery period for deleted KMS keys in days. Must be between 7 and 30. Only used if `create_kms_key` is set to `true`. | `number` | `30` | no | -| [secrets] | Secrets to be created. | `map(object)` | `{}` | no | -| service | Optional service that these resources are supporting. Example: `"api"`, `"web"`, `"worker"` | `string` | n/a | no | -| tags | Optional tags to be applied to all resources. | `list` | `[]` | no | +| Name | Description | Type | Default | Required | +| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ------- | ----------- | +| project | Name of the project. | `string` | n/a | yes | +| kms_key_arn | ARN for an existing KMS key to use for encryption. Required if `create_kms_key` is set to `false`; ignored otherwise. 
| `string` | `null` | conditional | +| add_suffix | Apply a random suffix to the secret name. Useful when secrets may need to be replaced, but makes identify secrets by name alone more difficult. | `bool` | `true` | no | +| create_kms_key | Whether to create a new KMS key for encrypting secrets. If set to `false`, `kms_key_arn` must be provided. | `bool` | `true` | no | +| environment | Environment for the project. | `string` | `"dev"` | no | +| key_recovery_period | Recovery period for deleted KMS keys in days. Must be between 7 and 30. Only used if `create_kms_key` is set to `true`. | `number` | `30` | no | +| recovery_window | Recovery window for deleted secrets, in days. Must be between 7 and 30, or 0 to disable recovery when the secret is deleted. This value can be overridden for each secret by setting the `recovery_window` for the secret. | `number` | `30` | no | +| [secrets] | Secrets to be created. | `map(object)` | `{}` | no | +| service | Optional service that these resources are supporting. Example: `"api"`, `"web"`, `"worker"` | `string` | n/a | no | +| tags | Optional tags to be applied to all resources. | `list` | `[]` | no | ### secrets 
@@ -112,13 +113,13 @@ secrets = { This would result in a key named `my/example/key-` before the random suffix is applied. -| Name | Description | Type | Default | Required | -| ---------------------- | ------------------------------------------------------------- | -------- | ------- | -------- | -| description | Description of the secret. | `string` | n/a | yes | -| create_random_password | Creates a random password as the staring value. | `bool` | `false` | no | -| name | Name to use as the prefix for the secret. | `string` | `""` | no | -| recovery_window | Number of days that a secret can be recovered after deletion. | `string` | `30` | no | -| start_value | Value to be set into the secret at creation. | `string` | `"{}"` | no | +| Name | Description | Type | Default | Required | +| ---------------------- | -------------------------------------------------------------------------------------------------------------------- | -------- | ------- | -------- | +| description | Description of the secret. | `string` | n/a | yes | +| create_random_password | Creates a random password as the staring value. | `bool` | `false` | no | +| name | Name to use as the prefix for the secret. | `string` | `""` | no | +| recovery_window | Override the default recovery window. Must be between 7 and 30, or 0 to disable recovery when the secret is deleted. | `number` | `null` | no | +| start_value | Value to be set into the secret at creation. | `string` | `"{}"` | no | ## Outputs diff --git a/main.tf b/main.tf index 52a19f1..d7ee865 100644 --- a/main.tf +++ b/main.tf @@ -14,7 +14,7 @@ module "secrets_manager" { ) create_random_password = each.value.create_random_password description = each.value.description - recovery_window_in_days = each.value.recovery_window + recovery_window_in_days = coalesce(each.value.recovery_window, var.recovery_window) kms_key_id = local.kms_key_id secret_string = each.value.start_value diff --git a/variables.tf b/variables.tf index 3fa2c58..fb46ca7 100644 
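Review bot: The per-secret `recovery_window` that the new `coalesce()` prefers is not range-checked anywhere visible, so a value such as 3 or -1 clears plan-time validation (only `var.recovery_window` is validated in the variables.tf hunk) and fails only when the provider calls the Secrets Manager API; the constraint belongs on `var.secrets`, which I raise on the variables.tf hunk. Because `coalesce` treats 0 as a real value rather than as absent, a per-secret 0 correctly wins over the module default and disables deletion recovery for that one secret, which is the intended override but is easy to misread as "unset", so a comment on the changed line would help: `# per-secret override wins; 0 is a real value to coalesce() and disables recovery for this secret`. The `module "secrets_manager"` block starts and ends outside the hunk.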
--- a/variables.tf +++ b/variables.tf @@ -29,7 +29,7 @@ variable "key_recovery_period" { validation { condition = var.key_recovery_period > 6 && var.key_recovery_period < 31 - error_message = "Recovery period must be between 7 and 30." + error_message = "Key recovery period must be between 7 and 30." } } @@ -47,6 +47,21 @@ variable "project" { description = "Project that these resources are supporting." } +variable "recovery_window" { + type = number + default = 30 + description = <<-EOT + Recovery window for deleted secrets, in days. Must be between 7 and 30, or 0 + to disable recovery when the secret is deleted. This value can be overridden + for each secret by setting the `recovery_window` for the secret. + EOT + + validation { + condition = var.recovery_window == 0 || (var.recovery_window > 6 && var.recovery_window < 31) + error_message = "Recovery window must be between 7 and 30, or 0 to disable recovery." + } +} + # TODO: Support rotation. variable "secrets" { type = map(object({ @@ -54,7 +69,7 @@ variable "secrets" { create_random_password = optional(bool, false) description = string name = optional(string, null) - recovery_window = optional(number, 30) + recovery_window = optional(number, null) start_value = optional(string, "{}") }))
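Review bot: `variable "recovery_window"` has a default but no `nullable = false`, so a caller that passes an explicit `null` keeps null inside the module (Terraform's default is `nullable = true`); the validation's `var.recovery_window > 6` then operates on a null operand and main.tf's `coalesce(each.value.recovery_window, var.recovery_window)` has no non-null fallback. Adding `nullable = false` makes an explicit null fall back to the default of 30. The same hunk opens `variable "secrets"`, whose `recovery_window` attribute (declared in the next hunk) carries no validation of its own, so the 7–30-or-0 rule is enforced for the module default but not for the per-secret override that now takes precedence; a validation on `var.secrets` closes that gap. The `variable "secrets"` block ends outside the hunk, so the validation below goes after its `type` block.
```hcl
variable "recovery_window" {
  type     = number
  default  = 30
  nullable = false # an explicit null from the caller uses the default instead of reaching coalesce()
  # … unchanged: description and validation …
}

# … unchanged: variable "secrets" type block (closes outside the hunk) …
  # Mirror var.recovery_window's check for the per-secret override (null = inherit the default).
  validation {
    condition = alltrue([
      for s in var.secrets : s.recovery_window == null || s.recovery_window == 0 || (s.recovery_window > 6 && s.recovery_window < 31)
    ])
    error_message = "Each secret's recovery_window must be between 7 and 30, or 0 to disable recovery."
  }
```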