Add replica options to support secret replication across regions

elasticache-redis/auth-token/README.md

@@ -48,6 +48,7 @@ token is changed.
 | <a name="input_admin_principals"></a> [admin\_principals](#input\_admin\_principals) | Principals allowed to peform admin actions (default: current account) | `list(string)` | `null` | no |
 | <a name="input_initial_auth_token"></a> [initial\_auth\_token](#input\_initial\_auth\_token) | Inital auth token passed when the group was created | `string` | n/a | yes |
 | <a name="input_read_principals"></a> [read\_principals](#input\_read\_principals) | Principals allowed to read the secret (default: current account) | `list(string)` | `null` | no |
+| <a name="input_replica_regions"></a> [replica\_regions](#input\_replica\_regions) | List of regions to replicate the secret to | <pre>list(object({<br>    region     = string<br>    kms_key_id = optional(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_replication_group_id"></a> [replication\_group\_id](#input\_replication\_group\_id) | ID of the group for which the auth token will be managed | `string` | n/a | yes |
 | <a name="input_secret_name"></a> [secret\_name](#input\_secret\_name) | Override the name for this secret | `string` | `null` | no |
 | <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | Security groups to attach to the rotation function | `list(string)` | `[]` | no |

elasticache-redis/auth-token/main.tf

@@ -7,6 +7,7 @@ module "secret" {
   read_principals  = var.read_principals
   resource_tags    = var.tags
   trust_tags       = var.trust_tags
+  replica_regions  = var.replica_regions
 
   initial_value = jsonencode({
     host  = data.aws_elasticache_replication_group.this.primary_endpoint_address

elasticache-redis/auth-token/variables.tf

@@ -4,6 +4,16 @@ variable "admin_principals" {
   default     = null
 }
 
+variable "replica_regions" {
+  description = "List of regions to replicate the secret to"
+  type = list(object({
+    region     = string
+    kms_key_id = optional(string)
+  }))
+  default = []
+}
+
+
 variable "replication_group_id" {
   description = "ID of the group for which the auth token will be managed"
   type        = string

rds-postgres/admin-login/main.tf

@@ -7,6 +7,7 @@ module "secret" {
   read_principals  = var.read_principals
   resource_tags    = var.tags
   trust_tags       = var.trust_tags
+  replica_regions  = var.replica_regions
 
   initial_value = jsonencode({
     dbname   = var.database_name

rds-postgres/admin-login/variables.tf

@@ -4,6 +4,15 @@ variable "admin_principals" {
   default     = null
 }
 
+variable "replica_regions" {
+  description = "List of regions to replicate the secret to"
+  type = list(object({
+    region     = string
+    kms_key_id = optional(string)
+  }))
+  default = []
+}
+
 variable "alternate_username" {
   description = "Username for the alternate login used during rotation"
   type        = string

rds-postgres/rds-postgres-login/README.md

@@ -88,6 +88,7 @@ module "rds_admin_password" {
 | <a name="input_grants"></a> [grants](#input\_grants) | List of GRANT statements for this user | `list(string)` | n/a | yes |
 | <a name="input_read_principals"></a> [read\_principals](#input\_read\_principals) | Principals allowed to read the secret (default: current account) | `list(string)` | `null` | no |
 | <a name="input_replica"></a> [replica](#input\_replica) | Whether the login is for a replica instance | `bool` | `false` | no |
+| <a name="input_replica_regions"></a> [replica\_regions](#input\_replica\_regions) | List of regions to replicate the secret to | <pre>list(object({<br>    region     = string<br>    kms_key_id = optional(string)<br>  }))</pre> | `[]` | no |
 | <a name="input_secret_name"></a> [secret\_name](#input\_secret\_name) | Override the name for this secret | `string` | `null` | no |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | Subnets in which the rotation function should run | `list(string)` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to be applied to created resources | `map(string)` | `{}` | no |

rds-postgres/rds-postgres-login/main.tf

@@ -7,6 +7,7 @@ module "secret" {
   read_principals  = var.read_principals
   resource_tags    = var.tags
   trust_tags       = var.trust_tags
+  replica_regions  = var.replica_regions
 
   initial_value = jsonencode({
     dbname   = var.database.db_name

rds-postgres/rds-postgres-login/variables.tf

@@ -4,6 +4,15 @@ variable "admin_login_secret_arn" {
   default     = null
 }
 
+variable "replica_regions" {
+  description = "List of regions to replicate the secret to"
+  type = list(object({
+    region     = string
+    kms_key_id = optional(string)
+  }))
+  default = []
+}
+
 variable "admin_login_kms_key_id" {
   type        = string
   description = "ARN of the KMS key used to encrypt the admin login"