AWS Secrets Manager

Overview

The AWS Secrets Manager Module provides a reusable and secure way to provision and manage secrets in AWS Secrets Manager using Terraform.
It simplifies storing, rotating, and retrieving sensitive information such as database credentials, API keys, and tokens while following AWS best practices.

This module supports both resource creation and data sources for securely managing secrets and their policies in a consistent and modular way.


Features

  • 🚀 Reusable & Modular – Predefined structure for creating and referencing secrets.
  • 🔐 Security Best Practices – Supports encryption with AWS KMS and fine-grained IAM policies.
  • 🔄 Automatic Rotation – Enable secret rotation with AWS Lambda integration.
  • 📜 Policy Management – Attach custom resource-based policies to secrets.
  • 📊 Auditing Support – Integrates with AWS CloudTrail for monitoring secret usage.
  • 🧩 Extensible – Easy to integrate with other Terraform modules and AWS services.

Core Concepts

  1. Resources Module

    • Creates and manages secrets in AWS Secrets Manager.
    • Includes support for:
      • Secret string/JSON values
      • KMS encryption
      • Rotation rules
      • Resource-based policies
  2. Data Module

    • Fetches information about existing secrets.
    • Useful for referencing secret values in other Terraform resources or applications.
  3. Rotation Management

    • Supports automated rotation of credentials.
    • Can be integrated with AWS Lambda for custom rotation logic.
  4. Separation of Concerns

    • resources/ handles secret creation and configuration.
    • data/ is focused on reading and referencing existing secrets.
    • This separation ensures clarity, reusability, and modular design.
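The following is an added example, not code from the module's own documentation, showing the separation described above in practice: the resources/ submodule creates the secret, and the value is read back for use elsewhere in the configuration. Because the inputs of the data/ submodule are not listed on this page, the read-back side uses the AWS provider's native `aws_secretsmanager_secret` and `aws_secretsmanager_secret_version` data sources instead; the module name `app_db_secret` and the secret contents are constructed for illustration.

```hcl
# Added example (not from the module's documentation). The resources/
# submodule creates the secret; the AWS provider's native data sources read
# it back, which is the role the data/ submodule plays in the real project.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Create the secret with the resources/ submodule.
module "app_db_secret" {
  source = "github.com/anantacloud/terraform-aws-secrets-manager-module/modules/resources"

  name        = "my-app-secret"
  description = "Application database credentials"
  value = jsonencode({
    username = "admin"
    password = "placeholder-value" # constructed placeholder, never a real credential in source
  })
}

# Read the secret back by name. depends_on makes Terraform create the secret
# before this data source is evaluated, so a single apply works end to end.
data "aws_secretsmanager_secret" "app_db" {
  name       = "my-app-secret"
  depends_on = [module.app_db_secret]
}

data "aws_secretsmanager_secret_version" "app_db" {
  secret_id = data.aws_secretsmanager_secret.app_db.id
}

# Decode the JSON payload once and expose only the field callers need.
locals {
  app_db = jsondecode(data.aws_secretsmanager_secret_version.app_db.secret_string)
}

# sensitive = true keeps the value out of plan/apply output. It is still
# written to the state file in clear text, so the state backend itself must
# be encrypted and access-controlled.
output "app_db_username" {
  value     = local.app_db["username"]
  sensitive = true
}
```

Reading the secret through a data source rather than reusing the module's input value means the consuming configuration never needs the plaintext in its own variables; it only needs `secretsmanager:GetSecretValue` on that one secret.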

Sample Usage

# DEPLOY ANANTA CLOUD'S SECRETS MANAGER MODULE

module "secrets_manager" {
  source = "github.com/anantacloud/terraform-aws-secrets-manager-module/modules/resources"

  # ==========================
  # REQUIRED VARIABLES
  # ==========================
  name = "my-app-secret"
  value = jsonencode({
    username = "admin"
    password = "supersecret"
  })

  # ==========================
  # OPTIONAL VARIABLES
  # ==========================
  description = "Application database credentials"
  kms_key_id  = "arn:aws:kms:us-east-1:123456789012:key/abcd-1234-efgh-5678"

  rotation = {
    enabled             = true
    rotation_lambda_arn = "arn:aws:lambda:us-east-1:123456789012:function:rotate-secret"
    rotation_days       = 30
  }

  tags = {
    Environment = "dev"
    Project     = "my-app"
  }
}

Required

Name  | Description                    | Type   | Example
name  | Name of the secret             | string | "my-app-secret"
value | Secret value (string or JSON)  | string | jsonencode({username="admin"})

Optional

Name        | Description                        | Type   | Default
description | Description of the secret          | string | null
kms_key_id  | KMS key ARN for encryption         | string | null
rotation    | Configuration for secret rotation  | object | {}
tags        | Add custom tags to the secret      | map    | {}
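The sample above commits a literal password to source and enables rotation without the permissions the rotation Lambda needs. The following added example, which is not part of the module's documentation, hardens that sample: the initial password is generated by the `random` provider, the Secrets Manager service principal is granted permission to invoke the rotation function, and a resource-based policy restricts reads to a single application role. It assumes the module exposes the secret's ARN as `module.secrets_manager.arn` (the real output name is not documented on this page), and the role ARN `my-app-task-role` is a constructed example.

```hcl
# Added example (not from the module's documentation). Hardens the Sample
# Usage: generated password, rotation permissions, least-privilege read policy.
# ASSUMPTION: the module is taken to expose the secret ARN as
# module.secrets_manager.arn; check the module's outputs for the real name.

terraform {
  required_providers {
    aws    = { source = "hashicorp/aws", version = ">= 5.0" }
    random = { source = "hashicorp/random", version = ">= 3.5" }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Generate the initial password instead of writing one into the configuration.
# The result is still recorded in Terraform state, so the state backend must
# be encrypted; it never has to be committed to version control.
resource "random_password" "db" {
  length           = 32
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?" # avoids '/', '@', '"' and space, which RDS rejects
}

module "secrets_manager" {
  source = "github.com/anantacloud/terraform-aws-secrets-manager-module/modules/resources"

  name        = "my-app-secret"
  description = "Application database credentials"
  kms_key_id  = "arn:aws:kms:us-east-1:123456789012:key/abcd-1234-efgh-5678"

  value = jsonencode({
    username = "admin"
    password = random_password.db.result
  })

  rotation = {
    enabled             = true
    rotation_lambda_arn = "arn:aws:lambda:us-east-1:123456789012:function:rotate-secret"
    rotation_days       = 30
  }

  tags = {
    Environment = "dev"
    Project     = "my-app"
  }
}

# Enabling rotation fails unless the Secrets Manager service principal may
# invoke the rotation function. source_arn pins the permission to this one
# secret. The function's execution role additionally needs
# secretsmanager:DescribeSecret, GetSecretValue, PutSecretValue and
# UpdateSecretVersionStage on the secret, plus secretsmanager:GetRandomPassword.
resource "aws_lambda_permission" "allow_secrets_manager" {
  statement_id  = "AllowSecretsManagerInvoke"
  action        = "lambda:InvokeFunction"
  function_name = "rotate-secret"
  principal     = "secretsmanager.amazonaws.com"
  source_arn    = module.secrets_manager.arn # ASSUMED output name
}

# Resource-based policy: only the application's role may read the value.
# An Allow scoped to a named principal is preferred over a blanket Deny so
# administrators and the rotation function are not locked out.
data "aws_iam_policy_document" "read_only_app_role" {
  statement {
    sid       = "AllowAppRoleRead"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["*"] # inside a secret's resource policy, "*" means this secret only
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:role/my-app-task-role"] # constructed example
    }
  }
}

resource "aws_secretsmanager_secret_policy" "app" {
  secret_arn = module.secrets_manager.arn # ASSUMED output name
  policy     = data.aws_iam_policy_document.read_only_app_role.json
}
```

After applying, `aws secretsmanager rotate-secret --secret-id my-app-secret` is a quick check that the invoke permission and the function's own role are sufficient; the resulting `RotateSecret` and `GetSecretValue` calls appear in CloudTrail, which is where the auditing support mentioned under Features is observed.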