From 555d9db14d884ad4bb4b360deb75204287d16d07 Mon Sep 17 00:00:00 2001
From: Vadim Kadnikov
Date: Thu, 4 Apr 2024 15:24:08 +0200
Subject: [PATCH 1/2] feat: Add delete_in argument
---
 main.tf | 2 ++
 variables.tf | 12 ++++++++++++
 2 files changed, 14 insertions(+)
diff --git a/main.tf b/main.tf
index 350de64..73305b9 100644
--- a/main.tf
+++ b/main.tf
@@ -24,6 +24,8 @@ resource "aws_secretsmanager_secret" "app" {
 policy = lookup(local.arns, each.key, null) == null ? null : data.aws_iam_policy_document.access[each.key].json
+ recovery_window_in_days = var.delete_in
+
 tags = merge(var.tags, { "service" = var.app_name })
 }
diff --git a/variables.tf b/variables.tf
index abde8c1..b4fd13e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -21,6 +21,18 @@ variable "secrets" {
 )
 }
+variable "delete_in" {
+ description = "Number of days to wait before secret deletion"
+ type = number
+
+ default = 30
+
+ validation {
+ condition = var.delete_in == 0 || contains(range(7, 30), var.delete_in)
+ error_message = "The delete_in value must be 0 or between 7 and 30."
+ }
+}
+
 variable "tags" {
 description = "Key-value map of tags"
 type = map(string)
From 483985ac90d1985781f78b443a96398f42e5aa19 Mon Sep 17 00:00:00 2001
From: Vadim Kadnikov
Date: Thu, 4 Apr 2024 15:24:16 +0200
Subject: [PATCH 2/2] chore: Update README
---
 README.md | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index bb0283d..bd6cf3b 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,7 @@ A module to create application secrets stored in [AWS Secrets Manager](https://a
 * [Cross-account secrets](#cross-account-secrets)
 * [Inputs](#inputs)
 * [Secrets](#secrets)
+ * [Recovery window](#recovery-window)
 * [Outputs](#outputs)
 * [Release](#release)
 * [Maintainers](#maintainers)
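Review bot: The added `recovery_window_in_days = var.delete_in` line in main.tf silently makes `delete_in = 0` an immediate, unrecoverable deletion on every destroy or replacement of the secret, and nothing at the resource records that consequence for the next maintainer. A why-comment on the line would make the trade-off visible: `# 0 disables the recovery window: destroy/replace removes the secret immediately and irreversibly`. The `aws_secretsmanager_secret.app` block begins before the hunk, so any other attributes it sets on the lifecycle are outside this view.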
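Review bot: The validation in the variables.tf hunk rejects the variable's own default: Terraform's `range(7, 30)` is end-exclusive, so it produces 7..29 and `contains(range(7, 30), 30)` is false, meaning `delete_in = 30` (the default, and the value the error message says is allowed) fails validation. Change the condition to `condition = var.delete_in == 0 || contains(range(7, 31), var.delete_in)`, which keeps the integer-only behaviour; a comparison such as `var.delete_in >= 7 && var.delete_in <= 30` would also work but would admit non-integer values that the provider then rejects. The `0` case also deserves a word in the description, since it means immediate deletion with no recovery window, e.g. `description = "Number of days to wait before secret deletion; 0 deletes immediately without recovery"`.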
@@ -210,12 +211,13 @@ module "user" {
 ## Inputs
-| Name | Description | Type | Default | Required |
-|:-------------|:---------------------------------------|:-------------|:------------|:---------|
-| `app_name` | Application name | string | `null` | yes |
-| `aws_region` | AWS region | string | `us-east-2` | no |
-| `secrets` | List of objects of [secrets](#secrets) | list(object) | `null` | yes |
-| `tags` | Key-value map of tags | map(string) | `{}` | no |
+| Name | Description | Type | Default | Required |
+|:-------------|:------------------------------------------------------------------|:-------------|:------------|:---------|
+| `app_name` | Application name | string | `null` | yes |
+| `aws_region` | AWS region | string | `us-east-2` | no |
+| `secrets` | List of objects of [secrets](#secrets) | list(object) | `null` | yes |
+| `delete_in` | [Number of days](#recovery-window) to wait before secret deletion | number | `30` | no |
+| `tags` | Key-value map of tags | map(string) | `{}` | no |
 ### Secrets
@@ -225,6 +227,10 @@ module "user" {
 | `value` | Secret value | string | `null` |
 | `allowed_arns` | List of principal ARNs that have access to the secret | list | `null` |
+### Recovery window
+
+Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be `0` to force deletion without recovery or range from `7` to `30` days. The default value is `30`.
+
 ## Outputs
 | Name | Description | Sensitive |