Security Modules 0.67.2
Resource-based policies for Secrets Manager secrets
This module manages resource-based policies on AWS Secrets Manager secrets.
The module accepts a secret_policies variable: a map of objects, each containing the ARN of a secret and a few options for customizing that secret's resource-based policy. These options are:
- To grant read-only access to the secret value (i.e. the secretsmanager:GetSecretValue IAM action), use the iam_entities_with_read_access attribute.
- To grant full access to the secret (i.e. all secretsmanager:* IAM actions), use the iam_entities_with_full_access attribute.
- If neither of these canned options fits, use the policy_statement_json attribute to provide a completely custom policy. The value should be a JSON string, such as the json output of the aws_iam_policy_document data source.
Note that iam_entities_with_read_access and iam_entities_with_full_access are convenience shortcuts. They are mutually exclusive with policy_statement_json, which gives you full control over the policy. If policy_statement_json is provided, the two shortcut attributes are ignored.
Note also that you should manage the policy for any given secret only once. That is, do not pass the same arn value in more than one entry of the map. Doing so results in a non-deterministic policy on that secret, because more than one policy resource will try to manage it and the last one applied wins.
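The following is an added example, not code from this page or from the Gruntwork module itself. It wires three secrets through the three options above (read-only shortcut, full-access shortcut, and a custom policy built with aws_iam_policy_document) and adds a Terraform check that fails the plan if any secret ARN appears in the map twice. The secret ARNs, role ARNs and VPC endpoint ID are placeholders, and the example assumes the two iam_entities_* attributes take lists of IAM principal ARNs and that attributes not used by an entry may be omitted; confirm both against the module's variables.tf for the version you pin.

```hcl
# Added example (not the module's own code). Assumes iam_entities_with_read_access and
# iam_entities_with_full_access take lists of IAM principal ARNs; every ARN and ID below
# is a placeholder.

locals {
  app_role_arn     = "arn:aws:iam::111111111111:role/app-server"
  admin_role_arn   = "arn:aws:iam::111111111111:role/secrets-admin"
  partner_role_arn = "arn:aws:iam::222222222222:role/partner-reader"

  db_secret_arn      = "arn:aws:secretsmanager:us-east-1:111111111111:secret:prod/db-AbCdEf"
  api_key_secret_arn = "arn:aws:secretsmanager:us-east-1:111111111111:secret:prod/api-key-GhIjKl"
  shared_secret_arn  = "arn:aws:secretsmanager:us-east-1:111111111111:secret:prod/shared-MnOpQr"

  # One entry per secret. Keep this map in a local so the check below can inspect it.
  secret_policies = {
    db = {
      arn                           = local.db_secret_arn
      iam_entities_with_read_access = [local.app_role_arn]
    }
    api_key = {
      arn                           = local.api_key_secret_arn
      iam_entities_with_full_access = [local.admin_role_arn]
    }
    shared = {
      arn                   = local.shared_secret_arn
      policy_statement_json = data.aws_iam_policy_document.shared_secret.json
    }
  }
}

# Custom policy for the third secret: a role in another account may read it, but
# GetSecretValue is denied to everyone unless the call arrives via one VPC endpoint.
# In a resource policy "*" in resources refers to the secret the policy is attached to.
data "aws_iam_policy_document" "shared_secret" {
  statement {
    sid       = "AllowPartnerRead"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [local.partner_role_arn]
    }
  }

  statement {
    sid       = "DenyOutsideVpcEndpoint"
    effect    = "Deny"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "aws:sourceVpce"
      values   = ["vpce-0123456789abcdef0"] # placeholder endpoint ID
    }
  }
}

module "secrets_manager_resource_policies" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/secrets-manager-resource-policies?ref=v0.67.2"

  secret_policies = local.secret_policies
}

# Guard against managing one secret's policy twice: the plan fails if two map entries
# carry the same arn. Requires Terraform 1.5 or later for the check block.
check "no_duplicate_secret_arns" {
  assert {
    condition     = length(distinct([for v in values(local.secret_policies) : v.arn])) == length(local.secret_policies)
    error_message = "secret_policies contains the same secret ARN more than once; manage each secret's policy exactly once."
  }
}
```

Two points about the custom policy: the explicit Deny with a principal of "*" also applies to administrators in the secret's own account, so anyone who reads the value from the console or a laptop will be blocked unless they go through that endpoint; exempt such principals with an aws:PrincipalArn condition if that is not what you want. And because policy_statement_json is set for the shared secret, any iam_entities_* attributes on that entry would be ignored, per the note above.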
Sample Usage
main.tf
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S SECRETS-MANAGER-RESOURCE-POLICIES MODULE
# ------------------------------------------------------------------------------------------------------
module "secrets_manager_resource_policies" {
source = "git::git@github.com:gruntwork-io/terraform-aws-security.git//modules/secrets-manager-resource-policies?ref=v0.67.2"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
secret_policies = <INPUT REQUIRED>
}
terraform.tfvars
# Coming soon!