Generates and stores a random string in Secrets Manager.
Example:

```hcl
module "random_password" {
  source           = "git::https://github.com/rhythmictech/terraform-aws-secretsmanager-secret"
  name_prefix      = "RDSPassword"
  description      = "RDS instance master password"
  length           = 20
  override_special = "@#$%^*()-=_+[]{};<>?,./"
}
```
## Requirements

| Name | Version |
|---|---|
| random | >= 2.2.0 |
## Providers

| Name | Version |
|---|---|
| aws | n/a |
| random | >= 2.2.0 |
## Resources

| Name | Type |
|---|---|
| aws_cloudwatch_log_metric_filter.secret_access | resource |
| aws_cloudwatch_metric_alarm.unauthorized_cloudtrail_calls | resource |
| aws_secretsmanager_secret.secret | resource |
| aws_secretsmanager_secret_version.secret_val | resource |
| random_password.random_string | resource |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cloudtrail_log_group | CloudTrail log group name (required if enable_secret_access_notification=true) | string | "change_me" | no |
| create_secret | If false, this module creates nothing (Terraform does not support conditional modules) | bool | true | no |
| description | Description to add to the secret | string | "" | no |
| enable_secret_access_notification | Notify an SNS topic on secret access (not recommended for most use cases) | bool | false | no |
| kms_key_id | Optional. The KMS key used to encrypt the secret; a KMS key ARN or alias can be used. | any | null | no |
| length | Length of the generated string | number | n/a | yes |
| min_lower | Minimum number of lower case characters | number | 0 | no |
| min_numeric | Minimum number of numeric characters | number | 0 | no |
| min_special | Minimum number of special characters | number | 0 | no |
| min_upper | Minimum number of upper case characters | number | 0 | no |
| name | Name (omit to use name_prefix) | string | "" | no |
| name_prefix | Name prefix (not used if name is specified) | string | "terraform" | no |
| override_special | Custom set of special characters to use instead of the random provider's default set (see the example above) | string | "" | no |
| pass_version | Password version. Increment this to trigger generation of a new password. | number | 1 | no |
| recovery_window_in_days | Number of days that AWS Secrets Manager waits before it can delete the secret. | number | 30 | no |
| secret_access_metric_namespace | Metric namespace to use for the CloudWatch metric | string | "SecretsManager" | no |
| secret_access_notification_arn | SNS topic to notify on secret access (required if enable_secret_access_notification=true) | string | "" | no |
| tags | Tags to add to supported resources | map(string) | {} | no |
| use_lower | Use lower case characters | bool | true | no |
| use_number | Use numeric characters | bool | true | no |
| use_special | Use special characters | bool | true | no |
| use_upper | Use upper case characters | bool | true | no |
## Outputs

| Name | Description |
|---|---|
| secret | Generated secret |
| secret_arn | The ARN of the secret |
| version_id | The unique identifier of the version of the secret. |
Secrets are generated with the random provider, which means the generated value is stored in the Terraform state (tfstate) in plaintext, so the state file must be protected as carefully as the secret itself.
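The note above is easy to verify. This added example (not part of the module) parses a constructed Terraform state snapshot and reports where the generated value sits in the clear, matching the module's `random_password.random_string` and `aws_secretsmanager_secret_version.secret_val` resources; the state content, account id, ARN suffix and password are made-up placeholders.

```python
import json

# Resource types this module creates that carry the secret value, mapped to
# the attribute each one stores it in (random provider / aws provider).
SECRET_ATTRS = {
    "random_password": "result",
    "aws_secretsmanager_secret_version": "secret_string",
}

# Constructed, minimal Terraform state (format version 4). The account id,
# ARN suffix and password are made-up placeholders, not real data.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"module": "module.random_password", "mode": "managed",
         "type": "random_password", "name": "random_string",
         "instances": [{"attributes": {"length": 20, "result": "Ex@mple-P4ss{word}!!"}}]},
        {"module": "module.random_password", "mode": "managed",
         "type": "aws_secretsmanager_secret_version", "name": "secret_val",
         "instances": [{"attributes": {
             "secret_id": "arn:aws:secretsmanager:us-east-1:111111111111:secret:RDSPassword-AbCdEf",
             "secret_string": "Ex@mple-P4ss{word}!!"}}]},
        {"module": "module.random_password", "mode": "managed",
         "type": "aws_secretsmanager_secret", "name": "secret",
         "instances": [{"attributes": {"name": "RDSPassword-AbCdEf"}}]},
    ],
})


def find_plaintext_secrets(state_json: str) -> list:
    """Return one finding per resource instance whose attributes hold the
    secret in the clear. A finding gives the state address, the attribute and
    the value's length only, so the check itself never re-prints the secret."""
    findings = []
    for res in json.loads(state_json).get("resources", []):
        attr = SECRET_ATTRS.get(res.get("type"))
        if attr is None or res.get("mode") != "managed":
            continue
        address = ".".join(p for p in (res.get("module"), res["type"], res["name"]) if p)
        for inst in res.get("instances", []):
            value = inst.get("attributes", {}).get(attr)
            if value:
                findings.append({"address": address, "attribute": attr, "length": len(value)})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{f['address']}.{f['attribute']}: {f['length']}-char secret in plaintext")
```

Run it against a real `terraform.tfstate` (or `terraform state pull` output) to confirm which addresses need the state backend's encryption and access controls.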