

Merge pull request #45 from magmax/master
Allow to use `version_stages` on secret versions
lgallard authored Dec 19, 2023
2 parents c4be9eb + 89f736e commit 29ebce4
Showing 2 changed files with 30 additions and 20 deletions.
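--- a/main.tf
+++ b/main.tf
@@ -18,11 +18,12 @@ resource "aws_secretsmanager_secret" "sm" {
 }
 
 resource "aws_secretsmanager_secret_version" "sm-sv" {
-for_each = { for k, v in var.secrets : k => v if !var.unmanaged }
-secret_id = aws_secretsmanager_secret.sm[each.key].arn
-secret_string = lookup(each.value, "secret_string", null) != null ? lookup(each.value, "secret_string", null) : (lookup(each.value, "secret_key_value", null) != null ? jsonencode(lookup(each.value, "secret_key_value", {})) : null)
-secret_binary = lookup(each.value, "secret_binary", null) != null ? base64encode(lookup(each.value, "secret_binary")) : null
-depends_on = [aws_secretsmanager_secret.sm]
+for_each = { for k, v in var.secrets : k => v if !var.unmanaged }
+secret_id = aws_secretsmanager_secret.sm[each.key].arn
+secret_string = lookup(each.value, "secret_string", null) != null ? lookup(each.value, "secret_string", null) : (lookup(each.value, "secret_key_value", null) != null ? jsonencode(lookup(each.value, "secret_key_value", {})) : null)
+secret_binary = lookup(each.value, "secret_binary", null) != null ? base64encode(lookup(each.value, "secret_binary")) : null
+version_stages = var.version_stages
+depends_on = [aws_secretsmanager_secret.sm]
 lifecycle {
 ignore_changes = [
 secret_id,
@@ -31,11 +32,12 @@ resource "aws_secretsmanager_secret_version" "sm-sv" {
 }
 
 resource "aws_secretsmanager_secret_version" "sm-svu" {
-for_each = { for k, v in var.secrets : k => v if var.unmanaged }
-secret_id = aws_secretsmanager_secret.sm[each.key].arn
-secret_string = lookup(each.value, "secret_string", null) != null ? lookup(each.value, "secret_string") : (lookup(each.value, "secret_key_value", null) != null ? jsonencode(lookup(each.value, "secret_key_value", {})) : null)
-secret_binary = lookup(each.value, "secret_binary", null) != null ? base64encode(lookup(each.value, "secret_binary")) : null
-depends_on = [aws_secretsmanager_secret.sm]
+for_each = { for k, v in var.secrets : k => v if var.unmanaged }
+secret_id = aws_secretsmanager_secret.sm[each.key].arn
+secret_string = lookup(each.value, "secret_string", null) != null ? lookup(each.value, "secret_string") : (lookup(each.value, "secret_key_value", null) != null ? jsonencode(lookup(each.value, "secret_key_value", {})) : null)
+secret_binary = lookup(each.value, "secret_binary", null) != null ? base64encode(lookup(each.value, "secret_binary")) : null
+version_stages = var.version_stages
+depends_on = [aws_secretsmanager_secret.sm]
 
 lifecycle {
 ignore_changes = [
@@ -60,11 +62,12 @@ resource "aws_secretsmanager_secret" "rsm" {
 }
 
 resource "aws_secretsmanager_secret_version" "rsm-sv" {
-for_each = { for k, v in var.rotate_secrets : k => v if !var.unmanaged }
-secret_id = aws_secretsmanager_secret.rsm[each.key].arn
-secret_string = lookup(each.value, "secret_string", null) != null ? lookup(each.value, "secret_string") : (lookup(each.value, "secret_key_value", null) != null ? jsonencode(lookup(each.value, "secret_key_value", {})) : null)
-secret_binary = lookup(each.value, "secret_binary", null) != null ? base64encode(lookup(each.value, "secret_binary")) : null
-depends_on = [aws_secretsmanager_secret.rsm]
+for_each = { for k, v in var.rotate_secrets : k => v if !var.unmanaged }
+secret_id = aws_secretsmanager_secret.rsm[each.key].arn
+secret_string = lookup(each.value, "secret_string", null) != null ? lookup(each.value, "secret_string") : (lookup(each.value, "secret_key_value", null) != null ? jsonencode(lookup(each.value, "secret_key_value", {})) : null)
+secret_binary = lookup(each.value, "secret_binary", null) != null ? base64encode(lookup(each.value, "secret_binary")) : null
+version_stages = var.version_stages
+depends_on = [aws_secretsmanager_secret.rsm]
 lifecycle {
 ignore_changes = [
 secret_id,
@@ -73,11 +76,12 @@ resource "aws_secretsmanager_secret_version" "rsm-sv" {
 }
 
 resource "aws_secretsmanager_secret_version" "rsm-svu" {
-for_each = { for k, v in var.rotate_secrets : k => v if var.unmanaged }
-secret_id = aws_secretsmanager_secret.rsm[each.key].arn
-secret_string = lookup(each.value, "secret_string", null) != null ? lookup(each.value, "secret_string") : (lookup(each.value, "secret_key_value", null) != null ? jsonencode(lookup(each.value, "secret_key_value", {})) : null)
-secret_binary = lookup(each.value, "secret_binary", null) != null ? base64encode(lookup(each.value, "secret_binary")) : null
-depends_on = [aws_secretsmanager_secret.rsm]
+for_each = { for k, v in var.rotate_secrets : k => v if var.unmanaged }
+secret_id = aws_secretsmanager_secret.rsm[each.key].arn
+secret_string = lookup(each.value, "secret_string", null) != null ? lookup(each.value, "secret_string") : (lookup(each.value, "secret_key_value", null) != null ? jsonencode(lookup(each.value, "secret_key_value", {})) : null)
+secret_binary = lookup(each.value, "secret_binary", null) != null ? base64encode(lookup(each.value, "secret_binary")) : null
+version_stages = var.version_stages
+depends_on = [aws_secretsmanager_secret.rsm]
 
 lifecycle {
 ignore_changes = [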
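Review bot: All four resources (hunks at -18, -31, -60 and -73) read the same module-wide `var.version_stages`, so one label list is attached to every version of every key in `var.secrets` and `var.rotate_secrets` with no per-secret control; an override that keeps the module default would be `version_stages = lookup(each.value, "version_stages", var.version_stages)` in each of the four resources. Each resource's `ignore_changes` list continues below its hunk, so it is not visible whether `version_stages` is ignored there; for the unmanaged `*-svu` resources and the rotated `rsm-*` resources, if it is not ignored, a staging label moved outside Terraform (by a rotation function or an operator) would presumably be moved back to the Terraform-managed version on the next apply, which is worth confirming and stating in the variable's description. Because a staging label is unique per secret, attaching one that is already on another version detaches it from that version, so a list that omits `AWSCURRENT` changes which version callers receive; a short comment next to the new attribute would make that explicit, e.g. `# version_stages: same labels for every secret; null leaves label assignment to the provider as before`.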
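--- a/variables.tf
+++ b/variables.tf
@@ -30,6 +30,12 @@ variable "automatically_after_days" {
 default = 30
 }
 
+variable "version_stages" {
+description = "List of version stages to be handled. Kept as null for backwards compatibility."
+type = list(string)
+default = null
+}
+
 # Tags
 variable "tags" {
 description = "Specifies a key-value map of user-defined tags that are attached to the secret."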
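Review bot: The description of the new `version_stages` variable says the list is "handled" but not that the same list is attached to every secret version created by the module, for `var.secrets` and `var.rotate_secrets` alike, nor that a label already on another version of the same secret is moved to the new one; suggested wording: `description = "Staging labels attached to every secret version this module creates (same list for all secrets). Null keeps the previous behaviour and leaves label assignment to the provider."`. Since `default = null` is the documented opt-out, it would also help to say whether an empty list is meant to be a distinct, supported value — I cannot tell from this hunk how the provider treats `[]`.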

