Secrets Manager Secret
Secrets with versioning, resource policies, replication, and optional Lambda rotation scaffolding.
Verification
Live-tested: really deployed, verified, idempotent and destroyed in a cloud sandbox.
Conformance
- Static validation (fmt · validate · tflint)
- Security scan clean (Checkov)
- Plan tests (mocked: validation rules · outputs)
Provenance
- SHA-256 checksum
- Signature (pending)
Functional
- Live-tested — applied, verified, destroyed
Last verified 2026-06-11 · how we verify
Details
- Type: tf_module
- Provider / collection: hashicorp/aws
- Target clouds: aws
- Target OS: —
- Version: v1.0.0
- License: LicenseRef-IaCBazaar-Commercial
$49.00
one-time · perpetual license + 12 months of updates
Included in the builder+ subscription.
Documentation
aws-secrets-manager
Secrets Manager secret with CMK-capable encryption, a TLS-only resource
policy, optional cross-region replication, an optional initial version, and
Lambda rotation scaffolding. Works with Terraform and OpenTofu
(>= 1.6), AWS provider >= 6.0, < 7.0. The default posture creates no
initial version — the value is managed out of band — and when you do seed a
value the write-only path (secret_string_wo, Terraform 1.11+) keeps it
out of state entirely.
Status: static-validated, live-test pending. Ships under live-test quarantine — validated with
tofu fmt, tofu validate, and tflint. Real apply → read → destroy against an AWS account is pending a cloud sandbox. Live tests will set recovery_window_in_days = 0 for a clean (immediate, irrecoverable) destroy; production keeps the default 30-day recovery window. A standing secret costs ~$0.40/secret/month.
What you get:
- aws_secretsmanager_secret — CMK or AWS-managed encryption, recovery window, cross-region replicas.
- aws_secretsmanager_secret_version — optional initial version, with a state-stored (secret_string) or write-only (secret_string_wo) value.
- aws_secretsmanager_secret_policy — a generated TLS-only resource policy with block_public_policy on (override with a full policy JSON string).
- aws_secretsmanager_secret_rotation — opt-in Lambda rotation on a days or cron/rate schedule.
Secure defaults
- Always encrypted: AWS-managed aws/secretsmanager key by default; pass a CMK via kms_key_id (recommended for cross-account or replica access).
- Values kept out of state by default: no initial version is created (create_initial_version only seeds when you supply a value). When seeding, prefer secret_string_wo (Terraform 1.11+) so the plaintext never enters state; secret_string is the state-stored fallback and is marked sensitive.
- TLS-only resource policy denying any secretsmanager:* call over a non-TLS connection, with block_public_policy = true so a misconfigured policy can never make the secret world-readable. Cross-account read is off unless you name reader_principal_arns.
- 30-day recovery window by default — a deleted secret is recoverable; recovery_window_in_days = 0 (immediate, irrecoverable) is reserved for disposable test secrets.
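The page describes the generated resource policy but does not show it. The block below is an added reconstruction of that posture in plain Terraform (not the module's own source): a Deny on every secretsmanager:* call when aws:SecureTransport is false, an Allow only for explicitly named reader principals, and block_public_policy so a bad edit cannot open the secret to the world. It assumes a secret resource named aws_secretsmanager_secret.this and a list variable reader_principal_arns.

```hcl
# Assumed for this example: the secret and the reader list are declared elsewhere.
variable "reader_principal_arns" {
  type    = list(string)
  default = []
}

data "aws_iam_policy_document" "secret" {
  # Refuse any Secrets Manager API call that did not arrive over TLS.
  statement {
    sid       = "DenyNonTLS"
    effect    = "Deny"
    actions   = ["secretsmanager:*"]
    resources = ["*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }

  # Cross-account read is granted only to principals named explicitly;
  # with an empty list no Allow statement is emitted at all.
  dynamic "statement" {
    for_each = length(var.reader_principal_arns) > 0 ? [1] : []
    content {
      sid       = "CrossAccountRead"
      effect    = "Allow"
      actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
      resources = ["*"]
      principals {
        type        = "AWS"
        identifiers = var.reader_principal_arns
      }
    }
  }
}

resource "aws_secretsmanager_secret_policy" "this" {
  secret_arn = aws_secretsmanager_secret.this.arn
  policy     = data.aws_iam_policy_document.secret.json
  # Reject the policy at apply time if it would grant access to a public principal.
  block_public_policy = true
}
```

Because the Deny statement uses Principal "*", it also applies to the account's own IAM users and roles, which is the intent: there is no TLS exception for anyone.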
Usage
```hcl
module "secret" {
  source     = "./aws-secrets-manager"
  name       = "app/db-credentials"
  kms_key_id = module.kms.key_arn

  # Seed without touching state (Terraform 1.11+):
  secret_string_wo         = jsonencode({ username = "app", password = var.db_password })
  secret_string_wo_version = 1

  reader_principal_arns = [aws_iam_role.app.arn]
  tags                  = { Environment = "prod" }
}
```
Rotation
```hcl
module "secret" {
  source = "./aws-secrets-manager"
  name   = "app/api-key"

  enable_rotation                   = true
  rotation_lambda_arn               = aws_lambda_function.rotator.arn
  rotation_automatically_after_days = 30
}
```
Inputs
| Name | Type | Default | Description |
|---|---|---|---|
| name / name_prefix | string | null | Secret name (set exactly one) |
| description | string | (set) | Secret description |
| kms_key_id | string | null | CMK; null = AWS-managed key |
| recovery_window_in_days | number | 30 | 0 (immediate) or 7–30 |
| force_overwrite_replica_secret | bool | false | Clobber a same-named replica |
| secret_string | string (sensitive) | null | State-stored initial value |
| secret_string_wo (+ _version) | string (sensitive) | null | Write-only initial value (TF 1.11+) |
| create_initial_version | bool | true | Seed a version when a value is given |
| create_resource_policy | bool | true | Attach the TLS-only resource policy |
| policy | string | null | Full JSON policy override |
| block_public_policy | bool | true | Reject a public resource policy |
| reader_principal_arns | list(string) | [] | Cross-account read principals |
| replica_regions | map(string) | {} | region → CMK (null = managed key) |
| enable_rotation | bool | false | Lambda-driven rotation |
| rotation_lambda_arn | string | null | Rotation Lambda (required to rotate) |
| rotation_automatically_after_days | number | null | Rotate every N days |
| rotation_schedule_expression | string | null | cron()/rate() schedule (alt to days) |
| rotation_duration | string | null | Rotation window, e.g. 3h |
| rotate_immediately | bool | false | Rotate once on apply |
| tags | map(string) | {} | Tags for the secret |
Outputs
secret_arn, secret_id, secret_name, version_id, replica_regions,
rotation_enabled.
Provider pin
```hcl
aws = {
  source  = "hashicorp/aws"
  version = ">= 6.0, < 7.0"
}
```
License
Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work
(not derived from a third-party module).