IaC Bazaar


Secrets Manager Secret

Terraform / OpenTofu · Live-tested

Secrets with versioning, resource policies, replication, and optional Lambda rotation scaffolding.


Verification

Live-tested

Really deployed, verified, idempotent and destroyed in a cloud sandbox.

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live-tested — applied, verified, destroyed

Last verified 2026-06-11

Details

Type
tf_module
Provider / collection
hashicorp/aws
Target clouds
aws
Target OS
Version
v1.0.0
License
LicenseRef-IaCBazaar-Commercial

$49.00

one-time · perpetual license + 12 months of updates

Included in the builder+ subscription.

Documentation

aws-secrets-manager

Secrets Manager secret with CMK-capable encryption, a TLS-only resource policy, optional cross-region replication, an optional initial version, and Lambda rotation scaffolding. Works with Terraform and OpenTofu (>= 1.6), AWS provider >= 6.0, < 7.0. The default posture creates no initial version — the value is managed out of band — and when you do seed a value the write-only path (secret_string_wo, Terraform 1.11+) keeps it out of state entirely.

Status: static-validated, live-test pending. Ships under live-test quarantine — validated with tofu fmt, tofu validate, and tflint. Real apply → read → destroy against an AWS account is pending a cloud sandbox. Live tests will set recovery_window_in_days = 0 for a clean (immediate, irrecoverable) destroy; production keeps the default 30-day recovery window. A standing secret costs ~$0.40/secret/month.

What you get:

  • aws_secretsmanager_secret — CMK or AWS-managed encryption, recovery window, cross-region replicas.
  • aws_secretsmanager_secret_version — optional initial version, with a state-stored (secret_string) or write-only (secret_string_wo) value.
  • aws_secretsmanager_secret_policy — a generated TLS-only resource policy with block_public_policy on (override with a full policy JSON string).
  • aws_secretsmanager_secret_rotation — opt-in Lambda rotation on a days or cron/rate schedule.

Secure defaults

  • Always encrypted: AWS-managed aws/secretsmanager key by default; pass a CMK via kms_key_id (recommended for cross-account or replica access).
  • Values kept out of state by default: no initial version is created (create_initial_version only seeds when you supply a value). When seeding, prefer secret_string_wo (Terraform 1.11+) so the plaintext never enters state; secret_string is the state-stored fallback and is marked sensitive.
  • TLS-only resource policy denying any secretsmanager:* call over a non-TLS connection, with block_public_policy = true so a misconfigured policy can never make the secret world-readable. Cross-account read is off unless you name reader_principal_arns.
  • 30-day recovery window by default — a deleted secret is recoverable; recovery_window_in_days = 0 (immediate, irrecoverable) is reserved for disposable test secrets.
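As an added example (not the module's own source), the root-module sketch below shows how the defaults listed above map onto AWS provider resources: a secret with optional per-region replicas, a write-only initial version that never lands in state, and the generated TLS-only resource policy with an opt-in cross-account read grant. Variable names follow the module's inputs table; the resource labels `this`/`initial`, the data source name `tls_only` and the literal secret name are assumptions of this example, as are Terraform 1.11+ and AWS provider 6.x for `secret_string_wo`.

```hcl
variable "kms_key_id" {
  type    = string
  default = null # null = AWS-managed aws/secretsmanager key
}

variable "reader_principal_arns" {
  type    = list(string)
  default = [] # cross-account read stays off until a principal is named
}

variable "replica_regions" {
  type    = map(string)
  default = {} # region => CMK ARN, or null for that region's managed key
}

variable "create_initial_version" {
  type    = bool
  default = true
}

variable "secret_string_wo" {
  type      = string
  default   = null
  sensitive = true # redacted in CLI output; the write-only arg keeps it out of state
}

variable "secret_string_wo_version" {
  type    = number
  default = 1 # bump to push a new value through the write-only path
}

resource "aws_secretsmanager_secret" "this" {
  name                    = "app/db-credentials" # example name, not a module default
  kms_key_id              = var.kms_key_id
  recovery_window_in_days = 30 # deleted secrets stay recoverable; 0 only for throwaway test secrets

  dynamic "replica" {
    for_each = var.replica_regions
    content {
      region     = replica.key
      kms_key_id = replica.value
    }
  }
}

# Write-only seeding: the plaintext reaches the API but is never stored in state.
resource "aws_secretsmanager_secret_version" "initial" {
  count = var.create_initial_version && var.secret_string_wo != null ? 1 : 0

  secret_id                = aws_secretsmanager_secret.this.id
  secret_string_wo         = var.secret_string_wo
  secret_string_wo_version = var.secret_string_wo_version
}

data "aws_iam_policy_document" "tls_only" {
  # Deny every Secrets Manager call that does not arrive over TLS.
  statement {
    sid       = "DenyNonTLS"
    effect    = "Deny"
    actions   = ["secretsmanager:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }

  # Read-only grant to named principals, emitted only when the list is non-empty.
  dynamic "statement" {
    for_each = length(var.reader_principal_arns) > 0 ? [1] : []
    content {
      sid       = "CrossAccountRead"
      effect    = "Allow"
      actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
      resources = ["*"]
      principals {
        type        = "AWS"
        identifiers = var.reader_principal_arns
      }
    }
  }
}

resource "aws_secretsmanager_secret_policy" "this" {
  secret_arn          = aws_secretsmanager_secret.this.arn
  policy              = data.aws_iam_policy_document.tls_only.json
  block_public_policy = true # the API rejects any policy that would grant public access
}
```

Two practitioner notes on this sketch. First, a `sensitive` variable is redacted in output but still serialised into saved plan files; marking it `ephemeral = true` (Terraform 1.10+) keeps it out of plan files as well, but an ephemeral value cannot drive `count`, so the gate then has to be the plain `create_initial_version` bool alone. Second, the Deny statement applies to every principal, including the account root, so a client that reaches the endpoint without TLS fails closed rather than silently downgrading.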

Usage

module "secret" {
  source = "./aws-secrets-manager"

  name       = "app/db-credentials"
  kms_key_id = module.kms.key_arn

  # Seed without touching state (Terraform 1.11+):
  secret_string_wo         = jsonencode({ username = "app", password = var.db_password })
  secret_string_wo_version = 1

  reader_principal_arns = [aws_iam_role.app.arn]

  tags = { Environment = "prod" }
}

Rotation

module "secret" {
  source = "./aws-secrets-manager"
  name   = "app/api-key"

  enable_rotation                   = true
  rotation_lambda_arn               = aws_lambda_function.rotator.arn
  rotation_automatically_after_days = 30
}
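The rotation inputs accept either a day count or a cron()/rate() schedule, and the two are mutually exclusive. As an added example (not the module's own code), this is how the underlying `aws_secretsmanager_secret_rotation` resource can carry both forms while a `lifecycle` precondition rejects a plan that sets neither or both. The `secret_id` variable and the resource label `this` are assumptions of this example; `rotate_immediately` stays at the module's documented default of false.

```hcl
variable "secret_id" {
  type = string # ARN or name of an existing secret
}

variable "rotation_lambda_arn" {
  type = string # the rotation function; required whenever rotation is enabled
}

variable "rotation_automatically_after_days" {
  type    = number
  default = null
}

variable "rotation_schedule_expression" {
  type    = string
  default = null # e.g. "cron(0 8 ? * MON#1 *)" or "rate(30 days)"
}

variable "rotation_duration" {
  type    = string
  default = null # rotation window such as "3h"; keeps rotation inside a maintenance slot
}

resource "aws_secretsmanager_secret_rotation" "this" {
  secret_id           = var.secret_id
  rotation_lambda_arn = var.rotation_lambda_arn
  rotate_immediately  = false # first rotation waits for the schedule instead of running on apply

  rotation_rules {
    automatically_after_days = var.rotation_automatically_after_days
    schedule_expression      = var.rotation_schedule_expression
    duration                 = var.rotation_duration
  }

  lifecycle {
    precondition {
      # Boolean != is exclusive-or: exactly one schedule form must be set.
      condition     = (var.rotation_automatically_after_days == null) != (var.rotation_schedule_expression == null)
      error_message = "Set exactly one of rotation_automatically_after_days or rotation_schedule_expression."
    }
  }
}
```

The precondition fails at plan time, before any API call, which is the same class of check the listing's mocked plan tests exercise; a resource precondition is used here rather than a cross-variable `validation` block because it works on every Terraform release the module supports.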

Inputs

Name | Type | Default | Description
name / name_prefix | string | null | Secret name (set exactly one)
description | string | (set) | Secret description
kms_key_id | string | null | CMK; null = AWS-managed key
recovery_window_in_days | number | 30 | 0 (immediate) or 7–30
force_overwrite_replica_secret | bool | false | Clobber a same-named replica
secret_string | string (sensitive) | null | State-stored initial value
secret_string_wo (+ _version) | string (sensitive) | null | Write-only initial value (TF 1.11+)
create_initial_version | bool | true | Seed a version when a value is given
create_resource_policy | bool | true | Attach the TLS-only resource policy
policy | string | null | Full JSON policy override
block_public_policy | bool | true | Reject a public resource policy
reader_principal_arns | list(string) | [] | Cross-account read principals
replica_regions | map(string) | {} | region → CMK (null = managed key)
enable_rotation | bool | false | Lambda-driven rotation
rotation_lambda_arn | string | null | Rotation Lambda (required to rotate)
rotation_automatically_after_days | number | null | Rotate every N days
rotation_schedule_expression | string | null | cron()/rate() schedule (alt to days)
rotation_duration | string | null | Rotation window, e.g. 3h
rotate_immediately | bool | false | Rotate once on apply
tags | map(string) | {} | Tags for the secret

Outputs

secret_arn, secret_id, secret_name, version_id, replica_regions, rotation_enabled.

Provider pin

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 6.0, < 7.0"
    }
  }
}

License

Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work (not derived from a third-party module).