Merge pull request #7 from scribd/SEC-696

[SEC-696] Support policies for secrets for cross-account access

Author: terranisu

README.md

@@ -8,6 +8,7 @@ A module to create application secrets stored in [AWS Secrets Manager](https://a
 * [Prerequisites](#prerequisites)
 * [Example usage](#example-usage)
 * [Inputs](#inputs)
+  * [Secrets](#secrets)
 * [Outputs](#outputs)
 * [Release](#release)
 * [Maintainers](#maintainers)
@@ -24,15 +25,43 @@ module "secrets" {
   source = "git::ssh://git@github.com/scribd/terraform-aws-app-secrets.git?ref=main"
 
   app_name = "go-chassis"
-  secrets = {
-    "app-env"               = "development"
-    "app-settings-name"     = "go-chassis"
-    "app-database-host"     = "[value required]"
-    "app-database-port"     = "3306"
-    "app-database-name"     = "[value required]"
-    "app-database-username" = "[value required]"
-    "app-database-password" = "[value required]"
-  }
+  secrets = [
+    {
+      name         = "app-env"
+      value        = "development"
+      allowed_arns = []
+    },
+    {
+      name         = "app-settings-name"
+      value        = "go-chassis"
+      allowed_arns = []
+    },
+    {
+      name        = "app-database-host"
+      value       = "[value required]"
+      allowed_arn = ["arn:aws:iam::1234567890:role/theirRole"]
+    },
+    {
+      name         = "app-database-port"
+      value        = "3306"
+      allowed_arns = []
+    },
+    {
+      name         = "app-database-username"
+      value        = "[value required]"
+      allowed_arns = []
+    },
+    {
+      name         = "app-database-password"
+      value        = "[value required]"
+      allowed_arns = []
+    },
+    {
+      name         = "app-database-name"
+      value        = "[value required]"
+      allowed_arns = []
+    }
+  ]
 
   tags = {
     department = "engineering"
@@ -49,11 +78,20 @@ module "secrets" {
 
 ## Inputs
 
-| Name        | Description              | Type        | Default | Required  |
-| ----------- | ------------------------ | ----------- | ------- | :-------: |
-| app_name    | Application name         | string      | `null`  | yes       |
-| secrets     | Key-value map of secrets | map(string) | `null`  | yes       |
-| tags        | Key-value map of tags    | map(string) | `{}`    | no        |
+| Name         | Description                            | Type         | Default     | Required  |
+| ------------ | -------------------------------------- | ------------ | ----------- | --------- |
+| `app_name`   | Application name                       | string       | `null`      | yes       |
+| `aws_region` | AWS region                             | string       | `us-east-2` | no        |
+| `secrets`    | List of objects of [secrets](#secrets) | list(object) | `null`      | yes       |
+| `tags`       | Key-value map of tags                  | map(string)  | `{}`        | no        |
+
+### Secrets
+
+| Name           | Description                                           | Type   | Default |
+| -------------- | ----------------------------------------------------- | ------ | ------- |
+| `name`         | Secret name                                           | string | `null`  |
+| `value`        | Secret value                                          | string | `null`  |
+| `allowed_arns` | List of principal ARNs that have access to the secret | list   | `null`  |
 
 ## Outputs
 

locals.tf

@@ -0,0 +1,4 @@
+locals {
+  secrets = { for secret in var.secrets : secret.name => secret.value }
+  arns    = { for secret in var.secrets : secret.name => secret.allowed_arns if length(secret.allowed_arns) > 0 }
+}

main.tf

@@ -1,17 +1,35 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_policy_document" "access" {
+  for_each = local.arns
+
+  statement {
+    principals {
+      type        = "AWS"
+      identifiers = each.value
+    }
+
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = ["arn:aws:secretsmanager:${var.aws_region}:${data.aws_caller_identity.current.account_id}:secret:${var.app_name}-${each.key}*"]
+  }
+}
+
 resource "aws_secretsmanager_secret" "app" {
-  for_each = var.secrets
+  for_each = local.secrets
 
   name_prefix = "${var.app_name}-${each.key}"
   description = "The ${title(replace(each.key, "-", " "))} secret for ${var.app_name} application"
 
+  policy = lookup(local.arns, each.key, null) == null ? null : data.aws_iam_policy_document.access[each.key].json
+
   tags = merge(var.tags, { "service" = var.app_name })
 }
 
 resource "aws_secretsmanager_secret_version" "app" {
-  for_each = var.secrets
+  for_each = local.secrets
 
   secret_id     = aws_secretsmanager_secret.app[each.key].id
-  secret_string = each.value
+  secret_string = each.value != "" ? each.value : "[value required]"
 
   lifecycle {
     ignore_changes = [secret_string]

outputs.tf

@@ -1,9 +1,9 @@
 output "all" {
   description = "Map of names and arns of created secrets"
   value = [
-    for k in keys(var.secrets) : {
-      name = upper(replace(k, "-", "_"))
-      arn  = aws_secretsmanager_secret.app[k].id
+    for name in keys(local.secrets) : {
+      name = upper(replace(name, "-", "_"))
+      arn  = aws_secretsmanager_secret.app[name].id
     }
   ]
 }

variables.tf

@@ -3,9 +3,22 @@ variable "app_name" {
   type        = string
 }
 
+variable "aws_region" {
+  description = "AWS region"
+  type        = string
+
+  default = "us-east-2"
+}
+
 variable "secrets" {
-  description = "Key-value map of secrets"
-  type        = map(string)
+  description = "List of objects of secrets"
+  type = list(
+    object({
+      name         = string
+      value        = string
+      allowed_arns = list(string)
+    })
+  )
 }
 
 variable "tags" {