refactor: use custom KMS and region replication

edersonbrilhante · edersonbrilhante · commit fbfe057a4eb3 · 2025-06-03T11:52:49.000+02:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -125,7 +125,7 @@ repos:
       - id: terraform_tflint
         args:
           - --hook-config=--tf-path=tofu
-        exclude: (modules/integrations/splunk_cloud_data_manager|modules/infra/forge_subscription/)
+        exclude: (modules/integrations/splunk_cloud_data_manager|modules/infra/forge_subscription|modules/integrations/splunk_secrets/)
         always_run: true
       - id: terraform_validate
         args:
@@ -140,7 +140,7 @@ repos:
         args:
           - --hook-config=--tf-path=tofu
           - --args=--config=.terraform-docs.yml
-        exclude: (modules/integrations/splunk_cloud_data_manager|modules/infra/forge_subscription/)
+        exclude: (modules/integrations/splunk_cloud_data_manager|modules/infra/forge_subscription|modules/integrations/splunk_secrets/)
 
   # Security Hooks
   - repo: https://github.com/gitleaks/gitleaks
diff --git a/modules/integrations/splunk_secrets/main.tf b/modules/integrations/splunk_secrets/main.tf
@@ -1,60 +1,45 @@
 locals {
   cicd_secrets_prefix = "/cicd/common"
-  app_tf_prefix       = "/app/tf"
 
   secrets = [
-
-    {
-      name          = "${local.cicd_secrets_prefix}/github_repo_access"
-      description   = "GitHub personal access token (PAT) for pulling repos from GitHub Cloud."
-      recovery_days = 7
-    },
     {
-      name          = "${local.cicd_secrets_prefix}/github_private_ssh_key"
-      description   = "GitHub private SSH key used for pushing and signing commits in GitHub Cloud."
-      recovery_days = 7
-    },
-    {
-      name          = "${local.app_tf_prefix}/splunk_access_ingest_token"
+      name          = "${local.cicd_secrets_prefix}/splunk_access_ingest_token"
       description   = "Splunk Observability Cloud Access Token for Ingest"
       recovery_days = 7
     },
     {
-      name          = "${local.app_tf_prefix}/splunk_access_api_token"
-      description   = "Splunk Observability Cloud Access Token for API"
-      recovery_days = 7
-    },
-    {
-      name          = "${local.app_tf_prefix}/splunk_o11y_username"
+      name          = "${local.cicd_secrets_prefix}/splunk_o11y_username"
       description   = "Splunk o11y Username"
       recovery_days = 7
     },
     {
-      name          = "${local.app_tf_prefix}/splunk_o11y_password"
+      name          = "${local.cicd_secrets_prefix}/splunk_o11y_password"
       description   = "Splunk o11y Password"
       recovery_days = 7
     },
     {
-      name          = "${local.app_tf_prefix}/splunk_cloud_username"
+      name          = "${local.cicd_secrets_prefix}/splunk_cloud_username"
       description   = "Splunk Cloud Username"
       recovery_days = 7
     },
     {
-      name          = "${local.app_tf_prefix}/splunk_cloud_password"
+      name          = "${local.cicd_secrets_prefix}/splunk_cloud_password"
       description   = "Splunk Cloud Password"
       recovery_days = 7
     },
     {
-      name          = "${local.app_tf_prefix}/splunk_cloud_api_token"
+      name          = "${local.cicd_secrets_prefix}/splunk_cloud_api_token"
       description   = "Splunk Cloud API token"
       recovery_days = 7
     },
     {
-      name          = "${local.app_tf_prefix}/splunk_cloud_hec_token_eks"
+      name          = "${local.cicd_secrets_prefix}/splunk_cloud_hec_token_eks"
       description   = "Splunk Cloud HEC token for eks"
       recovery_days = 7
     },
   ]
+
+  all_regions = toset(concat([var.aws_region], var.replica_regions))
 }
 
 # Psuedo-random seeds we use for initializing the secrets. If we don't do this,
@@ -68,6 +53,14 @@ data "aws_secretsmanager_random_password" "secret_seeds" {
   password_length = 16
 }
 
+resource "aws_kms_key" "regional" {
+  for_each = local.all_regions
+  provider = aws.by_region[each.value]
+
+  description         = "Customer managed CMK for SecretsManager in ${each.key}"
+  enable_key_rotation = true
+}
+
 # Actual object containing the secret.
 resource "aws_secretsmanager_secret" "cicd_secrets" {
   for_each = {
@@ -76,26 +69,35 @@ resource "aws_secretsmanager_secret" "cicd_secrets" {
 
   name                    = each.value.name
   description             = each.value.description
+  kms_key_id              = aws_kms_key.regional[var.aws_region].arn
   recovery_window_in_days = each.value.recovery_days
   tags                    = local.all_security_tags
   tags_all                = local.all_security_tags
 
+  dynamic "replica" {
+    for_each = var.replica_regions
+    content {
+      region     = replica.value
+      kms_key_id = aws_kms_key.regional[replica.value].arn
+    }
+  }
+
 }
 
 # Force a delay between secret creation and seeding. We only need a few
 # seconds, but if we don't do this, we get into a bad state requiring manual
 # intervention and/or manual forced-deletion of secrets.
-resource "time_sleep" "wait_30_seconds" {
+resource "time_sleep" "wait_60_seconds" {
   depends_on = [
     aws_secretsmanager_secret.cicd_secrets,
   ]
-  create_duration = "30s"
+  create_duration = "60s"
 }
 
 # Only used for seeding purposes. Will not clobber/overwrite secrets afterward
 # (i.e. if/when we set them manually via the AWS CLI or management console).
 resource "aws_secretsmanager_secret_version" "cicd_secrets" {
-  depends_on = [time_sleep.wait_30_seconds]
+  depends_on = [time_sleep.wait_60_seconds]
   for_each = {
     for key, val in local.secrets : val.name => val
   }
diff --git a/modules/integrations/splunk_secrets/providers.tf b/modules/integrations/splunk_secrets/providers.tf
@@ -8,3 +8,17 @@ provider "aws" {
     tags = var.default_tags
   }
 }
+
+
+provider "aws" {
+  alias = "by_region"
+  # supported by opentofu >= 1.9.0
+  for_each = toset(local.all_regions)
+  profile  = var.aws_profile
+  region   = each.key
+
+  # Required, as per security guidelines.
+  default_tags {
+    tags = var.default_tags
+  }
+}
diff --git a/modules/integrations/splunk_secrets/variables.tf b/modules/integrations/splunk_secrets/variables.tf
@@ -4,8 +4,15 @@ variable "aws_profile" {
 }
 
 variable "aws_region" {
-  description = "Default AWS region."
   type        = string
+  description = "Default AWS region."
+  default     = "us-east-1"
+}
+
+variable "replica_regions" {
+  description = "List of regions to replicate the secret"
+  type        = list(string)
+  default     = ["value"]
 }
 
 variable "tags" {
diff --git a/scripts/update-terraform-docs.sh b/scripts/update-terraform-docs.sh
@@ -19,4 +19,5 @@ find modules/* -type f -name "*.tf" \
     -not -path '*/.*' \
     -not -path 'modules/integrations/splunk_cloud_data_manager/*' \
     -not -path 'modules/infra/forge_subscription/*' \
+    -not -path 'modules/integrations/splunk_secrets/*' \
     -exec dirname {} \; | sort -u | xargs -I {} terraform-docs -c .terraform-docs.yml {}
