feat: Add support for random password generation and Terragrunt wrapper (#1)

Author: bryantbiggs

.pre-commit-config.yaml

@@ -3,6 +3,7 @@ repos:
     rev: v1.81.0
     hooks:
       - id: terraform_fmt
+      - id: terraform_wrapper_module_for_each
       - id: terraform_validate
       - id: terraform_docs
         args:

README.md

@@ -35,7 +35,9 @@ module "secrets_manager" {
   }
 
   # Version
-  secret_string = "ThisIsMySuperSecretString12356!&*()"
+  create_random_password           = true
+  random_password_length           = 64
+  random_password_override_special = "!@#$%^&*()_+"
 
   tags = {
     Environment = "Development"
@@ -123,12 +125,14 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
 
 ## Modules
 
@@ -143,6 +147,7 @@ No modules.
 | [aws_secretsmanager_secret_rotation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation) | resource |
 | [aws_secretsmanager_secret_version.ignore_changes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
 | [aws_secretsmanager_secret_version.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource |
+| [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs
@@ -152,6 +157,7 @@ No modules.
 | <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Makes an optional API call to Zelkova to validate the Resource Policy to prevent broad access to your secret | `bool` | `null` | no |
 | <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_create_policy"></a> [create\_policy](#input\_create\_policy) | Determines whether a policy will be created | `bool` | `false` | no |
+| <a name="input_create_random_password"></a> [create\_random\_password](#input\_create\_random\_password) | Determines whether a random password will be generated | `bool` | `false` | no |
 | <a name="input_description"></a> [description](#input\_description) | A description of the secret | `string` | `null` | no |
 | <a name="input_enable_rotation"></a> [enable\_rotation](#input\_enable\_rotation) | Determines whether secret rotation is enabled | `bool` | `false` | no |
 | <a name="input_force_overwrite_replica_secret"></a> [force\_overwrite\_replica\_secret](#input\_force\_overwrite\_replica\_secret) | Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region | `bool` | `null` | no |
@@ -161,6 +167,8 @@ No modules.
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Creates a unique name beginning with the specified prefix | `string` | `null` | no |
 | <a name="input_override_policy_documents"></a> [override\_policy\_documents](#input\_override\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
 | <a name="input_policy_statements"></a> [policy\_statements](#input\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | `any` | `{}` | no |
+| <a name="input_random_password_length"></a> [random\_password\_length](#input\_random\_password\_length) | The length of the generated random password | `number` | `32` | no |
+| <a name="input_random_password_override_special"></a> [random\_password\_override\_special](#input\_random\_password\_override\_special) | Supply your own list of special characters to use for string generation. This overrides the default character list in the special argument | `string` | `"!@#$%&*()-_=+[]{}<>:?"` | no |
 | <a name="input_recovery_window_in_days"></a> [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be `0` to force deletion without recovery or range from `7` to `30` days. The default value is `30` | `number` | `null` | no |
 | <a name="input_replica"></a> [replica](#input\_replica) | Configuration block to support secret replication | `any` | `{}` | no |
 | <a name="input_rotation_lambda_arn"></a> [rotation\_lambda\_arn](#input\_rotation\_lambda\_arn) | Specifies the ARN of the Lambda function that can rotate the secret | `string` | `""` | no |

examples/complete/main.tf

@@ -51,7 +51,9 @@ module "secrets_manager" {
   }
 
   # Version
-  secret_string = "ThisIsMySuperSecretString12356!&*()"
+  create_random_password           = true
+  random_password_length           = 64
+  random_password_override_special = "!@#$%^&*()_+"
 
   tags = local.tags
 }

main.tf

@@ -93,7 +93,7 @@ resource "aws_secretsmanager_secret_version" "this" {
   count = var.create && !(var.enable_rotation || var.ignore_secret_changes) ? 1 : 0
 
   secret_id      = aws_secretsmanager_secret.this[0].id
-  secret_string  = var.secret_string
+  secret_string  = var.create_random_password ? random_password.this[0].result : var.secret_string
   secret_binary  = var.secret_binary
   version_stages = var.version_stages
 }
@@ -102,7 +102,7 @@ resource "aws_secretsmanager_secret_version" "ignore_changes" {
   count = var.create && (var.enable_rotation || var.ignore_secret_changes) ? 1 : 0
 
   secret_id      = aws_secretsmanager_secret.this[0].id
-  secret_string  = var.secret_string
+  secret_string  = var.create_random_password ? random_password.this[0].result : var.secret_string
   secret_binary  = var.secret_binary
   version_stages = var.version_stages
 
@@ -115,6 +115,14 @@ resource "aws_secretsmanager_secret_version" "ignore_changes" {
   }
 }
 
+resource "random_password" "this" {
+  count = var.create && var.create_random_password ? 1 : 0
+
+  length           = var.random_password_length
+  special          = true
+  override_special = var.random_password_override_special
+}
+
 ################################################################################
 # Rotation
 ################################################################################

variables.tf

@@ -118,6 +118,24 @@ variable "version_stages" {
   default     = null
 }
 
+variable "create_random_password" {
+  description = "Determines whether a random password will be generated"
+  type        = bool
+  default     = false
+}
+
+variable "random_password_length" {
+  description = "The length of the generated random password"
+  type        = number
+  default     = 32
+}
+
+variable "random_password_override_special" {
+  description = "Supply your own list of special characters to use for string generation. This overrides the default character list in the special argument"
+  type        = string
+  default     = "!@#$%&*()-_=+[]{}<>:?"
+}
+
 ################################################################################
 # Rotation
 ################################################################################

versions.tf

@@ -6,5 +6,9 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 5.0"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.0"
+    }
   }
 }

wrappers/README.md

@@ -0,0 +1,100 @@
+# Wrapper for the root module
+
+The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt).
+
+You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module.
+
+This wrapper does not implement any extra functionality.
+
+## Usage with Terragrunt
+
+`terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/secrets-manager/aws//wrappers"
+  # Alternative source:
+  # source = "git::[email protected]:terraform-aws-modules/terraform-aws-secrets-manager.git//wrappers?ref=master"
+}
+
+inputs = {
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Usage with Terraform
+
+```hcl
+module "wrapper" {
+  source = "terraform-aws-modules/secrets-manager/aws//wrappers"
+
+  defaults = { # Default values
+    create = true
+    tags = {
+      Terraform   = "true"
+      Environment = "dev"
+    }
+  }
+
+  items = {
+    my-item = {
+      # omitted... can be any argument supported by the module
+    }
+    my-second-item = {
+      # omitted... can be any argument supported by the module
+    }
+    # omitted...
+  }
+}
+```
+
+## Example: Manage multiple S3 buckets in one Terragrunt layer
+
+`eu-west-1/s3-buckets/terragrunt.hcl`:
+
+```hcl
+terraform {
+  source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers"
+  # Alternative source:
+  # source = "git::[email protected]:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master"
+}
+
+inputs = {
+  defaults = {
+    force_destroy = true
+
+    attach_elb_log_delivery_policy        = true
+    attach_lb_log_delivery_policy         = true
+    attach_deny_insecure_transport_policy = true
+    attach_require_latest_tls_policy      = true
+  }
+
+  items = {
+    bucket1 = {
+      bucket = "my-random-bucket-1"
+    }
+    bucket2 = {
+      bucket = "my-random-bucket-2"
+      tags = {
+        Secure = "probably"
+      }
+    }
+  }
+}
+```

wrappers/main.tf

@@ -0,0 +1,30 @@
+module "wrapper" {
+  source = "../"
+
+  for_each = var.items
+
+  create                           = try(each.value.create, var.defaults.create, true)
+  tags                             = try(each.value.tags, var.defaults.tags, {})
+  description                      = try(each.value.description, var.defaults.description, null)
+  force_overwrite_replica_secret   = try(each.value.force_overwrite_replica_secret, var.defaults.force_overwrite_replica_secret, null)
+  kms_key_id                       = try(each.value.kms_key_id, var.defaults.kms_key_id, null)
+  name                             = try(each.value.name, var.defaults.name, null)
+  name_prefix                      = try(each.value.name_prefix, var.defaults.name_prefix, null)
+  recovery_window_in_days          = try(each.value.recovery_window_in_days, var.defaults.recovery_window_in_days, null)
+  replica                          = try(each.value.replica, var.defaults.replica, {})
+  create_policy                    = try(each.value.create_policy, var.defaults.create_policy, false)
+  source_policy_documents          = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
+  override_policy_documents        = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
+  policy_statements                = try(each.value.policy_statements, var.defaults.policy_statements, {})
+  block_public_policy              = try(each.value.block_public_policy, var.defaults.block_public_policy, null)
+  ignore_secret_changes            = try(each.value.ignore_secret_changes, var.defaults.ignore_secret_changes, false)
+  secret_string                    = try(each.value.secret_string, var.defaults.secret_string, null)
+  secret_binary                    = try(each.value.secret_binary, var.defaults.secret_binary, null)
+  version_stages                   = try(each.value.version_stages, var.defaults.version_stages, null)
+  create_random_password           = try(each.value.create_random_password, var.defaults.create_random_password, false)
+  random_password_length           = try(each.value.random_password_length, var.defaults.random_password_length, 32)
+  random_password_override_special = try(each.value.random_password_override_special, var.defaults.random_password_override_special, "!@#$%&*()-_=+[]{}<>:?")
+  enable_rotation                  = try(each.value.enable_rotation, var.defaults.enable_rotation, false)
+  rotation_lambda_arn              = try(each.value.rotation_lambda_arn, var.defaults.rotation_lambda_arn, "")
+  rotation_rules                   = try(each.value.rotation_rules, var.defaults.rotation_rules, {})
+}

wrappers/outputs.tf

@@ -0,0 +1,5 @@
+output "wrapper" {
+  description = "Map of outputs of a wrapper."
+  value       = module.wrapper
+  # sensitive = false # No sensitive module output found
+}

wrappers/variables.tf

@@ -0,0 +1,11 @@
+variable "defaults" {
+  description = "Map of default values which will be used for each item."
+  type        = any
+  default     = {}
+}
+
+variable "items" {
+  description = "Maps of items to create a wrapper from. Values are passed through to the module."
+  type        = any
+  default     = {}
+}