Is it possible to set up multi-user secret rotation in AWS Secrets Manager using Terraform?



... given the existing capabilities of Terraform (AWS provider v.3.23.0)

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation

Or is it, as of this writing, simply not available in Terraform yet? It can obviously be done in the AWS UI, but I'm interested in scripting it in TF.

I have a simple example that rotates a single secret in AWS Secrets Manager, but if I edit the rotation that was created and associated with that secret in the AWS dashboard, I can't make it a multi-user rotation; the UI simply doesn't show it as an option.

# Rotation schedule for the secret; the Lambda comes from the SAR stack below.
resource "aws_secretsmanager_secret_rotation" "rds_postgres_key_rotation" {
  secret_id           = aws_secretsmanager_secret.rotation_example.id
  rotation_lambda_arn = aws_serverlessapplicationrepository_cloudformation_stack.postgres_rotator.outputs["RotationLambdaARN"]

  rotation_rules {
    automatically_after_days = 1
  }
}

# The secret being rotated, encrypted with a customer-managed KMS key.
resource "aws_secretsmanager_secret" "rotation_example" {
  name       = "normalusersecret"
  kms_key_id = aws_kms_key.my_key.id
}

# Deploys the AWS-provided multi-user PostgreSQL rotation function from the
# Serverless Application Repository as a CloudFormation stack.
resource "aws_serverlessapplicationrepository_cloudformation_stack" "postgres_rotator" {
  name           = "postgres-rotator"
  application_id = "arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSPostgreSQLRotationMultiUser"
  capabilities = [
    "CAPABILITY_IAM",
    "CAPABILITY_RESOURCE_POLICY",
  ]
  parameters = {
    functionName = "func-postgres-rotator"
    # Derived form; needs data "aws_region" "current" and data "aws_partition" "current":
    #endpoint     = "secretsmanager.${data.aws_region.current.name}.${data.aws_partition.current.dns_suffix}"
    endpoint = "secretsmanager.us-east-1.lambda.amazonaws.com"
  }
}

Secrets Manager seems to just check the secret value JSON for a masterarn key. If that key exists, the multi-user radio button flips.

For example

Single user

# jsonencode already returns a string, so tostring() is not needed.
# Note: secret_string is stored in Terraform state; keep the state encrypted.
resource "aws_secretsmanager_secret_version" "example" {
  secret_id = aws_secretsmanager_secret.example.id
  secret_string = jsonencode({
    password = "password"
    username = "user"
  })
}

Multi-user

# Same secret, plus the ARN of the master (admin) secret the rotation function
# uses to log in and change this user's password.
resource "aws_secretsmanager_secret_version" "example" {
  secret_id = aws_secretsmanager_secret.example.id
  secret_string = jsonencode({
    masterarn = aws_secretsmanager_secret.master.arn
    password  = "password"
    username  = "user"
  })
}
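Putting the answer together with the question's rotation resource, here is a complete multi-user setup as an added example; it is not code from the question or the answer. It assumes the SAR stack `postgres_rotator` and the KMS key `aws_kms_key.my_key` from the question, the variables `master_password` and `app_initial_password`, placeholder host and database names, and the key names (engine, host, username, password, dbname, port) that the AWS-provided RDS rotation functions read from the secret JSON.

```hcl
# Added example, not from the original post. Assumed: aws_kms_key.my_key and the
# "postgres_rotator" SAR stack from the question; host/dbname values are placeholders.

variable "master_password" {
  type      = string
  sensitive = true
}

variable "app_initial_password" {
  type      = string
  sensitive = true
}

# 1. Master (admin) secret. The multi-user rotation function logs in with these
#    credentials to change the application user's password. Not rotated here.
resource "aws_secretsmanager_secret" "master" {
  name       = "postgres-master"
  kms_key_id = aws_kms_key.my_key.id
}

resource "aws_secretsmanager_secret_version" "master" {
  secret_id = aws_secretsmanager_secret.master.id
  # Key names follow the JSON structure the AWS rotation functions expect.
  secret_string = jsonencode({
    engine   = "postgres"
    host     = "db.example.internal"
    username = "postgres"
    password = var.master_password
    dbname   = "app"
    port     = 5432
  })
}

# 2. Application user's secret. The "masterarn" key is what marks it as
#    multi-user; the rotation function fetches the master credentials from it.
resource "aws_secretsmanager_secret" "app_user" {
  name       = "postgres-app-user"
  kms_key_id = aws_kms_key.my_key.id
}

resource "aws_secretsmanager_secret_version" "app_user" {
  secret_id = aws_secretsmanager_secret.app_user.id
  secret_string = jsonencode({
    engine    = "postgres"
    host      = "db.example.internal"
    username  = "app"
    password  = var.app_initial_password
    dbname    = "app"
    port      = 5432
    masterarn = aws_secretsmanager_secret.master.arn
  })
}

# 3. Rotation attached to the application secret, using the MultiUser SAR
#    function deployed by the question's postgres_rotator stack.
resource "aws_secretsmanager_secret_rotation" "app_user" {
  secret_id           = aws_secretsmanager_secret.app_user.id
  rotation_lambda_arn = aws_serverlessapplicationrepository_cloudformation_stack.postgres_rotator.outputs["RotationLambdaARN"]

  rotation_rules {
    automatically_after_days = 30
  }

  # The first rotation runs at attach time; make sure the initial version exists.
  depends_on = [aws_secretsmanager_secret_version.app_user]
}
```

Two checks before relying on this: the rotation function's IAM role must be allowed to read the master secret (GetSecretValue on its ARN, plus decrypt with the KMS key) and must have network access to the database, otherwise the first rotation fails and the secret is left at AWSPENDING. Also note that both secret_string values are written to Terraform state, so the state backend needs the same protection as the secrets themselves.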
