Merge pull request #21 from scribd/vadimka/support-deletion-period

terranisu · web-flow · commit 05641812574e · 2024-04-05T11:15:34.000+02:00
Add delete_in argument
diff --git a/README.md b/README.md
@@ -11,6 +11,7 @@ A module to create application secrets stored in [AWS Secrets Manager](https://a
   * [Cross-account secrets](#cross-account-secrets)
 * [Inputs](#inputs)
   * [Secrets](#secrets)
+  * [Recovery window](#recovery-window)
 * [Outputs](#outputs)
 * [Release](#release)
 * [Maintainers](#maintainers)
@@ -210,12 +211,13 @@ module "user" {
 
 ## Inputs
 
-| Name         | Description                            | Type         | Default     | Required |
-|:-------------|:---------------------------------------|:-------------|:------------|:---------|
-| `app_name`   | Application name                       | string       | `null`      | yes      |
-| `aws_region` | AWS region                             | string       | `us-east-2` | no       |
-| `secrets`    | List of objects of [secrets](#secrets) | list(object) | `null`      | yes      |
-| `tags`       | Key-value map of tags                  | map(string)  | `{}`        | no       |
+| Name         | Description                                                       | Type         | Default     | Required |
+|:-------------|:------------------------------------------------------------------|:-------------|:------------|:---------|
+| `app_name`   | Application name                                                  | string       | `null`      | yes      |
+| `aws_region` | AWS region                                                        | string       | `us-east-2` | no       |
+| `secrets`    | List of objects of [secrets](#secrets)                            | list(object) | `null`      | yes      |
+| `delete_in`  | [Number of days](#recovery-window) to wait before secret deletion | number       | `30`        | no       |
+| `tags`       | Key-value map of tags                                             | map(string)  | `{}`        | no       |
 
 ### Secrets
 
@@ -225,6 +227,10 @@ module "user" {
 | `value`        | Secret value                                          | string | `null`  |
 | `allowed_arns` | List of principal ARNs that have access to the secret | list   | `null`  |
 
+### Recovery window
+
+Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be `0` to force deletion without recovery or range from `7` to `30` days. The default value is `30`.
+
 ## Outputs
 
 | Name            | Description                              | Sensitive |
diff --git a/main.tf b/main.tf
@@ -24,6 +24,8 @@ resource "aws_secretsmanager_secret" "app" {
 
   policy = lookup(local.arns, each.key, null) == null ? null : data.aws_iam_policy_document.access[each.key].json
 
+  recovery_window_in_days = var.delete_in
+
   tags = merge(var.tags, { "service" = var.app_name })
 }
 
diff --git a/variables.tf b/variables.tf
@@ -21,6 +21,18 @@ variable "secrets" {
   )
 }
 
+variable "delete_in" {
+  description = "Number of days to wait before secret deletion"
+  type        = number
+
+  default = 30
+
+  validation {
+    condition     = var.delete_in == 0 || contains(range(7, 30), var.delete_in)
+    error_message = "The delete_in value must be 0 or between 7 and 30."
+  }
+}
+
 variable "tags" {
   description = "Key-value map of tags"
   type        = map(string)

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,8 @@ resource "aws_secretsmanager_secret" "app" {`
`24`	`24`
`25`	`25`	`policy = lookup(local.arns, each.key, null) == null ? null : data.aws_iam_policy_document.access[each.key].json`
`26`	`26`
	`27`	`+ recovery_window_in_days = var.delete_in`
	`28`	`+`
`27`	`29`	`tags = merge(var.tags, { "service" = var.app_name })`
`28`	`30`	`}`
`29`	`31`