Secrets Manager Overview

The Secrets Manager module provides integration with AWS Secrets Manager to retrieve existing secrets for use in Terraform configurations. This module does not create or manage secrets—it only references secrets that already exist in AWS Secrets Manager.

Purpose

This module is designed to reference sensitive information (such as passwords, API keys, or credentials) that has been created manually in AWS Secrets Manager by customers or security teams. By referencing secrets rather than hardcoding values, Terraform configurations remain secure, and credentials can be rotated independently of the infrastructure code.

Primary Use Case: Domain Join Credentials

The most common use case for this module is retrieving domain join credentials for Self-Managed AD Domain Join. In this scenario:

  1. Customer creates a secret in AWS Secrets Manager containing domain service account credentials
  2. Terraform references the secret ARN without ever exposing the actual password
  3. EC2 instances retrieve credentials at runtime via IAM-secured API calls
  4. Credentials can be rotated in Secrets Manager without any Terraform changes
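The four steps above, written out as an added Terraform example (not the project's own code or module). It assumes placeholder names for the variables, role, profile and AMI, and assumes the AMI ships the AWS CLI; the only thing Terraform ever handles is the secret's ARN, while the instance role is scoped to that single secret and the credential is fetched on the instance at boot.

```hcl
# Added example; names below are placeholders, not the module's own identifiers.
variable "domain_join_secret_arn" {
  description = "ARN of the customer-managed secret holding domain service account credentials"
  type        = string
}

variable "domain_join_kms_key_arn" {
  description = "ARN of the customer-managed KMS key encrypting the secret, if any (null = AWS-managed key)"
  type        = string
  default     = null
}

variable "ami_id" {
  type = string
}

# Metadata lookup only: returns arn, name, kms_key_id and similar, never the value.
data "aws_secretsmanager_secret" "domain_join" {
  arn = var.domain_join_secret_arn
}

# Least privilege: the instance role may read exactly this one secret.
data "aws_iam_policy_document" "read_domain_join_secret" {
  statement {
    sid       = "ReadDomainJoinSecret"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [data.aws_secretsmanager_secret.domain_join.arn]
  }

  # A secret encrypted with a customer-managed KMS key also needs kms:Decrypt on that key.
  dynamic "statement" {
    for_each = var.domain_join_kms_key_arn == null ? [] : [var.domain_join_kms_key_arn]
    content {
      sid       = "DecryptDomainJoinSecret"
      actions   = ["kms:Decrypt"]
      resources = [statement.value]
    }
  }
}

data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "domain_join" {
  name               = "domain-join-instance-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role_policy" "domain_join" {
  name   = "read-domain-join-secret"
  role   = aws_iam_role.domain_join.id
  policy = data.aws_iam_policy_document.read_domain_join_secret.json
}

resource "aws_iam_instance_profile" "domain_join" {
  name = "domain-join-instance-profile"
  role = aws_iam_role.domain_join.name
}

# The instance retrieves the credential itself through the IAM-authenticated API.
# user_data is stored in state, but here it carries only the ARN, not the password.
resource "aws_instance" "member" {
  ami                  = var.ami_id
  instance_type        = "t3.medium"
  iam_instance_profile = aws_iam_instance_profile.domain_join.name

  user_data = <<-EOT
    #!/bin/bash
    set -euo pipefail
    SECRET_ARN='${data.aws_secretsmanager_secret.domain_join.arn}'
    # Runtime retrieval; the value lives only on the instance, in a root-only file.
    umask 077
    aws secretsmanager get-secret-value --secret-id "$SECRET_ARN" \
      --query SecretString --output text > /run/domain-join.json
    # ... hand /run/domain-join.json to the join tooling, then shred it
  EOT
}
```

Rotating the secret in Secrets Manager changes nothing in this configuration: a fresh instance reads whatever version currently carries the AWSCURRENT label, and `terraform plan` stays empty because no attribute it tracks has changed.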

How It Works

The module uses Terraform data sources to retrieve metadata about existing secrets:

  1. References an existing secret by ARN
  2. Optionally specifies a version (stage or ID) to retrieve
  3. Makes secret metadata available to other Terraform resources
  4. Does NOT retrieve actual secret values into Terraform state for security
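An added illustration of the wiring the four points describe, written as a small stand-alone module (this is example code, not the contents of `src/modules/secretsmanager_secret/`; variable and output names are assumed). The ARN is validated before any lookup, the data source exposes metadata only, and the optional version stage or id is passed through as plain metadata for whatever reads the secret at runtime.

```hcl
# Added example module; identifiers are assumptions, not the project's.
variable "secret_arn" {
  description = "ARN of an existing Secrets Manager secret (this module never creates one)"
  type        = string

  validation {
    condition     = can(regex("^arn:aws[a-z-]*:secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:", var.secret_arn))
    error_message = "secret_arn must be the ARN of a Secrets Manager secret."
  }
}

variable "version_stage" {
  description = "Staging label consumers should request at runtime (AWSCURRENT follows rotation)"
  type        = string
  default     = "AWSCURRENT"
}

variable "version_id" {
  description = "Explicit version id to pin instead of a stage; null means use version_stage"
  type        = string
  default     = null
}

# aws_secretsmanager_secret returns metadata (arn, name, description, kms_key_id,
# resource policy). It does not return the secret value, so nothing sensitive
# reaches the plan or the state file.
data "aws_secretsmanager_secret" "this" {
  arn = var.secret_arn
}

output "arn" {
  value = data.aws_secretsmanager_secret.this.arn
}

output "name" {
  value = data.aws_secretsmanager_secret.this.name
}

output "kms_key_id" {
  description = "Set when the secret uses a customer-managed key; consumers then also need kms:Decrypt"
  value       = data.aws_secretsmanager_secret.this.kms_key_id
}

# Version selection is metadata too: an explicit id wins, otherwise the stage label.
# Consumers pass one of these to GetSecretValue at runtime.
output "version_selector" {
  value = {
    version_id    = var.version_id
    version_stage = var.version_id == null ? var.version_stage : null
  }
}
```

Pinning a `version_id` is useful for a controlled cutover, but it also means a rotation in Secrets Manager is not picked up until the pin is updated; leaving the default `AWSCURRENT` stage is what makes step 4 of the domain join flow work without Terraform changes.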

Module Structure

  • Module: src/modules/secretsmanager_secret/ - Core data source implementation
  • Variables: src/variables.secretsmanager.tf - Input variable definitions
  • Main: src/main.secretsmanager.tf - Module instantiation

Key Characteristics

  • Read-Only - Only retrieves existing secrets, does not create or modify
  • Secure - Secret values are not stored in Terraform state
  • Flexible - Supports versioning for secret rotation scenarios
  • Reference-Based - Provides ARNs and metadata for use by other resources

When to Use

Use this module when:

  • Referencing customer-managed secrets for domain join
  • Integrating with secrets created outside of Terraform
  • Maintaining separation between credential management and infrastructure code
  • Implementing security patterns where secrets are managed by dedicated teams

Don't use this module when:

  • You need to create new secrets (use the aws_secretsmanager_secret resource directly)
  • Secret values need to be in Terraform state (security anti-pattern)
  • Managing secret rotation policies (use AWS Secrets Manager directly)
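The state anti-pattern side by side with the reference-only pattern, as an added example (not code from the page or the project; `var.secret_arn` and the resource names are assumed). The first block shows the single line that pulls a secret value into Terraform, and why `sensitive = true` does not undo that; the second shows what stays safe to expose.

```hcl
# Added example; names are placeholders.

# ANTI-PATTERN: aws_secretsmanager_secret_version fetches the value itself. From
# here on the plaintext is in the plan and in terraform.tfstate, regardless of
# where the state is stored.
data "aws_secretsmanager_secret_version" "leaky" {
  secret_id     = var.secret_arn
  version_stage = "AWSCURRENT"
}

resource "aws_instance" "leaky" {
  ami           = var.ami_id
  instance_type = "t3.medium"

  # The password is now a literal inside user_data, which Terraform records in state.
  user_data = <<-EOT
    #!/bin/bash
    echo '${jsondecode(data.aws_secretsmanager_secret_version.leaky.secret_string)["password"]}' > /run/pw
  EOT
}

# sensitive = true only redacts CLI output. The value is still written to state,
# so this does not make the pattern above acceptable.
output "leaky_password" {
  value     = jsondecode(data.aws_secretsmanager_secret_version.leaky.secret_string)["password"]
  sensitive = true
}

# CORRECTED: reference only. Nothing below contains a credential, so every
# attribute is safe in plan output and in state.
data "aws_secretsmanager_secret" "ref" {
  arn = var.secret_arn
}

output "domain_join_secret_arn" {
  value = data.aws_secretsmanager_secret.ref.arn
}

# Quick check for an existing workspace (run outside Terraform):
#   terraform show -json | grep -c secret_string
# A non-zero count means some data source or resource is carrying a secret value in state.
```

Creating secrets belongs in the same category: an `aws_secretsmanager_secret_version` resource with a `secret_string` argument records that string in state as well, which is why the page points secret creation and rotation policy at Secrets Manager itself rather than at this module.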

Next Steps