Is it possible to set up multi-user secret rotation in AWS Secrets Manager with Terraform?

Is it possible to set up a multiuser secret rotation in AWS secrets manager with terraform?

...given the existing functionality of terraform (v.3.23.0)

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_rotation

Or is it simply not available in terraform at the time of writing? Apparently this can be done in the AWS UI, but I'm interested in scripting it in TF.

I have a simple example that rotates a single secret in AWS Secrets Manager, but if I edit the created rotation associated with that secret in the AWS dashboard, I can't make it a multi-user rotation -- the UI simply doesn't show that as an option.

    # Attach a rotation schedule to the secret; the Lambda comes from the SAR stack below
    resource "aws_secretsmanager_secret_rotation" "rds_postgres_key_rotation" {
      secret_id           = aws_secretsmanager_secret.rotation_example.id
      rotation_lambda_arn = aws_serverlessapplicationrepository_cloudformation_stack.postgres_rotator.outputs["RotationLambdaARN"]
    
      rotation_rules {
        automatically_after_days = 1
      }
    }
    
    # The secret being rotated (aws_kms_key.my_key is defined elsewhere)
    resource "aws_secretsmanager_secret" "rotation_example" {
      name       = "normalusersecret"
      kms_key_id = aws_kms_key.my_key.id
    }
    
    # Deploy the AWS-provided multi-user PostgreSQL rotation function from the
    # Serverless Application Repository
    resource "aws_serverlessapplicationrepository_cloudformation_stack" "postgres_rotator" {
      name           = "postgres-rotator"
      application_id = "arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSPostgreSQLRotationMultiUser"
      capabilities = [
        "CAPABILITY_IAM",
        "CAPABILITY_RESOURCE_POLICY",
      ]
      parameters = {
        functionName = "func-postgres-rotator"
        # Region-independent form of the endpoint (needs data.aws_region.current and data.aws_partition.current)
        #endpoint     = "secretsmanager.${data.aws_region.current.name}.${data.aws_partition.current.dns_suffix}"
        endpoint = "secretsmanager.us-east-1.lambda.amazonaws.com"
      }
    }

It seems SecretsManager just checks the secret value JSON for the `masterarn` key. If that key exists, it flips the Multi user radio button.

e.g.

Single user

    # Secret value without "masterarn": shown as single user
    resource "aws_secretsmanager_secret_version" "example" {
      secret_id = aws_secretsmanager_secret.example.id
      secret_string = tostring(jsonencode({
        password            = "password"
        username            = "user"
      }))
    }

Multi user

    # Same secret value plus "masterarn" pointing at the master secret: shown as multi user
    resource "aws_secretsmanager_secret_version" "example" {
      secret_id = aws_secretsmanager_secret.example.id
      secret_string = tostring(jsonencode({
        masterarn           = aws_secretsmanager_secret.master.arn
        password            = "password"
        username            = "user"
      }))
    }
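As a complete worked example (added here; it is not code from the question or the answer), the following Terraform config wires the `masterarn` observation above into an end-to-end multi-user rotation: a master secret, an application-user secret that references it, the multi-user rotation function from the Serverless Application Repository, and the rotation schedule. The application ID is the one from the question; the secret names, the `db_host` and `master_password` variables, the `appdb`/`app_user` values and the resource names are assumptions. The key names in the secret JSON (`engine`, `host`, `port`, `dbname`, `username`, `password`, `masterarn`) are the ones the AWS-provided PostgreSQL rotation functions read.

```hcl
# Added example, not from the question or the answer. Assumes an RDS PostgreSQL
# instance reachable by the rotation Lambda and region us-east-1 as in the question;
# names and values below are placeholders.

data "aws_region" "current" {}
data "aws_partition" "current" {}

variable "db_host" {
  type = string
}

variable "master_password" {
  type      = string
  sensitive = true
}

# Master (superuser) credentials. The rotation function reads this secret to set
# the application user's new password; the master secret itself is not rotated here.
resource "aws_secretsmanager_secret" "master" {
  name = "example/postgres/master"
}

resource "aws_secretsmanager_secret_version" "master" {
  secret_id = aws_secretsmanager_secret.master.id
  secret_string = jsonencode({
    engine   = "postgres"
    host     = var.db_host
    port     = 5432
    dbname   = "appdb"
    username = "postgres"
    password = var.master_password
  })
}

# Application user credentials. The "masterarn" key is what marks this secret as
# multi user, as the answer observes.
resource "aws_secretsmanager_secret" "app_user" {
  name = "example/postgres/app-user"
}

resource "aws_secretsmanager_secret_version" "app_user" {
  secret_id = aws_secretsmanager_secret.app_user.id
  secret_string = jsonencode({
    engine    = "postgres"
    host      = var.db_host
    port      = 5432
    dbname    = "appdb"
    username  = "app_user"
    password  = "initial-placeholder-password" # maintained by rotation afterwards
    masterarn = aws_secretsmanager_secret.master.arn
  })

  # Rotation writes new secret versions outside Terraform. Ignoring the value keeps
  # a later apply from overwriting the rotated password with the placeholder.
  lifecycle {
    ignore_changes = [secret_string]
  }
}

# Multi-user rotation function (same application ID as the question). The function's
# role must be able to read the master secret; depending on where the database sits
# the application may also need VPC/KMS parameters, so check its parameter list.
resource "aws_serverlessapplicationrepository_cloudformation_stack" "postgres_rotator_multi" {
  name           = "postgres-rotator-multi-user"
  application_id = "arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSPostgreSQLRotationMultiUser"
  capabilities   = ["CAPABILITY_IAM", "CAPABILITY_RESOURCE_POLICY"]

  parameters = {
    functionName = "func-postgres-rotator-multi-user"
    # Regional Secrets Manager endpoint built from the current region and partition
    endpoint = "secretsmanager.${data.aws_region.current.name}.${data.aws_partition.current.dns_suffix}"
  }
}

# Schedule rotation of the application-user secret with the multi-user function.
# Creating this resource triggers a first rotation, so the secret must already
# hold a value (hence depends_on).
resource "aws_secretsmanager_secret_rotation" "app_user" {
  secret_id           = aws_secretsmanager_secret.app_user.id
  rotation_lambda_arn = aws_serverlessapplicationrepository_cloudformation_stack.postgres_rotator_multi.outputs["RotationLambdaARN"]

  rotation_rules {
    automatically_after_days = 30
  }

  depends_on = [aws_secretsmanager_secret_version.app_user]
}
```

The single-user variant is the same config with the `master` secret and the `masterarn` key removed and the single-user SAR application in place of the multi-user one. The `lifecycle.ignore_changes` block matters in practice: after the first rotation the current password lives only in Secrets Manager, and without it a plain `terraform apply` would push the placeholder back and break the application's credentials.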