Terraform AWS Secrets Manager

Secrets, secret versions, rotation schedules, KMS encryption, resource policies, replication, and controlled retrieval of database passwords, API keys, and tokens.

Controls enforced

These compliance controls are checked at terraform plan time.

Secrets Manager secrets should be encrypted using CMK(low effort)

Quick start

module "secrets-manager" {
  source  = "cccsmedium.compliance.tf/terraform-aws-modules/secrets-manager/aws"
  version = "1.0"

  # ... your arguments here
}

module "secrets-manager" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/secrets-manager/aws"
  version = "1.0"

  # ... your arguments here
}

module "secrets-manager" {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/secrets-manager/aws"
  version = "1.0"

  # ... your arguments here
}

module "secrets-manager" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/secrets-manager/aws"
  version = "1.0"

  # ... your arguments here
}

module "secrets-manager" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/secrets-manager/aws"
  version = "1.0"

  # ... your arguments here
}

module "secrets-manager" {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/secrets-manager/aws"
  version = "1.0"

  # ... your arguments here
}

module "secrets-manager" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/secrets-manager/aws"
  version = "1.0"

  # ... your arguments here
}

View this module on the compliance.tf registry — versions, inputs, and outputs →

See the Get Started guide and Registry Endpoints for details on how to customize the module for your requirements.

Migration from upstream

Already using terraform-aws-modules? Change only the source URL:

module "secrets-manager" {
  source  = "terraform-aws-modules/secrets-manager/aws"
  version = "1.0"
}

module "secrets-manager" {
  source  = "soc2.compliance.tf/terraform-aws-modules/secrets-manager/aws"
  version = "1.0"
}

Same arguments. Same outputs. Controls are checked at terraform plan. See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL:

module "secrets-manager" {
  source  = "terraform-aws-modules/secrets-manager/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.