feat: Add Support secrets manager

README.md

@@ -44,6 +44,7 @@ Supports all destinations and all Kinesis Firehose Features.
     * [ElasticSearch / Opensearch / Opensearch Serverless](#elasticsearch--opensearch--opensearch-serverless)
     * [Redshift / Splunk](#redshift--splunk)
   * [Application Role](#application-role)
+  * [Secrets Manager](#secrets-manager)
 * [Destinations Mapping](#destinations-mapping)
 * [Examples](#examples)
 * [Requirements](#requirements)
@@ -79,20 +80,31 @@ Supports all destinations and all Kinesis Firehose Features.
     - Dynamic Partition
   - Redshift
     - VPC Support. Security Groups creation supported.
+    - Support to Secrets Manager.
   - ElasticSearch / Opensearch / Opensearch Serverless
     - VPC Support. Security Groups creation supported.
   - Splunk
     - VPC Support. Security Groups creation supported.
+    - Support to Secrets Manager.
   - Snowflake
     - VPCE Support.
+    - Support to Secrets Manager
   - Custom Http Endpoint
+    - Support to Secrets Manager
   - DataDog
+    - Support to Secrets Manager
   - Coralogix
+    - Support to Secrets Manager
   - New Relic
+    - Support to Secrets Manager
   - Dynatrace
+    - Support to Secrets Manager
   - Honeycomb
+    - Support to Secrets Manager
   - Logic Monitor
+    - Support to Secrets Manager
   - MongoDB Cloud
+    - Support to Secrets Manager
   - Sumo Logic
 - Data Transformation With Lambda
 - Original Data Backup in S3
@@ -805,6 +817,32 @@ module "firehose" {
 }
 ```
 
+### Secrets Manager
+
+**Supported By:** Snowflake / Redshift / Splunk and Http Endpoint destinations
+
+**To Enable:** `enable_secrets_manager = true`
+
+**Variables Prefix:** `secret_`
+
+```hcl
+module "firehose" {
+  source                      = "fdmsantos/kinesis-firehose/aws"
+  version                     = "x.x.x"
+  name                        = "firehose-delivery-stream"
+  destination                 = "redshift"
+  s3_bucket_arn               = "<bucket_arn>"
+  redshift_cluster_identifier = "<redshift_cluster_identifier>"
+  redshift_cluster_endpoint   = "<redshift_cluster_endpoint>"
+  redshift_database_name      = "<redshift_cluster_database>"
+  enable_secrets_manager      = true
+  secret_arn                  = "<secret_arn>"
+  secret_kms_key_arn          = "<secret_kms_key_arn>"
+  redshift_table_name         = "<redshift_cluster_table>"
+  redshift_copy_options       = "json 'auto ignorecase'"
+}
+```
+
 ## Destinations Mapping
 
 The destination variable configured in module is mapped to firehose valid destination.
@@ -837,6 +875,7 @@ The destination variable configured in module is mapped to firehose valid destin
 - [MSK Source](https://github.com/fdmsantos/terraform-aws-kinesis-firehose/tree/main/examples/s3/msk-to-s3) - Creates a Kinesis Firehose Stream with MSK Cluster as source and S3 as destination.
 - [S3 Destination Complete](https://github.com/fdmsantos/terraform-aws-kinesis-firehose/tree/main/examples/s3/kinesis-to-s3-complete) - Creates a Kinesis Firehose Stream with all features enabled.
 - [Redshift](https://github.com/fdmsantos/terraform-aws-kinesis-firehose/tree/main/examples/redshift/direct-put-to-redshift) - Creates a Kinesis Firehose Stream with redshift as destination.
+- [Redshift](https://github.com/fdmsantos/terraform-aws-kinesis-firehose/tree/main/examples/redshift/direct-put-to-redshift-with-secrets-manager) - Creates a Kinesis Firehose Stream with redshift as destination using secrets manager.
 - [Redshift In VPC](https://github.com/fdmsantos/terraform-aws-kinesis-firehose/tree/main/examples/redshift/redshift-in-vpc) - Creates a Kinesis Firehose Stream with redshift in VPC as destination.
 - [Public Opensearch](https://github.com/fdmsantos/terraform-aws-kinesis-firehose/tree/main/examples/opensearch/direct-put-to-opensearch) - Creates a Kinesis Firehose Stream with public opensearch as destination.
 - [Public Opensearch Serverless](https://github.com/fdmsantos/terraform-aws-kinesis-firehose/tree/main/examples/opensearch/direct-put-to-opensearchserverless) - Creates a Kinesis Firehose Stream with public serverless opensearch as destination.
@@ -860,13 +899,13 @@ The destination variable configured in module is mapped to firehose valid destin
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.47 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.59 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.47 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.59 |
 
 ## Modules
 
@@ -890,6 +929,8 @@ No modules.
 | [aws_iam_policy.opensearchserverless](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.s3_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.secretsmanager_cmk_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role.application](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role.firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -904,6 +945,8 @@ No modules.
 | [aws_iam_role_policy_attachment.opensearchserverless](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.s3_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.secretsmanager_cmk_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_service_linked_role.opensearch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource |
 | [aws_iam_service_linked_role.opensearchserverless](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_service_linked_role) | resource |
@@ -932,6 +975,8 @@ No modules.
 | [aws_iam_policy_document.opensearchserverless](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.s3_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.secretsmanager_cmk_encryption](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_subnet.subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
@@ -1018,6 +1063,7 @@ No modules.
 | <a name="input_enable_lambda_transform"></a> [enable\_lambda\_transform](#input\_enable\_lambda\_transform) | Set it to true to enable data transformation with lambda | `bool` | `false` | no |
 | <a name="input_enable_s3_backup"></a> [enable\_s3\_backup](#input\_enable\_s3\_backup) | The Amazon S3 backup mode | `bool` | `false` | no |
 | <a name="input_enable_s3_encryption"></a> [enable\_s3\_encryption](#input\_enable\_s3\_encryption) | Indicates if want use encryption in S3 bucket. | `bool` | `false` | no |
+| <a name="input_enable_secrets_manager"></a> [enable\_secrets\_manager](#input\_enable\_secrets\_manager) | Enables or disables the Secrets Manager configuration. | `bool` | `false` | no |
 | <a name="input_enable_sse"></a> [enable\_sse](#input\_enable\_sse) | Whether to enable encryption at rest. Only makes sense when source is Direct Put | `bool` | `false` | no |
 | <a name="input_enable_vpc"></a> [enable\_vpc](#input\_enable\_vpc) | Indicates if destination is configured in VPC. Supports Elasticsearch and Opensearch destinations. | `bool` | `false` | no |
 | <a name="input_firehose_role"></a> [firehose\_role](#input\_firehose\_role) | IAM role ARN attached to the Kinesis Firehose Stream. | `string` | `null` | no |
@@ -1092,6 +1138,8 @@ No modules.
 | <a name="input_s3_kms_key_arn"></a> [s3\_kms\_key\_arn](#input\_s3\_kms\_key\_arn) | Specifies the KMS key ARN the stream will use to encrypt data. If not set, no encryption will be used | `string` | `null` | no |
 | <a name="input_s3_own_bucket"></a> [s3\_own\_bucket](#input\_s3\_own\_bucket) | Indicates if you own the bucket. If not, will be configure permissions to grants the bucket owner full access to the objects delivered by Kinesis Data Firehose | `bool` | `true` | no |
 | <a name="input_s3_prefix"></a> [s3\_prefix](#input\_s3\_prefix) | The YYYY/MM/DD/HH time format prefix is automatically used for delivered S3 files. You can specify an extra prefix to be added in front of the time format prefix. Note that if the prefix ends with a slash, it appears as a folder in the S3 bucket | `string` | `null` | no |
+| <a name="input_secret_arn"></a> [secret\_arn](#input\_secret\_arn) | The ARN of the Secrets Manager secret. This value is required if enable\_secrets\_manager is true. | `string` | `null` | no |
+| <a name="input_secret_kms_key_arn"></a> [secret\_kms\_key\_arn](#input\_secret\_kms\_key\_arn) | The ARN of the KMS Key to encrypt the Secret. This value is required if key used to encrypt the Secret is CMK and want the module generates the IAM Policy to access it. | `string` | `null` | no |
 | <a name="input_snowflake_account_identifier"></a> [snowflake\_account\_identifier](#input\_snowflake\_account\_identifier) | The Snowflake account identifier. | `string` | `null` | no |
 | <a name="input_snowflake_content_column_name"></a> [snowflake\_content\_column\_name](#input\_snowflake\_content\_column\_name) | The name of the content column. | `string` | `null` | no |
 | <a name="input_snowflake_data_loading_option"></a> [snowflake\_data\_loading\_option](#input\_snowflake\_data\_loading\_option) | The data loading option. | `string` | `null` | no |

examples/redshift/direct-put-to-redshift-with-secrets-manager/README.md

@@ -0,0 +1,67 @@
+# Kinesis Firehose: Direct Put To Redshift
+
+Configuration in this directory creates kinesis firehose stream with Direct Put as source and Redshift as destination using secrets manager.
+
+This example is ready to be tested with Demo Data in Kinesis Firehose Console.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which cost money. Run `terraform destroy` when you don't need these resources.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.4 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.4 |
+| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_firehose"></a> [firehose](#module\_firehose) | ../../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_s3_bucket.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Name prefix to use in resources | `string` | `"direct-put-to-s3"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_kinesis_firehose_arn"></a> [kinesis\_firehose\_arn](#output\_kinesis\_firehose\_arn) | The ARN of the Kinesis Firehose Stream |
+| <a name="output_kinesis_firehose_destination_id"></a> [kinesis\_firehose\_destination\_id](#output\_kinesis\_firehose\_destination\_id) | The Destination id of the Kinesis Firehose Stream |
+| <a name="output_kinesis_firehose_role_arn"></a> [kinesis\_firehose\_role\_arn](#output\_kinesis\_firehose\_role\_arn) | The ARN of the IAM role created for Kinesis Firehose Stream |
+| <a name="output_kinesis_firehose_version_id"></a> [kinesis\_firehose\_version\_id](#output\_kinesis\_firehose\_version\_id) | The Version id of the Kinesis Firehose Stream |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/redshift/direct-put-to-redshift-with-secrets-manager/main.tf

@@ -0,0 +1,83 @@
+data "aws_caller_identity" "current" {}
+
+resource "random_pet" "this" {
+  length = 2
+}
+
+resource "aws_s3_bucket" "s3" {
+  bucket        = "${var.name_prefix}-destination-bucket-${random_pet.this.id}"
+  force_destroy = true
+}
+
+resource "aws_redshift_cluster" "this" {
+  cluster_identifier  = "${var.name_prefix}-redshift-cluster"
+  database_name       = "test"
+  master_username     = var.redshift_username
+  master_password     = var.redshift_password
+  node_type           = "dc2.large"
+  cluster_type        = "single-node"
+  skip_final_snapshot = true
+  #   provisioner "local-exec" {
+  #     command = "psql \"postgresql://${self.master_username}:${self.master_password}@${self.endpoint}/${self.database_name}\" -f ./redshift_table.sql"
+  #   }
+}
+
+resource "aws_kms_key" "this" {
+  description             = "${var.name_prefix}-kms-key"
+  deletion_window_in_days = 7
+}
+
+module "firehose" {
+  source                       = "../../../"
+  name                         = "${var.name_prefix}-delivery-stream"
+  destination                  = "redshift"
+  s3_bucket_arn                = aws_s3_bucket.s3.arn
+  buffering_interval           = 60
+  redshift_cluster_identifier  = aws_redshift_cluster.this.cluster_identifier
+  redshift_cluster_endpoint    = aws_redshift_cluster.this.endpoint
+  redshift_database_name       = aws_redshift_cluster.this.database_name
+  enable_secrets_manager       = true
+  secret_arn                   = module.secrets_manager.secret_arn
+  secret_kms_key_arn           = module.secrets_manager.secret_arn
+  redshift_table_name          = "firehose_test_table"
+  redshift_copy_options        = "json 'auto ignorecase'"
+  enable_s3_backup             = true
+  s3_backup_prefix             = "backup/"
+  s3_backup_bucket_arn         = aws_s3_bucket.s3.arn
+  s3_backup_buffering_interval = 100
+  s3_backup_buffering_size     = 100
+  s3_backup_compression        = "GZIP"
+  s3_backup_enable_encryption  = true
+  s3_backup_kms_key_arn        = aws_kms_key.this.arn
+}
+
+
+module "secrets_manager" {
+  source     = "terraform-aws-modules/secrets-manager/aws"
+  version    = "1.1.2"
+  kms_key_id = aws_kms_key.this.id
+
+  # Secret
+  name_prefix             = "${var.name_prefix}-redshift-secret"
+  description             = "Example Secrets Manager secret"
+  recovery_window_in_days = 0
+  # Policy
+  create_policy       = true
+  block_public_policy = true
+  policy_statements = {
+    read = {
+      sid = "AllowAccountRead"
+      principals = [{
+        type        = "AWS"
+        identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+      }]
+      actions   = ["secretsmanager:GetSecretValue"]
+      resources = ["*"]
+    }
+  }
+
+  secret_string = jsonencode({
+    username = var.redshift_username,
+    password = var.redshift_password
+  })
+}

examples/redshift/direct-put-to-redshift-with-secrets-manager/outputs.tf

@@ -0,0 +1,19 @@
+output "kinesis_firehose_arn" {
+  description = "The ARN of the Kinesis Firehose Stream"
+  value       = module.firehose.kinesis_firehose_arn
+}
+
+output "kinesis_firehose_destination_id" {
+  description = "The Destination id of the Kinesis Firehose Stream"
+  value       = module.firehose.kinesis_firehose_destination_id
+}
+
+output "kinesis_firehose_version_id" {
+  description = "The Version id of the Kinesis Firehose Stream"
+  value       = module.firehose.kinesis_firehose_version_id
+}
+
+output "kinesis_firehose_role_arn" {
+  description = "The ARN of the IAM role created for Kinesis Firehose Stream"
+  value       = module.firehose.kinesis_firehose_role_arn
+}

examples/redshift/direct-put-to-redshift-with-secrets-manager/redshift_table.sql

@@ -0,0 +1,7 @@
+Create table firehose_test_table
+(
+    ticker_symbol varchar(4),
+    sector varchar(16),
+    change float,
+    price float
+);

examples/redshift/direct-put-to-redshift-with-secrets-manager/variables.tf

@@ -0,0 +1,17 @@
+variable "name_prefix" {
+  description = "Name prefix to use in resources"
+  type        = string
+  default     = "direct-put-to-redshift"
+}
+
+variable "redshift_username" {
+  description = "The username that the firehose delivery stream will assume. It is strongly recommended that the username and password provided is used exclusively for Amazon Kinesis Firehose purposes, and that the permissions for the account are restricted for Amazon Redshift INSERT permissions"
+  type        = string
+  sensitive   = true
+}
+
+variable "redshift_password" {
+  description = "The password for the redshift username above"
+  type        = string
+  sensitive   = true
+}

examples/redshift/direct-put-to-redshift-with-secrets-manager/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 0.13.1"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 2.0"
+    }
+  }
+}

examples/redshift/direct-put-to-redshift/main.tf

@@ -15,9 +15,9 @@ resource "aws_redshift_cluster" "this" {
   node_type           = "dc2.large"
   cluster_type        = "single-node"
   skip_final_snapshot = true
-  provisioner "local-exec" {
-    command = "psql \"postgresql://${self.master_username}:${self.master_password}@${self.endpoint}/${self.database_name}\" -f ./redshift_table.sql"
-  }
+  #   provisioner "local-exec" {
+  #     command = "psql \"postgresql://${self.master_username}:${self.master_password}@${self.endpoint}/${self.database_name}\" -f ./redshift_table.sql"
+  #   }
 }
 
 resource "aws_kms_key" "this" {