
Add option to read license key from secret arn instead of passing the secret as a value #2

Open
pragmaticivan opened this issue May 6, 2022 · 2 comments
Labels
enhancement New feature or request P1

Comments

@pragmaticivan

The value is passed as a variable and possibly stored in the terraform state. This is a lambda after all and it can read from the secret manager instead.

Desired Behavior

Have a secret_arn input that can be used instead of the license key value.

Possible Solution

Use ARN when available, and fallback to secret value input.

@pragmaticivan pragmaticivan added the enhancement New feature or request label May 6, 2022
@losnir
Contributor

losnir commented May 23, 2022

Hi Ivan, thanks for your suggestion.

I understand the concern for storing secret data in state and unfortunately there is no getting around that, especially when developing a module which accepts such a secret as input.

This is true even when using an aws_secretsmanager_secret_version data resource, since the value is still kept in state.

The best practice is to always treat your Terraform state itself as a secret and store it encrypted in a remote backend (see here).

Also, I'd rather not implement any specific solution to retrieve a secret for the license key since not everyone uses AWS Secrets Manager, and I'd like to keep this module agnostic.

However, I believe there's still room for improvement, and therefore will upgrade the module to support Terraform v0.14, which has the ability to declare sensitive input variables.
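As an added example that is not part of this issue or the module's own code, here is one way the two ideas in this thread fit together in Terraform: a `sensitive` license_key variable (the value still lands in state, as noted above), an optional secret ARN that takes precedence so only the ARN reaches the Lambda configuration, and a read grant scoped to that one secret. The variable and resource names, and the pre-existing role `aws_iam_role.lambda`, are assumptions.

```hcl
# Added example, not the module's code; variable and resource names are assumed.
variable "license_key" {
  description = "License key value. Redacted from plan/apply output, but still stored in state."
  type        = string
  default     = null
  sensitive   = true # Terraform >= 0.14
}
variable "license_key_secret_arn" {
  description = "ARN of the Secrets Manager secret holding the license key; preferred when set."
  type        = string
  default     = null
}
locals {
  use_secret_arn = var.license_key_secret_arn != null
}

resource "aws_lambda_function" "this" {
  function_name = "license-consumer"      # assumed
  role          = aws_iam_role.lambda.arn # assumed to exist
  handler       = "index.handler"
  runtime       = "python3.9"
  filename      = "lambda.zip"

  # With the ARN set, only the ARN reaches state and the function config; the raw key is the fallback.
  environment {
    variables = local.use_secret_arn ? {
      LICENSE_KEY_SECRET_ARN = var.license_key_secret_arn
    } : {
      LICENSE_KEY = var.license_key
    }
  }

  lifecycle {
    precondition { # Terraform >= 1.2
      condition     = local.use_secret_arn || var.license_key != null
      error_message = "Set either license_key_secret_arn or license_key."
    }
  }
}

# Least privilege: read access to exactly this secret, and only when the ARN path is used.
resource "aws_iam_role_policy" "read_license_secret" {
  count  = local.use_secret_arn ? 1 : 0
  role   = aws_iam_role.lambda.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "secretsmanager:GetSecretValue", Resource = var.license_key_secret_arn }]
  })
}
```

The function itself then fetches the key at runtime from the ARN it was given, so the plaintext never has to pass through module inputs or the Lambda environment.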

@pragmaticivan
Author

I agree with everything above, especially with the need for sensitive input variables.

@losnir losnir added the P1 label May 24, 2022