feat: Make the name suffix optional. (#5)

jamesiarmes · web-flow · commit 1d622a489083 · 2025-08-18T16:45:37.000-04:00
diff --git a/README.md b/README.md
@@ -20,7 +20,7 @@ to match your desired configuration. For example:
 
 ```hcl
 module "secrets" {
-  source = "github.com/codeforamerica/tofu-modules-aws-secrets?ref=1.0.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-secrets?ref=1.1.0"
 
   project     = "my-project"
   environment = "dev"
@@ -56,14 +56,15 @@ tofu init -upgrade
 
 ## Inputs
 
-| Name                | Description                                                                                 | Type          | Default | Required |
-|---------------------|---------------------------------------------------------------------------------------------|---------------|---------|----------|
-| project             | Name of the project.                                                                        | `string`      | n/a     | yes      |
-| environment         | Environment for the project.                                                                | `string`      | `"dev"` | no       |
-| key_recovery_period | Number of days to recover the KMS key after deletion.                                       | `number`      | `30`    | no       |
-| [secrets]           | Secrets to be created.                                                                      | `map(object)` | `{}`    | no       |
-| service             | Optional service that these resources are supporting. Example: `"api"`, `"web"`, `"worker"` | `string`      | n/a     | no       |
-| tags                | Optional tags to be applied to all resources.                                               | `list`        | `[]`    | no       |
+| Name                | Description                                                                                                                                     | Type          | Default | Required |
+|---------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|---------------|---------|----------|
+| project             | Name of the project.                                                                                                                            | `string`      | n/a     | yes      |
+| add_suffix          | Apply a random suffix to the secret name. Useful when secrets may need to be replaced, but makes identify secrets by name alone more difficult. | `bool`        | `true`  | no       |
+| environment         | Environment for the project.                                                                                                                    | `string`      | `"dev"` | no       |
+| key_recovery_period | Number of days to recover the KMS key after deletion.                                                                                           | `number`      | `30`    | no       |
+| [secrets]           | Secrets to be created.                                                                                                                          | `map(object)` | `{}`    | no       |
+| service             | Optional service that these resources are supporting. Example: `"api"`, `"web"`, `"worker"`                                                     | `string`      | n/a     | no       |
+| tags                | Optional tags to be applied to all resources.                                                                                                   | `list`        | `[]`    | no       |
 
 ### secrets
 
diff --git a/main.tf b/main.tf
@@ -4,7 +4,8 @@ module "secrets_manager" {
 
   for_each = var.secrets
 
-  name_prefix             = each.value.name != "" ? "${each.value.name}-" : "${var.project}/${var.environment}/${var.service}/${each.key}-"
+  name                    = coalesce(each.value.add_suffix, var.add_suffix) ? null : coalesce(each.value.name, "${var.project}/${var.environment}/${var.service}/${each.key}")
+  name_prefix             = coalesce(each.value.add_suffix, var.add_suffix) ? "${coalesce(each.value.name, "${var.project}/${var.environment}/${var.service}/${each.key}")}-" : null
   create_random_password  = each.value.create_random_password
   description             = each.value.description
   recovery_window_in_days = each.value.recovery_window
diff --git a/variables.tf b/variables.tf
@@ -1,3 +1,9 @@
+variable "add_suffix" {
+  type        = bool
+  description = "Apply a random suffix to the secret name. Useful when secrets may need to be replaced, but makes identify secrets by name alone more difficult."
+  default     = true
+}
+
 variable "environment" {
   type        = string
   description = "Environment for the deployment."
@@ -23,9 +29,10 @@ variable "project" {
 # TODO: Support rotation.
 variable "secrets" {
   type = map(object({
+    add_suffix             = optional(bool, null)
     create_random_password = optional(bool, false)
     description            = string
-    name                   = optional(string, "")
+    name                   = optional(string, null)
     recovery_window        = optional(number, 30)
     start_value            = optional(string, "{}")
   }))
