Creates an AWS Secrets Manager secret containing a Sentry DSN for submitting errors and events to a Sentry project.
A secret containing a Sentry auth token must be provided. Once active, the secret will automatically rotate credentials every 30 days. In order to avoid gaps between rotating the secret and restarting applications, two client keys will be maintained. Whenever the secret is rotated, the oldest will be deleted and a new DSN will be set.
Example:

```hcl
module "sentry_dsn" {
  source = "github.com/thoughtbot/terraform-aws-sentry-dsn?ref=v0.3.0"

  name              = "example-staging"
  organization_slug = "organization"
  project_slug      = "example"
  subnet_ids        = module.network_data.private_subnet_ids
  vpc_id            = module.network_data.vpc.id

  # You can provide the ARN (auth_token_secret_arn) or the name
  # (auth_token_secret_name) of a secret containing an auth token. If not
  # provided, it will look for a secret named ORGANIZATION-PROJECT-NAME-sentry
  auth_token_secret_name = "my-secret"
}
```
The recommended approach to generating an auth token is to create an internal integration for Sentry. In order to manage auth tokens, you will need the following scopes:

- `project:read`
- `project:write`
- `project:admin`

After creating the integration, copy the auth token and save it in a Secrets Manager secret.
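The following is an added example, not part of the module's README, showing how the prerequisite auth token secret can be created in Terraform so that it matches the module's defaults (`alias/sentry-auth-token`, secret name `sentry-auth-token`, JSON key `SENTRY_AUTH_TOKEN`) and therefore needs no `auth_token_*` inputs on the module call. The variable name `sentry_auth_token` and the `module.network_data` references are assumptions.

```hcl
# Added example: auth token secret laid out to match the module's default
# lookups. Nothing here is the module's own code.

variable "sentry_auth_token" {
  description = "Auth token copied from the Sentry internal integration"
  type        = string
  sensitive   = true
}

# Customer-managed KMS key; the module resolves it through the default
# auth_token_kms_key_id value "alias/sentry-auth-token"
resource "aws_kms_key" "sentry_auth_token" {
  description         = "Encrypts the Sentry auth token secret"
  enable_key_rotation = true
}

resource "aws_kms_alias" "sentry_auth_token" {
  name          = "alias/sentry-auth-token"
  target_key_id = aws_kms_key.sentry_auth_token.key_id
}

# Secret name matches the default auth_token_secret_name
resource "aws_secretsmanager_secret" "sentry_auth_token" {
  name       = "sentry-auth-token"
  kms_key_id = aws_kms_key.sentry_auth_token.arn
}

# The token is stored under the key the module reads by default
# (auth_token_secret_key = "SENTRY_AUTH_TOKEN")
resource "aws_secretsmanager_secret_version" "sentry_auth_token" {
  secret_id = aws_secretsmanager_secret.sentry_auth_token.id
  secret_string = jsonencode({
    SENTRY_AUTH_TOKEN = var.sentry_auth_token
  })
}

module "sentry_dsn" {
  source = "github.com/thoughtbot/terraform-aws-sentry-dsn?ref=v0.3.0"

  name              = "example-staging"
  organization_slug = "organization"
  project_slug      = "example"
  subnet_ids        = module.network_data.private_subnet_ids # assumed
  vpc_id            = module.network_data.vpc.id             # assumed

  # The module reads the auth token through a data source, so make sure the
  # secret version exists before the module is evaluated
  depends_on = [aws_secretsmanager_secret_version.sentry_auth_token]
}
```

Because the token is passed through a Terraform variable, its value is written to the state file; the `sensitive` flag only redacts plan and apply output, so the state backend itself must be treated as holding the credential.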
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.14.0 |
| aws | ~> 5.0 |

## Providers

| Name | Version |
|---|---|
| aws | ~> 5.0 |

## Modules

| Name | Source | Version |
|---|---|---|
| rotation | github.com/thoughtbot/terraform-aws-secrets//secret-rotation-function | v0.8.0 |
| secret | github.com/thoughtbot/terraform-aws-secrets//secret | v0.8.0 |

## Resources

| Name | Type |
|---|---|
| aws_iam_policy.access_auth_token | resource |
| aws_iam_role_policy_attachment.access_auth_token | resource |
| aws_security_group.function | resource |
| aws_security_group_rule.function_egress | resource |
| aws_iam_policy_document.access_auth_token | data source |
| aws_kms_key.auth_token | data source |
| aws_secretsmanager_secret.auth_token | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| admin_principals | Principals allowed to perform admin actions (default: current account) | list(string) | null | no |
| auth_token_kms_key_id | ID of the KMS key used to encrypt the auth token | string | "alias/sentry-auth-token" | no |
| auth_token_secret_arn | ARN of a SecretsManager secret containing a Sentry auth token | string | null | no |
| auth_token_secret_key | Key within the secret at which the auth token can be accessed | string | "SENTRY_AUTH_TOKEN" | no |
| auth_token_secret_name | Name of a SecretsManager secret containing a Sentry auth token | string | "sentry-auth-token" | no |
| name | Name for the Sentry client key | string | n/a | yes |
| organization_slug | Slug for the Sentry organization in which the project exists | string | n/a | yes |
| project_slug | Slug for the Sentry project for which a key should be created | string | n/a | yes |
| read_principals | Principals allowed to read the secret (default: current account) | list(string) | null | no |
| subnet_ids | Subnets in which the rotation function should run | list(string) | n/a | yes |
| tags | Tags which should be applied to created resources | map(string) | {} | no |
| trust_tags | Tags required on principals accessing the secret | map(string) | {} | no |
| vpc_id | VPC in which the rotation function should run | string | n/a | yes |
## Outputs

| Name | Description |
|---|---|
| policy_json | Required IAM policies |
| secret_arn | ARN of the secrets manager secret containing credentials |
| secret_name | Name of the secrets manager secret containing credentials |
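The following added example, which is not part of the module's README, shows how the `read_principals` and `trust_tags` inputs combine with the `policy_json` and `secret_name` outputs to give one application role, and only that role, read access to the rotated DSN secret. The role name, the `Service = "example"` tag, the ECS trust policy and the `module.network_data` references are assumptions.

```hcl
# Added example: least-privilege consumer of the DSN secret. Not the
# module's own code; names and tag values are assumed.

data "aws_iam_policy_document" "app_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"] # assumed workload type
    }
  }
}

resource "aws_iam_role" "app" {
  name               = "example-staging-app"
  assume_role_policy = data.aws_iam_policy_document.app_assume.json

  # The secret's resource policy requires these tags on any principal that
  # reads it (see trust_tags below), so an untagged role in read_principals
  # is still denied
  tags = {
    Service = "example"
  }
}

module "sentry_dsn" {
  source = "github.com/thoughtbot/terraform-aws-sentry-dsn?ref=v0.3.0"

  name              = "example-staging"
  organization_slug = "organization"
  project_slug      = "example"
  subnet_ids        = module.network_data.private_subnet_ids # assumed
  vpc_id            = module.network_data.vpc.id             # assumed

  # Narrow the secret's resource policy from the whole account to this role
  read_principals = [aws_iam_role.app.arn]
  trust_tags = {
    Service = "example"
  }
}

# policy_json already carries the Secrets Manager and KMS permissions the
# module requires for reading, so attach it unchanged instead of hand-writing
# a broader policy
resource "aws_iam_role_policy" "sentry_dsn" {
  name   = "sentry-dsn"
  role   = aws_iam_role.app.id
  policy = module.sentry_dsn.policy_json
}

# Hand the secret name to the application and let it fetch the DSN at
# startup. Because the module keeps two client keys, a process that read the
# previous DSN keeps working until it restarts and picks up the newest one.
output "sentry_dsn_secret_name" {
  value = module.sentry_dsn.secret_name
}
```

Reading the secret at process start (rather than baking the DSN into an image or task definition) is what makes the 30-day rotation seamless: each restart picks up the current DSN, and the retained second key covers any instance that has not restarted yet.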