From cc779851bfacf261776fc3edc7a931075dbd35b1 Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 31 Mar 2026 14:35:33 -0400 Subject: [PATCH 1/3] add secretsmanager --- .../naming-tagging-standard/naming/README.md | 6 +- .../naming/secretsmanager.md | 95 +++++++++++++++++++ 2 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 aws/documentation/naming-tagging-standard/naming/secretsmanager.md diff --git a/aws/documentation/naming-tagging-standard/naming/README.md b/aws/documentation/naming-tagging-standard/naming/README.md index 0eba6a1d..67c1ae46 100644 --- a/aws/documentation/naming-tagging-standard/naming/README.md +++ b/aws/documentation/naming-tagging-standard/naming/README.md @@ -2,12 +2,13 @@ * Host Naming (in need of some modernization) * [TCO Wiki](https://wiki.apps.tco.census.gov/index.php/Networking#Host_Naming) -* [S3](s3.md) * [IAM](iam.md) * [IAM Users](iam.md#iam-users) * [IAM Groups](iam.md#iam-groups) * [IAM Roles](iam.md#iam-roles) * [IAM Policies](iam.md#iam-policies) +* [S3](s3.md) +* [SecretsManager](secretsmanager.md) # CHANGELOG @@ -16,3 +17,6 @@ - 1.0.1 -- 2025-03-04 - add host naming + +- 1.0.2 -- 2026-03-31 + - add secretsmanager diff --git a/aws/documentation/naming-tagging-standard/naming/secretsmanager.md b/aws/documentation/naming-tagging-standard/naming/secretsmanager.md new file mode 100644 index 00000000..57577521 --- /dev/null +++ b/aws/documentation/naming-tagging-standard/naming/secretsmanager.md 
@@ -0,0 +1,95 @@ +# NTS | SecretsManager + +This document comes primariliy from [Organization Shared Secrets and Parameters] +(https://github.e.it.census.gov/terraform/cloud-information/tree/master/aws/documentation/organizations/shared-secrets-parameters). + +It describe the formats of the SecretsManager Secret name. + +# Naming + +The secretsmanager secret naming will follow this structure. Note by default, we choose not to include the region name in the secret (or SSM +paramater) name. This simplifies the use where the region is not specified. If a secret needs to represent multiple region details (i.e., +data for multiple regions in a secret available to multiple regions), it is recommended to include that within the JSON object of the +secret. However, the region may be used within the name if a use case can be argued where it is necessary. + +## Naming: Enterprise Use + +For deployment to all accounts, defined from the organziation management account, or from the service account within the +core accounts. These are approved for user by the cloud architect before implementation. They will be listed [here](#secrets--enterprise) +as well as documented under [secrets](secrets/). 
+ +Format: /enterprise/{category}/{purpose}/[{region}/]{item} + +* segments will be all in lowercase, consist of the set including letters, digits, and underscore (a-z, 0-9, _) +* {category} + * broad collection of what the secrets apply towards + * examples include: + * terraform: used to distribute settings for Terraform use, though not exclusively +* {purpose} + * more specific smaller collection by which to bundle the secret + * examples include: + * providers: used with _category_ = `terraform` to identify a set of secrets used for Terraform providers +* {region} + * optional, corresponds to the canonical region name + * use of this structure should be rare and generally unneccessary + * examples include: + * us-east-1 + * us-gov-west-1 +* {item} + * specific item for which this secret is used + +## Naming: Local Use + +This is not intended to be usable across all accounts, only within the account where it is defined. With such a secret, access to the +organziation (or other OUs) will not be enabled. This _may_ be used to override an **Enterprise** secret (logic to be defined by the user, but +somethign like "look for /local/X by name, if not found, use /enterprise/X"). + +Format: /local/{category}/{purpose}/[{region}/]{item} + +The same format rules apply as for `/enterprise` above. + +## Naming: Application Specific Use + +This is how application areas will construct SecretsManager secret names. +It uses components of the base label format, and includes the organization or program, project, and environment. + +Format: /app/{organization_program}/{project}/[{environment}/][{region}/]{item} + +The same format rules apply as for `/enterprise` above for the relevant field names. 
+ +* {organization_program} + * the organziation abbreviate or the program name + * examples include: + * adsd (organization) + * ditd (organization) + * dice (program) + * edl (program) +* {project} + * the project under the _organization_program_, specific to the org/program + * examples include: + * mojo, centurion (for dice) + * dapps chec (for adsd) +* {environment} + * optional, if per-environment separation is needed (for a secret, it probably is) + * if defined, one of the defined environments: + * common + * services + * shared + * dev + * test + * ite + * qa + * uat + * stage + * prod + +# Links + +* [Base Label Format](../README.md#base-label-format) + +# CHANGELOG + +- 1.0.0 -- 2026-03-31 + - initial + + From 999456e08f625a01ae8f16c544f65685fc09c5bf Mon Sep 17 00:00:00 2001 From: badra001 Date: Tue, 31 Mar 2026 14:36:21 -0400 Subject: [PATCH 2/3] fix --- .../naming-tagging-standard/naming/secretsmanager.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/aws/documentation/naming-tagging-standard/naming/secretsmanager.md b/aws/documentation/naming-tagging-standard/naming/secretsmanager.md index 57577521..eded14f6 100644 --- a/aws/documentation/naming-tagging-standard/naming/secretsmanager.md +++ b/aws/documentation/naming-tagging-standard/naming/secretsmanager.md @@ -1,7 +1,6 @@ # NTS | SecretsManager -This document comes primariliy from [Organization Shared Secrets and Parameters] -(https://github.e.it.census.gov/terraform/cloud-information/tree/master/aws/documentation/organizations/shared-secrets-parameters). +This document comes primarily from [Organization Shared Secrets and Parameters](https://github.e.it.census.gov/terraform/cloud-information/tree/master/aws/documentation/organizations/shared-secrets-parameters). It describe the formats of the SecretsManager Secret name. From 6a7091cd1c3dad35c39708dfbfe5b506e2f72ed5 Mon Sep 17 00:00:00 2001 
From: badra001 Date: Tue, 31 Mar 2026 14:36:58 -0400 Subject: [PATCH 3/3] update --- .../naming-tagging-standard/naming/secretsmanager.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/aws/documentation/naming-tagging-standard/naming/secretsmanager.md b/aws/documentation/naming-tagging-standard/naming/secretsmanager.md index eded14f6..a15b57fd 100644 --- a/aws/documentation/naming-tagging-standard/naming/secretsmanager.md +++ b/aws/documentation/naming-tagging-standard/naming/secretsmanager.md @@ -17,7 +17,7 @@ For deployment to all accounts, defined from the organziation management account core accounts. These are approved for user by the cloud architect before implementation. They will be listed [here](#secrets--enterprise) as well as documented under [secrets](secrets/). -Format: /enterprise/{category}/{purpose}/[{region}/]{item} +Format: `/enterprise/{category}/{purpose}/[{region}/]{item}` * segments will be all in lowercase, consist of the set including letters, digits, and underscore (a-z, 0-9, _) * {category} @@ -43,7 +43,7 @@ This is not intended to be usable across all accounts, only within the account w organziation (or other OUs) will not be enabled. This _may_ be used to override an **Enterprise** secret (logic to be defined by the user, but somethign like "look for /local/X by name, if not found, use /enterprise/X"). -Format: /local/{category}/{purpose}/[{region}/]{item} +Format: `/local/{category}/{purpose}/[{region}/]{item}` The same format rules apply as for `/enterprise` above. 
@@ -52,7 +52,7 @@ The same format rules apply as for `/enterprise` above. This is how application areas will construct SecretsManager secret names. It uses components of the base label format, and includes the organization or program, project, and environment. -Format: /app/{organization_program}/{project}/[{environment}/][{region}/]{item} +Format: `/app/{organization_program}/{project}/[{environment}/][{region}/]{item}` The same format rules apply as for `/enterprise` above for the relevant field names.
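Review bot: In the `secretsmanager.md` new-file hunk (patch 1/3, `@@ -0,0 +1,95 @@`), the segment rule "segments will be all in lowercase, consist of the set including letters, digits, and underscore (a-z, 0-9, _)" is contradicted two bullets later by the `{region}` examples `us-east-1` and `us-gov-west-1`, which contain hyphens. Either add `-` to the allowed set (AWS Secrets Manager itself permits `/_+=.@-` in secret names) or state that the region segment is exempt because it must match the canonical region name. Same hunk, the **Local Use** override logic, "look for /local/X by name, if not found, use /enterprise/X", has a security consequence the document should spell out: any principal allowed to call `CreateSecret` under `/local/` in an account can shadow an enterprise secret for every consumer that implements that fallback, so the standard should say who may create `/local/*` secrets and that creation under `/enterprise/*` is restricted to the organization management or core service account (an IAM or SCP condition on the secret ARN prefix is the natural place). Under **Application Specific Use**, `{environment}` is marked optional while the text admits "for a secret, it probably is" needed; consider making it required for `/app/` so one secret cannot silently serve `dev` and `prod`. Two links in this hunk do not resolve within the patch: `[here](#secrets--enterprise)` has no matching heading in the file, and `[secrets](secrets/)` points at a directory the series does not add. Finally, `dapps chec (for adsd)` reads like a missing comma between two project names, `abbreviate` should be `abbreviation`, `It describe` should be `It describes`, and `approved for user by` should be `approved for use by`.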
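Review bot: Patch 2/3 (`@@ -1,7 +1,6 @@` in `secretsmanager.md`) repairs the broken link and `primariliy` but leaves the other spelling errors introduced in patch 1 untouched: `organziation` (three occurrences: "the organziation management account", "access to the organziation (or other OUs)", "the organziation abbreviate"), `paramater`, `unneccessary`, and `somethign`. Since this commit is titled "fix" and touches only the typo line, it would be cleaner to fold the remaining corrections into it rather than ship the file with them.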
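Review bot: Patch 3/3 (the three `Format:` hunks at `@@ -17,7 +17,7 @@`, `@@ -43,7 +43,7 @@` and `@@ -52,7 +52,7 @@`) only wraps the three path templates in backticks, which is the right rendering fix, but together with patch 2 it corrects a file that patch 1 of the same series introduces. The commit subjects "fix" and "update" carry no information for `git log`; squash both into "add secretsmanager" so the file lands once in its corrected form, or give each follow-up a subject that names what changed (for example "secretsmanager: fix link and code-format path templates").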