A Secret is a logical secret whose value and versions can be accessed.
To get more information about Secret, see:
```hcl
resource "google_secret_manager_secret" "secret-basic" {
  secret_id = "secret"

  labels = {
    label = "my-label"
  }

  replication {
    user_managed {
      replicas {
        location = "us-central1"
      }
      replicas {
        location = "us-east1"
      }
    }
  }
}
```
```hcl
resource "google_secret_manager_secret" "secret-with-annotations" {
  secret_id = "secret"

  labels = {
    label = "my-label"
  }

  annotations = {
    key1 = "someval"
    key2 = "someval2"
    key3 = "someval3"
    key4 = "someval4"
    key5 = "someval5"
  }

  replication {
    auto {}
  }
}
```
```hcl
resource "google_secret_manager_secret" "secret-with-version-destroy-ttl" {
  secret_id           = "secret"
  version_destroy_ttl = "2592000s"

  replication {
    auto {}
  }
}
```
```hcl
data "google_project" "project" {}

resource "google_kms_crypto_key_iam_member" "kms-secret-binding" {
  crypto_key_id = "kms-key"
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
}

resource "google_secret_manager_secret" "secret-with-automatic-cmek" {
  secret_id = "secret"

  replication {
    auto {
      customer_managed_encryption {
        kms_key_name = "kms-key"
      }
    }
  }

  depends_on = [google_kms_crypto_key_iam_member.kms-secret-binding]
}
```
The following arguments are supported:

- `replication` - (Required) The replication policy of the secret data attached to the Secret. It cannot be changed after the Secret has been created. Structure is documented below.
- `secret_id` - (Required) This must be unique within the project.
The `replication` block supports:

- `auto` - (Optional) The Secret will automatically be replicated without any restrictions. Structure is documented below.
- `user_managed` - (Optional) The Secret will be replicated to the regions specified by the user. Structure is documented below.
The `auto` block supports:

- `customer_managed_encryption` - (Optional) The customer-managed encryption configuration of the Secret. If no configuration is provided, Google-managed default encryption is used. Structure is documented below.

The `customer_managed_encryption` block supports:

- `kms_key_name` - (Required) The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.

The `user_managed` block supports:

- `replicas` - (Required) The list of Replicas for this Secret. Cannot be empty. Structure is documented below.

The `replicas` block supports:

- `location` - (Required) The canonical ID of the location to replicate data to. For example: "us-east1".
- `customer_managed_encryption` - (Optional) Customer-managed encryption for the secret. Structure is documented below.

The `customer_managed_encryption` block supports:

- `kms_key_name` - (Required) Describes the Cloud KMS encryption key that will be used to protect the destination secret.

- `labels` - (Optional) The labels assigned to this Secret.
  Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: `[\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}`
  Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`
  No more than 64 labels can be assigned to a given resource.
  An object containing a list of "key": value pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
  Note: This field is non-authoritative, and will only manage the labels present in your configuration. Please refer to the field `effective_labels` for all of the labels present on the resource.
- `annotations` - (Optional) Custom metadata about the secret.
  Annotations are distinct from various forms of labels. Annotations exist to allow client tools to store their own state information without requiring a database.
  Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, begin and end with an alphanumeric character (`[a-z0-9A-Z]`), and may have dashes (`-`), underscores (`_`), dots (`.`), and alphanumerics in between these symbols.
  The total size of annotation keys and values must be less than 16KiB.
  An object containing a list of "key": value pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
  Note: This field is non-authoritative, and will only manage the annotations present in your configuration. Please refer to the field `effective_annotations` for all of the annotations present on the resource.
- `version_aliases` - (Optional) Mapping from version alias to version name.
  A version alias is a string with a maximum length of 63 characters and can contain uppercase and lowercase letters, numerals, and the hyphen (`-`) and underscore (`_`) characters. An alias string must start with a letter and cannot be the string `latest` or `NEW`. No more than 50 aliases can be assigned to a given secret.
  An object containing a list of "key": value pairs. Example: `{ "name": "wrench", "mass": "1.3kg", "count": "3" }`.
- `version_destroy_ttl` - (Optional) Secret Version TTL after a destruction request.
  This is part of the delayed-delete feature on Secret Versions. For a secret with `versionDestroyTtl` > 0, version destruction does not happen immediately when destroy is called; instead the version goes to a disabled state, and the actual destruction happens after this TTL expires.
- `topics` - (Optional) A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions. Structure is documented below.
- `expire_time` - (Optional) Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input.
  A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
  Only one of `expire_time` or `ttl` can be provided.
- `ttl` - (Optional) The TTL for the Secret.
  A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
  Only one of `ttl` or `expire_time` can be provided.
- `rotation` - (Optional) The rotation time and period for a Secret. At `next_rotation_time`, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. `topics` must be set to configure rotation. Structure is documented below.
- `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
The `topics` block supports:

- `name` - (Required) The resource name of the Pub/Sub topic that will be published to, in the following format: projects//topics/.
  For publication to succeed, the Secret Manager Service Agent service account must have `pubsub.publisher` permissions on the topic.

The `rotation` block supports:

- `next_rotation_time` - (Optional) Timestamp in UTC at which the Secret is scheduled to rotate.
  A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
- `rotation_period` - (Optional) The duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years).
  If `rotationPeriod` is set, `next_rotation_time` must be set. `next_rotation_time` will be advanced by this period when the service automatically sends rotation notifications.
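Rotation is documented above but not shown in the page's examples. As an added example, not taken from the provider's documentation, the configuration below wires a secret to a Pub/Sub topic, grants the Secret Manager service agent the `roles/pubsub.publisher` role the `topics` description requires, and sets a 30-day rotation period together with a delayed-destroy window. The topic name, `secret_id` and `next_rotation_time` are placeholders.

```hcl
data "google_project" "project" {}

# Topic that receives rotation and other control-plane notifications (placeholder name).
resource "google_pubsub_topic" "secret_events" {
  name = "secret-events"
}

# Without this grant the service agent cannot publish and rotation
# notifications never reach the topic.
resource "google_pubsub_topic_iam_member" "secret_manager_publisher" {
  topic  = google_pubsub_topic.secret_events.name
  role   = "roles/pubsub.publisher"
  member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
}

resource "google_secret_manager_secret" "rotated" {
  secret_id = "rotated-secret" # placeholder

  replication {
    auto {}
  }

  # A destroyed version stays disabled for 7 days before the payload is
  # actually deleted, giving a window to recover from an unintended destroy.
  version_destroy_ttl = "604800s"

  # The topic id has the projects/.../topics/... form the name argument expects.
  topics {
    name = google_pubsub_topic.secret_events.id
  }

  rotation {
    # Placeholder; set to a timestamp in the future when you apply.
    next_rotation_time = "2030-01-01T00:00:00Z"
    # 30 days; the documented bounds are 3600s (1h) to 3153600000s (100 years).
    rotation_period = "2592000s"
  }

  # Ensure the publisher binding exists before the first notification is due.
  depends_on = [google_pubsub_topic_iam_member.secret_manager_publisher]
}
```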
In addition to the arguments listed above, the following computed attributes are exported:

- `id` - An identifier for the resource with format `projects/{{project}}/secrets/{{secret_id}}`
- `name` - The resource name of the Secret. Format: `projects/{{project}}/secrets/{{secret_id}}`
- `create_time` - The time at which the Secret was created.
- `terraform_labels` - The combination of labels configured directly on the resource and default labels configured on the provider.
- `effective_labels` - All labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
- `effective_annotations` - All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
This resource provides the following Timeouts configuration options:

- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.

Secret can be imported using any of these accepted formats:
- `projects/{{project}}/secrets/{{secret_id}}`
- `{{project}}/{{secret_id}}`
- `{{secret_id}}`

In Terraform v1.5.0 and later, use an `import` block to import Secret using one of the formats above. For example:

```hcl
import {
  id = "projects/{{project}}/secrets/{{secret_id}}"
  to = google_secret_manager_secret.default
}
```

When using the `terraform import` command, Secret can be imported using one of the formats above. For example:

```
$ terraform import google_secret_manager_secret.default projects/{{project}}/secrets/{{secret_id}}
$ terraform import google_secret_manager_secret.default {{project}}/{{secret_id}}
$ terraform import google_secret_manager_secret.default {{secret_id}}
```
This resource supports User Project Overrides.