Provides a resource to manage AWS Secrets Manager secret metadata. To manage secret rotation, see the `aws_secretsmanager_secret_rotation` resource. To manage a secret value, see the `aws_secretsmanager_secret_version` resource.

```hcl
resource "aws_secretsmanager_secret" "example" {
  name = "example"
}
```
This resource supports the following arguments:

- `description` - (Optional) Description of the secret.
- `kms_key_id` - (Optional) ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you need to reference a CMK in a different account, you can use only the key ARN. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named `aws/secretsmanager`). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
- `name_prefix` - (Optional) Creates a unique name beginning with the specified prefix. Conflicts with `name`.
- `name` - (Optional) Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: `/_+=.@-`. Conflicts with `name_prefix`.
- `policy` - (Optional) Valid JSON document representing a resource policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. Removing `policy` from your configuration or setting `policy` to null or an empty string (i.e., `policy = ""`) _will not_ delete the policy since it could have been set by `aws_secretsmanager_secret_policy`. To delete the `policy`, set it to `"{}"` (an empty JSON document).
- `recovery_window_in_days` - (Optional) Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be `0` to force deletion without recovery or range from `7` to `30` days. The default value is `30`.
- `replica` - (Optional) Configuration block to support secret replication. See details below.
- `force_overwrite_replica_secret` - (Optional) Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
- `tags` - (Optional) Key-value map of user-defined tags that are attached to the secret. If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level.

The `replica` configuration block supports the following arguments:

- `kms_key_id` - (Optional) ARN, Key ID, or Alias of the AWS KMS key within the region the secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (`aws/secretsmanager`) in the region or creates one for use if non-existent.
- `region` - (Required) Region for replicating the secret.

This resource exports the following attributes in addition to the arguments above:
- `id` - ARN of the secret.
- `arn` - ARN of the secret.
- `replica` - Attributes of a replica are described below.
- `tags_all` - Map of tags assigned to the resource, including those inherited from the provider `default_tags` configuration block.

The `replica` block exports the following attributes:

- `last_accessed_date` - Date that you last accessed the secret in the Region.
- `status` - Status can be `InProgress`, `Failed`, or `InSync`.
- `status_message` - Message such as `Replication succeeded` or `Secret with this name already exists in this region`.

In Terraform v1.5.0 and later, use an `import` block to import `aws_secretsmanager_secret` using the secret Amazon Resource Name (ARN). For example:

```hcl
import {
  to = aws_secretsmanager_secret.example
  id = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456"
}
```

Using `terraform import`, import `aws_secretsmanager_secret` using the secret Amazon Resource Name (ARN). For example:

```console
% terraform import aws_secretsmanager_secret.example arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456
```
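Putting the arguments above together, here is an added example (not part of the provider documentation) that keeps secret values under a customer-managed KMS key rather than the account default, attaches an explicit read-only resource policy, keeps a non-zero recovery window, and replicates to a second Region. The account ID, role name and replica key alias are placeholders.

```hcl
# Added example, not from the provider docs; ARNs and aliases are placeholders.

# Customer-managed key: access to the ciphertext is then governed by a key
# policy you control, not by the account-wide aws/secretsmanager key.
resource "aws_kms_key" "secrets" {
  description         = "CMK for Secrets Manager secrets"
  enable_key_rotation = true
}

# Resource policy granting only the application role the right to read the
# value. It is additive to identity policies and grants nothing else.
data "aws_iam_policy_document" "secret_read" {
  statement {
    sid       = "AllowAppRoleRead"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:role/app-role"] # placeholder
    }
  }
}

resource "aws_secretsmanager_secret" "db_password" {
  name_prefix = "prod/db-password-" # unique name; cannot be combined with name
  description = "Primary database password (metadata only; value set elsewhere)"
  kms_key_id  = aws_kms_key.secrets.arn

  # To detach this policy later, set it to "{}", not to null or "".
  policy = data.aws_iam_policy_document.secret_read.json

  # 0 would delete with no recovery; a 7-30 day window lets an accidental
  # destroy be restored.
  recovery_window_in_days = 14

  # Do not clobber an existing replica of the same name in the target Region.
  force_overwrite_replica_secret = false

  replica {
    region     = "us-west-2"
    kms_key_id = "alias/secretsmanager-replica" # placeholder alias in us-west-2
  }

  tags = {
    Environment = "prod"
  }
}
```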