google_secret_manager_secret

A Secret is a logical secret whose value and versions can be accessed.

To get more information about Secret, see:

Example Usage - Secret Config Basic

resource "google_secret_manager_secret" "secret-basic" {
  secret_id = "secret"

  labels = {
    label = "my-label"
  }

  replication {
    user_managed {
      replicas {
        location = "us-central1"
      }
      replicas {
        location = "us-east1"
      }
    }
  }
}

Example Usage - Secret With Annotations

resource "google_secret_manager_secret" "secret-with-annotations" {
  secret_id = "secret"

  labels = {
    label = "my-label"
  }

  annotations = {
    key1 = "someval"
    key2 = "someval2"
    key3 = "someval3"
    key4 = "someval4"
    key5 = "someval5"
  }

  replication {
    auto {}
  }
}

Example Usage - Secret With Version Destroy Ttl

resource "google_secret_manager_secret" "secret-with-version-destroy-ttl" {
  secret_id = "secret"

  version_destroy_ttl = "2592000s"

  replication {
    auto {}
  }
}

Example Usage - Secret With Automatic Cmek

data "google_project" "project" {}

resource "google_kms_crypto_key_iam_member" "kms-secret-binding" {
  crypto_key_id = "kms-key"
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
}

resource "google_secret_manager_secret" "secret-with-automatic-cmek" {
  secret_id = "secret"

  replication {
    auto {
      customer_managed_encryption {
        kms_key_name = "kms-key"
      }
    }
  }

  depends_on = [ google_kms_crypto_key_iam_member.kms-secret-binding ]
}
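
The examples above apply CMEK only to automatic replication. The following added example (not part of the provider documentation) combines user_managed replication with a customer_managed_encryption block on each replica and grants the Secret Manager service agent access to every key. The variable replica_kms_keys and the resource names are assumptions; Secret Manager requires each replica's key to live in the same location as that replica.

```hcl
# Added example. var.replica_kms_keys is a hypothetical input: a map of
# replica location => full KMS key name in that same location, e.g.
#   "us-central1" = "projects/PROJECT/locations/us-central1/keyRings/RING/cryptoKeys/KEY"
variable "replica_kms_keys" {
  type = map(string)
}

data "google_project" "project" {}

# The Secret Manager service agent needs encrypt/decrypt on every replica key,
# otherwise writes to that replica fail.
resource "google_kms_crypto_key_iam_member" "replica-key-binding" {
  for_each      = var.replica_kms_keys
  crypto_key_id = each.value
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
}

resource "google_secret_manager_secret" "secret-with-user-managed-cmek" {
  secret_id = "secret"

  # Same delayed-destroy window as the version_destroy_ttl example above.
  version_destroy_ttl = "2592000s"

  replication {
    user_managed {
      # One replicas block per map entry, each encrypted with its own regional key.
      dynamic "replicas" {
        for_each = var.replica_kms_keys
        content {
          location = replicas.key
          customer_managed_encryption {
            kms_key_name = replicas.value
          }
        }
      }
    }
  }

  # Create the IAM bindings first so the secret can use the keys immediately.
  depends_on = [google_kms_crypto_key_iam_member.replica-key-binding]
}
```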

Argument Reference

The following arguments are supported:

The replication block supports:

The auto block supports:

The customer_managed_encryption block supports:

The user_managed block supports:

The replicas block supports:

The customer_managed_encryption block supports:


The topics block supports:

The rotation block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

Secret can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import Secret using one of the formats above. For example:

import {
  id = "projects/{{project}}/secrets/{{secret_id}}"
  to = google_secret_manager_secret.default
}

When using the terraform import command, Secret can be imported using one of the formats above. For example:

$ terraform import google_secret_manager_secret.default projects/{{project}}/secrets/{{secret_id}}
$ terraform import google_secret_manager_secret.default {{project}}/{{secret_id}}
$ terraform import google_secret_manager_secret.default {{secret_id}}

User Project Overrides

This resource supports User Project Overrides.