Provides a resource to manage an AWS Secrets Manager secret version, including its secret value. To manage secret metadata (name, KMS key, rotation, policy), see the aws_secretsmanager_secret resource. Note that the secret value (secret_string or secret_binary) is written to Terraform state in plaintext, so the state backend must be access-controlled and encrypted accordingly.
resource "aws_secretsmanager_secret_version" "example" {
  secret_id     = aws_secretsmanager_secret.example.id
  secret_string = "example-string-to-protect"
}
Secrets Manager also accepts key-value pairs encoded as JSON:

# The map here can come from other supported configurations
# like locals, resource attributes, the map() built-in, etc.
variable "example" {
  default = {
    key1 = "value1"
    key2 = "value2"
  }
  type = map(string)
}

resource "aws_secretsmanager_secret_version" "example" {
  secret_id     = aws_secretsmanager_secret.example.id
  secret_string = jsonencode(var.example)
}
Reading key-value pairs from JSON back into a native Terraform map can be accomplished in Terraform 0.12 and later with the jsondecode() function:

output "example" {
  value = jsondecode(aws_secretsmanager_secret_version.example.secret_string)["key1"]
}
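The literal in the first example is the simplest case, but pasting a secret into HCL puts it in version control as well as in state. The following added example (not from the original page) generates the credential in Terraform with the hashicorp/random provider, stores a JSON map as above, and reads a key back with jsondecode(). The secret name, username, host and port are assumed values.

```hcl
terraform {
  required_providers {
    aws    = { source = "hashicorp/aws" }
    random = { source = "hashicorp/random" }
  }
}

variable "db_username" {
  type    = string
  default = "app_rw" # assumed
}

# Generate the password instead of writing a literal into HCL.
# The result is still persisted in Terraform state, so protect the backend.
resource "random_password" "db" {
  length           = 32
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

resource "aws_secretsmanager_secret" "db" {
  name = "example/db-credentials" # assumed name
}

resource "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret.db.id
  secret_string = jsonencode({
    username = var.db_username
    password = random_password.db.result
    engine   = "postgres"
    host     = "db.internal.example" # assumed
    port     = 5432
  })

  # If a rotation function or an operator later writes new versions,
  # do not let Terraform revert the secret to the originally generated value.
  lifecycle {
    ignore_changes = [secret_string]
  }
}

# jsondecode() of a sensitive value is itself sensitive; the output must be
# declared sensitive or `terraform plan` refuses to expose it.
output "db_username" {
  value     = jsondecode(aws_secretsmanager_secret_version.db.secret_string)["username"]
  sensitive = true
}
```

The lifecycle block is the piece practitioners most often forget: without it, the next apply after a rotation would silently roll the secret back to the value Terraform last knew.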
This resource supports the following arguments:

- secret_id - (Required) Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.
- secret_string - (Optional) Specifies text data that you want to encrypt and store in this version of the secret. Required if secret_binary is not set.
- secret_binary - (Optional) Specifies binary data that you want to encrypt and store in this version of the secret. Required if secret_string is not set. Must be base64-encoded.
- version_stages - (Optional) Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that is already associated with a different version of the same secret, that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, AWS Secrets Manager automatically moves the staging label AWSCURRENT to this new version on creation.

This resource exports the following attributes in addition to the arguments above:

- arn - The ARN of the secret.
- id - A pipe-delimited combination of secret ID and version ID.
- version_id - The unique identifier of the version of the secret.

In Terraform v1.5.0 and later, use an import
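The arguments above are easiest to see together. This added example (not part of the original page) stores a binary artifact with secret_binary, references the secret by ARN, attaches a custom staging label alongside AWSCURRENT, and exposes the exported attributes. The variable name, secret name and label are assumptions.

```hcl
variable "keystore_path" {
  description = "Local path to the binary keystore to store (assumed; keep the file out of version control)."
  type        = string
}

resource "aws_secretsmanager_secret" "keystore" {
  name = "example/service-keystore" # assumed name
}

resource "aws_secretsmanager_secret_version" "keystore" {
  # secret_id accepts the ARN as well as the friendly name.
  secret_id = aws_secretsmanager_secret.keystore.arn

  # secret_binary must be base64; filebase64() reads and encodes arbitrary
  # bytes in one step, avoiding the UTF-8 round trip that file() would impose.
  secret_binary = filebase64(var.keystore_path)

  # AWSCURRENT would be attached automatically. The extra label lets a
  # consumer pin this exact version via the VersionStage parameter of
  # GetSecretValue; a label is only ever on one version at a time.
  version_stages = ["AWSCURRENT", "keystore-v1"]
}

output "keystore_version_id" {
  value = aws_secretsmanager_secret_version.keystore.version_id
}

output "keystore_import_id" {
  # The same "<secret id>|<version id>" form that terraform import expects.
  value = aws_secretsmanager_secret_version.keystore.id
}
```

Setting version_stages explicitly has a cost: when something outside Terraform (for example rotation) moves AWSCURRENT to a newer version, the next plan shows a diff on this resource, so only pin labels on versions that Terraform is meant to own.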
block to import aws_secretsmanager_secret_version using the secret ID and version ID, joined by a pipe. For example:

import {
  to = aws_secretsmanager_secret_version.example
  id = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456|xxxxx-xxxxxxx-xxxxxxx-xxxxx"
}

Using terraform import, import aws_secretsmanager_secret_version using the secret ID and version ID. For example:

% terraform import aws_secretsmanager_secret_version.example 'arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456|xxxxx-xxxxxxx-xxxxxxx-xxxxx'