Provides a resource to manage the resource-based policy attached to an AWS Secrets Manager secret. The policy is attached with the Secrets Manager PutResourcePolicy API call and removed with DeleteResourcePolicy when the resource is destroyed.
  resource "aws_secretsmanager_secret" "example" {
    name = "example"
  }

  data "aws_iam_policy_document" "example" {
    statement {
      sid    = "EnableAnotherAWSAccountToReadTheSecret"
      effect = "Allow"

      principals {
        type        = "AWS"
        identifiers = ["arn:aws:iam::123456789012:root"]
      }

      actions   = ["secretsmanager:GetSecretValue"]
      resources = ["*"]
    }
  }

  resource "aws_secretsmanager_secret_policy" "example" {
    secret_arn = aws_secretsmanager_secret.example.arn
    policy     = data.aws_iam_policy_document.example.json
  }
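The example above grants the whole of account 123456789012 (its root principal, and therefore any identity the account administrator chooses to delegate to) read access to the secret. The following configuration is an added example, not code from the provider documentation: it narrows the grant to a single role in the trusted account, adds a deny for any principal outside a given AWS Organization, and turns on block_public_policy so that a wildcard principal in the Allow statement is rejected at apply time instead of silently exposing the secret. The account ID, role name, organization ID and secret name are placeholders.

```terraform
# Added example (not from the provider docs). Placeholders: account
# 123456789012, role app-runtime, organization o-exampleorgid, secret name.

resource "aws_secretsmanager_secret" "db_credentials" {
  name = "prod/db/credentials"
}

data "aws_iam_policy_document" "cross_account_read" {
  # Least-privilege grant: one named role, one action. In a secret's resource
  # policy "*" as the resource means "this secret", not every secret.
  statement {
    sid    = "AllowSpecificRoleToReadTheSecret"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:role/app-runtime"]
    }

    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["*"]
  }

  # Guard rail: even if a later edit widens the Allow above, nothing outside
  # the organization can read the value. A Deny with Principal "*" does not
  # grant access, so it does not trip block_public_policy.
  statement {
    sid    = "DenyReadsFromOutsideTheOrganization"
    effect = "Deny"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["*"]

    condition {
      test     = "StringNotEquals"
      variable = "aws:PrincipalOrgID"
      values   = ["o-exampleorgid"]
    }
  }
}

resource "aws_secretsmanager_secret_policy" "db_credentials" {
  secret_arn = aws_secretsmanager_secret.db_credentials.arn
  policy     = data.aws_iam_policy_document.cross_account_read.json

  # Ask Secrets Manager to reject the policy if it allows broad (public)
  # access, e.g. an Allow whose principal is "*".
  block_public_policy = true
}
```

To see the check fire, change the Allow statement's identifiers to ["*"] and run terraform apply: PutResourcePolicy fails and the previous policy stays in place. Two things the resource policy alone does not do: the role in the trusted account still needs an identity policy allowing secretsmanager:GetSecretValue on this secret's ARN, and if the secret is encrypted with a customer managed KMS key, that key's policy must grant the role kms:Decrypt, or reads will fail with an access-denied error despite the grant above.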
The following arguments are required:

- policy - (Required) Valid JSON document representing a resource policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. Unlike aws_secretsmanager_secret, where policy can be set to "{}" to delete the policy, "{}" is not a valid value here because policy is required; to remove the policy, destroy (or remove from configuration) the aws_secretsmanager_secret_policy resource instead.
- secret_arn - (Required) Secret ARN.

The following arguments are optional:

- block_public_policy - (Optional) Makes an optional API call to Zelkova to validate the resource policy to prevent broad access to your secret. This maps to the BlockPublicPolicy parameter of PutResourcePolicy: when true, Secrets Manager rejects a policy that would allow access to a broad set of principals (for example, an Allow statement with a wildcard principal), and the apply fails rather than attaching the policy.

This resource exports the following attributes in addition to the arguments above:

- id - Amazon Resource Name (ARN) of the secret.

In Terraform v1.5.0 and later, use an import block to import aws_secretsmanager_secret_policy using the secret Amazon Resource Name (ARN). For example:
  import {
    to = aws_secretsmanager_secret_policy.example
    id = "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456"
  }

Using terraform import, import aws_secretsmanager_secret_policy using the secret Amazon Resource Name (ARN). For example:

  % terraform import aws_secretsmanager_secret_policy.example arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456