Resource: awsSecretsmanagerSecretPolicy
Provides a resource to manage the resource policy attached to an AWS Secrets Manager secret.
Example Usage
Basic
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as aws from "./.gen/providers/aws";

// The secret whose resource policy is managed below.
const awsSecretsmanagerSecretExample =
  new aws.secretsmanagerSecret.SecretsmanagerSecret(this, "example", {
    name: "example",
  });

// Policy document granting one other account read access to the secret value.
const dataAwsIamPolicyDocumentExample =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "example_1", {
    statement: [
      {
        actions: ["secretsmanager:GetSecretValue"],
        effect: "Allow",
        principals: [
          {
            identifiers: ["arn:aws:iam::123456789012:root"],
            type: "AWS",
          },
        ],
        resources: ["*"],
        sid: "EnableAnotherAWSAccountToReadTheSecret",
      },
    ],
  });
/* This allows the Terraform resource name to match the original name.
   You can remove the call if you don't need them to match. */
dataAwsIamPolicyDocumentExample.overrideLogicalId("example");

// Attach the rendered policy JSON to the secret by ARN.
const awsSecretsmanagerSecretPolicyExample =
  new aws.secretsmanagerSecretPolicy.SecretsmanagerSecretPolicy(
    this,
    "example_2",
    {
      policy: dataAwsIamPolicyDocumentExample.json,
      secretArn: awsSecretsmanagerSecretExample.arn,
    }
  );
/* This allows the Terraform resource name to match the original name.
   You can remove the call if you don't need them to match. */
awsSecretsmanagerSecretPolicyExample.overrideLogicalId("example");
Argument Reference
The following arguments are required:
policy
- (Required) Valid JSON document representing a resource policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. Unlike awsSecretsmanagerSecret, where policy can be set to "{}" to delete the policy, "{}" is not a valid policy here since policy is required.
secretArn
- (Required) Secret ARN.
The following arguments are optional:
blockPublicPolicy
- (Optional) Makes an optional API call to Zelkova to validate the resource policy and reject one that would grant broad (public) access to your secret.
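The example below is added here and is not code from the Terraform AWS provider docs. It builds, as plain JSON, the same resource policy the page's DataAwsIamPolicyDocument renders into the policy argument, and adds two local pre-deploy checks a practitioner would want before cdktf deploy: one that rejects the "{}" document the argument reference says is invalid, and one that flags Allow statements usable by any principal, which is a local approximation (an assumption, not the service's actual algorithm) of the check blockPublicPolicy asks Secrets Manager to perform. The account ID comes from the page's example; the function names are this example's own.

```typescript
// Added example, not provider code: construct a secret resource policy
// and run local sanity checks on it before handing it to SecretsmanagerSecretPolicy.

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: "*" | { AWS?: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, unknown>;
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

// Same grant as the page's data source: one account may read the secret value.
function buildSecretReadPolicy(accountId: string): string {
  const doc: PolicyDocument = {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "EnableAnotherAWSAccountToReadTheSecret",
        Effect: "Allow",
        Principal: { AWS: `arn:aws:iam::${accountId}:root` },
        Action: ["secretsmanager:GetSecretValue"],
        Resource: ["*"],
      },
    ],
  };
  return JSON.stringify(doc);
}

// Reasons the document cannot be used as the `policy` argument. "{}" is the
// case the argument reference calls out: it deletes the policy on
// awsSecretsmanagerSecret but is not accepted here, because policy is required.
function validateSecretPolicy(json: string): string[] {
  let doc: unknown;
  try {
    doc = JSON.parse(json);
  } catch {
    return ["policy is not valid JSON"];
  }
  const d = doc as Partial<PolicyDocument>;
  if (!Array.isArray(d.Statement) || d.Statement.length === 0) {
    return ['policy has no Statement; "{}" is not a valid secret policy'];
  }
  const errors: string[] = [];
  d.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow" && s.Effect !== "Deny") {
      errors.push(`statement ${i}: Effect must be Allow or Deny`);
    }
    if (s.Principal === undefined) {
      errors.push(`statement ${i}: a resource policy statement needs a Principal`);
    }
  });
  return errors;
}

function hasWildcard(v: string | string[] | undefined): boolean {
  if (v === undefined) return false;
  return (Array.isArray(v) ? v : [v]).some((x) => x === "*");
}

// Sids of Allow statements any principal could use: Principal "*" or
// AWS "*" with no Condition narrowing it. Assumption: this is a local
// approximation of the service-side (Zelkova) check; it does not reason
// about conditions the way the real analysis does.
function findPublicStatements(json: string): string[] {
  const doc = JSON.parse(json) as PolicyDocument;
  const found: string[] = [];
  doc.Statement.forEach((s, i) => {
    if (s.Effect !== "Allow" || s.Condition !== undefined) return;
    const open =
      s.Principal === "*" ||
      (typeof s.Principal === "object" && hasWildcard(s.Principal.AWS));
    if (open) found.push(s.Sid ?? `statement-${i}`);
  });
  return found;
}

// Usage: the account ID is the one from the page's example.
const examplePolicy = buildSecretReadPolicy("123456789012");
console.log("validation errors:", validateSecretPolicy(examplePolicy));
console.log("public statements:", findPublicStatements(examplePolicy));
```

Run these checks in the stack before constructing SecretsmanagerSecretPolicy; the local check is cheap, but keep blockPublicPolicy set so the authoritative service-side validation still runs on apply.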
Attributes Reference
In addition to all arguments above, the following attributes are exported:
id
- Amazon Resource Name (ARN) of the secret.
Import
awsSecretsmanagerSecretPolicy
can be imported by using the secret Amazon Resource Name (ARN), e.g.,