
Resource: awsSecretsmanagerSecretPolicy

Provides a resource to manage the resource-based policy attached to an AWS Secrets Manager secret. The policy controls which principals (including those in other AWS accounts) may act on the secret, independently of their own identity-based IAM policies.

Example Usage

Basic

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsSecretsmanagerSecretExample =
  new aws.secretsmanagerSecret.SecretsmanagerSecret(this, "example", {
    name: "example",
  });
const dataAwsIamPolicyDocumentExample =
  new aws.dataAwsIamPolicyDocument.DataAwsIamPolicyDocument(this, "example_1", {
    statement: [
      {
        actions: ["secretsmanager:GetSecretValue"],
        effect: "Allow",
        principals: [
          {
            identifiers: ["arn:aws:iam::123456789012:root"],
            type: "AWS",
          },
        ],
        resources: ["*"],
        sid: "EnableAnotherAWSAccountToReadTheSecret",
      },
    ],
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsIamPolicyDocumentExample.overrideLogicalId("example");
const awsSecretsmanagerSecretPolicyExample =
  new aws.secretsmanagerSecretPolicy.SecretsmanagerSecretPolicy(
    this,
    "example_2",
    {
      policy: dataAwsIamPolicyDocumentExample.json,
      secretArn: awsSecretsmanagerSecretExample.arn,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSecretsmanagerSecretPolicyExample.overrideLogicalId("example");

Argument Reference

The following arguments are required:

  • policy - (Required) Valid JSON document representing a resource policy. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide. Unlike awsSecretsmanagerSecret, where policy can be set to "{}" to delete the policy, "{}" is not a valid value here because policy is required; to remove the policy from the secret, destroy this resource instead.
  • secretArn - (Required) ARN of the secret the policy is attached to.

The following arguments are optional:

  • blockPublicPolicy - (Optional) Boolean. When true, the PutResourcePolicy call asks Secrets Manager to validate the resource policy with its automated reasoning check (historically referred to as Zelkova) and reject it if it would grant broad access to the secret, for example an Allow statement with a wildcard principal. Leaving it unset skips that validation, so a policy that makes the secret readable by any AWS principal is accepted as written.
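The two arguments above are where the security of the secret is decided, so here is an added example (not part of the provider documentation or the CDKTF project) showing the JSON a practitioner would pass as `policy`, and a local pre-check for the wildcard-principal pattern that `blockPublicPolicy: true` rejects server-side. It builds a least-privilege read policy that grants `secretsmanager:GetSecretValue` only to named role ARNs and explicitly denies it to everyone else, then scans a policy for Allow statements with a `*` principal. The function names, the `PUBLIC_READ_POLICY` sample and the exact scope of the local check are this example's own assumptions; the check is an approximation that ignores Condition blocks and is therefore stricter than the service check, never more permissive.

```typescript
// Added example, not part of the provider documentation or the CDKTF project.
// Builds the JSON string for the `policy` argument and pre-checks it for the
// wildcard-principal pattern that `blockPublicPolicy: true` rejects server-side.
// Function names and the sample policy below are this example's own.

type Principal = "*" | { AWS: string | string[] };

interface PolicyStatement {
  Sid: string;
  Effect: "Allow" | "Deny";
  Principal: Principal;
  Action: string | string[];
  Resource: string;
  Condition?: Record<string, Record<string, string | string[]>>;
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

/**
 * Least-privilege read policy for one secret: only `readerArns` may call
 * GetSecretValue, and everyone else is explicitly denied, so an over-broad
 * identity policy in the owning account cannot read the value either.
 * Pass role or user ARNs, not account roots: the Deny compares the caller's
 * own aws:PrincipalArn, which for a role session is the role ARN.
 * `Resource: "*"` is conventional because a secret policy only ever applies
 * to the secret it is attached to. PutResourcePolicy is not denied, so the
 * owning account can still correct the policy if the reader list is wrong.
 */
function buildSecretReadPolicy(readerArns: string[]): string {
  if (readerArns.length === 0) {
    throw new Error("at least one reader principal ARN is required");
  }
  const doc: PolicyDocument = {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "AllowNamedReaders",
        Effect: "Allow",
        Principal: { AWS: readerArns },
        Action: "secretsmanager:GetSecretValue",
        Resource: "*",
      },
      {
        Sid: "DenyAllOtherReaders",
        Effect: "Deny",
        Principal: "*",
        Action: "secretsmanager:GetSecretValue",
        Resource: "*",
        // ArnNotEquals with a list is true only when the caller matches none of them.
        Condition: { ArnNotEquals: { "aws:PrincipalArn": readerArns } },
      },
    ],
  };
  return JSON.stringify(doc);
}

/**
 * Local approximation of the blockPublicPolicy check: returns the Sids of
 * Allow statements whose principal is a wildcard. A Deny to "*" grants
 * nothing, so it is not flagged. Condition blocks are ignored, which makes
 * this stricter than the service-side check, never more permissive.
 */
function findPublicAllowStatements(policyJson: string): string[] {
  const doc = JSON.parse(policyJson) as PolicyDocument;
  return doc.Statement.filter((s) => {
    if (s.Effect !== "Allow") return false;
    if (s.Principal === "*") return true;
    const aws = s.Principal.AWS;
    return (Array.isArray(aws) ? aws : [aws]).includes("*");
  }).map((s) => s.Sid);
}

// Constructed sample of the pattern blockPublicPolicy exists to stop:
// any AWS principal may read the secret.
const PUBLIC_READ_POLICY = JSON.stringify({
  Version: "2012-10-17",
  Statement: [
    {
      Sid: "AnyoneCanRead",
      Effect: "Allow",
      Principal: "*",
      Action: "secretsmanager:GetSecretValue",
      Resource: "*",
    },
  ],
});

// Usage with the resource on this page (assumes the bindings imported in the
// Basic example above):
//   new aws.secretsmanagerSecretPolicy.SecretsmanagerSecretPolicy(this, "hardened", {
//     secretArn: awsSecretsmanagerSecretExample.arn,
//     policy: buildSecretReadPolicy(["arn:aws:iam::123456789012:role/app-reader"]),
//     blockPublicPolicy: true,
//   });
```

Running `findPublicAllowStatements` on the output of `buildSecretReadPolicy` returns an empty list, while running it on `PUBLIC_READ_POLICY` returns `["AnyoneCanRead"]`, the statement that `blockPublicPolicy: true` would cause PutResourcePolicy to reject. Keeping the local check in a plan-time test catches the mistake before Terraform ever calls the API, and setting `blockPublicPolicy: true` keeps the service-side check as the backstop.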

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - Amazon Resource Name (ARN) of the secret.

Import

awsSecretsmanagerSecretPolicy can be imported by using the secret Amazon Resource Name (ARN), e.g.,

$ terraform import aws_secretsmanager_secret_policy.example arn:aws:secretsmanager:us-east-1:123456789012:secret:example-123456