Resource: awsSecretsmanagerSecretVersion
Provides a resource to manage an AWS Secrets Manager secret version, including its secret value. To manage secret metadata (name, KMS key, rotation, policy), see the awsSecretsmanagerSecret resource.
\~> NOTE: If the `AWSCURRENT` staging label is present on this version during resource deletion, that label cannot be removed and will be skipped to prevent errors when fully deleting the secret. That label will leave this secret version active even after the resource is deleted from Terraform unless the secret itself is deleted. Move the `AWSCURRENT` staging label to another version, before or after deleting this resource from Terraform, if you need the old version to be deprecated.
Example Usage
Simple String Value
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.secretsmanagerSecretVersion.SecretsmanagerSecretVersion(
this,
"example",
{
secretId: "${aws_secretsmanager_secret.example.id}",
secretString: "example-string-to-protect",
}
);
Key-Value Pairs
Secrets Manager also accepts key-value pairs in JSON. The secret is still stored as a single string; Terraform's `jsonencode()` turns the map into that string.
import * as cdktf from "cdktf";
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
/*Terraform Variables are not always the best fit for getting inputs in the context of Terraform CDK.
You can read more about this at https://cdk.tf/variables*/
const example = new cdktf.TerraformVariable(this, "example", {
// A map of key-value pairs, not a list: jsonencode() of this map yields {"key1":"value1","key2":"value2"}.
default: {
key1: "value1",
key2: "value2",
},
// Keep the secret material out of plan output and logs (see the note below).
sensitive: true,
});
const awsSecretsmanagerSecretVersionExample =
new aws.secretsmanagerSecretVersion.SecretsmanagerSecretVersion(
this,
"example_1",
{
secretId: "${aws_secretsmanager_secret.example.id}",
secretString: `\${jsonencode(${example.value})}`,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsSecretsmanagerSecretVersionExample.overrideLogicalId("example");
-> Note: In Terraform 0.14 and later, mark the variable as sensitive (`sensitive: true` in CDKTF, `sensitive = true` in HCL) to protect its value from being printed in logs and console output (see Protect Sensitive Input Variables). Note that the value is still written in plaintext to the Terraform state; treat the state file as secret material.
Reading key-value pairs from JSON back into a native Terraform map can be accomplished in Terraform 0.12 and later with the `jsondecode()` function. Because `secret_string` is a sensitive attribute, an output that references it must itself be marked sensitive in Terraform 0.15 and later, or `terraform apply` will refuse to proceed:
import * as cdktf from "cdktf";
new cdktf.TerraformOutput(this, "example", {
value:
'${jsondecode(aws_secretsmanager_secret_version.example.secret_string)["key1"]}',
// Required because secret_string is sensitive; the value is still visible via `terraform output -json`.
sensitive: true,
});
Argument Reference
The following arguments are supported:
- `secretId` - (Required) Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.
- `secretString` - (Optional) Specifies text data that you want to encrypt and store in this version of the secret. This is required if `secretBinary` is not set.
- `secretBinary` - (Optional) Specifies binary data that you want to encrypt and store in this version of the secret. This is required if `secretString` is not set. Needs to be encoded to base64.
- `versionStages` - (Optional) Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that's already associated with a different version of the same secret, then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, then AWS Secrets Manager automatically moves the staging label `AWSCURRENT` to this new version on creation.
\~> NOTE: If `versionStages` is configured, you must include the `AWSCURRENT` staging label if this secret version is the only version or if the label is currently present on this secret version; otherwise Terraform will show a perpetual difference, because the label reported by AWS never matches the configured list.
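The staging-label rules above (labels unique to one version, `AWSCURRENT` moving on creation, the deletion note near the top of the page, and the perpetual-diff condition) are easy to get wrong in a rotation pipeline. The following is an added example, not code from the page or from the provider: a small, offline TypeScript model of those rules as the page states them, so a practitioner can reason about a planned `versionStages` configuration before applying it. The `Version` type and every function name are assumptions of this example; the real Secrets Manager API does not look like this.

```typescript
// Added example: an offline model of the staging-label rules described on this page.
// Nothing here calls AWS; the Version type and function names are assumptions.

interface Version {
  versionId: string;
  // Staging labels on this version. A label is unique to one version of a secret.
  stages: string[];
}

const AWSCURRENT = "AWSCURRENT";

// Model creating a new version (PutSecretValue through the resource). With no explicit
// versionStages, AWSCURRENT moves to the new version. Any label given that already sits
// on another version is moved off that version first. Per the note above, the only
// version of a secret always carries AWSCURRENT.
function createVersion(versions: Version[], versionId: string, stages?: string[]): Version[] {
  const labels = [...(stages && stages.length > 0 ? stages : [AWSCURRENT])];
  if (versions.length === 0 && !labels.includes(AWSCURRENT)) {
    labels.push(AWSCURRENT);
  }
  const others = versions.map((v) => ({
    versionId: v.versionId,
    stages: v.stages.filter((s) => !labels.includes(s)),
  }));
  return [...others, { versionId, stages: labels }];
}

// True when the configured versionStages would cause the perpetual diff the note warns
// about: AWSCURRENT must be listed if this is the only version, or if AWS already
// reports AWSCURRENT on this version.
function omitsRequiredAwscurrent(versions: Version[], versionId: string, configured: string[]): boolean {
  if (configured.includes(AWSCURRENT)) return false;
  const current = versions.find((v) => v.versionId === versionId);
  if (current === undefined) return false;
  const onlyVersion = versions.length === 1;
  const hasCurrent = current.stages.includes(AWSCURRENT);
  return onlyVersion || hasCurrent;
}

// Model `terraform destroy` of one secret-version resource: every label except
// AWSCURRENT is removed. A version left with no labels is deprecated by Secrets Manager;
// a version that keeps AWSCURRENT stays active until the label is moved or the secret
// itself is deleted.
function destroyVersionResource(versions: Version[], versionId: string): { versions: Version[]; stillActive: boolean } {
  let stillActive = false;
  const result = versions.map((v) => {
    if (v.versionId !== versionId) return v;
    const kept = v.stages.filter((s) => s === AWSCURRENT);
    stillActive = kept.length > 0;
    return { versionId: v.versionId, stages: kept };
  });
  return { versions: result, stillActive };
}

// Walk through a typical rotation: first version, a pending candidate, then promotion.
function rotationWalkthrough(): Version[] {
  let state = createVersion([], "v1");                 // v1: AWSCURRENT
  state = createVersion(state, "v2", ["AWSPENDING"]);  // v1: AWSCURRENT, v2: AWSPENDING
  state = createVersion(state, "v3");                  // AWSCURRENT moves v1 -> v3
  return state;
}
```

Use `omitsRequiredAwscurrent` on the planned state before writing `versionStages`; in the walkthrough, configuring `["AWSPENDING"]` on `v3` would be flagged, while the same list on `v2` is fine.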
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- `arn` - The ARN of the secret.
- `id` - A pipe-delimited combination of secret ID and version ID.
- `versionId` - The unique identifier of the version of the secret.
Import
`awsSecretsmanagerSecretVersion` can be imported by using the secret ID and version ID, joined with a pipe (`|`), e.g.,