
googleSecretManagerSecret

A Secret is a logical secret whose value and versions can be accessed.

To get more information about Secret, see:

Example Usage - Secret Config Basic

/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import * as google from "./.gen/providers/google";

/* The raw cdktf convert output used snake_case keys and wrapped the labels map and the
   single-item replication/userManaged blocks in arrays. The generated binding expects the
   camelCase property names used in the Argument Reference below, an object for labels, and
   plain objects for the replication and userManaged blocks (replicas stays a list).
   `this` must be a Construct, typically the TerraformStack that defines the resource. */
new google.secretManagerSecret.SecretManagerSecret(this, "secret-basic", {
  labels: {
    label: "my-label",
  },
  replication: {
    userManaged: {
      replicas: [
        {
          location: "us-central1",
        },
        {
          location: "us-east1",
        },
      ],
    },
  },
  secretId: "secret",
});

Argument Reference

The following arguments are supported:

  • replication - (Required) The replication policy of the secret data attached to the Secret. It cannot be changed after the Secret has been created. Structure is documented below.

  • secretId - (Required) This must be unique within the project.

The replication block supports:

  • automatic - (Optional) The Secret will automatically be replicated without any restrictions.

  • userManaged - (Optional) The Secret will be replicated only to the locations listed in its replicas. Structure is documented below.

The userManaged block supports:

  • replicas - (Required) The list of Replicas for this Secret. Cannot be empty. Structure is documented below.

The replicas block supports:

  • location - (Required) The canonical ID of the location to replicate data to. For example: "us-east1".

  • customerManagedEncryption - (Optional) Customer Managed Encryption for the secret. Structure is documented below.

The customerManagedEncryption block supports:

  • kmsKeyName - (Required) Describes the Cloud KMS encryption key that will be used to protect the destination secret.

The following optional arguments are also supported at the top level of the resource:

  • labels - (Optional) The labels assigned to this Secret. Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of at most 128 bytes, and must match the PCRE regular expression [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}-]{0,62}. Label values must be between 0 and 63 characters long, have a UTF-8 encoding of at most 128 bytes, and must match the PCRE regular expression [\p{Ll}\p{Lo}\p{N}-]{0,63}. No more than 64 labels can be assigned to a given resource. An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

  • topics - (Optional) A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions. Structure is documented below.

  • expireTime - (Optional) Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

  • ttl - (Optional) The TTL for the Secret. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".

  • rotation - (Optional) The rotation time and period for a Secret. At nextRotationTime, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. topics must be set to configure rotation. Structure is documented below.

  • project - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The topics block supports:

  • name - (Required) The resource name of the Pub/Sub topic that will be published to, in the format projects/*/topics/*. For publication to succeed, the Secret Manager Service Agent service account must have the pubsub.publisher permission on the topic.

The rotation block supports:

  • nextRotationTime - (Optional) Timestamp in UTC at which the Secret is scheduled to rotate. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

  • rotationPeriod - (Optional) The duration between rotation notifications. Must be in seconds, at least 3600s (1h) and at most 3153600000s (100 years). If rotationPeriod is set, nextRotationTime must also be set. nextRotationTime is advanced by this period each time the service sends a rotation notification.
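
As an added example (not from the provider documentation or the CDKTF bindings), the TypeScript validator below checks a secret definition against the constraints listed above before anything is applied: exactly one replication mode, a non-empty replica list, the label patterns and limits, the topic count and name format, the duration and timestamp formats, and the rotation rules (topics required, rotationPeriod requires nextRotationTime, period within 3600s to 3153600000s). The SecretConfig type is an assumed mirror of the camelCase argument names on this page, nothing is imported from the generated provider, and the project, key ring, key and topic names in the sample are placeholders.

```typescript
// Added example (not from the provider docs or the CDKTF bindings): checks a secret
// definition against the constraints in the Argument Reference before it is applied.
// SecretConfig is an assumed mirror of the camelCase props; nothing is imported from .gen.
interface Replica { location: string; customerManagedEncryption?: { kmsKeyName: string } }
interface SecretConfig {
  secretId: string;
  replication: { automatic?: boolean; userManaged?: { replicas: Replica[] } };
  labels?: { [key: string]: string };
  topics?: { name: string }[];
  expireTime?: string;
  ttl?: string;
  rotation?: { nextRotationTime?: string; rotationPeriod?: string };
  project?: string;
}

// Label patterns quoted from the page; PCRE \p{..} classes work in JS regexes with the "u" flag.
const LABEL_KEY = new RegExp("^[\\p{Ll}\\p{Lo}][\\p{Ll}\\p{Lo}\\p{N}-]{0,62}$", "u");
const LABEL_VALUE = new RegExp("^[\\p{Ll}\\p{Lo}\\p{N}-]{0,63}$", "u");
const DURATION = /^(\d+)(?:\.(\d{1,9}))?s$/; // seconds, up to nine fractional digits, "s" suffix
const RFC3339_ZULU = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,9})?Z$/;
const PUBSUB_TOPIC = /^projects\/[^/]+\/topics\/[^/]+$/; // projects/*/topics/*
const MIN_ROTATION_SECONDS = 3600; // 1h
const MAX_ROTATION_SECONDS = 3153600000; // 100 years

// UTF-8 byte length without Buffer/TextEncoder: each byte is either "%XX" or one ASCII char.
function utf8ByteLength(s: string): number {
  return encodeURIComponent(s).split(/%..|./).length - 1;
}

function validateSecretConfig(cfg: SecretConfig): string[] {
  const errors: string[] = [];
  if (!cfg.secretId) errors.push("secretId is required");

  const { automatic, userManaged } = cfg.replication;
  if (!!automatic === !!userManaged) errors.push("replication must set exactly one of automatic or userManaged");
  if (userManaged && userManaged.replicas.length === 0) errors.push("replication.userManaged.replicas cannot be empty");

  const labels = cfg.labels || {};
  const keys = Object.keys(labels);
  if (keys.length > 64) errors.push("no more than 64 labels may be assigned");
  for (const k of keys) {
    if (!LABEL_KEY.test(k) || utf8ByteLength(k) > 128) errors.push(`invalid label key: ${k}`);
    if (!LABEL_VALUE.test(labels[k]) || utf8ByteLength(labels[k]) > 128) errors.push(`invalid label value for ${k}: ${labels[k]}`);
  }

  const topics = cfg.topics || [];
  if (topics.length > 10) errors.push("at most 10 topics may be configured");
  for (const t of topics) {
    if (!PUBSUB_TOPIC.test(t.name)) errors.push(`topic name must be projects/*/topics/*: ${t.name}`);
  }

  if (cfg.expireTime !== undefined && !RFC3339_ZULU.test(cfg.expireTime)) errors.push(`expireTime must be an RFC3339 Zulu timestamp: ${cfg.expireTime}`);
  if (cfg.ttl !== undefined && !DURATION.test(cfg.ttl)) errors.push(`ttl must be a duration such as "3.5s": ${cfg.ttl}`);

  if (cfg.rotation) {
    const { nextRotationTime, rotationPeriod } = cfg.rotation;
    if (topics.length === 0) errors.push("rotation requires topics to be set");
    if (nextRotationTime !== undefined && !RFC3339_ZULU.test(nextRotationTime)) errors.push(`nextRotationTime must be an RFC3339 Zulu timestamp: ${nextRotationTime}`);
    if (rotationPeriod !== undefined) {
      if (nextRotationTime === undefined) errors.push("rotationPeriod requires nextRotationTime");
      const m = DURATION.exec(rotationPeriod);
      if (!m) {
        errors.push(`rotationPeriod must be a duration in seconds: ${rotationPeriod}`);
      } else {
        const seconds = Number(m[1]) + (m[2] ? Number("0." + m[2]) : 0);
        if (seconds < MIN_ROTATION_SECONDS || seconds > MAX_ROTATION_SECONDS) errors.push(`rotationPeriod must be between 3600s and 3153600000s: ${rotationPeriod}`);
      }
    }
  }
  return errors;
}

// Constructed sample: the page's basic example plus CMEK on both replicas, a topic and rotation.
// The project, key ring, key and topic names are placeholders.
const sampleSecret: SecretConfig = {
  secretId: "secret",
  labels: { label: "my-label" },
  replication: {
    userManaged: {
      replicas: [
        { location: "us-central1", customerManagedEncryption: { kmsKeyName: "projects/my-project/locations/us-central1/keyRings/my-ring/cryptoKeys/my-key" } },
        { location: "us-east1", customerManagedEncryption: { kmsKeyName: "projects/my-project/locations/us-east1/keyRings/my-ring/cryptoKeys/my-key" } },
      ],
    },
  },
  topics: [{ name: "projects/my-project/topics/secret-rotation" }],
  rotation: { nextRotationTime: "2014-10-02T15:01:23Z", rotationPeriod: "2592000s" },
};

console.log(validateSecretConfig(sampleSecret)); // []
```

Run it as a pre-commit or CI step over the props you pass to SecretManagerSecret: an empty array means the definition satisfies the documented constraints. It complements, rather than replaces, Secret Manager's own server-side validation, and it assumes a Node runtime that supports Unicode property escapes in regular expressions.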

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

  • id - An identifier for the resource with format projects/{{project}}/secrets/{{secretId}}

  • name - The resource name of the Secret. Format: projects/{{project}}/secrets/{{secretId}}

  • createTime - The time at which the Secret was created.

Timeouts

This resource provides the following Timeouts configuration options:

  • create - Default is 20 minutes.
  • update - Default is 20 minutes.
  • delete - Default is 20 minutes.

Import

Secret can be imported using any of these accepted formats:

$ terraform import google_secret_manager_secret.default projects/{{project}}/secrets/{{secret_id}}
$ terraform import google_secret_manager_secret.default {{project}}/{{secret_id}}
$ terraform import google_secret_manager_secret.default {{secret_id}}

User Project Overrides

This resource supports User Project Overrides.