---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Secret Manager"
description: |-
A Secret is a logical secret whose value and versions can be accessed.
---
# google\_secret\_manager\_secret
A Secret is a logical secret whose value and versions can be accessed.
To get more information about Secret, see:
* [API documentation](https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets)
## Example Usage - Secret Config Basic
```hcl
resource "google_secret_manager_secret" "secret-basic" {
  secret_id = "secret"

  labels = {
    label = "my-label"
  }

  replication {
    user_managed {
      replicas {
        location = "us-central1"
      }
      replicas {
        location = "us-east1"
      }
    }
  }
}
```
## Example Usage - Secret With Annotations
```hcl
resource "google_secret_manager_secret" "secret-with-annotations" {
  secret_id = "secret"

  labels = {
    label = "my-label"
  }

  annotations = {
    key1 = "someval"
    key2 = "someval2"
    key3 = "someval3"
    key4 = "someval4"
    key5 = "someval5"
  }

  replication {
    auto {}
  }
}
```
## Example Usage - Secret With Automatic Cmek
```hcl
data "google_project" "project" {}

# The Secret Manager service agent must be able to use the key, or creating
# secret versions will fail. "kms-key" is a placeholder here; use the full
# CryptoKey resource name (projects/.../locations/.../keyRings/.../cryptoKeys/...).
resource "google_kms_crypto_key_iam_member" "kms-secret-binding" {
  crypto_key_id = "kms-key"
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
}

resource "google_secret_manager_secret" "secret-with-automatic-cmek" {
  secret_id = "secret"

  replication {
    auto {
      customer_managed_encryption {
        kms_key_name = "kms-key"
      }
    }
  }

  # Grant the key permission before the secret references the key.
  depends_on = [google_kms_crypto_key_iam_member.kms-secret-binding]
}
```
## Argument Reference
The following arguments are supported:
* `replication` -
(Required)
The replication policy of the secret data attached to the Secret. It cannot be changed
after the Secret has been created.
Structure is [documented below](#nested_replication).
* `secret_id` -
(Required)
This must be unique within the project.
<a name="nested_replication"></a>The `replication` block supports:
* `auto` -
(Optional)
The Secret will automatically be replicated without any restrictions.
Structure is [documented below](#nested_auto).
* `user_managed` -
(Optional)
The Secret will be replicated to the regions specified by the user.
Structure is [documented below](#nested_user_managed).
<a name="nested_auto"></a>The `auto` block supports:
* `customer_managed_encryption` -
(Optional)
The customer-managed encryption configuration of the Secret.
If no configuration is provided, Google-managed default
encryption is used.
Structure is [documented below](#nested_customer_managed_encryption).
<a name="nested_customer_managed_encryption"></a>The `customer_managed_encryption` block supports:
* `kms_key_name` -
(Required)
The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.
<a name="nested_user_managed"></a>The `user_managed` block supports:
* `replicas` -
(Required)
The list of Replicas for this Secret. Cannot be empty.
Structure is [documented below](#nested_replicas).
<a name="nested_replicas"></a>The `replicas` block supports:
* `location` -
(Required)
The canonical ID of the location to replicate data to. For example: "us-east1".
* `customer_managed_encryption` -
(Optional)
Customer Managed Encryption for the secret replica.
Structure is [documented below](#nested_replicas_customer_managed_encryption).
<a name="nested_replicas_customer_managed_encryption"></a>The `replicas.customer_managed_encryption` block supports:
* `kms_key_name` -
(Required)
The Cloud KMS encryption key that will be used to protect the destination secret replica.
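The following is an added example, not one of the provider's own documentation examples: user-managed replication where each replica is protected by a CMEK key in that replica's own location (the key must be in the same location as the replica), with the service agent granted access to every key. The project ID `my-project` and the key ring and key names are assumed placeholders.

```hcl
# Added example: per-replica CMEK with user-managed replication.
data "google_project" "project" {}

locals {
  # Assumed placeholders: existing CryptoKeys co-located with each replica.
  kms_key_central = "projects/my-project/locations/us-central1/keyRings/secrets-kr/cryptoKeys/secrets-key"
  kms_key_east    = "projects/my-project/locations/us-east1/keyRings/secrets-kr/cryptoKeys/secrets-key"
}

# The Secret Manager service agent needs EncrypterDecrypter on every key,
# otherwise adding a secret version fails for that replica.
resource "google_kms_crypto_key_iam_member" "secret_agent" {
  for_each      = { central = local.kms_key_central, east = local.kms_key_east }
  crypto_key_id = each.value
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
}

resource "google_secret_manager_secret" "regional_cmek" {
  secret_id = "db-password"

  # Replication policy cannot be changed after creation; choose the
  # regions (and keys) deliberately up front.
  replication {
    user_managed {
      replicas {
        location = "us-central1"
        customer_managed_encryption {
          kms_key_name = local.kms_key_central
        }
      }
      replicas {
        location = "us-east1"
        customer_managed_encryption {
          kms_key_name = local.kms_key_east
        }
      }
    }
  }

  depends_on = [google_kms_crypto_key_iam_member.secret_agent]
}
```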
- - -
* `labels` -
(Optional)
The labels assigned to this Secret.
Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes,
and must conform to the following PCRE regular expression: `[\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}`
Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes,
and must conform to the following PCRE regular expression: `[\p{Ll}\p{Lo}\p{N}_-]{0,63}`
No more than 64 labels can be assigned to a given resource.
An object containing a list of "key": value pairs. Example:
{ "name": "wrench", "mass": "1.3kg", "count": "3" }.
**Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
Please refer to the field `effective_labels` for all of the labels present on the resource.
* `annotations` -
(Optional)
Custom metadata about the secret.
Annotations are distinct from various forms of labels. Annotations exist to allow
client tools to store their own state information without requiring a database.
Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of
maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and
may have dashes (-), underscores (_), dots (.), and alphanumerics in between these
symbols.
The total size of annotation keys and values must be less than 16KiB.
An object containing a list of "key": value pairs. Example:
{ "name": "wrench", "mass": "1.3kg", "count": "3" }.
**Note**: This field is non-authoritative, and will only manage the annotations present in your configuration.
Please refer to the field `effective_annotations` for all of the annotations present on the resource.
* `version_aliases` -
(Optional)
Mapping from version alias to version name.
A version alias is a string with a maximum length of 63 characters and can contain
uppercase and lowercase letters, numerals, and the hyphen (-) and underscore ('_')
characters. An alias string must start with a letter and cannot be the string
'latest' or 'NEW'. No more than 50 aliases can be assigned to a given secret.
An object containing a list of "key": value pairs. Example:
{ "name": "wrench", "mass": "1.3kg", "count": "3" }.
* `topics` -
(Optional)
A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions.
Structure is [documented below](#nested_topics).
* `expire_time` -
(Optional)
Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input.
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
Only one of `expire_time` or `ttl` can be provided.
* `ttl` -
(Optional)
The TTL for the Secret.
A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
Only one of `ttl` or `expire_time` can be provided.
* `rotation` -
(Optional)
The rotation time and period for a Secret. At `next_rotation_time`, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. `topics` must be set to configure rotation.
Structure is [documented below](#nested_rotation).
* `project` - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
<a name="nested_topics"></a>The `topics` block supports:
* `name` -
(Required)
The resource name of the Pub/Sub topic that will be published to, in the following format: projects/*/topics/*.
For publication to succeed, the Secret Manager Service Agent service account must have pubsub.publisher permissions on the topic.
<a name="nested_rotation"></a>The `rotation` block supports:
* `next_rotation_time` -
(Optional)
Timestamp in UTC at which the Secret is scheduled to rotate.
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
* `rotation_period` -
(Optional)
The duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years).
If `rotation_period` is set, `next_rotation_time` must also be set. `next_rotation_time` will be advanced by this period when the service automatically sends rotation notifications.
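Added example (not from the provider's documentation) tying together the `topics`, `rotation`, and `ttl` arguments described above: a secret whose rotation reminders are published to a Pub/Sub topic that the Secret Manager service agent is allowed to publish to. The topic name, secret ID, and timestamp are assumed values.

```hcl
# Added example: rotation notifications via Pub/Sub, plus a TTL.
data "google_project" "project" {}

resource "google_pubsub_topic" "secret_rotation" {
  name = "secret-rotation-events" # assumed name
}

# Publication only succeeds if the Secret Manager service agent holds
# pubsub.publisher on the topic, so grant it before the secret is created.
resource "google_pubsub_topic_iam_member" "secret_agent_publisher" {
  topic  = google_pubsub_topic.secret_rotation.id
  role   = "roles/pubsub.publisher"
  member = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
}

resource "google_secret_manager_secret" "rotated" {
  secret_id = "api-key"

  replication {
    auto {}
  }

  # topics is required whenever rotation is configured; the id attribute of
  # google_pubsub_topic already has the projects/*/topics/* form.
  topics {
    name = google_pubsub_topic.secret_rotation.id
  }

  # rotation_period requires next_rotation_time. 30 days = 2592000s, which
  # is within the 3600s .. 3153600000s range. Secret Manager only sends the
  # notification; a subscriber must perform the actual rotation.
  rotation {
    next_rotation_time = "2030-01-01T00:00:00Z"
    rotation_period    = "2592000s"
  }

  # ttl and expire_time are mutually exclusive; one year here.
  ttl = "31536000s"

  depends_on = [google_pubsub_topic_iam_member.secret_agent_publisher]
}
```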
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - An identifier for the resource with format `projects/{{project}}/secrets/{{secret_id}}`
* `name` -
The resource name of the Secret. Format:
`projects/{{project}}/secrets/{{secret_id}}`
* `create_time` -
The time at which the Secret was created.
* `terraform_labels` -
The combination of labels configured directly on the resource
and default labels configured on the provider.
* `effective_labels` -
All labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.
* `effective_annotations` -
All annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.
## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
Secret can be imported using any of these accepted formats:
* `projects/{{project}}/secrets/{{secret_id}}`
* `{{project}}/{{secret_id}}`
* `{{secret_id}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import Secret using one of the formats above. For example:
```tf
import {
  id = "projects/{{project}}/secrets/{{secret_id}}"
  to = google_secret_manager_secret.default
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), Secret can be imported using one of the formats above. For example:
```
$ terraform import google_secret_manager_secret.default projects/{{project}}/secrets/{{secret_id}}
$ terraform import google_secret_manager_secret.default {{project}}/{{secret_id}}
$ terraform import google_secret_manager_secret.default {{secret_id}}
```
## User Project Overrides
This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).