# Copyright 2024 Google Inc.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
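---
name: 'Secret'
api_variant_patterns:
  - 'projects/{project}/secrets/{secret}'
description: |
  A Secret is a logical secret whose value and versions can be accessed.
references:
  guides:
    'Create and deploy a Secret': 'https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets'
  api: 'https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets'
docs:
base_url: 'projects/{{project}}/secrets'
self_link: 'projects/{{project}}/secrets/{{secret_id}}'
create_url: 'projects/{{project}}/secrets?secretId={{secret_id}}'
update_verb: 'PATCH'
update_mask: true
import_format:
  - 'projects/{{project}}/secrets/{{secret_id}}'
timeouts:
  insert_minutes: 20
  update_minutes: 20
  delete_minutes: 20
iam_policy:
  method_name_separator: ':'
  # Role bound in the generated IAM examples. It grants read access to
  # secret version payloads, so the examples bind it per secret
  # (parent_resource_attribute below) rather than project-wide.
  allowed_iam_role: 'roles/secretmanager.secretAccessor'
  parent_resource_attribute: 'secret_id'
  iam_conditions_request_type: 'QUERY_PARAM_NESTED'
  example_config_body: 'templates/terraform/iam/iam_attributes.go.tmpl'
custom_code:
  constants: 'templates/terraform/constants/secret_manager_secret.go.tmpl'
  pre_update: 'templates/terraform/pre_update/secret_manager_secret.go.tmpl'
custom_diff:
  - 'secretManagerSecretAutoCustomizeDiff'
examples:
  - name: 'secret_config_basic'
    primary_resource_id: 'secret-basic'
    primary_resource_name: 'fmt.Sprintf("secret%s", context["random_suffix"])'
    vars:
      secret_id: 'secret'
  - name: 'secret_with_annotations'
    primary_resource_id: 'secret-with-annotations'
    vars:
      secret_id: 'secret'
  - name: 'secret_with_version_destroy_ttl'
    primary_resource_id: 'secret-with-version-destroy-ttl'
    vars:
      secret_id: 'secret'
  - name: 'secret_with_automatic_cmek'
    primary_resource_id: 'secret-with-automatic-cmek'
    vars:
      secret_id: 'secret'
      kms_key_name: 'kms-key'
    # The acceptance test swaps the placeholder key for a bootstrapped one.
    test_vars_overrides:
      'kms_key_name': 'acctest.BootstrapKMSKey(t).CryptoKey.Name'
parameters:
  - name: 'secretId'
    type: String
    description: |
      This must be unique within the project.
    url_param_only: true
    required: true
    immutable: true
properties:
  - name: 'name'
    type: String
    description: |
      The resource name of the Secret. Format:
      `projects/{{project}}/secrets/{{secret_id}}`
    output: true
  - name: 'createTime'
    type: String
    description: |
      The time at which the Secret was created.
    output: true
  - name: 'labels'
    type: KeyValueLabels
    description: |
      The labels assigned to this Secret.
      Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes,
      and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}
      Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes,
      and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}_-]{0,63}
      No more than 64 labels can be assigned to a given resource.
      An object containing a list of "key": value pairs. Example:
      { "name": "wrench", "mass": "1.3kg", "count": "3" }.
  - name: 'annotations'
    type: KeyValueAnnotations
    description: |
      Custom metadata about the secret.
      Annotations are distinct from various forms of labels. Annotations exist to allow
      client tools to store their own state information without requiring a database.
      Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of
      maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and
      may have dashes (-), underscores (_), dots (.), and alphanumerics in between these
      symbols.
      The total size of annotation keys and values must be less than 16KiB.
      An object containing a list of "key": value pairs. Example:
      { "name": "wrench", "mass": "1.3kg", "count": "3" }.
  - name: 'versionAliases'
    type: KeyValuePairs
    description: |
      Mapping from version alias to version name.
      A version alias is a string with a maximum length of 63 characters and can contain
      uppercase and lowercase letters, numerals, and the hyphen (-) and underscore ('_')
      characters. An alias string must start with a letter and cannot be the string
      'latest' or 'NEW'. No more than 50 aliases can be assigned to a given secret.
      An object containing a list of "key": value pairs. Example:
      { "name": "wrench", "mass": "1.3kg", "count": "3" }.
  # Safety net against accidental destroys: with a non-zero TTL a destroyed
  # version is only disabled, and is recoverable until the TTL elapses.
  - name: 'versionDestroyTtl'
    type: String
    description: |
      Secret Version TTL after destruction request.
      This is a part of the delayed delete feature on Secret Version.
      For a secret with versionDestroyTtl>0, version destruction doesn't happen immediately
      on calling destroy; instead the version goes to a disabled state and
      the actual destruction happens after this TTL expires.
  - name: 'replication'
    type: NestedObject
    description: |
      The replication policy of the secret data attached to the Secret. It cannot be changed
      after the Secret has been created.
    required: true
    immutable: true
    properties:
      - name: 'auto'
        type: NestedObject
        description: |
          The Secret will automatically be replicated without any restrictions.
        api_name: automatic
        immutable: true
        send_empty_value: true
        allow_empty_object: true
        exactly_one_of:
          - 'replication.0.user_managed'
          - 'replication.0.auto'
        properties:
          - name: 'customerManagedEncryption'
            type: NestedObject
            description: |
              The customer-managed encryption configuration of the Secret.
              If no configuration is provided, Google-managed default
              encryption is used.
            properties:
              # CMEK: the key must exist before the Secret is created, and the
              # Secret Manager service agent presumably needs permission to use
              # it for payload writes to succeed — confirm against the service docs.
              - name: 'kmsKeyName'
                type: String
                description: |
                  The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.
                required: true
      - name: 'userManaged'
        type: NestedObject
        description: |
          The Secret will be replicated to the regions specified by the user.
        immutable: true
        exactly_one_of:
          - 'replication.0.user_managed'
          - 'replication.0.auto'
        properties:
          - name: 'replicas'
            type: Array
            description: |
              The list of Replicas for this Secret. Cannot be empty.
            required: true
            immutable: true
            item_type:
              type: NestedObject
              properties:
                - name: 'location'
                  type: String
                  description: |
                    The canonical ID of the location to replicate data. For example: "us-east1".
                  required: true
                  immutable: true
                - name: 'customerManagedEncryption'
                  type: NestedObject
                  description: |
                    Customer Managed Encryption for the secret.
                  properties:
                    - name: 'kmsKeyName'
                      type: String
                      description: |
                        Describes the Cloud KMS encryption key that will be used to protect the destination secret.
                      required: true
            min_size: 1
  - name: 'topics'
    type: Array
    description: |
      A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions.
    item_type:
      type: NestedObject
      properties:
        - name: 'name'
          type: String
          description: |
            The resource name of the Pub/Sub topic that will be published to, in the following format: projects/*/topics/*.
            For publication to succeed, the Secret Manager Service Agent service account must have pubsub.publisher permissions on the topic.
          required: true
  - name: 'expireTime'
    type: String
    description: |
      Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input.
      A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
      Only one of `expire_time` or `ttl` can be provided.
    default_from_api: true
  # Write-only in this resource (ignore_read): the effective expiry is
  # presumably reported back through expireTime above — confirm against
  # the API behaviour before relying on drift detection for ttl.
  - name: 'ttl'
    type: String
    description: |
      The TTL for the Secret.
      A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
      Only one of `ttl` or `expire_time` can be provided.
    ignore_read: true
  # Rotation here is a notification schedule: per the description, Secret
  # Manager publishes to the configured `topics`, which is why it is
  # required_with topics.
  - name: 'rotation'
    type: NestedObject
    description: |
      The rotation time and period for a Secret. At `next_rotation_time`, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. `topics` must be set to configure rotation.
    required_with:
      - 'topics'
    properties:
      - name: 'nextRotationTime'
        type: String
        description: |
          Timestamp in UTC at which the Secret is scheduled to rotate.
          A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
        required_with:
          - 'rotation.0.rotation_period'
      - name: 'rotationPeriod'
        type: String
        description: |
          The Duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years).
          If rotationPeriod is set, `next_rotation_time` must be set. `next_rotation_time` will be advanced by this period when the service automatically sends rotation notifications.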