
aws.secretsmanager-secret resource

Description

Secret manages a Secrets Manager secret: the encrypted value plus the metadata that governs it. The name is fixed at creation, so a change to it replaces the secret; because the ARN is derived from the name, the replacement gets a new ARN and any IAM policy or consumer that references the old one must be updated. The description, the KMS key, the value, the replica regions, and the tags reconcile in place. The value is a field reconciled by PutSecretValue rather than a separate version resource, since CloudFormation models the secret string as a property of the secret. An unset optional input is sent as absent and Secrets Manager applies its own default, including the AWS-managed aws/secretsmanager key when no KMS key is given.

Name is required, since Secrets Manager does not generate a name and CreateSecret needs one. It must match ^[0-9A-Za-z/_+=.@-]+$ and be at most 512 characters; that rule is a regular-expression and byte-length check in Create rather than a declarative constraint.

Source: internal/service/secretsmanager/secret_rsrc.go:48
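The replace-versus-update split described above, written out as an added example: a small planner that compares desired and observed state and lists the Secrets Manager calls a reconcile would issue. This is illustrative code, not the unobin resource implementation; the SecretState type, the Plan function and the create-then-delete order on a rename are assumptions of the example. A nil KMS key on both sides compares equal, matching the "absent, AWS applies its default" behaviour; the observed value is assumed to have been read back with GetSecretValue.

```go
package main

import "fmt"

// SecretState is an illustrative desired/observed state for the inputs on
// this page. It is not the unobin resource's own type.
type SecretState struct {
	Name        string
	Description *string
	KMSKeyID    *string // nil: not set, sent as absent, AWS uses aws/secretsmanager
	SecretValue *string // secret-string or secret-binary, whichever is set
	Replicas    []string // replica regions
	Tags        map[string]string
}

// Plan returns the API calls, in order, that a reconcile of desired against
// observed would issue. observed == nil means the secret does not exist yet.
func Plan(desired SecretState, observed *SecretState) []string {
	if observed == nil {
		return []string{"CreateSecret"}
	}
	// The name is fixed at creation, so a new name is a replacement: a second
	// secret with a new ARN is created and the old one is scheduled for
	// deletion. Create-before-delete is this example's choice; the two names
	// differ, so both can exist while consumers move over.
	if desired.Name != observed.Name {
		return []string{"CreateSecret", "DeleteSecret"}
	}
	var steps []string
	if !eqPtr(desired.Description, observed.Description) || !eqPtr(desired.KMSKeyID, observed.KMSKeyID) {
		steps = append(steps, "UpdateSecret")
	}
	if !eqPtr(desired.SecretValue, observed.SecretValue) {
		steps = append(steps, "PutSecretValue") // value is a field, not a version resource
	}
	added, removed := diffRegions(desired.Replicas, observed.Replicas)
	if len(added) > 0 {
		steps = append(steps, "ReplicateSecretToRegions")
	}
	if len(removed) > 0 {
		steps = append(steps, "RemoveRegionsFromReplication")
	}
	set, unset := diffTags(desired.Tags, observed.Tags)
	if set {
		steps = append(steps, "TagResource")
	}
	if unset {
		steps = append(steps, "UntagResource")
	}
	return steps
}

// eqPtr treats nil as "absent" and only compares values when both are set.
func eqPtr(a, b *string) bool {
	if a == nil || b == nil {
		return a == b
	}
	return *a == *b
}

// diffRegions treats replica regions as a set: order is irrelevant.
func diffRegions(desired, observed []string) (added, removed []string) {
	want, have := map[string]bool{}, map[string]bool{}
	for _, r := range desired {
		want[r] = true
	}
	for _, r := range observed {
		have[r] = true
	}
	for r := range want {
		if !have[r] {
			added = append(added, r)
		}
	}
	for r := range have {
		if !want[r] {
			removed = append(removed, r)
		}
	}
	return added, removed
}

// diffTags reports whether any key must be (re)tagged or untagged.
func diffTags(desired, observed map[string]string) (set, unset bool) {
	for k, v := range desired {
		if ov, ok := observed[k]; !ok || ov != v {
			set = true
		}
	}
	for k := range observed {
		if _, ok := desired[k]; !ok {
			unset = true
		}
	}
	return set, unset
}

func str(s string) *string { return &s }

func main() {
	observed := SecretState{Name: "prod/app/db-password", SecretValue: str("v1"), Tags: map[string]string{"env": "prod"}}
	desired := observed
	desired.SecretValue = str("v2")
	desired.Replicas = []string{"us-west-2"}
	fmt.Println(Plan(desired, &observed)) // [PutSecretValue ReplicateSecretToRegions]
	renamed := desired
	renamed.Name = "prod/app/db-password-v2"
	fmt.Println(Plan(renamed, &observed)) // [CreateSecret DeleteSecret]
}
```

The rename branch is the one to watch in review: it is the only path that produces a new ARN and a pending deletion, so a name edit that looks cosmetic in the config is a rotation of the resource identity, not an in-place update.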

Example usage:

imports: {
  aws: 'github.com/cloudboss/unobin-library-aws'
}

resources: {
  example: aws.secretsmanager-secret {
    name: 'prod/app/db-password'
    description: 'Database password for the app service'
    # secret-string is sensitive; the literal below is illustrative only.
    secret-string: 'change-me'
    recovery-window-in-days: 7
    tags: {
      environment: 'prod'
    }
  }
}

Inputs

name

string

required

description

optional(string)

kms-key-id

optional(string)

force-overwrite-replica-secret

optional(boolean)

replica

list(object)
list(
  object({
    region: string
    kms-key-id: optional(string)
  })
)

secret-string

optional(string)

sensitive

secret-binary

optional(string)

sensitive

recovery-window-in-days

optional(integer)

tags

map(string)

Input Constraints

Field combinations

At most one of secret-string or secret-binary.

Recovery window in days rules

recovery-window-in-days must be 0 or between 7 and 30.

Rule logic
When
input.recovery-window-in-days != null
Require
input.recovery-window-in-days == 0
|| ((input.recovery-window-in-days == null || input.recovery-window-in-days >= 7) && (input.recovery-window-in-days == null || input.recovery-window-in-days <= 30))

Replica rules

A replica requires a non-empty region.

Rule logic
For each
input.replica
Require
@each.value.region != null
&& @core.length(@each.value.region) >= 1
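The input checks on this page, the name rule from the description (regular expression plus byte length) and the three constraint rules above, carried out as one validator in Go. This is an added example, not the project's Create or constraint code; the SecretInput and ReplicaInput types and the Validate function are assumptions of the example. It collects every violation rather than stopping at the first, and len() on the name counts bytes, which matches the byte-length check (the pattern only admits ASCII, so bytes and characters agree for any name that passes it).

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// SecretInput mirrors the inputs documented on this page. Illustrative type,
// not the unobin resource's own.
type SecretInput struct {
	Name                 string
	SecretString         *string
	SecretBinary         *string
	RecoveryWindowInDays *int
	Replicas             []ReplicaInput
}

type ReplicaInput struct {
	Region   string
	KMSKeyID *string
}

// namePattern is the rule stated on this page for CreateSecret names.
var namePattern = regexp.MustCompile(`^[0-9A-Za-z/_+=.@-]+$`)

const maxNameBytes = 512

// Validate applies every check and returns all violations found.
func Validate(in SecretInput) []error {
	var errs []error

	// name: required, pattern, and byte length
	if in.Name == "" {
		errs = append(errs, errors.New("name is required"))
	} else {
		if len(in.Name) > maxNameBytes { // len counts bytes, as the Create check does
			errs = append(errs, fmt.Errorf("name is %d bytes; at most %d allowed", len(in.Name), maxNameBytes))
		}
		if !namePattern.MatchString(in.Name) {
			errs = append(errs, fmt.Errorf("name %q must match %s", in.Name, namePattern.String()))
		}
	}

	// field combination: at most one of secret-string or secret-binary
	if in.SecretString != nil && in.SecretBinary != nil {
		errs = append(errs, errors.New("at most one of secret-string or secret-binary may be set"))
	}

	// recovery window: unset, 0, or 7..30 inclusive
	if d := in.RecoveryWindowInDays; d != nil && *d != 0 && (*d < 7 || *d > 30) {
		errs = append(errs, fmt.Errorf("recovery-window-in-days must be 0 or between 7 and 30, got %d", *d))
	}

	// replica: each entry needs a non-empty region
	for i, r := range in.Replicas {
		if len(r.Region) < 1 {
			errs = append(errs, fmt.Errorf("replica[%d] requires a region", i))
		}
	}
	return errs
}

func ptr(s string) *string { return &s }
func intPtr(n int) *int    { return &n }

func main() {
	good := SecretInput{Name: "prod/app/db-password", SecretString: ptr("x"), RecoveryWindowInDays: intPtr(7)}
	fmt.Println(Validate(good)) // []
	bad := SecretInput{
		Name:                 "has space",
		SecretString:         ptr("x"),
		SecretBinary:         ptr("y"),
		RecoveryWindowInDays: intPtr(3),
		Replicas:             []ReplicaInput{{Region: ""}},
	}
	for _, err := range Validate(bad) {
		fmt.Println(err)
	}
}
```

Running it against the bad input prints four separate errors (pattern, field combination, recovery window, replica region), which is the behaviour you want from a pre-flight check: one apply attempt surfaces every problem instead of one per round trip to CreateSecret.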

Outputs

arn

string

version-id

string

replica-status

list(object)
list(
  object({
    region: string
    status: string
    status-message: string
    last-accessed-date: string
  })
)