A generated secret version resource.
This resource generates a secret and stores the value directly in the Google Secret Manager secret, so that the secret does not appear in clear text in the Terraform source or the Terraform state file.
Given secrets, as opposed to generated ones, should be stored using google_kms_secret and google_secret_manager_secret_version.
When the secret version is updated outside the scope of the Terraform template, the resource will return the latest version.

resource "google_secret_manager_secret" "mysql_user_password" {
  secret_id = "mysql-user-password"
}

resource "google_secret_manager_generated_secret_version" "secret-version-basic" {
  # Reference the secret declared above.
  secret   = google_secret_manager_secret.mysql_user_password.id
  length   = 20
  alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

  # At least one digit and at least two punctuation characters.
  required = [
    {
      count    = 1
      alphabet = "0123456789"
    },
    {
      count    = 2
      alphabet = "@!#$%^&*()_+-=:;<>,./?"
    }
  ]

  # Change this value to force the secret to be regenerated.
  logical_version = "v1"
  provider        = google-secret-manager-beta
}

The following arguments are supported:
secret - (Required) Secret Manager secret resource.
length - (Optional) the length of the secret to generate, default = 32.
alphabet - (Optional) the characters to generate the secret from, default = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".
required - (Optional) array of required characters in the secret, specifying the minimum number of characters and the alphabet for each.
logical_version - (Optional) an opaque string to force the secret to be regenerated.

In addition to the arguments listed above, the following computed attributes are exported:
id - an identifier for the resource with format {{name}}
name - The resource name of the SecretVersion. Format: projects/{{project}}/secrets/{{secret_id}}/versions/{{version}}
value - The generated value. This will not be stored in the state file.
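
How the length, alphabet and required arguments can combine into one secret, shown as an added Go example that is not the provider's own code. The names Required, Generate and randInt are hypothetical, alphabets are assumed to be ASCII, and drawing the required characters first and then shuffling is an assumed strategy, not the provider's documented algorithm.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Required mirrors one entry of the `required` argument (hypothetical type name).
type Required struct{ Count int; Alphabet string }

// randInt returns a uniform integer in [0, n) from the OS CSPRNG.
func randInt(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // no safe fallback if the CSPRNG fails
	}
	return int(v.Int64())
}

// Generate draws the required characters first, fills up to length from
// alphabet, then shuffles so required characters land at random positions.
func Generate(length int, alphabet string, required []Required) (string, error) {
	out := make([]byte, 0, length)
	for _, r := range required {
		if r.Count > 0 && r.Alphabet == "" {
			return "", fmt.Errorf("required entry with count %d has an empty alphabet", r.Count)
		}
		for i := 0; i < r.Count; i++ {
			out = append(out, r.Alphabet[randInt(len(r.Alphabet))])
		}
	}
	if len(out) > length || (len(out) < length && alphabet == "") {
		return "", fmt.Errorf("length %d and alphabet cannot satisfy the required counts", length)
	}
	for len(out) < length {
		out = append(out, alphabet[randInt(len(alphabet))])
	}
	for i := len(out) - 1; i > 0; i-- { // Fisher-Yates shuffle
		j := randInt(i + 1)
		out[i], out[j] = out[j], out[i]
	}
	return string(out), nil
}

func main() {
	s, err := Generate(20, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", []Required{{1, "0123456789"}, {2, "@!#$%^&*()_+-=:;<>,./?"}})
	fmt.Println(len(s), err) // print the length only, never the secret itself
}
```

The sum of the required counts must not exceed length, which is why a policy such as length = 2 with the two required entries above is rejected instead of being silently weakened.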