AWS Secrets Manager Secret Version
This page shows how to write Terraform and CloudFormation for Secrets Manager Secret Version and write them securely.
aws_secretsmanager_secret_version (Terraform)
The Secret Version in Secrets Manager can be configured in Terraform with the resource name aws_secretsmanager_secret_version. The following sections describe one example of how to use the resource and its parameters.
Example Usage from GitHub
resource "aws_secretsmanager_secret_version" "string_secret" {
  count         = var.type == "string" ? 1 : 0
  secret_id     = aws_secretsmanager_secret.secret.id
  secret_string = var.value
}
Parameters
arn: optional computed - string
id: optional computed - string
secret_binary: optional - string
secret_id: required - string
secret_string: optional - string
version_id: optional computed - string
version_stages: optional computed - set of string
Explanation in Terraform Registry
Provides a resource to manage AWS Secrets Manager secret version including its secret value. To manage secret metadata, see the aws_secretsmanager_secret resource.
NOTE: If the AWSCURRENT staging label is present on this version during resource deletion, that label cannot be removed and will be skipped to prevent errors when fully deleting the secret. That label will leave this secret version active even after the resource is deleted from Terraform unless the secret itself is deleted. Move the AWSCURRENT staging label before or after deleting this resource from Terraform to fully trigger version deprecation if necessary.
AWS::SecretsManager::Secret GenerateSecretString (CloudFormation)
The Secret GenerateSecretString in SecretsManager can be configured in CloudFormation with the resource name AWS::SecretsManager::Secret GenerateSecretString. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
An example could not be found in GitHub.
Parameters
ExcludeCharacters
A string of the characters that you don't want in the password.
Required: No
Type: String
Minimum: 0
Maximum: 4096
Update requires: No interruption
ExcludeLowercase
Specifies whether to exclude lowercase letters from the password. If you don't include this switch, the password can contain lowercase letters.
Required: No
Type: Boolean
Update requires: No interruption
ExcludeNumbers
Specifies whether to exclude numbers from the password. If you don't include this switch, the password can contain numbers.
Required: No
Type: Boolean
Update requires: No interruption
ExcludePunctuation
Specifies whether to exclude the following punctuation characters from the password: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~. If you don't include this switch, the password can contain punctuation.
Required: No
Type: Boolean
Update requires: No interruption
ExcludeUppercase
Specifies whether to exclude uppercase letters from the password. If you don't include this switch, the password can contain uppercase letters.
Required: No
Type: Boolean
Update requires: No interruption
GenerateStringKey
The JSON key name for the key/value pair, where the value is the generated password. This pair is added to the JSON structure specified by the SecretStringTemplate parameter. If you specify this parameter, then you must also specify SecretStringTemplate.
Required: No
Type: String
Update requires: No interruption
IncludeSpace
Specifies whether to exclude the space character. If you don't include this switch, the password can contain space characters.
Required: No
Type: Boolean
Update requires: No interruption
PasswordLength
The length of the password. If you don't include this parameter, the default length is 32 characters.
Required: No
Type: Integer
Update requires: No interruption
RequireEachIncludedType
Specifies whether to include at least one of every allowed character type. If you don't include this switch, the password contains at least one of every character type.
Required: No
Type: Boolean
Update requires: No interruption
SecretStringTemplate
A template that the generated string must match.
Required: No
Type: String
Update requires: No interruption
Explanation in CloudFormation Registry
Generates a random password. We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.
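The parameters above combined in one template, as an added example that is not taken from this page or from the AWS documentation. The logical ID, secret name, username and excluded characters are assumptions made for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Secret whose password is generated by Secrets Manager (constructed example)

Resources:
  AppDbSecret:                          # hypothetical logical ID
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/app-db-credentials  # constructed name
      Description: Credentials for the example application database
      GenerateSecretString:
        # JSON skeleton that the generated value is merged into.
        # Required because GenerateStringKey is set below.
        SecretStringTemplate: '{"username": "app_user"}'
        # Key under which the generated password is stored, giving
        # {"username": "app_user", "password": "<generated>"}
        GenerateStringKey: password
        # 32 is also the default; raise it to the longest value the
        # consuming system accepts, as the registry text recommends.
        PasswordLength: 32
        # Keep every character class enabled and require one of each.
        ExcludeLowercase: false
        ExcludeUppercase: false
        ExcludeNumbers: false
        ExcludePunctuation: false
        RequireEachIncludedType: true
        # Characters the consuming system is assumed to reject.
        # Single quotes keep the backslash literal in YAML.
        ExcludeCharacters: '"@/\'

Outputs:
  SecretArn:
    Description: ARN of the secret (the secret value itself is never output)
    Value: !Ref AppDbSecret             # Ref returns the secret ARN
```

Because the password is generated inside Secrets Manager, the plaintext never appears in the template, in stack parameters or in version control.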
Frequently asked questions
What is AWS Secrets Manager Secret Version?
AWS Secrets Manager Secret Version is a resource for Secrets Manager of Amazon Web Services. Settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS Secrets Manager Secret Version?
For Terraform, the commitdev/terraform-aws-zero source code example is useful. See the Terraform Example section for further details.