AWS Secrets Manager Secret Version

This page shows how to write Terraform and CloudFormation for a Secrets Manager Secret Version, and how to write them securely.

aws_secretsmanager_secret_version (Terraform)

The Secret Version in Secrets Manager can be configured in Terraform with the resource name aws_secretsmanager_secret_version. The following sections describe one example of how to use the resource and its parameters.

Example Usage from GitHub

main.tf#L8
resource "aws_secretsmanager_secret_version" "string_secret" {
  # Only create this version when the module is asked for a plain string secret.
  count         = var.type == "string" ? 1 : 0
  # The secret whose metadata is managed by the separate aws_secretsmanager_secret resource.
  secret_id     = aws_secretsmanager_secret.secret.id
  # The secret value itself; it is stored in Terraform state, so protect the state backend.
  secret_string = var.value
}

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

Explanation in Terraform Registry

Provides a resource to manage AWS Secrets Manager secret version including its secret value. To manage secret metadata, see the aws_secretsmanager_secret resource.

NOTE: If the AWSCURRENT staging label is present on this version during resource deletion, that label cannot be removed and will be skipped to prevent errors when fully deleting the secret. That label will leave this secret version active even after the resource is deleted from Terraform unless the secret itself is deleted. Move the AWSCURRENT staging label before or after deleting this resource from Terraform to fully trigger version deprecation if necessary.

AWS::SecretsManager::Secret GenerateSecretString (CloudFormation)

The Secret GenerateSecretString in Secrets Manager can be configured in CloudFormation as the GenerateSecretString property of the AWS::SecretsManager::Secret resource. The following sections describe how to use the property and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Parameters

ExcludeCharacters A string of the characters that you don't want in the password.
Required: No
Type: String
Minimum: 0
Maximum: 4096
Update requires: No interruption

ExcludeLowercase Specifies whether to exclude lowercase letters from the password. If you don't include this switch, the password can contain lowercase letters.
Required: No
Type: Boolean
Update requires: No interruption

ExcludeNumbers Specifies whether to exclude numbers from the password. If you don't include this switch, the password can contain numbers.
Required: No
Type: Boolean
Update requires: No interruption

ExcludePunctuation Specifies whether to exclude the following punctuation characters from the password: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~. If you don't include this switch, the password can contain punctuation.
Required: No
Type: Boolean
Update requires: No interruption

ExcludeUppercase Specifies whether to exclude uppercase letters from the password. If you don't include this switch, the password can contain uppercase letters.
Required: No
Type: Boolean
Update requires: No interruption

GenerateStringKey The JSON key name for the key/value pair, where the value is the generated password. This pair is added to the JSON structure specified by the SecretStringTemplate parameter. If you specify this parameter, then you must also specify SecretStringTemplate.
Required: No
Type: String
Update requires: No interruption

IncludeSpace Specifies whether to exclude the space character. If you don't include this switch, the password can contain space characters.
Required: No
Type: Boolean
Update requires: No interruption

PasswordLength The length of the password. If you don't include this parameter, the default length is 32 characters.
Required: No
Type: Integer
Update requires: No interruption

RequireEachIncludedType Specifies whether to include at least one of every allowed character type. If you don't include this switch, the password contains at least one of every character type.
Required: No
Type: Boolean
Update requires: No interruption

SecretStringTemplate A template that the generated string must match.
Required: No
Type: String
Update requires: No interruption

Explanation in CloudFormation Registry

Generates a random password. We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.
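The parameter list above notes that GenerateStringKey and SecretStringTemplate must be specified together, and the registry text recommends the maximum length with every supported character type. The following template is an added example, not taken from the page or from any GitHub project; the resource name, secret name, username and excluded characters are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example: Secrets Manager generates the password itself, so no
  plaintext value passes through the template, its parameters or a
  deployment pipeline. Names and values are constructed for illustration.

Resources:
  # Hypothetical database credential. The username is ordinary template
  # data; the password is generated at creation time and never appears here.
  AppDbCredentials:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/app/db-credentials   # constructed name
      Description: Generated credentials for the example application database
      GenerateSecretString:
        # SecretStringTemplate carries the static part of the JSON document.
        # GenerateStringKey names the key that receives the generated value;
        # the two must be set together.
        SecretStringTemplate: '{"username": "app_user"}'
        GenerateStringKey: password
        # Registry guidance: maximum length the consumer supports and at
        # least one of every allowed character type. 32 is also the default.
        PasswordLength: 32
        RequireEachIncludedType: true
        # Assumption: the target database cannot accept these three
        # characters, so only they are excluded rather than all punctuation
        # (leaving ExcludePunctuation unset keeps the rest available).
        ExcludeCharacters: '"@/\'
        # IncludeSpace is left unset, so the password contains no spaces.
      Tags:
        - Key: managed-by
          Value: cloudformation

Outputs:
  SecretArn:
    Description: Consumers should reference the ARN and read the value at runtime
    Value: !Ref AppDbCredentials
```

The resulting SecretString is the template JSON with a "password" key added, for example {"username": "app_user", "password": "<generated>"}; applications retrieve it with GetSecretValue rather than receiving it as a stack parameter or output.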

Frequently asked questions

What is AWS Secrets Manager Secret Version?

AWS Secrets Manager Secret Version is a resource for Secrets Manager of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS Secrets Manager Secret Version?

For Terraform, the commitdev/terraform-aws-zero source code example is useful. See the Terraform Example section for further details.