Secret Manager Secrets

gcp-secret-manager

A Secret Manager secret with a chosen replication policy (Google-managed automatic by default, or user-managed regions with optional CMEK for data-residency), an optional initial version that prefers the write-only path so the value never touches state, optional expiry and rotation notifications, and least-privilege accessor IAM. Works with Terraform and OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.

Status: static-validated, live-test pending. Ships under live-test quarantine — validated with tofu fmt, tofu validate, and tflint. Real apply → verify → destroy against a GCP project is pending a cloud sandbox.

Secure defaults

• No initial version by default — the value is set out of band (a controller / gcloud), so Terraform never owns plaintext.
• Write-only seeding when you do seed — secret_data_wo (Terraform 1.11+) pushes a value that is never persisted to state; the state-stored secret_data path is available but discouraged, and the two are mutually exclusive (enforced as a precondition).
• Least-privilege accessor IAM — accessor_members are granted exactly roles/secretmanager.secretAccessor (read-only) on this one secret, via additive google_secret_manager_secret_iam_member bindings.
• CMEK-capable — user-managed replicas can be encrypted with your own KMS key (replica_kms_key_name); a precondition rejects CMEK with automatic replication, which uses Google-managed keys.
• Recovery window — version_destroy_ttl keeps destroyed versions recoverable for a grace period.
• Rotation is notification-only — Secret Manager pings a Pub/Sub topic on schedule (a precondition requires notification_topics when rotation is set); an external rotator mints the new value.

Requirements

• Terraform or OpenTofu >= 1.6
• hashicorp/google >= 7.0, < 8.0

License

Commercial — LicenseRef-IaCBazaar-Commercial.