IaC Bazaar
Google Cloud · Plan-validated

Secret Manager Secrets

Secrets with versions, replication policy, rotation schedules, expiry and accessor IAM.

terraform · GCP · #gcp


gcp-secret-manager · terraform · v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • No applicable security policies for this provider
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28 · how we verify

Documentation

gcp-secret-manager

A Secret Manager secret with a chosen replication policy (Google-managed automatic by default, or user-managed regions with optional CMEK for data-residency), an optional initial version that prefers the write-only path so the value never touches state, optional expiry and rotation notifications, and least-privilege accessor IAM. Works with Terraform and OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.

Status: static-validated, live-test pending. Ships under live-test quarantine — validated with tofu fmt, tofu validate, and tflint. Real apply → verify → destroy against a GCP project is pending a cloud sandbox.

Secure defaults

  • No initial version by default — the value is set out of band (a controller / gcloud), so Terraform never owns plaintext.
  • Write-only seeding when you do seed: secret_data_wo (Terraform 1.11+) pushes a value that is never persisted to state; the state-stored secret_data path is available but discouraged, and the two are mutually exclusive (enforced as a precondition).
  • Least-privilege accessor IAM: accessor_members are granted exactly roles/secretmanager.secretAccessor (read-only) on this one secret, via additive google_secret_manager_secret_iam_member bindings.
  • CMEK-capable — user-managed replicas can be encrypted with your own KMS key (replica_kms_key_name); a precondition rejects CMEK with automatic replication, which uses Google-managed keys.
  • Recovery window: version_destroy_ttl keeps destroyed versions recoverable for a grace period.
  • Rotation is notification-only — Secret Manager pings a Pub/Sub topic on schedule (a precondition requires notification_topics when rotation is set); an external rotator mints the new value.
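The following configuration is an illustrative example of the pattern the list above describes, written for this listing; it is not the module's own code (that ships with the licence). The names secret_data_wo, secret_data, replica_kms_key_name, accessor_members and version_destroy_ttl come from the listing; seed_mode, replica_locations, the sample secret name and the TTL value are assumptions. It assumes Terraform or OpenTofu 1.11+ (ephemeral variables and write-only arguments) and a hashicorp/google release in the listing's >= 7.0, < 8.0 range, where google_secret_manager_secret_version exposes the write-only secret_data_wo argument. It covers replication with optional CMEK, the two seeding paths with their mutual-exclusion precondition, and the accessor IAM binding; the rotation schedule and its notification_topics precondition are not included.

```hcl
# Seeding mode: "none" (default), "write_only" (preferred) or "state" (discouraged).
variable "seed_mode" {
  type    = string
  default = "none"
  validation {
    condition     = contains(["none", "write_only", "state"], var.seed_mode)
    error_message = "seed_mode must be none, write_only or state."
  }
}
variable "secret_data_wo" { # ephemeral: never lands in plan or state
  type      = string
  default   = null
  ephemeral = true
}
variable "secret_data" { # state-stored alternative, kept for compatibility
  type      = string
  default   = null
  sensitive = true
}
variable "replica_locations" { # empty => Google-managed automatic replication (assumed input name)
  type    = list(string)
  default = []
}
variable "replica_kms_key_name" { # CMEK, valid only with user-managed replicas
  type    = string
  default = null
}
variable "accessor_members" { # e.g. "serviceAccount:app@PROJECT.iam.gserviceaccount.com"
  type    = set(string)
  default = []
}

locals { automatic = length(var.replica_locations) == 0 }

resource "google_secret_manager_secret" "this" {
  secret_id           = "example-secret" # constructed sample name
  version_destroy_ttl = "86400s"         # destroyed versions stay recoverable for a day

  replication {
    dynamic "auto" {
      for_each = local.automatic ? [1] : []
      content {}
    }
    dynamic "user_managed" {
      for_each = local.automatic ? [] : [1]
      content {
        dynamic "replicas" {
          for_each = var.replica_locations
          content {
            location = replicas.value
            dynamic "customer_managed_encryption" {
              for_each = var.replica_kms_key_name == null ? [] : [1]
              content { kms_key_name = var.replica_kms_key_name }
            }
          }
        }
      }
    }
  }

  lifecycle {
    precondition {
      condition     = !local.automatic || var.replica_kms_key_name == null
      error_message = "replica_kms_key_name requires user-managed replication; automatic replication uses Google-managed keys."
    }
  }
}

resource "google_secret_manager_secret_version" "seed" {
  count  = var.seed_mode == "none" ? 0 : 1
  secret = google_secret_manager_secret.this.id
  # Write-only argument: sent to the API on create/update, never persisted in state.
  secret_data_wo = var.seed_mode == "write_only" ? var.secret_data_wo : null
  secret_data    = var.seed_mode == "state" ? var.secret_data : null

  lifecycle {
    precondition {
      condition     = !(var.seed_mode == "write_only" && var.secret_data != null)
      error_message = "The write-only and state-stored seeding paths are mutually exclusive."
    }
  }
}

# Additive, read-only binding scoped to this single secret.
resource "google_secret_manager_secret_iam_member" "accessor" {
  for_each  = var.accessor_members
  secret_id = google_secret_manager_secret.this.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = each.value
}
```

With seed_mode left at "none", no version resource is planned and the value is set out of band, which is the default the listing describes. The write-only path only protects state: the plaintext still has to reach Terraform at apply time, so supply secret_data_wo from an ephemeral source (an environment variable or a -var on the apply invocation) rather than a committed tfvars file.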

Requirements

  • Terraform or OpenTofu >= 1.6
  • hashicorp/google >= 7.0, < 8.0

License

Commercial — LicenseRef-IaCBazaar-Commercial.

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
