» openstack_keymanager_secret_v1

Manages a V1 Barbican secret resource within OpenStack.

» Example Usage

» Simple secret

resource "openstack_keymanager_secret_v1" "secret_1" {
  algorithm            = "aes"
  bit_length           = 256
  mode                 = "cbc"
  name                 = "mysecret"
  payload              = "foobar"
  payload_content_type = "text/plain"
  secret_type          = "passphrase"

  metadata = {
    key = "foo"

» Secret with whitespaces

resource "openstack_keymanager_secret_v1" "secret_1" {
  name                     = "password"
  payload                  = "${base64encode("password with the whitespace at the end ")}"
  secret_type              = "passphrase"
  payload_content_type     = "application/octet-stream"
  payload_content_encoding = "base64"

» Secret with the expiration date

resource "openstack_keymanager_secret_v1" "secret_1" {
  name                 = "certificate"
  payload              = "${file("certificate.pem")}"
  secret_type          = "certificate"
  payload_content_type = "text/plain"
  expiration           = "${timeadd(timestamp(), format("%dh", 8760))}" # one year in hours

  lifecycle {
    ignore_changes = [

» Argument Reference

The following arguments are supported:

  • region - (Optional) The region in which to obtain the V1 KeyManager client. A KeyManager client is needed to create a secret. If omitted, the region argument of the provider is used. Changing this creates a new V1 secret.

  • name - (Optional) Human-readable name for the Secret. Does not have to be unique.

  • bit_length - (Optional) Metadata provided by a user or system for informational purposes.

  • algorithm - (Optional) Metadata provided by a user or system for informational purposes.

  • mode - (Optional) Metadata provided by a user or system for informational purposes.

  • secret_type - (Optional) Used to indicate the type of secret being stored. For more information see Secret types.

  • payload - (Optional) The secret's data to be stored. payload_content_type must also be supplied if payload is included.

  • payload_content_type - (Optional) (required if payload is included) The media type for the content of the payload. Must be one of text/plain, text/plain;charset=utf-8, text/plain; charset=utf-8, application/octet-stream, application/pkcs8.

  • payload_content_encoding - (Optional) (required if payload is encoded) The encoding used for the payload to be able to include it in the JSON request. Must be either base64 or binary.

  • expiration - (Optional) The expiration time of the secret in the RFC3339 timestamp format (e.g. 2019-03-09T12:58:49Z). If omitted, a secret will never expire. Changing this creates a new secret.

  • metadata - (Optional) Additional Metadata for the secret.

» Attributes Reference

The following attributes are exported:

» Import

Secrets can be imported using the secret id (the last part of the secret reference), e.g.:

$ terraform import openstack_keymanager_secret_v1.secret_1 8a7a79c2-cf17-4e65-b2ae-ddc8bfcf6c74