Secrets Manager

The Secrets Manager data source provides information about a Secrets Manager secret version, including its value and metadata.

Basic examples of usage:

data "googlecompute-secretsmanager" "basic-example" {
  project_id = "debian-cloud"
  name       = "packer_test_secret"
  key        = "packer_test_key"
}

# usage example of the data source output
locals {
  value = data.googlecompute-secretsmanager.basic-example.value
  payload = data.googlecompute-secretsmanager.basic-example.payload
}

Reading key-value pairs from JSON back into a native Packer map can be accomplished with the jsondecode() function.

Configuration Reference

Required

• project_id (string) - The Google Cloud project ID where the secret is stored.

• name (string) - The name of the secret in the secret manager.

Optional

• key (string) - The key to extract from the secret payload. If not provided, the entire payload will be returned.

• version (string) - The version of the secret to access. Defaults to "latest" if not specified.

• universe_domain (string) - Specify the GCP universe to deploy in. The default is "googleapis.com".

• custom_endpoints (map[string]string) - Custom service endpoints, typically used to configure the Google provider to communicate with GCP-like APIs such as the Cloud Functions emulator. Supported keys are secretmanager.

  Example: custom_endpoints = { secretmanager = "https://{your-endpoint}/" }

Output Data

• payload (string) - The raw string payload of the secret version.

• value (string) - The value extracted using the 'key', if provided.

• checksum (int64) - The crc32c checksum for the payload.

Authentication

To authenticate with GCE, this data-source supports everything the plugin does. To get more information on this, refer to the plugin's description page, under the authentication section.