AWSAWS Secrets Manageraws_secretsmanager_secret_versionPro

How to Import an AWS Secrets Manager Secret Version into Terraform

To import an existing AWS Secrets Manager Secret Version into Terraform, scan it with Terraback and run terraback aws import --method bulk. Terraback writes the matching aws_secretsmanager_secret_version resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is the secret ID and version ID joined by a pipe, SECRET-ID|VERSION-ID (for example, arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-AbCdEf|EXAMPLE1-90ab-cdef-fab1-2b88EXAMPLE).

Import AWS Secrets Manager Secret Version with Terraback (recommended)

Terraback reverse-engineers your live infrastructure: it reads the AWS Secrets Manager resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live AWS Secrets Manager Secret Version to managed Terraform.

1

Scan your AWS account

terraback scan all aws --region us-east-1
2

Generate import blocks and import into state

terraback aws import --method bulk

The Terraform import block

Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.

import {
  to = aws_secretsmanager_secret_version.db
  id = "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-AbCdEf|EXAMPLE1-90ab-cdef-fab1-2b88EXAMPLE"
}

Example aws_secretsmanager_secret_version configuration

Here is a realistic AWS Secrets Manager Secret Version block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.

resource "aws_secretsmanager_secret_version" "db" {
  secret_id     = "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-AbCdEf"
  secret_string = jsonencode({ username = "app", password = "CHANGE_ME" })

  lifecycle {
    ignore_changes = [secret_string, secret_binary]
  }
}

Gotchas when importing a AWS Secrets Manager Secret Version

  • The import ID is SECRET-ID|VERSION-ID joined with a pipe character, not a slash.
  • Terraform cannot read the actual secret value on import; Terraback writes a CHANGE_ME placeholder, so set the real value or keep ignore_changes on secret_string.
  • The version is a sub-resource of aws_secretsmanager_secret; import or declare the parent secret first and reference it via secret_id.
  • Putting plaintext secret_string in HCL leaks it into state and version control; prefer ignore_changes or source the value from a secure variable.

Doing it manually with terraform import

The native approach is to write the aws_secretsmanager_secret_version block by hand, then run terraform import aws_secretsmanager_secret_version.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.

Import your whole AWS account in minutes

Terraback scans 80+ AWS resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.