--- title: Getting Started with Datadog description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: Docs > Infrastructure > Datadog Resource Catalog --- # gcp_secretmanager_secret{% #gcp_secretmanager_secret %} ## `ancestors`{% #ancestors %} **Type**: `UNORDERED_LIST_STRING` ## `annotations`{% #annotations %} **Type**: `MAP_STRING_STRING`**Provider name**: `annotations`**Description**: Optional. Custom metadata about the secret. Annotations are distinct from various forms of labels. Annotations exist to allow client tools to store their own state information without requiring a database. Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and may have dashes (-), underscores (_), dots (.), and alphanumerics in between these symbols. The total size of annotation keys and values must be less than 16KiB. ## `create_time`{% #create_time %} **Type**: `TIMESTAMP`**Provider name**: `createTime`**Description**: Output only. The time at which the Secret was created. ## `customer_managed_encryption`{% #customer_managed_encryption %} **Type**: `STRUCT`**Provider name**: `customerManagedEncryption`**Description**: Optional. The customer-managed encryption configuration of the regionalized secrets. If no configuration is provided, Google-managed default encryption is used. Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions. - `kms_key_name`**Type**: `STRING`**Provider name**: `kmsKeyName`**Description**: Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads. For secrets using the UserManaged replication policy type, Cloud KMS CryptoKeys must reside in the same location as the replica location. For secrets using the Automatic replication policy type, Cloud KMS CryptoKeys must reside in `global`. The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`. ## `etag`{% #etag %} **Type**: `STRING`**Provider name**: `etag`**Description**: Optional. Etag of the currently stored Secret. ## `expire_time`{% #expire_time %} **Type**: `TIMESTAMP`**Provider name**: `expireTime`**Description**: Optional. Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input. ## `labels`{% #labels %} **Type**: `UNORDERED_LIST_STRING` ## `name`{% #name %} **Type**: `STRING`**Provider name**: `name`**Description**: Output only. The resource name of the Secret in the format `projects/*/secrets/*`. ## `organization_id`{% #organization_id %} **Type**: `STRING` ## `parent`{% #parent %} **Type**: `STRING` ## `project_id`{% #project_id %} **Type**: `STRING` ## `project_number`{% #project_number %} **Type**: `STRING` ## `region_id`{% #region_id %} **Type**: `STRING` ## `replication`{% #replication %} **Type**: `STRUCT`**Provider name**: `replication`**Description**: Optional. Immutable. The replication policy of the secret data attached to the Secret. The replication policy cannot be changed after the Secret has been created. - `automatic`**Type**: `STRUCT`**Provider name**: `automatic`**Description**: The Secret will automatically be replicated without any restrictions. - `customer_managed_encryption`**Type**: `STRUCT`**Provider name**: `customerManagedEncryption`**Description**: Optional. The customer-managed encryption configuration of the Secret. If no configuration is provided, Google-managed default encryption is used. Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions. - `kms_key_name`**Type**: `STRING`**Provider name**: `kmsKeyName`**Description**: Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads. For secrets using the UserManaged replication policy type, Cloud KMS CryptoKeys must reside in the same location as the replica location. For secrets using the Automatic replication policy type, Cloud KMS CryptoKeys must reside in `global`. The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`. - `user_managed`**Type**: `STRUCT`**Provider name**: `userManaged`**Description**: The Secret will only be replicated into the locations specified. - `replicas`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `replicas`**Description**: Required. The list of Replicas for this Secret. Cannot be empty. - `customer_managed_encryption`**Type**: `STRUCT`**Provider name**: `customerManagedEncryption`**Description**: Optional. The customer-managed encryption configuration of the User-Managed Replica. If no configuration is provided, Google-managed default encryption is used. Updates to the Secret encryption configuration only apply to SecretVersions added afterwards. They do not apply retroactively to existing SecretVersions. - `kms_key_name`**Type**: `STRING`**Provider name**: `kmsKeyName`**Description**: Required. The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads. For secrets using the UserManaged replication policy type, Cloud KMS CryptoKeys must reside in the same location as the replica location. For secrets using the Automatic replication policy type, Cloud KMS CryptoKeys must reside in `global`. The expected format is `projects/*/locations/*/keyRings/*/cryptoKeys/*`. - `location`**Type**: `STRING`**Provider name**: `location`**Description**: The canonical IDs of the location to replicate data. For example: `"us-east1"`. ## `resource_name`{% #resource_name %} **Type**: `STRING` ## `rotation`{% #rotation %} **Type**: `STRUCT`**Provider name**: `rotation`**Description**: Optional. Rotation policy attached to the Secret. May be excluded if there is no rotation policy. - `next_rotation_time`**Type**: `TIMESTAMP`**Provider name**: `nextRotationTime`**Description**: Optional. Timestamp in UTC at which the Secret is scheduled to rotate. Cannot be set to less than 300s (5 min) in the future and at most 3153600000s (100 years). next_rotation_time MUST be set if rotation_period is set. - `rotation_period`**Type**: `STRING`**Provider name**: `rotationPeriod`**Description**: Input only. The Duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years). If rotation_period is set, next_rotation_time must be set. next_rotation_time will be advanced by this period when the service automatically sends rotation notifications. ## `tags`{% #tags %} **Type**: `UNORDERED_LIST_STRING` ## `topics`{% #topics %} **Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `topics`**Description**: Optional. A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions. - `name`**Type**: `STRING`**Provider name**: `name`**Description**: Identifier. The resource name of the Pub/Sub topic that will be published to, in the following format: `projects/*/topics/*`. For publication to succeed, the Secret Manager service agent must have the `pubsub.topic.publish` permission on the topic. The Pub/Sub Publisher role (`roles/pubsub.publisher`) includes this permission. ## `ttl`{% #ttl %} **Type**: `STRING`**Provider name**: `ttl`**Description**: Input only. The TTL for the Secret. ## `version_destroy_ttl`{% #version_destroy_ttl %} **Type**: `STRING`**Provider name**: `versionDestroyTtl`**Description**: Optional. Secret Version TTL after destruction request This is a part of the Delayed secret version destroy feature. For secret with TTL>0, version destruction doesn't happen immediately on calling destroy instead the version goes to a disabled state and destruction happens after the TTL expires. ## `zone_id`{% #zone_id %} **Type**: `STRING`