Secrets Manager Resources

Use Secrets Manager resources to manage secret groups, certificates, keystores, truststores, shared secrets, and TLS contexts in Anypoint Platform.

These resources support declarative secrets and TLS configuration management for managed gateways and related infrastructure components.

anypoint_secret_group

Use the anypoint_secret_group resource to manage secret groups in Anypoint Secrets Manager.

Example

resource "anypoint_secret_group" "example" {
  environment_id = var.environment_id
  name           = "terraform-secrets"
  downloadable   = false
}

Key Arguments

  • environment_id - Environment ID where the secret group is created.

  • name - Name of the secret group.

  • organization_id - Organization ID. If omitted, the provider infers it from the connected app credentials.

  • downloadable - Indicates whether secrets in the group can be downloaded.

Read-Only Attributes

  • id - Unique identifier of the secret group.

  • current_state - Current state of the secret group.

Import

terraform import anypoint_secret_group.example organization_id/environment_id/secret_group_id

anypoint_secret_group_certificate

Use the anypoint_secret_group_certificate resource to manage certificates within a secret group.

This resource supports PEM, JKS, PKCS12, and JCEKS certificate formats.

Example

resource "anypoint_secret_group_certificate" "example" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "my-certificate"
  type            = "PEM"

  certificate_base64 = base64encode(file("${path.module}/certs/cert.pem"))
}

Key Arguments

  • environment_id - Environment ID.

  • secret_group_id - Secret group ID associated with the certificate.

  • name - Name of the certificate.

  • certificate_base64 - Base64-encoded certificate content.

  • type - Certificate format. Supported values are PEM, JKS, PKCS12, and JCEKS.

  • organization_id - Organization ID. If omitted, the provider infers it from the connected app credentials.

Read-Only Attributes

  • id - Unique identifier of the certificate.

  • expiration_date - Expiration date of the certificate.

  • algorithm - Signature algorithm of the certificate.

Import

terraform import anypoint_secret_group_certificate.example organization_id/environment_id/secret_group_id/certificate_id

anypoint_secret_group_certificate_pinset

Use the anypoint_secret_group_certificate_pinset resource to manage certificate pinsets within a secret group.

Certificate pinsets support certificate pinning validation workflows.

Example

resource "anypoint_secret_group_certificate_pinset" "example" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "my-cert-pinset"

  certificate_pinset_base64 = base64encode(file("${path.module}/certs/cert.pem"))
}

Key Arguments

  • environment_id - Environment ID.

  • secret_group_id - Secret group ID associated with the certificate pinset.

  • name - Name of the certificate pinset.

  • certificate_pinset_base64 - Base64-encoded certificate file content.

  • organization_id - Organization ID. If omitted, the provider infers it from the connected app credentials.

Read-Only Attributes

  • id - Unique identifier of the certificate pinset.

  • expiration_date - Expiration date of the pinned certificate.

  • algorithm - Signature algorithm of the pinned certificate.

Import

terraform import anypoint_secret_group_certificate_pinset.example organization_id/environment_id/secret_group_id/certificate_pinset_id

anypoint_secret_group_keystore

Use the anypoint_secret_group_keystore resource to manage keystores within a secret group.

This resource supports PEM, JKS, PKCS12, and JCEKS formats.

Example

resource "anypoint_secret_group_keystore" "pem" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "tls-pem-keystore"
  type            = "PEM"

  certificate_base64 = base64encode(file("${path.module}/certs/cert.pem"))
  key_base64         = base64encode(file("${path.module}/certs/key.pem"))
}

Key Arguments

  • environment_id - Environment ID.

  • secret_group_id - Secret group ID associated with the keystore.

  • name - Name of the keystore.

  • type - Keystore format. Supported values are PEM, JKS, PKCS12, and JCEKS.

  • certificate_base64 - Base64-encoded certificate content.

  • key_base64 - Base64-encoded private key content.

  • keystore_file_base64 - Base64-encoded keystore file content.

  • passphrase - Passphrase for the keystore.

  • alias - Alias within the keystore.

  • ca_path_base64 - Base64-encoded CA certificate chain.

  • organization_id - Organization ID. If omitted, the provider infers it from the connected app credentials.

Read-Only Attributes

  • id - Unique identifier of the keystore.

  • expiration_date - Expiration date of the certificate in the keystore.

  • algorithm - Signature algorithm of the certificate.

Import

terraform import anypoint_secret_group_keystore.example organization_id/environment_id/secret_group_id/keystore_id

anypoint_secret_group_shared_secret

Use the anypoint_secret_group_shared_secret resource to manage shared secrets within a secret group.

This resource supports UsernamePassword, S3Credential, SymmetricKey, and Blob secret types.

Example

resource "anypoint_secret_group_shared_secret" "db_creds" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "db-credentials"
  type            = "UsernamePassword"

  username = "admin"
  password = var.db_password
}

Key Arguments

  • environment_id - Environment ID.

  • secret_group_id - Secret group ID associated with the shared secret.

  • name - Name of the shared secret.

  • type - Shared secret type. Supported values are UsernamePassword, S3Credential, SymmetricKey, and Blob.

  • expiration_date - Optional expiration date for the secret.

  • username - Username for UsernamePassword secrets.

  • password - Password for UsernamePassword secrets.

  • access_key_id - AWS access key ID for S3Credential secrets.

  • secret_access_key - AWS secret access key for S3Credential secrets.

  • key - Base64-encoded symmetric key for SymmetricKey secrets.

  • content - Secret content for Blob secrets.

  • organization_id - Organization ID. If omitted, the provider infers it from the connected app credentials.

Read-Only Attributes

  • id - Unique identifier of the shared secret.

Import

terraform import anypoint_secret_group_shared_secret.example organization_id/environment_id/secret_group_id/shared_secret_id

anypoint_secret_group_truststore

Use the anypoint_secret_group_truststore resource to manage truststores within a secret group.

This resource supports PEM, JKS, PKCS12, and JCEKS truststore formats.

Example

resource "anypoint_secret_group_truststore" "pem" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "ca-truststore"
  type            = "PEM"

  truststore_base64 = base64encode(file("${path.module}/certs/truststore.pem"))
}

Key Arguments

  • environment_id - Environment ID.

  • secret_group_id - Secret group ID associated with the truststore.

  • name - Name of the truststore.

  • truststore_base64 - Base64-encoded truststore content.

  • type - Truststore format. Supported values are PEM, JKS, PKCS12, and JCEKS.

  • passphrase - Passphrase for the truststore.

  • organization_id - Organization ID. If omitted, the provider infers it from the connected app credentials.

Read-Only Attributes

  • id - Unique identifier of the truststore.

  • expiration_date - Expiration date of the certificate in the truststore.

  • algorithm - Signature algorithm of the certificate.

Import

terraform import anypoint_secret_group_truststore.example organization_id/environment_id/secret_group_id/truststore_id

anypoint_secret_group_tls_context

Use the anypoint_secret_group_tls_context resource to manage an Omni Gateway TLS context within a secret group in Anypoint Secrets Manager.

The target is automatically set to OmniGateway. The resource references the keystore and truststore by their IDs; the provider builds the internal path references (keystores/{id}, truststores/{id}) from those IDs automatically.

The Anypoint Secrets Manager API does not expose individual DELETE endpoints for sub-resources, so terraform destroy removes this resource from Terraform state only. The TLS context itself is deleted on the platform only when the parent anypoint_secret_group is destroyed.

Basic TLS Context Example

resource "anypoint_secret_group_tls_context" "example" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "omni-tls-context"

  keystore_id   = anypoint_secret_group_keystore.tls.id
  truststore_id = anypoint_secret_group_truststore.ca.id

  min_tls_version = "TLSv1.3"
  max_tls_version = "TLSv1.3"
  alpn_protocols  = ["h2", "http/1.1"]

  enable_client_cert_validation = false
  skip_server_cert_validation   = false
}

mTLS-Enabled TLS Context Example

resource "anypoint_secret_group_tls_context" "mtls" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "mtls-context"

  keystore_id   = anypoint_secret_group_keystore.tls.id
  truststore_id = anypoint_secret_group_truststore.ca.id

  min_tls_version = "TLSv1.3"
  max_tls_version = "TLSv1.3"
  alpn_protocols  = ["h2", "http/1.1"]

  enable_client_cert_validation = true
  skip_server_cert_validation   = false
}

Key Arguments

  • environment_id - (Required) Environment ID.

  • secret_group_id - (Required) Secret group ID that this TLS context belongs to.

  • name - (Required) Name of the TLS context.

  • organization_id - Organization ID. If omitted, the provider infers it from the connected app credentials.

  • keystore_id - ID of the keystore in the same secret group. Use anypoint_secret_group_keystore.example.id to reference it.

  • truststore_id - ID of the truststore in the same secret group. Use anypoint_secret_group_truststore.example.id to reference it.

  • min_tls_version - Minimum TLS version. Supported values are TLSv1.1, TLSv1.2, and TLSv1.3. Defaults to TLSv1.3.

  • max_tls_version - Maximum TLS version. Supported values are TLSv1.1, TLSv1.2, and TLSv1.3. Defaults to TLSv1.3.

  • alpn_protocols - ALPN protocol negotiation list. Supported values are h2 and http/1.1. Order determines preference: ["h2", "http/1.1"] prefers H2, ["http/1.1", "h2"] prefers HTTP/1.1.

  • cipher_suites - Allowed cipher suites. Empty list means use defaults.

  • enable_client_cert_validation - Enables mutual TLS client certificate validation (inbound). Defaults to false.

  • skip_server_cert_validation - Skips outbound server certificate validation. Defaults to false.
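
The arguments above are the ones a reviewer wants to gate before apply. The following added example (not part of the provider docs) reads the JSON emitted by `terraform show -json tfplan`, finds every planned anypoint_secret_group_tls_context and reports contexts that allow legacy TLS, skip outbound server certificate validation, or enable mTLS without a truststore; the plan excerpt and the truststore ID in it are constructed for the example.

```python
"""Policy check for anypoint_secret_group_tls_context resources in a Terraform plan.

Added example, not provider code. Input is the JSON from `terraform show -json tfplan`.
"""
import json

TLS_ORDER = {"TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}
RESOURCE_TYPE = "anypoint_secret_group_tls_context"


def check_tls_context(values: dict) -> list[str]:
    """Return policy findings for one TLS context's planned argument values."""
    findings = []
    min_v = values.get("min_tls_version") or "TLSv1.3"  # provider default per the docs
    if TLS_ORDER.get(min_v, 0) < TLS_ORDER["TLSv1.2"]:
        findings.append(f"min_tls_version {min_v} permits legacy TLS")
    if values.get("skip_server_cert_validation"):
        findings.append("skip_server_cert_validation=true disables outbound server cert checks")
    # truststore_id is also absent when it is unknown at plan time (reference to a
    # truststore not yet created), so treat this finding as a warning to re-check.
    if values.get("enable_client_cert_validation") and not values.get("truststore_id"):
        findings.append("mTLS enabled but no truststore_id to validate client certs against")
    return findings


def audit_plan(plan_json: str) -> dict[str, list[str]]:
    """Map each planned TLS context address to its findings (empty list = compliant)."""
    plan = json.loads(plan_json)
    results = {}
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res["type"] == RESOURCE_TYPE:
            results[res["address"]] = check_tls_context(res["values"])
    return results


# Constructed plan excerpt: one compliant context and one weakened context.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "anypoint_secret_group_tls_context.mtls", "type": RESOURCE_TYPE,
     "values": {"min_tls_version": "TLSv1.3", "max_tls_version": "TLSv1.3",
                "truststore_id": "TRUSTSTORE-ID-PLACEHOLDER",
                "enable_client_cert_validation": True,
                "skip_server_cert_validation": False}},
    {"address": "anypoint_secret_group_tls_context.legacy", "type": RESOURCE_TYPE,
     "values": {"min_tls_version": "TLSv1.1", "max_tls_version": "TLSv1.2",
                "enable_client_cert_validation": True,
                "skip_server_cert_validation": True}},
]}}})

if __name__ == "__main__":
    for address, findings in audit_plan(SAMPLE_PLAN).items():
        print(address, "OK" if not findings else "; ".join(findings))
```

Run it in CI against the real plan JSON and fail the pipeline when any address has findings.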

Read-Only Attributes

  • id - Unique identifier of the TLS context.

  • target - Target runtime for the TLS context. Always OmniGateway for this resource.

  • expiration_date - Expiration date of the TLS context.

Import

terraform import anypoint_secret_group_tls_context.example organization_id/environment_id/secret_group_id/tls_context_id