
Secrets Manager Resources

Use Secrets Manager resources to manage secret groups, certificates, keystores, truststores, shared secrets, and TLS contexts in Anypoint Platform.

These resources support declarative secrets and TLS configuration management for managed gateways and related infrastructure components.

anypoint_secret_group

Use the anypoint_secret_group resource to manage secret groups in Anypoint Secrets Manager.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Lifecycle: Deleting this resource also cascade-deletes all sub-resources on the platform (keystores, truststores, certificates, shared secrets, TLS contexts, certificate pinsets). Declare each sub-resource with a reference to the group (secret_group_id = anypoint_secret_group.example.id) so Terraform treats it as a dependent: on destroy, Terraform removes the sub-resources from state first (their own destroy is state-only, see the individual resources below) and then deletes the group, which removes them from the platform. Because a single destroy of the group wipes every secret inside it, consider lifecycle { prevent_destroy = true } on groups that hold production material.

Example Usage

resource "anypoint_secret_group" "example" {
  environment_id = var.environment_id
  name           = "terraform-secrets"
  downloadable   = false
}
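The dependency and destroy ordering described above, as an added example that is not part of the provider's documentation: a production secret group guarded with prevent_destroy, one dependent shared secret that references it, and a sensitive input variable. The variable names (environment_id, partner_api_token), the group and secret names, and the use of a Blob secret are assumptions made for the example.

```hcl
variable "environment_id" {
  type = string
}

variable "partner_api_token" {
  type      = string
  sensitive = true # redacted in plan/apply output, still written to state in plaintext
}

# Guard the parent: destroying it cascade-deletes every keystore, truststore,
# certificate, shared secret and TLS context inside it on the platform.
resource "anypoint_secret_group" "main" {
  environment_id = var.environment_id
  name           = "prod-gateway-secrets"
  downloadable   = false # nothing in this group needs to be exported from the platform

  lifecycle {
    prevent_destroy = true # terraform destroy fails instead of wiping the group
  }
}

# Referencing the group's id makes this a dependent: it is created after the
# group and removed from Terraform state before the group would be destroyed.
# Its own destroy is state-only; the platform copy goes away with the group.
resource "anypoint_secret_group_shared_secret" "partner_api_token" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "partner-api-token"
  type            = "Blob"

  content = var.partner_api_token
}
```

With prevent_destroy set, retiring the group is a deliberate two-step change (remove the lifecycle block, then destroy) rather than a side effect of a broader terraform destroy, and the sensitive variable keeps the token out of version control while the plan output stays readable.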

Required Arguments

  • environment_id - Environment ID where the secret group is created.

  • name - Name of the secret group.

Optional Arguments

  • organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.

  • downloadable - Whether the secrets in this group can be downloaded. Defaults to false. Leave it false unless a workflow genuinely needs to export secret material out of the platform.

Read-Only Attributes

  • id - Unique identifier of the secret group.

  • current_state - Current state of the secret group.

Import

An existing anypoint_secret_group can be imported using its composite ID: organization_id/environment_id/secret_group_id.

import {
  to = anypoint_secret_group.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>"
}

resource "anypoint_secret_group" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  name            = "<secret_group_name>"
  downloadable    = false
}

After adding the import block, run:

# If you did not write a resource block, let Terraform generate one from the imported resource:
terraform plan -generate-config-out=generated.tf

# If the resource block above already exists, review the plan and then apply the import:
terraform plan
terraform apply

Using the terraform import command (Terraform < 1.5; import blocks are preferred from 1.5 on)

terraform import anypoint_secret_group.imported <organization_id>/<environment_id>/<secret_group_id>

anypoint_secret_group_certificate

Use the anypoint_secret_group_certificate resource to manage certificates within a secret group in Anypoint Secrets Manager. Supports PEM, JKS, PKCS12, and JCEKS formats.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Delete behaviour: The Anypoint Secrets Manager API doesn’t expose individual DELETE endpoints for sub-resources. terraform destroy removes this resource from Terraform state only — the certificate is deleted on the platform when the parent anypoint_secret_group is destroyed.

Example Usage

resource "anypoint_secret_group_certificate" "example" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "my-certificate"
  type            = "PEM"

  certificate_base64 = base64encode(file("${path.module}/certs/cert.pem"))
}

Required Arguments

  • environment_id - Environment ID.

  • secret_group_id - Secret group ID that this certificate belongs to.

  • name - Name of the certificate.

  • certificate_base64 - (Sensitive) Base64-encoded certificate file content. For PEM: base64encode(file("cert.pem")). For binary: filebase64("cert.der").

Optional Arguments

  • organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.

  • type - Certificate format: PEM, JKS, PKCS12, or JCEKS. Defaults to PEM.

Read-Only Attributes

  • id - Unique identifier of the certificate.

  • expiration_date - Expiration date of the certificate.

  • algorithm - Signature algorithm of the certificate.

Import

An existing anypoint_secret_group_certificate can be imported using its composite ID: organization_id/environment_id/secret_group_id/certificate_id.

certificate_base64 is a write-only field and won’t be populated after import. Set it manually to avoid drift on the next plan. Because the provider never reads the content back, a certificate replaced outside Terraform is not reported as drift either; compare the read-only expiration_date and algorithm attributes if you need to detect that.

import {
  to = anypoint_secret_group_certificate.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>/<certificate_id>"
}

resource "anypoint_secret_group_certificate" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  secret_group_id = "<secret_group_id>"
  name            = "<certificate_name>"
  type            = "PEM"
}

After adding the import block, run:

# If you did not write a resource block, let Terraform generate one (certificate_base64 is write-only and must be added by hand):
terraform plan -generate-config-out=generated.tf

# If the resource block above already exists, review the plan and then apply the import:
terraform plan
terraform apply

Using the terraform import command (Terraform < 1.5; import blocks are preferred from 1.5 on)

terraform import anypoint_secret_group_certificate.imported <organization_id>/<environment_id>/<secret_group_id>/<certificate_id>

anypoint_secret_group_certificate_pinset

Use the anypoint_secret_group_certificate_pinset resource to manage certificate pinsets within a secret group in Anypoint Secrets Manager. A certificate pinset is used for certificate pinning validation.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Delete behaviour: The Anypoint Secrets Manager API doesn’t expose individual DELETE endpoints for sub-resources. terraform destroy removes this resource from Terraform state only — the certificate pinset is deleted on the platform when the parent anypoint_secret_group is destroyed.

Example Usage

resource "anypoint_secret_group_certificate_pinset" "example" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "my-cert-pinset"

  certificate_pinset_base64 = base64encode(file("${path.module}/certs/cert.pem"))
}

Required Arguments

  • environment_id - Environment ID.

  • secret_group_id - Secret group ID that this certificate pinset belongs to.

  • name - Name of the certificate pinset.

  • certificate_pinset_base64 - (Sensitive) Base64-encoded certificate file for pinning. For PEM: base64encode(file("cert.pem")).

Optional Arguments

  • organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.

Read-Only Attributes

  • id - Unique identifier of the certificate pinset.

  • expiration_date - Expiration date of the pinned certificate.

  • algorithm - Signature algorithm of the pinned certificate.

Import

An existing anypoint_secret_group_certificate_pinset can be imported using its composite ID: organization_id/environment_id/secret_group_id/certificate_pinset_id.

import {
  to = anypoint_secret_group_certificate_pinset.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>/<certificate_pinset_id>"
}

resource "anypoint_secret_group_certificate_pinset" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  secret_group_id = "<secret_group_id>"
  name            = "<pinset_name>"
}

After adding the import block, run:

# If you did not write a resource block, let Terraform generate one (certificate_pinset_base64 is write-only and must be added by hand):
terraform plan -generate-config-out=generated.tf

# If the resource block above already exists, review the plan and then apply the import:
terraform plan
terraform apply

Using the terraform import command (Terraform < 1.5; import blocks are preferred from 1.5 on)

terraform import anypoint_secret_group_certificate_pinset.imported <organization_id>/<environment_id>/<secret_group_id>/<certificate_pinset_id>

anypoint_secret_group_keystore

Use the anypoint_secret_group_keystore resource to manage keystores within a secret group in Anypoint Secrets Manager. Supports PEM, JKS, PKCS12, and JCEKS formats. Use filebase64() to read binary files (JKS/PKCS12/JCEKS) and base64encode(file(...)) for PEM text files; file() decodes its input as UTF-8 and fails on binary content, so the two helpers are not interchangeable.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Delete behaviour: The Anypoint Secrets Manager API doesn’t expose individual DELETE endpoints for sub-resources. terraform destroy removes this resource from Terraform state only — the keystore is deleted on the platform when the parent anypoint_secret_group is destroyed.

Example Usage

PEM keystore

resource "anypoint_secret_group_keystore" "pem" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "tls-pem-keystore"
  type            = "PEM"

  certificate_base64 = base64encode(file("${path.module}/certs/cert.pem"))
  key_base64         = base64encode(file("${path.module}/certs/key.pem"))
}

PEM keystore with CA chain

resource "anypoint_secret_group_keystore" "pem_with_ca" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "tls-pem-with-truststore"
  type            = "PEM"

  certificate_base64 = base64encode(file("${path.module}/certs/cert.pem"))
  key_base64         = base64encode(file("${path.module}/certs/key.pem"))
  ca_path_base64     = base64encode(file("${path.module}/certs/truststore.pem"))
}

JKS keystore

resource "anypoint_secret_group_keystore" "jks" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "tls-jks-keystore"
  type            = "JKS"

  keystore_file_base64 = filebase64("${path.module}/certs/keystore.jks")
  store_passphrase     = var.jks_store_passphrase
  key_passphrase       = var.jks_key_passphrase
  alias                = "myalias"
}

Required Arguments

  • environment_id - Environment ID. Changing this forces a new resource.

  • secret_group_id - Secret group ID that this keystore belongs to. Changing this forces a new resource.

  • name - Name of the keystore.

Optional Arguments

  • organization_id - Organization ID. If not provided, inferred from the connected app credentials.

  • type - Keystore format: PEM, JKS, PKCS12, or JCEKS. Defaults to PEM. Changing this forces a new resource.

  • certificate_base64 - (Sensitive) Base64-encoded certificate content. For PEM: base64encode(file("cert.pem")). For binary DER: filebase64("cert.der"). Used for PEM type.

  • key_base64 - (Sensitive) Base64-encoded private key content. For PEM: base64encode(file("key.pem")). Required for PEM type.

  • keystore_file_base64 - (Sensitive) Base64-encoded keystore file. Use filebase64("keystore.jks") or filebase64("keystore.p12"). Required for JKS, PKCS12, and JCEKS types.

  • store_passphrase - (Sensitive) Store-level passphrase. Required for JKS, PKCS12, and JCEKS types.

  • key_passphrase - (Sensitive) Private-key entry passphrase. Required for JKS, PKCS12, and JCEKS types. Optional for PEM encrypted keys.

  • alias - Entry alias within the keystore. Used for JKS, PKCS12, and JCEKS types.

  • ca_path_base64 - (Sensitive) Base64-encoded CA certificate chain (appended as truststore). Optional for all types.

Read-Only Attributes

  • id - Unique identifier of the keystore.

  • expiration_date - Expiration date of the certificate in the keystore.

  • algorithm - Signature algorithm of the certificate.

Import

An existing anypoint_secret_group_keystore can be imported using its composite ID: organization_id/environment_id/secret_group_id/keystore_id.

File content fields (certificate_base64, key_base64, etc.) are write-only and won’t be populated after import. Set them manually to avoid drift.

import {
  to = anypoint_secret_group_keystore.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>/<keystore_id>"
}

resource "anypoint_secret_group_keystore" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  secret_group_id = "<secret_group_id>"
  name            = "<keystore_name>"
  type            = "PEM"
}

After adding the import block, run:

# If you did not write a resource block, let Terraform generate one (certificate_base64, key_base64 and the other content fields are write-only and must be added by hand):
terraform plan -generate-config-out=generated.tf

# If the resource block above already exists, review the plan and then apply the import:
terraform plan
terraform apply

Using the terraform import command (Terraform < 1.5; import blocks are preferred from 1.5 on)

terraform import anypoint_secret_group_keystore.imported <organization_id>/<environment_id>/<secret_group_id>/<keystore_id>

anypoint_secret_group_shared_secret

Use the anypoint_secret_group_shared_secret resource to manage shared secrets within a secret group in Anypoint Secrets Manager. Supports four types: UsernamePassword, S3Credential, SymmetricKey, and Blob. Provide the type-specific fields based on the chosen type.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Delete behaviour: The Anypoint Secrets Manager API doesn’t expose individual DELETE endpoints for sub-resources. terraform destroy removes this resource from Terraform state only — the shared secret is deleted on the platform when the parent anypoint_secret_group is destroyed.

Example Usage

UsernamePassword

resource "anypoint_secret_group_shared_secret" "db_creds" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "db-credentials"
  type            = "UsernamePassword"

  username = "admin"
  password = var.db_password
}

S3Credential

resource "anypoint_secret_group_shared_secret" "s3" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "s3-backup-creds"
  type            = "S3Credential"

  access_key_id     = var.aws_access_key
  secret_access_key = var.aws_secret_key
  expiration_date   = "2026-12-31"
}

SymmetricKey

# Generate the key once instead of pasting a literal into HCL; a 256-bit key is 32 random bytes.
# random_bytes comes from recent versions of the hashicorp/random provider, and its base64
# attribute is exactly the form the key argument expects.
resource "random_bytes" "symmetric" {
  length = 32
}

resource "anypoint_secret_group_shared_secret" "symmetric" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "encryption-key"
  type            = "SymmetricKey"

  key = random_bytes.symmetric.base64
}

Blob

resource "anypoint_secret_group_shared_secret" "blob" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "api-token"
  type            = "Blob"

  content = var.api_token
}

Required Arguments

  • environment_id - Environment ID.

  • secret_group_id - Secret group ID that this shared secret belongs to.

  • name - Name of the shared secret.

  • type - Type of shared secret: UsernamePassword, S3Credential, SymmetricKey, or Blob.

Optional Arguments

  • organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.

  • expiration_date - Optional expiration date (for example, 2026-03-31).

  • username - Username (for UsernamePassword type).

  • password - (Sensitive) Password (for UsernamePassword type).

  • access_key_id - AWS access key ID (for S3Credential type).

  • secret_access_key - (Sensitive) AWS secret access key (for S3Credential type).

  • key - (Sensitive) Base64-encoded symmetric key (for SymmetricKey type).

  • content - (Sensitive) Secret content string (for Blob type).

Read-Only Attributes

  • id - Unique identifier of the shared secret.

Import

An existing anypoint_secret_group_shared_secret can be imported using its composite ID: organization_id/environment_id/secret_group_id/shared_secret_id.

Sensitive fields (passwords, secrets) are write-only and won’t be populated after import. Set them manually to avoid drift. Note that marking a value (Sensitive) only redacts it in plan and apply output; Terraform still writes it to state in plaintext, so the state backend needs the same access controls and encryption as the secrets themselves.

import {
  to = anypoint_secret_group_shared_secret.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>/<shared_secret_id>"
}

resource "anypoint_secret_group_shared_secret" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  secret_group_id = "<secret_group_id>"
  name            = "<shared_secret_name>"
  type            = "UsernamePassword"
}

After adding the import block, run:

# If you did not write a resource block, let Terraform generate one (password, secret_access_key, key and content are write-only and must be added by hand):
terraform plan -generate-config-out=generated.tf

# If the resource block above already exists, review the plan and then apply the import:
terraform plan
terraform apply

Using the terraform import command (Terraform < 1.5; import blocks are preferred from 1.5 on)

terraform import anypoint_secret_group_shared_secret.imported <organization_id>/<environment_id>/<secret_group_id>/<shared_secret_id>

anypoint_secret_group_truststore

Use the anypoint_secret_group_truststore resource to manage truststores within a secret group in Anypoint Secrets Manager. Supports PEM, JKS, PKCS12, and JCEKS formats. Use base64encode(file(...)) for PEM text files and filebase64(...) for binary JKS/PKCS12/JCEKS files; file() decodes its input as UTF-8 and fails on binary content.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Delete behaviour: The Anypoint Secrets Manager API doesn’t expose individual DELETE endpoints for sub-resources. terraform destroy removes this resource from Terraform state only — the truststore is deleted on the platform when the parent anypoint_secret_group is destroyed.

Example Usage

PEM truststore

resource "anypoint_secret_group_truststore" "pem" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "ca-truststore"
  type            = "PEM"

  truststore_base64 = base64encode(file("${path.module}/certs/truststore.pem"))
}

JKS truststore

resource "anypoint_secret_group_truststore" "jks" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "ca-truststore-jks"
  type            = "JKS"

  truststore_base64 = filebase64("${path.module}/certs/truststore.jks")
  passphrase        = var.jks_passphrase
}

Required Arguments

  • environment_id - Environment ID.

  • secret_group_id - Secret group ID that this truststore belongs to.

  • name - Name of the truststore.

  • truststore_base64 - (Sensitive) Base64-encoded truststore file content. For PEM: base64encode(file("truststore.pem")). For JKS/PKCS12: filebase64("truststore.jks").

Optional Arguments

  • organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.

  • type - Truststore format: PEM, JKS, PKCS12, or JCEKS. Defaults to PEM.

  • passphrase - (Sensitive) Passphrase for the truststore. Required for JKS, PKCS12, and JCEKS formats.

Read-Only Attributes

  • id - Unique identifier of the truststore.

  • expiration_date - Expiration date of the certificate in the truststore.

  • algorithm - Signature algorithm of the certificate.

Import

An existing anypoint_secret_group_truststore can be imported using its composite ID: organization_id/environment_id/secret_group_id/truststore_id.

truststore_base64 is a write-only field and won’t be populated after import. Set it manually to avoid drift on the next plan.

import {
  to = anypoint_secret_group_truststore.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>/<truststore_id>"
}

resource "anypoint_secret_group_truststore" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  secret_group_id = "<secret_group_id>"
  name            = "<truststore_name>"
  type            = "PEM"
}

After adding the import block, run:

# If you did not write a resource block, let Terraform generate one (truststore_base64 is write-only and must be added by hand):
terraform plan -generate-config-out=generated.tf

# If the resource block above already exists, review the plan and then apply the import:
terraform plan
terraform apply

Using the terraform import command (Terraform < 1.5; import blocks are preferred from 1.5 on)

terraform import anypoint_secret_group_truststore.imported <organization_id>/<environment_id>/<secret_group_id>/<truststore_id>

anypoint_secret_group_tls_context

Use the anypoint_secret_group_tls_context resource to manage an Omni Gateway TLS context within a secret group in Anypoint Secrets Manager. The target is fixed to OmniGateway in this provider. References keystore and truststore resources by their IDs — the provider automatically builds the internal path references (keystores/{id}, truststores/{id}).

Target mapping: The Anypoint Secrets Manager API requires target: "FlexGateway" for Omni Gateway TLS contexts. The provider accepts OmniGateway in HCL and automatically maps it to FlexGateway before calling the API. If you create TLS contexts directly via the API or CLI, use "FlexGateway" as the target value.

Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.

Delete behaviour: The Anypoint Secrets Manager API doesn’t expose individual DELETE endpoints for sub-resources. terraform destroy removes this resource from Terraform state only — the TLS context is deleted on the platform when the parent anypoint_secret_group is destroyed.

Example Usage

Basic TLS context

resource "anypoint_secret_group_tls_context" "example" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "omni-tls-context"

  keystore_id   = anypoint_secret_group_keystore.tls.id
  truststore_id = anypoint_secret_group_truststore.ca.id

  min_tls_version = "TLSv1.3"
  max_tls_version = "TLSv1.3"
  alpn_protocols  = ["h2", "http/1.1"]

  enable_client_cert_validation = false
  skip_server_cert_validation   = false
}

mTLS-enabled TLS context

resource "anypoint_secret_group_tls_context" "mtls" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "mtls-context"

  keystore_id   = anypoint_secret_group_keystore.tls.id
  truststore_id = anypoint_secret_group_truststore.ca.id

  min_tls_version = "TLSv1.3"
  max_tls_version = "TLSv1.3"
  alpn_protocols  = ["h2", "http/1.1"]

  enable_client_cert_validation = true
  skip_server_cert_validation   = false
}
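A complete chain from PEM files on disk to an mTLS-enabled TLS context, as an added example rather than the provider's own documentation. It reuses var.environment_id and anypoint_secret_group.main from the examples on this page; the file paths under certs/, the resource and output names, and the lifecycle preconditions are assumptions made for the example. The preconditions check that each PEM file holds the object type its field expects before the content is base64-encoded and uploaded, because the content fields are write-only and give no feedback once the material is on the platform.

```hcl
locals {
  # PEM text files; file() is correct here, filebase64() would be needed for JKS/PKCS12.
  server_cert_pem = file("${path.module}/certs/server.pem")
  server_key_pem  = file("${path.module}/certs/server-key.pem")
  client_ca_pem   = file("${path.module}/certs/client-ca.pem")
}

resource "anypoint_secret_group_keystore" "server" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "gateway-server-keystore"
  type            = "PEM"

  certificate_base64 = base64encode(local.server_cert_pem)
  key_base64         = base64encode(local.server_key_pem)

  lifecycle {
    # Fail the plan if the two files were swapped or hold the wrong object type.
    precondition {
      condition     = can(regex("-----BEGIN CERTIFICATE-----", local.server_cert_pem))
      error_message = "certs/server.pem does not contain a PEM certificate."
    }
    precondition {
      condition     = can(regex("-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----", local.server_key_pem))
      error_message = "certs/server-key.pem does not contain a PEM private key."
    }
  }
}

# CA bundle used to validate client certificates on inbound connections.
resource "anypoint_secret_group_truststore" "client_ca" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "gateway-client-ca"
  type            = "PEM"

  truststore_base64 = base64encode(local.client_ca_pem)

  lifecycle {
    precondition {
      condition     = can(regex("-----BEGIN CERTIFICATE-----", local.client_ca_pem))
      error_message = "certs/client-ca.pem does not contain a PEM certificate."
    }
  }
}

resource "anypoint_secret_group_tls_context" "gateway_mtls" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "gateway-mtls"

  keystore_id   = anypoint_secret_group_keystore.server.id
  truststore_id = anypoint_secret_group_truststore.client_ca.id

  min_tls_version = "TLSv1.2" # TLSv1.1 is deprecated (RFC 8996); 1.2 is the floor for legacy clients
  max_tls_version = "TLSv1.3"
  alpn_protocols  = ["h2", "http/1.1"]

  enable_client_cert_validation = true  # inbound mTLS, validated against client_ca
  skip_server_cert_validation   = false # never disable outbound verification
}

# Surface the expiry so it can be picked up by whatever watches for certificate rotation.
output "gateway_mtls_expiration_date" {
  value = anypoint_secret_group_tls_context.gateway_mtls.expiration_date
}
```

The preconditions are cheap insurance against the classic mistake of feeding the private key into certificate_base64 (or the server certificate into the truststore); Terraform refuses the plan locally instead of uploading unusable material that the provider cannot read back for comparison.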

Required Arguments

  • environment_id - Environment ID.

  • secret_group_id - Secret group ID that this TLS context belongs to.

  • name - Name of the TLS context.

Optional Arguments

  • organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.

  • keystore_id - ID of the keystore in the same secret group. Use anypoint_secret_group_keystore.example.id to reference it.

  • truststore_id - ID of the truststore in the same secret group. Use anypoint_secret_group_truststore.example.id to reference it.

  • min_tls_version - Minimum TLS version. Valid values: TLSv1.1, TLSv1.2, TLSv1.3. Defaults to TLSv1.3. TLSv1.1 is deprecated (RFC 8996); don’t set the minimum below TLSv1.2 unless a legacy client leaves no choice.

  • max_tls_version - Maximum TLS version. Valid values: TLSv1.1, TLSv1.2, TLSv1.3. Defaults to TLSv1.3. Keep it at or above min_tls_version.

  • alpn_protocols - (List of String) ALPN protocol negotiation list. Valid values: h2, http/1.1. Order determines preference: ["h2", "http/1.1"] prefers H2, ["http/1.1", "h2"] prefers HTTP/1.1.

  • cipher_suites - (List of String) Allowed cipher suites. Empty list means use defaults.

  • enable_client_cert_validation - Enable mutual TLS client certificate validation (inbound). Defaults to false. When true, clients are validated against the truststore referenced by truststore_id, so that truststore must contain the CA that issues the client certificates.

  • skip_server_cert_validation - Skip server certificate validation (outbound). Defaults to false. Setting it to true disables verification of the upstream server’s certificate and leaves outbound connections open to interception; use it only against test endpoints, never in production.

Read-Only Attributes

  • id - Unique identifier of the TLS context.

  • target - Target runtime for the TLS context. Always OmniGateway in Terraform. The provider maps this to FlexGateway when calling the Secrets Manager API.

  • expiration_date - Expiration date of the TLS context.

Import

An existing anypoint_secret_group_tls_context can be imported using its composite ID: organization_id/environment_id/secret_group_id/tls_context_id.

import {
  to = anypoint_secret_group_tls_context.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>/<tls_context_id>"
}

resource "anypoint_secret_group_tls_context" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  secret_group_id = "<secret_group_id>"
  name            = "<tls_context_name>"
  keystore_id     = "<keystore_id>"
}

After adding the import block, run:

# If you did not write a resource block, let Terraform generate one from the imported resource:
terraform plan -generate-config-out=generated.tf

# If the resource block above already exists, review the plan and then apply the import:
terraform plan
terraform apply

Using the terraform import command (Terraform < 1.5; import blocks are preferred from 1.5 on)

terraform import anypoint_secret_group_tls_context.imported <organization_id>/<environment_id>/<secret_group_id>/<tls_context_id>