Secrets Manager Resources
Use Secrets Manager resources to manage secret groups, certificates, keystores, truststores, shared secrets, and TLS contexts in Anypoint Platform.
These resources support declarative secrets and TLS configuration management for managed gateways and related infrastructure components.
anypoint_secret_group
Use the anypoint_secret_group resource to manage secret groups in Anypoint Secrets Manager.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Lifecycle: Deleting this resource also cascade-deletes all sub-resources on the platform (keystores, truststores, certificates, shared secrets, TLS contexts, certificate pinsets). Sub-resource Terraform resources (
Example Usage
resource "anypoint_secret_group" "example" {
  environment_id = var.environment_id
  name           = "terraform-secrets"
  downloadable   = false
}
Required Arguments
- environment_id - Environment ID where the secret group is created.
- name - Name of the secret group.
Optional Arguments
- organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.
- downloadable - Whether the secrets in this group can be downloaded. Defaults to false.
Read-Only Attributes
- id - Unique identifier of the secret group.
- current_state - Current state of the secret group.
Import
An existing anypoint_secret_group can be imported using its composite ID: organization_id/environment_id/secret_group_id.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_secret_group.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>"
}
resource "anypoint_secret_group" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  name            = "<secret_group_name>"
  downloadable    = false
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_secret_group_certificate
Use the anypoint_secret_group_certificate resource to manage certificates within a secret group in Anypoint Secrets Manager. Supports PEM, JKS, PKCS12, and JCEKS formats.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Delete behaviour: The Anypoint Secrets Manager API doesn’t expose individual DELETE endpoints for sub-resources.
Example Usage
resource "anypoint_secret_group_certificate" "example" {
  environment_id     = var.environment_id
  secret_group_id    = anypoint_secret_group.main.id
  name               = "my-certificate"
  type               = "PEM"
  certificate_base64 = base64encode(file("${path.module}/certs/cert.pem"))
}
Required Arguments
- environment_id - Environment ID.
- secret_group_id - Secret group ID that this certificate belongs to.
- name - Name of the certificate.
- certificate_base64 - (Sensitive) Base64-encoded certificate file content. For PEM: base64encode(file("cert.pem")). For binary: filebase64("cert.der").
Optional Arguments
- organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.
- type - Certificate format: PEM, JKS, PKCS12, or JCEKS. Defaults to PEM.
Read-Only Attributes
- id - Unique identifier of the certificate.
- expiration_date - Expiration date of the certificate.
- algorithm - Signature algorithm of the certificate.
Import
An existing anypoint_secret_group_certificate can be imported using its composite ID: organization_id/environment_id/secret_group_id/certificate_id.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_secret_group_certificate.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>/<certificate_id>"
}
resource "anypoint_secret_group_certificate" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  secret_group_id = "<secret_group_id>"
  name            = "<certificate_name>"
  type            = "PEM"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_secret_group_certificate_pinset
Use the anypoint_secret_group_certificate_pinset resource to manage certificate pinsets within a secret group in Anypoint Secrets Manager. A certificate pinset is used for certificate pinning validation.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Delete behaviour: The Anypoint Secrets Manager API doesn’t expose individual DELETE endpoints for sub-resources.
Example Usage
resource "anypoint_secret_group_certificate_pinset" "example" {
  environment_id            = var.environment_id
  secret_group_id           = anypoint_secret_group.main.id
  name                      = "my-cert-pinset"
  certificate_pinset_base64 = base64encode(file("${path.module}/certs/cert.pem"))
}
Required Arguments
- environment_id - Environment ID.
- secret_group_id - Secret group ID that this certificate pinset belongs to.
- name - Name of the certificate pinset.
- certificate_pinset_base64 - (Sensitive) Base64-encoded certificate file for pinning. For PEM: base64encode(file("cert.pem")).
Optional Arguments
- organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.
Read-Only Attributes
- id - Unique identifier of the certificate pinset.
- expiration_date - Expiration date of the pinned certificate.
- algorithm - Signature algorithm of the pinned certificate.
Import
An existing anypoint_secret_group_certificate_pinset can be imported using its composite ID: organization_id/environment_id/secret_group_id/certificate_pinset_id.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_secret_group_certificate_pinset.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>/<certificate_pinset_id>"
}
resource "anypoint_secret_group_certificate_pinset" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  secret_group_id = "<secret_group_id>"
  name            = "<pinset_name>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_secret_group_keystore
Use the anypoint_secret_group_keystore resource to manage keystores within a secret group in Anypoint Secrets Manager. Supports PEM, JKS, PKCS12, and JCEKS formats. Use filebase64() to read binary files (JKS/PKCS12) or base64encode(file(…)) for PEM text files.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Delete behaviour: The Anypoint Secrets Manager API doesn’t expose individual DELETE endpoints for sub-resources.
Example Usage
PEM keystore
resource "anypoint_secret_group_keystore" "pem" {
  environment_id     = var.environment_id
  secret_group_id    = anypoint_secret_group.main.id
  name               = "tls-pem-keystore"
  type               = "PEM"
  certificate_base64 = base64encode(file("${path.module}/certs/cert.pem"))
  key_base64         = base64encode(file("${path.module}/certs/key.pem"))
}
PEM keystore with CA chain
resource "anypoint_secret_group_keystore" "pem_with_ca" {
  environment_id     = var.environment_id
  secret_group_id    = anypoint_secret_group.main.id
  name               = "tls-pem-with-truststore"
  type               = "PEM"
  certificate_base64 = base64encode(file("${path.module}/certs/cert.pem"))
  key_base64         = base64encode(file("${path.module}/certs/key.pem"))
  ca_path_base64     = base64encode(file("${path.module}/certs/truststore.pem"))
}
JKS keystore
resource "anypoint_secret_group_keystore" "jks" {
  environment_id       = var.environment_id
  secret_group_id      = anypoint_secret_group.main.id
  name                 = "tls-jks-keystore"
  type                 = "JKS"
  keystore_file_base64 = filebase64("${path.module}/certs/keystore.jks")
  store_passphrase     = var.jks_store_passphrase
  key_passphrase       = var.jks_key_passphrase
  alias                = "myalias"
}
Required Arguments
- environment_id - Environment ID. Changing this forces a new resource.
- secret_group_id - Secret group ID that this keystore belongs to. Changing this forces a new resource.
- name - Name of the keystore.
Optional Arguments
- organization_id - Organization ID. If not provided, inferred from the connected app credentials.
- type - Keystore format: PEM, JKS, PKCS12, or JCEKS. Defaults to PEM. Changing this forces a new resource.
- certificate_base64 - (Sensitive) Base64-encoded certificate content. For PEM: base64encode(file("cert.pem")). For binary DER: filebase64("cert.der"). Used for PEM type.
- key_base64 - (Sensitive) Base64-encoded private key content. For PEM: base64encode(file("key.pem")). Required for PEM type.
- keystore_file_base64 - (Sensitive) Base64-encoded keystore file. Use filebase64("keystore.jks") or filebase64("keystore.p12"). Required for JKS, PKCS12, and JCEKS types.
- store_passphrase - (Sensitive) Store-level passphrase. Required for JKS, PKCS12, and JCEKS types.
- key_passphrase - (Sensitive) Private-key entry passphrase. Required for JKS, PKCS12, and JCEKS types. Optional for PEM encrypted keys.
- alias - Entry alias within the keystore. Used for JKS, PKCS12, and JCEKS types.
- ca_path_base64 - (Sensitive) Base64-encoded CA certificate chain (appended as truststore). Optional for all types.
Read-Only Attributes
- id - Unique identifier of the keystore.
- expiration_date - Expiration date of the certificate in the keystore.
- algorithm - Signature algorithm of the certificate.
Import
An existing anypoint_secret_group_keystore can be imported using its composite ID: organization_id/environment_id/secret_group_id/keystore_id.
File content fields (
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_secret_group_keystore.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>/<keystore_id>"
}
resource "anypoint_secret_group_keystore" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  secret_group_id = "<secret_group_id>"
  name            = "<keystore_name>"
  type            = "PEM"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_secret_group_shared_secret
Use the anypoint_secret_group_shared_secret resource to manage shared secrets within a secret group in Anypoint Secrets Manager. Supports four types: UsernamePassword, S3Credential, SymmetricKey, and Blob. Provide the type-specific fields based on the chosen type.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Delete behaviour: The Anypoint Secrets Manager API doesn’t expose individual DELETE endpoints for sub-resources.
Example Usage
UsernamePassword
resource "anypoint_secret_group_shared_secret" "db_creds" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "db-credentials"
  type            = "UsernamePassword"
  username        = "admin"
  password        = var.db_password
}
S3Credential
resource "anypoint_secret_group_shared_secret" "s3" {
  environment_id    = var.environment_id
  secret_group_id   = anypoint_secret_group.main.id
  name              = "s3-backup-creds"
  type              = "S3Credential"
  access_key_id     = var.aws_access_key
  secret_access_key = var.aws_secret_key
  expiration_date   = "2026-12-31"
}
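The page shows the UsernamePassword and S3Credential types only. The following is an added example, not part of the provider's documentation, covering the remaining two types, SymmetricKey and Blob. It assumes the anypoint provider is declared and configured elsewhere in the module, and it uses the hashicorp/random provider's random_bytes resource (available from random provider 3.6.0, which exposes the generated bytes as a base64 attribute) to produce the 256-bit key. The variable names, resource names and the expiration date are constructed for this example.

```hcl
terraform {
  required_providers {
    # Assumption: hashicorp/random >= 3.6.0 provides random_bytes with a
    # base64 attribute. The anypoint provider is assumed to be declared and
    # configured elsewhere in this module.
    random = {
      source  = "hashicorp/random"
      version = ">= 3.6.0"
    }
  }
}

variable "environment_id" {
  type = string
}

# Blob content arrives from outside Terraform (for example via TF_VAR_blob_content)
# and is marked sensitive so it is redacted from plan and apply output.
variable "blob_content" {
  type      = string
  sensitive = true
}

resource "anypoint_secret_group" "main" {
  environment_id = var.environment_id
  name           = "app-secrets"
  downloadable   = false
}

# 32 random bytes = a 256-bit symmetric key, generated once and kept in state.
resource "random_bytes" "hmac_key" {
  length = 32
}

resource "anypoint_secret_group_shared_secret" "hmac" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "hmac-signing-key"
  type            = "SymmetricKey"
  # key must be base64-encoded; random_bytes exposes the bytes already encoded.
  key             = random_bytes.hmac_key.base64
  expiration_date = "2026-12-31"
}

resource "anypoint_secret_group_shared_secret" "license" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "license-blob"
  type            = "Blob"
  content         = var.blob_content
}
```

The generated key lives in Terraform state next to its base64 value, so the state backend needs the same access controls as the secret group itself. If the key is generated outside Terraform instead, pass it in as a sensitive variable that is already base64-encoded, or wrap the raw value with base64encode().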
Required Arguments
- environment_id - Environment ID.
- secret_group_id - Secret group ID that this shared secret belongs to.
- name - Name of the shared secret.
- type - Type of shared secret: UsernamePassword, S3Credential, SymmetricKey, or Blob.
Optional Arguments
- organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.
- expiration_date - Optional expiration date (for example, 2026-03-31).
- username - Username (for UsernamePassword type).
- password - (Sensitive) Password (for UsernamePassword type).
- access_key_id - AWS access key ID (for S3Credential type).
- secret_access_key - (Sensitive) AWS secret access key (for S3Credential type).
- key - (Sensitive) Base64-encoded symmetric key (for SymmetricKey type).
- content - (Sensitive) Secret content string (for Blob type).
Import
An existing anypoint_secret_group_shared_secret can be imported using its composite ID: organization_id/environment_id/secret_group_id/shared_secret_id.
Sensitive fields (passwords, secrets) are write-only and won’t be populated after import. Set them manually to avoid drift.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_secret_group_shared_secret.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>/<shared_secret_id>"
}
resource "anypoint_secret_group_shared_secret" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  secret_group_id = "<secret_group_id>"
  name            = "<shared_secret_name>"
  type            = "UsernamePassword"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_secret_group_truststore
Use the anypoint_secret_group_truststore resource to manage truststores within a secret group in Anypoint Secrets Manager. Supports PEM, JKS, PKCS12, and JCEKS formats. Use base64encode(file(…)) for PEM text files or filebase64(…) for binary JKS/PKCS12 files.
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Delete behaviour: The Anypoint Secrets Manager API doesn’t expose individual DELETE endpoints for sub-resources.
Example Usage
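The page carries no example for this resource, so the following is an added one, not the provider's own. It places a PEM CA bundle and a PKCS12 truststore side by side because the file-reading function differs by format: file() accepts only UTF-8 text, so binary stores must go through filebase64(). It assumes a secret group named main and certificate files under certs/; the resource names and variable names are constructed.

```hcl
variable "environment_id" {
  type = string
}

# Store passphrase for the binary truststore, supplied from outside Terraform.
variable "truststore_passphrase" {
  type      = string
  sensitive = true
}

resource "anypoint_secret_group" "main" {
  environment_id = var.environment_id
  name           = "gateway-secrets"
  downloadable   = false
}

# PEM is UTF-8 text, so file() can read it and base64encode() wraps the result.
resource "anypoint_secret_group_truststore" "ca_pem" {
  environment_id    = var.environment_id
  secret_group_id   = anypoint_secret_group.main.id
  name              = "ca-bundle-pem"
  type              = "PEM"
  truststore_base64 = base64encode(file("${path.module}/certs/ca-bundle.pem"))
}

# PKCS12 is binary: file() rejects non-UTF-8 content, so filebase64() must
# read it directly. JKS, PKCS12 and JCEKS also require the store passphrase.
resource "anypoint_secret_group_truststore" "ca_p12" {
  environment_id    = var.environment_id
  secret_group_id   = anypoint_secret_group.main.id
  name              = "ca-bundle-p12"
  type              = "PKCS12"
  truststore_base64 = filebase64("${path.module}/certs/truststore.p12")
  passphrase        = var.truststore_passphrase
}
```

A truststore decides which issuers the gateway accepts, so a bundle wider than the CAs you actually expect widens who can present a trusted certificate; keep it to the issuing CAs in use and update the file content in Terraform when a CA rolls over.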
Required Arguments
- environment_id - Environment ID.
- secret_group_id - Secret group ID that this truststore belongs to.
- name - Name of the truststore.
- truststore_base64 - (Sensitive) Base64-encoded truststore file content. For PEM: base64encode(file("truststore.pem")). For JKS/PKCS12: filebase64("truststore.jks").
Optional Arguments
- organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.
- type - Truststore format: PEM, JKS, PKCS12, or JCEKS. Defaults to PEM.
- passphrase - (Sensitive) Passphrase for the truststore. Required for JKS, PKCS12, and JCEKS formats.
Read-Only Attributes
- id - Unique identifier of the truststore.
- expiration_date - Expiration date of the certificate in the truststore.
- algorithm - Signature algorithm of the certificate.
Import
An existing anypoint_secret_group_truststore can be imported using its composite ID: organization_id/environment_id/secret_group_id/truststore_id.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_secret_group_truststore.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>/<truststore_id>"
}
resource "anypoint_secret_group_truststore" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  secret_group_id = "<secret_group_id>"
  name            = "<truststore_name>"
  type            = "PEM"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply
anypoint_secret_group_tls_context
Use the anypoint_secret_group_tls_context resource to manage an Omni Gateway TLS context within a secret group in Anypoint Secrets Manager. The target is fixed to OmniGateway in this provider. References keystore and truststore resources by their IDs — the provider automatically builds the internal path references (keystores/{id}, truststores/{id}).
Target mapping: The Anypoint Secrets Manager API requires
Connected App: This resource requires a standard connected app (client credentials). An admin connected app isn’t needed. The connected app must have relevant scopes.
Delete behaviour: The Anypoint Secrets Manager API doesn’t expose individual DELETE endpoints for sub-resources.
Example Usage
Basic TLS context
resource "anypoint_secret_group_tls_context" "example" {
  environment_id                = var.environment_id
  secret_group_id               = anypoint_secret_group.main.id
  name                          = "omni-tls-context"
  keystore_id                   = anypoint_secret_group_keystore.tls.id
  truststore_id                 = anypoint_secret_group_truststore.ca.id
  min_tls_version               = "TLSv1.3"
  max_tls_version               = "TLSv1.3"
  alpn_protocols                = ["h2", "http/1.1"]
  enable_client_cert_validation = false
  skip_server_cert_validation   = false
}
mTLS-enabled TLS context
resource "anypoint_secret_group_tls_context" "mtls" {
  environment_id                = var.environment_id
  secret_group_id               = anypoint_secret_group.main.id
  name                          = "mtls-context"
  keystore_id                   = anypoint_secret_group_keystore.tls.id
  truststore_id                 = anypoint_secret_group_truststore.ca.id
  min_tls_version               = "TLSv1.3"
  max_tls_version               = "TLSv1.3"
  alpn_protocols                = ["h2", "http/1.1"]
  enable_client_cert_validation = true
  skip_server_cert_validation   = false
}
Required Arguments
- environment_id - Environment ID.
- secret_group_id - Secret group ID that this TLS context belongs to.
- name - Name of the TLS context.
Optional Arguments
- organization_id - Organization ID. If not provided, the organization ID is inferred from the connected app credentials.
- keystore_id - ID of the keystore in the same secret group. Use anypoint_secret_group_keystore.example.id to reference it.
- truststore_id - ID of the truststore in the same secret group. Use anypoint_secret_group_truststore.example.id to reference it.
- min_tls_version - Minimum TLS version. Valid values: TLSv1.1, TLSv1.2, TLSv1.3. Defaults to TLSv1.3.
- max_tls_version - Maximum TLS version. Valid values: TLSv1.1, TLSv1.2, TLSv1.3. Defaults to TLSv1.3.
- alpn_protocols - (List of String) ALPN protocol negotiation list. Valid values: h2, http/1.1. Order determines preference: ["h2", "http/1.1"] prefers H2, ["http/1.1", "h2"] prefers HTTP/1.1.
- cipher_suites - (List of String) Allowed cipher suites. Empty list means use defaults.
- enable_client_cert_validation - Enable mutual TLS client certificate validation (inbound). Defaults to false.
- skip_server_cert_validation - Skip server certificate validation (outbound). Defaults to false.
Read-Only Attributes
- id - Unique identifier of the TLS context.
- target - Target runtime for the TLS context. Always OmniGateway in Terraform. The provider maps this to FlexGateway when calling the Secrets Manager API.
- expiration_date - Expiration date of the TLS context.
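As an added example that is not part of the provider's documentation, the following configuration wires a PEM keystore and truststore into an mTLS context and adds two guard rails the provider itself does not enforce: variable validation that refuses TLSv1.1 even though the provider accepts it, and lifecycle preconditions that fail the plan if the minimum version is above the maximum or if the keystore and truststore are not in the same secret group as the context. The resource names, the certs/ paths and the variable defaults are assumptions made for this example.

```hcl
variable "environment_id" {
  type = string
}

variable "min_tls_version" {
  type    = string
  default = "TLSv1.2"
  validation {
    # The provider accepts TLSv1.1; this module refuses it deliberately.
    condition     = contains(["TLSv1.2", "TLSv1.3"], var.min_tls_version)
    error_message = "min_tls_version must be TLSv1.2 or TLSv1.3."
  }
}

variable "max_tls_version" {
  type    = string
  default = "TLSv1.3"
  validation {
    condition     = contains(["TLSv1.2", "TLSv1.3"], var.max_tls_version)
    error_message = "max_tls_version must be TLSv1.2 or TLSv1.3."
  }
}

locals {
  # Constructed ranking for every value the provider accepts, so the two
  # versions can be compared numerically in the precondition below.
  tls_rank = { "TLSv1.1" = 1, "TLSv1.2" = 2, "TLSv1.3" = 3 }
}

resource "anypoint_secret_group" "main" {
  environment_id = var.environment_id
  name           = "gateway-secrets"
  downloadable   = false
}

resource "anypoint_secret_group_keystore" "tls" {
  environment_id     = var.environment_id
  secret_group_id    = anypoint_secret_group.main.id
  name               = "gateway-tls"
  type               = "PEM"
  certificate_base64 = base64encode(file("${path.module}/certs/cert.pem"))
  key_base64         = base64encode(file("${path.module}/certs/key.pem"))
}

# Only the CA that issues client certificates belongs here, not a general bundle.
resource "anypoint_secret_group_truststore" "ca" {
  environment_id    = var.environment_id
  secret_group_id   = anypoint_secret_group.main.id
  name              = "client-ca"
  type              = "PEM"
  truststore_base64 = base64encode(file("${path.module}/certs/client-ca.pem"))
}

resource "anypoint_secret_group_tls_context" "mtls" {
  environment_id  = var.environment_id
  secret_group_id = anypoint_secret_group.main.id
  name            = "mtls-context"
  keystore_id     = anypoint_secret_group_keystore.tls.id
  truststore_id   = anypoint_secret_group_truststore.ca.id
  min_tls_version = var.min_tls_version
  max_tls_version = var.max_tls_version
  alpn_protocols  = ["h2", "http/1.1"]

  # Inbound: require client certificates and validate them against the truststore.
  enable_client_cert_validation = true
  # Outbound: server certificate validation stays on.
  skip_server_cert_validation = false

  lifecycle {
    precondition {
      condition     = local.tls_rank[var.min_tls_version] <= local.tls_rank[var.max_tls_version]
      error_message = "min_tls_version must not be higher than max_tls_version."
    }
    precondition {
      condition     = anypoint_secret_group_keystore.tls.secret_group_id == anypoint_secret_group_truststore.ca.secret_group_id
      error_message = "Keystore and truststore must belong to the same secret group as the TLS context."
    }
  }
}
```

Both preconditions are evaluated during terraform plan, so a version mismatch or a cross-group reference is rejected before any call to the Secrets Manager API is made.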
Import
An existing anypoint_secret_group_tls_context can be imported using its composite ID: organization_id/environment_id/secret_group_id/tls_context_id.
Using an import block (Terraform ≥ 1.5 — recommended)
import {
  to = anypoint_secret_group_tls_context.imported
  id = "<organization_id>/<environment_id>/<secret_group_id>/<tls_context_id>"
}
resource "anypoint_secret_group_tls_context" "imported" {
  organization_id = "<organization_id>"
  environment_id  = "<environment_id>"
  secret_group_id = "<secret_group_id>"
  name            = "<tls_context_name>"
  keystore_id     = "<keystore_id>"
}
After adding the import block, run:
# Let Terraform generate the full resource configuration automatically:
terraform plan -generate-config-out=generated.tf
# Or apply the import directly if you have an existing resource block:
terraform apply