GoogleCloudPlatform · modular-magician · Oct 23, 2025 · Oct 23, 2025
@@ -41,6 +41,12 @@ func ConvertResource(asset caiasset.Asset) ([]*models.TerraformResourceBlock, er
 			} else if strings.Contains(asset.Name, "regions") {
 				converter = ConverterMap[asset.Type]["ComputeRegionHealthCheck"]
 			}
+		case "secretmanager.googleapis.com/Secret":
+			if strings.Contains(asset.Name, "locations") {
+				converter = ConverterMap[asset.Type]["SecretManagerRegionalRegionalSecret"]
+			} else {
+				converter = ConverterMap[asset.Type]["SecretManagerSecret"]
+			}
 		}
 	}
 

@@ -40,6 +40,8 @@ import (
 	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/pkg/services/pubsub"
 	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/pkg/services/redis"
 	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/pkg/services/resourcemanager"
+	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/pkg/services/secretmanager"
+	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/pkg/services/secretmanagerregional"
 
 	tpg_provider "github.com/GoogleCloudPlatform/terraform-google-conversion/v7/pkg/provider"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -247,4 +249,8 @@ var ConverterMap = map[string]map[string]models.Cai2hclConverter{
 	"redis.googleapis.com/Instance": {
 		"Default": redis.NewRedisInstanceCai2hclConverter(provider),
 	},
+	"secretmanager.googleapis.com/Secret": {
+		"SecretManagerRegionalRegionalSecret": secretmanagerregional.NewSecretManagerRegionalRegionalSecretCai2hclConverter(provider),
+		"SecretManagerSecret":                 secretmanager.NewSecretManagerSecretCai2hclConverter(provider),
+	},
 }
@@ -26,6 +26,8 @@ import (
 	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/pkg/services/pubsub"
 	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/pkg/services/redis"
 	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/pkg/services/resourcemanager"
+	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/pkg/services/secretmanager"
+	"github.com/GoogleCloudPlatform/terraform-google-conversion/v7/pkg/services/secretmanagerregional"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
 
@@ -36,7 +38,7 @@ var handwrittenTfplan2caiResources = map[string]*schema.Resource{
 	// ####### END handwritten resources ###########
 }
 
-// Generated resources: 66
+// Generated resources: 68
 var generatedResources = map[string]*schema.Resource{
 	"google_alloydb_backup":                                alloydb.ResourceAlloydbBackup(),
 	"google_alloydb_cluster":                               alloydb.ResourceAlloydbCluster(),
@@ -104,4 +106,6 @@ var generatedResources = map[string]*schema.Resource{
 	"google_pubsub_topic":                                  pubsub.ResourcePubsubTopic(),
 	"google_redis_cluster":                                 redis.ResourceRedisCluster(),
 	"google_redis_instance":                                redis.ResourceRedisInstance(),
+	"google_secret_manager_secret":                         secretmanager.ResourceSecretManagerSecret(),
+	"google_secret_manager_regional_secret":                secretmanagerregional.ResourceSecretManagerRegionalRegionalSecret(),
 }
@@ -0,0 +1,326 @@
+// ----------------------------------------------------------------------------
+//
+//     ***     AUTO GENERATED CODE    ***    Type: MMv1     ***
+//
+// ----------------------------------------------------------------------------
+//
+//     This code is generated by Magic Modules using the following:
+//
+//     Configuration: https://github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/products/secretmanager/Secret.yaml
+//     Template:      https://github.com/GoogleCloudPlatform/magic-modules/tree/main/mmv1/templates/tgc_next/services/resource.go.tmpl
+//
+//     DO NOT EDIT this file directly. Any changes made to this file will be
+//     overwritten during the next generation cycle.
+//
+// ----------------------------------------------------------------------------
+
+package secretmanager
+
+import (
+	"context"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+const SecretManagerSecretAssetType string = "secretmanager.googleapis.com/Secret"
+
+const SecretManagerSecretSchemaName string = "google_secret_manager_secret"
+
+// Prevent ForceNew when upgrading replication.automatic -> replication.auto
+func secretManagerSecretAutoCustomizeDiff(_ context.Context, diff *schema.ResourceDiff, meta interface{}) error {
+	oAutomatic, nAutomatic := diff.GetChange("replication.0.automatic")
+	_, nAuto := diff.GetChange("replication.0.auto")
+	autoLen := len(nAuto.([]interface{}))
+
+	// Do not ForceNew if we are removing "automatic" while adding "auto"
+	if oAutomatic == true && nAutomatic == false && autoLen > 0 {
+		return nil
+	}
+
+	if diff.HasChange("replication.0.automatic") {
+		if err := diff.ForceNew("replication.0.automatic"); err != nil {
+			return err
+		}
+	}
+
+	if diff.HasChange("replication.0.auto") {
+		if err := diff.ForceNew("replication.0.auto"); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func ResourceSecretManagerSecret() *schema.Resource {
+	return &schema.Resource{
+		Schema: map[string]*schema.Schema{
+			"replication": {
+				Type:     schema.TypeList,
+				Required: true,
+				ForceNew: true,
+				Description: `The replication policy of the secret data attached to the Secret. It cannot be changed
+after the Secret has been created.`,
+				MaxItems: 1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"auto": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							ForceNew:    true,
+							Description: `The Secret will automatically be replicated without any restrictions.`,
+							MaxItems:    1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"customer_managed_encryption": {
+										Type:     schema.TypeList,
+										Optional: true,
+										Description: `The customer-managed encryption configuration of the Secret.
+If no configuration is provided, Google-managed default
+encryption is used.`,
+										MaxItems: 1,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"kms_key_name": {
+													Type:        schema.TypeString,
+													Required:    true,
+													Description: `The resource name of the Cloud KMS CryptoKey used to encrypt secret payloads.`,
+												},
+											},
+										},
+									},
+								},
+							},
+							ExactlyOneOf: []string{"replication.0.user_managed", "replication.0.auto"},
+						},
+						"user_managed": {
+							Type:        schema.TypeList,
+							Optional:    true,
+							ForceNew:    true,
+							Description: `The Secret will be replicated to the regions specified by the user.`,
+							MaxItems:    1,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"replicas": {
+										Type:        schema.TypeList,
+										Required:    true,
+										ForceNew:    true,
+										Description: `The list of Replicas for this Secret. Cannot be empty.`,
+										MinItems:    1,
+										Elem: &schema.Resource{
+											Schema: map[string]*schema.Schema{
+												"location": {
+													Type:        schema.TypeString,
+													Required:    true,
+													ForceNew:    true,
+													Description: `The canonical IDs of the location to replicate data. For example: "us-east1".`,
+												},
+												"customer_managed_encryption": {
+													Type:        schema.TypeList,
+													Optional:    true,
+													Description: `Customer Managed Encryption for the secret.`,
+													MaxItems:    1,
+													Elem: &schema.Resource{
+														Schema: map[string]*schema.Schema{
+															"kms_key_name": {
+																Type:        schema.TypeString,
+																Required:    true,
+																Description: `Describes the Cloud KMS encryption key that will be used to protect destination secret.`,
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+							ExactlyOneOf: []string{"replication.0.user_managed", "replication.0.auto"},
+						},
+					},
+				},
+			},
+			"secret_id": {
+				Type:        schema.TypeString,
+				Required:    true,
+				ForceNew:    true,
+				Description: `This must be unique within the project.`,
+			},
+			"annotations": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Description: `Custom metadata about the secret.
+
+Annotations are distinct from various forms of labels. Annotations exist to allow
+client tools to store their own state information without requiring a database.
+
+Annotation keys must be between 1 and 63 characters long, have a UTF-8 encoding of
+maximum 128 bytes, begin and end with an alphanumeric character ([a-z0-9A-Z]), and
+may have dashes (-), underscores (_), dots (.), and alphanumerics in between these
+symbols.
+
+The total size of annotation keys and values must be less than 16KiB.
+
+An object containing a list of "key": value pairs. Example:
+{ "name": "wrench", "mass": "1.3kg", "count": "3" }.
+
+
+**Note**: This field is non-authoritative, and will only manage the annotations present in your configuration.
+Please refer to the field 'effective_annotations' for all of the annotations present on the resource.`,
+				Elem: &schema.Schema{Type: schema.TypeString},
+			},
+			"expire_time": {
+				Type:     schema.TypeString,
+				Computed: true,
+				Optional: true,
+				Description: `Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input.
+A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
+Only one of 'expire_time' or 'ttl' can be provided.`,
+			},
+			"labels": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Description: `The labels assigned to this Secret.
+
+Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes,
+and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}_-]{0,62}
+
+Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes,
+and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}_-]{0,63}
+
+No more than 64 labels can be assigned to a given resource.
+
+An object containing a list of "key": value pairs. Example:
+{ "name": "wrench", "mass": "1.3kg", "count": "3" }.
+
+
+**Note**: This field is non-authoritative, and will only manage the labels present in your configuration.
+Please refer to the field 'effective_labels' for all of the labels present on the resource.`,
+				Elem: &schema.Schema{Type: schema.TypeString},
+			},
+			"rotation": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `The rotation time and period for a Secret. At 'next_rotation_time', Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. 'topics' must be set to configure rotation.`,
+				MaxItems:    1,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"next_rotation_time": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Description: `Timestamp in UTC at which the Secret is scheduled to rotate.
+A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".`,
+							RequiredWith: []string{"rotation.0.rotation_period"},
+						},
+						"rotation_period": {
+							Type:     schema.TypeString,
+							Optional: true,
+							Description: `The Duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years).
+If rotationPeriod is set, 'next_rotation_time' must be set. 'next_rotation_time' will be advanced by this period when the service automatically sends rotation notifications.`,
+						},
+					},
+				},
+				RequiredWith: []string{"topics"},
+			},
+			"tags": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				ForceNew: true,
+				Description: `A map of resource manager tags.
+Resource manager tag keys and values have the same definition as resource manager tags.
+Keys must be in the format tagKeys/{tag_key_id}, and values are in the format tagValues/{tag_value_id}.`,
+				Elem: &schema.Schema{Type: schema.TypeString},
+			},
+			"topics": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: `A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions.`,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": {
+							Type:     schema.TypeString,
+							Required: true,
+							Description: `The resource name of the Pub/Sub topic that will be published to, in the following format: projects/*/topics/*.
+For publication to succeed, the Secret Manager Service Agent service account must have pubsub.publisher permissions on the topic.`,
+						},
+					},
+				},
+			},
+			"ttl": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Description: `The TTL for the Secret.
+A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
+Only one of 'ttl' or 'expire_time' can be provided.`,
+			},
+			"version_aliases": {
+				Type:     schema.TypeMap,
+				Optional: true,
+				Description: `Mapping from version alias to version name.
+
+A version alias is a string with a maximum length of 63 characters and can contain
+uppercase and lowercase letters, numerals, and the hyphen (-) and underscore ('_')
+characters. An alias string must start with a letter and cannot be the string
+'latest' or 'NEW'. No more than 50 aliases can be assigned to a given secret.
+
+An object containing a list of "key": value pairs. Example:
+{ "name": "wrench", "mass": "1.3kg", "count": "3" }.`,
+				Elem: &schema.Schema{Type: schema.TypeString},
+			},
+			"version_destroy_ttl": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Description: `Secret Version TTL after destruction request.
+This is a part of the delayed delete feature on Secret Version.
+For secret with versionDestroyTtl>0, version destruction doesn't happen immediately
+on calling destroy instead the version goes to a disabled state and
+the actual destruction happens after this TTL expires.`,
+			},
+			"create_time": {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: `The time at which the Secret was created.`,
+			},
+			"effective_annotations": {
+				Type:        schema.TypeMap,
+				Computed:    true,
+				Description: `All of annotations (key/value pairs) present on the resource in GCP, including the annotations configured through Terraform, other clients and services.`,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+			"effective_labels": {
+				Type:        schema.TypeMap,
+				Computed:    true,
+				Description: `All of labels (key/value pairs) present on the resource in GCP, including the labels configured through Terraform, other clients and services.`,
+				Elem:        &schema.Schema{Type: schema.TypeString},
+			},
+			"name": {
+				Type:     schema.TypeString,
+				Computed: true,
+				Description: `The resource name of the Secret. Format:
+'projects/{{project}}/secrets/{{secret_id}}'`,
+			},
+			"terraform_labels": {
+				Type:     schema.TypeMap,
+				Computed: true,
+				Description: `The combination of labels configured directly on the resource
+ and default labels configured on the provider.`,
+				Elem: &schema.Schema{Type: schema.TypeString},
+			},
+			"deletion_protection": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Description: `Whether Terraform will be prevented from destroying the secret. Defaults to false.
+When the field is set to true in Terraform state, a 'terraform apply'
+or 'terraform destroy' that would delete the secret will fail.`,
+				Default: false,
+			},
+			"project": {
+				Type:     schema.TypeString,
+				Optional: true,
+				Computed: true,
+				ForceNew: true,
+			},
+		},
+		UseJSONNumber: true,
+	}
+}