**Warning:** managing versions will persist their data (the actual secret you want to protect) in the Terraform state in unencrypted form, accessible to any identity able to read or pull the state file.
CMEK will be used if an encryption key is set in the `keys` field of `secrets` object for the secret region. For secrets with auto-replication, a global key must be specified.
| [project_id](variables.tf#L29) | Project id where the keyring will be created. | <code>string</code> | ✓ | |
| [iam](variables.tf#L17) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
| [labels](variables.tf#L23) | Optional labels for each secret. | <code>map(map(string))</code> | | <code>{}</code> |
| [secrets](variables.tf#L34) | Map of secrets to manage, their locations and KMS keys in {LOCATION => KEY} format. {GLOBAL => KEY} format enables CMEK for automatic managed secrets. If locations is null, automatic management will be set. | <codetitle="map(object({ locations = optional(list(string), null) keys = optional(map(string), null) }))">map(object({…}))</code> | | <code>{}</code> |
| [versions](variables.tf#L43) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | <codetitle="map(map(object({ enabled = bool data = string })))">map(map(object({…})))</code> | | <code>{}</code> |