diff --git a/modules/secret-manager/README.md b/modules/secret-manager/README.md
index eefec750..32e6b305 100644
--- a/modules/secret-manager/README.md
+++ b/modules/secret-manager/README.md
@@ -110,11 +110,12 @@ module "secret-manager" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [project_id](variables.tf#L29) | Project id where the keyring will be created. | string | ✓ | |
-| [iam](variables.tf#L17) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
-| [labels](variables.tf#L23) | Optional labels for each secret. | map(map(string)) | | {} |
-| [secrets](variables.tf#L34) | Map of secrets to manage, their locations and KMS keys in {LOCATION => KEY} format. {GLOBAL => KEY} format enables CMEK for automatic managed secrets. If locations is null, automatic management will be set. | map(object({…})) | | {} |
-| [versions](variables.tf#L43) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…}))) | | {} |
+| [project_id](variables.tf#L34) | Project id where the keyring will be created. | string | ✓ | |
+| [expire_time](variables.tf#L16) | Timestamp in UTC when the Secret is scheduled to expire. | string | | null |
+| [iam](variables.tf#L22) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
+| [labels](variables.tf#L28) | Optional labels for each secret. | map(map(string)) | | {} |
+| [secrets](variables.tf#L39) | Map of secrets to manage, their locations and KMS keys in {LOCATION => KEY} format. {GLOBAL => KEY} format enables CMEK for automatic managed secrets. If locations is null, automatic management will be set. | map(object({…})) | | {} |
+| [versions](variables.tf#L48) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…}))) | | {} |
 ## Outputs
diff --git a/modules/secret-manager/main.tf b/modules/secret-manager/main.tf
index 61f4d5ef..d5df3730 100644
--- a/modules/secret-manager/main.tf
+++ b/modules/secret-manager/main.tf
@@ -33,13 +33,15 @@ locals {
 version_keypairs = {
 for pair in local.version_pairs : "${pair.secret}:${pair.name}" => pair
 }
+ expire_time = var.expire_time != null ? var.expire_time : ""
 }
 
 resource "google_secret_manager_secret" "default" {
- for_each = var.secrets
- project = var.project_id
- secret_id = each.key
- labels = lookup(var.labels, each.key, null)
+ for_each = var.secrets
+ project = var.project_id
+ secret_id = each.key
+ labels = lookup(var.labels, each.key, null)
+ expire_time = local.expire_time != "" ? local.expire_time : null
 dynamic "replication" {
 for_each = each.value.locations == null ? [""] : []
@@ -93,4 +95,4 @@ resource "google_secret_manager_secret_iam_binding" "default" {
 role = each.value.role
 secret_id = google_secret_manager_secret.default[each.value.secret].id
 members = each.value.members
-}
\ No newline at end of file
+}
diff --git a/modules/secret-manager/variables.tf b/modules/secret-manager/variables.tf
index 089f2a69..6fb44723 100644
--- a/modules/secret-manager/variables.tf
+++ b/modules/secret-manager/variables.tf
@@ -13,6 +13,11 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
+variable "expire_time" {
+ description = "Timestamp in UTC when the Secret is scheduled to expire."
+ type = string
+ default = null
+}
 variable "iam" {
 description = "IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format."
@@ -47,4 +52,4 @@ variable "versions" {
 data = string
 })))
 default = {}
-}
\ No newline at end of file
+}
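Review bot: The new `expire_time` attribute on `google_secret_manager_secret.default` applies one module-wide timestamp to every secret in `var.secrets`, whereas `labels`, `iam` and `versions` are all keyed per secret; since an expired secret is removed by the service together with its versions (as far as I recall of the API), a single shared expiry makes it easy to retire secrets that were not meant to share that lifetime. Consider keying it like `labels`, e.g. `expire_time = lookup(var.expire_time, each.key, null)` with the variable typed `map(string)` and defaulting to `{}`, so expiry is opt-in per secret and the safe default (no expiry) is preserved. Independently of that, the round-trip through `""` is redundant: `local.expire_time` only converts null to the empty string and the resource converts it back, so `expire_time = var.expire_time` already leaves the attribute unset when the variable is null and the added `locals` entry can be dropped. The `locals` block begins before the hunk and the resource body continues past it.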
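Review bot: `variable "expire_time"` accepts any string, so a malformed timestamp is only caught at apply time by the provider; the description also says "in UTC" while the provider expects an RFC 3339 timestamp, which is what should be stated. A `validation` block that rejects anything the timestamp functions cannot parse surfaces the mistake at plan time, and the description can read `Expiration timestamp for the secret in RFC 3339 format (e.g. 2024-01-31T00:00:00Z); null means the secret never expires.` (the example value is constructed).
```hcl
variable "expire_time" {
  description = "Expiration timestamp for the secret in RFC 3339 format; null means the secret never expires."
  type        = string
  default     = null
  validation {
    condition     = var.expire_time == null || can(timeadd(var.expire_time, "0s"))
    error_message = "expire_time must be an RFC 3339 timestamp (e.g. 2024-01-31T00:00:00Z)."
  }
}
```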