Skip to main content
← back to extensions

@swamp/aws/secretsmanager

v2026.04.23.3

AWS SECRETSMANAGER infrastructure models

Repository

https://github.com/systeminit/swamp-extensions

Platforms

linux-x86_64linux-aarch64darwin-x86_64darwin-aarch64

Labels

awssecretsmanagercloudinfrastructure

Contents

models

Quality score

Verified by Swamp

How well-documented and verifiable this extension is.

100%

Grade A

  • Has README or module doc2/2earned
  • README has a code example1/1earned
  • README is substantive1/1earned
  • Most symbols documented1/1earned
  • No slow types1/1earned
  • Has description1/1earned
  • At least one platform tag (or universal)1/1earned
  • Two or more platform tags (or universal)1/1earned
  • License declared1/1earned
  • Verified public repository2/2earned

Install

$ swamp extension pull @swamp/aws/secretsmanager

@swamp/aws/secretsmanager/resource-policyv2026.04.23.2resource_policy.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
SecretIdstringThe ARN or name of the secret to attach the resource-based policy.
ResourcePolicystringA JSON-formatted string for an AWS resource-based policy.
BlockPublicPolicy?booleanSpecifies whether to block resource-based policies that allow broad access to the secret.
createCreate a SecretsManager ResourcePolicy
getGet a SecretsManager ResourcePolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the SecretsManager ResourcePolicy
updateUpdate a SecretsManager ResourcePolicy
deleteDelete a SecretsManager ResourcePolicy
ArgumentTypeDescription
identifierstringThe primary identifier of the SecretsManager ResourcePolicy
syncSync SecretsManager ResourcePolicy state from AWS

Resources

state(infinite)— SecretsManager ResourcePolicy resource state
@swamp/aws/secretsmanager/rotation-schedulev2026.04.23.2rotation_schedule.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
HostedRotationLambda?objectCreates a new Lambda rotation function based on one of the Secrets Manager rotation function templates. To use a rotation function that already exists, specify RotationLambdaARN instead.
SecretIdstringThe ARN or name of the secret to rotate.
ExternalSecretRotationMetadata?arrayThe list of metadata needed to successfully rotate a managed external secret.
ExternalSecretRotationRoleArn?stringThe ARN of the IAM role that is used by Secrets Manager to rotate a managed external secret.
RotateImmediatelyOnUpdate?booleanSpecifies whether to rotate the secret immediately or wait until the next scheduled rotation window.
RotationLambdaARN?stringThe ARN of an existing Lambda rotation function. To specify a rotation function that is also defined in this template, use the Ref function.
RotationRules?objectA structure that defines the rotation configuration for this secret.
createCreate a SecretsManager RotationSchedule
getGet a SecretsManager RotationSchedule
ArgumentTypeDescription
identifierstringThe primary identifier of the SecretsManager RotationSchedule
updateUpdate a SecretsManager RotationSchedule
deleteDelete a SecretsManager RotationSchedule
ArgumentTypeDescription
identifierstringThe primary identifier of the SecretsManager RotationSchedule
syncSync SecretsManager RotationSchedule state from AWS

Resources

state(infinite)— SecretsManager RotationSchedule resource state
@swamp/aws/secretsmanager/secretv2026.04.23.2secret.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
Description?stringThe description of the secret.
KmsKeyId?stringThe ARN, key ID, or alias of the KMS key that Secrets Manager uses to encrypt the secret value in the secret. An alias is always prefixed by alias/, for example alias/aws/secretsmanager. For more information, see [About aliases](https://docs.aws.amazon.com/kms/latest/developerguide/alias-about.html). To use a KMS key in a different account, use the key ARN or the alias ARN. If you don't specify this value, then Secrets Manager uses the key aws/secretsmanager. If that key doesn't yet exist, then
SecretString?stringThe text to encrypt and store in the secret. We recommend you use a JSON structure of key/value pairs for your secret value. To generate a random password, use GenerateSecretString instead. If you omit both GenerateSecretString and SecretString, you create an empty secret. When you make a change to this property, a new secret version is created.
GenerateSecretString?objectA structure that specifies how to generate a password to encrypt and store in the secret. To include a specific string in the secret, use SecretString instead. If you omit both GenerateSecretString and SecretString, you create an empty secret. When you make a change to this property, a new secret version is created. We recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.
ReplicaRegions?arrayA custom type that specifies a Region and the KmsKeyId for a replica secret.
Tags?arrayA list of tags to attach to the secret. Each tag is a key and value pair of strings in a JSON text string, for example: [{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}] Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc". Stack-level tags, tags you apply to the CloudFormation stack, are also attached to the secret. If you check tags in permissions policies as part of your security strategy, then ad
Name?stringThe name of the new secret. The secret name can contain ASCII letters, numbers, and the following characters: /_+=.@- Do not end your secret name with a hyphen followed by six characters. If you do so, you risk confusion and unexpected results when searching for a secret by partial ARN. Secrets Manager automatically adds a hyphen and six random characters after the secret name at the end of the ARN.
Type?stringThe exact string that identifies the third-party partner that holds the external secret. For more information, see [Managed external secret partners](https://docs.aws.amazon.com/secretsmanager/latest/userguide/mes-partners.html).
createCreate a SecretsManager Secret
getGet a SecretsManager Secret
ArgumentTypeDescription
identifierstringThe primary identifier of the SecretsManager Secret
updateUpdate a SecretsManager Secret
deleteDelete a SecretsManager Secret
ArgumentTypeDescription
identifierstringThe primary identifier of the SecretsManager Secret
syncSync SecretsManager Secret state from AWS

Resources

state(infinite)— SecretsManager Secret resource state
@swamp/aws/secretsmanager/secret-target-attachmentv2026.04.23.2secret_target_attachment.ts

Global Arguments

ArgumentTypeDescription
namestringInstance name for this resource (used as the unique identifier in the factory pattern)
SecretIdstring
TargetTypestring
TargetIdstring
createCreate a SecretsManager SecretTargetAttachment
getGet a SecretsManager SecretTargetAttachment
ArgumentTypeDescription
identifierstringThe primary identifier of the SecretsManager SecretTargetAttachment
updateUpdate a SecretsManager SecretTargetAttachment
deleteDelete a SecretsManager SecretTargetAttachment
ArgumentTypeDescription
identifierstringThe primary identifier of the SecretsManager SecretTargetAttachment
syncSync SecretsManager SecretTargetAttachment state from AWS

Resources

state(infinite)— SecretsManager SecretTargetAttachment resource state