From 12e69c71e37f125a4cd2927e95d8cfd0a8411cbb Mon Sep 17 00:00:00 2001
From: Lorenzo Caggioni
Date: Mon, 14 Jun 2021 18:35:53 +0200
Subject: [PATCH] Add Service Identity for Secret Manager

---
 modules/project/README.md | 2 +-
 modules/project/service_accounts.tf | 12 ++++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/modules/project/README.md b/modules/project/README.md
index 281a7776..267c7633 100644
--- a/modules/project/README.md
+++ b/modules/project/README.md
@@ -149,7 +149,7 @@ module "project-host" {
 # tftest:modules=5:resources=12
 ```
-## Cloud KMS ncryption keys
+## Cloud KMS encryption keys
 ```hcl
 module "project" {
 source = "./modules/project"
diff --git a/modules/project/service_accounts.tf b/modules/project/service_accounts.tf
index f949f33f..c7dc1d49 100644
--- a/modules/project/service_accounts.tf
+++ b/modules/project/service_accounts.tf
@@ -32,6 +32,7 @@ locals {
 gae-flex = "gae-api-prod"
 gcf = "gcf-admin-robot"
 pubsub = "gcp-sa-pubsub"
+ secretmanager = "gcp-sa-secretmanager"
 storage = "gs-project-accounts"
 }
 service_accounts_robots = {
@@ -41,11 +42,18 @@ locals {
 }
 data "google_storage_project_service_account" "gcs_account" {
- count = try(var.services["storage.googleapis.com"], false) ? 1 : 0
+ count = contains(var.services, "storage.googleapis.com") ? 1 : 0
 project = local.project.project_id
 }
 data "google_bigquery_default_service_account" "bq_sa" {
- count = try(var.services["bigquery.googleapis.com"], false) ? 1 : 0
+ count = contains(var.services, "bigquery.googleapis.com") ? 1 : 0
 project = local.project.project_id
 }
+
+resource "google_project_service_identity" "sm_sa" {
+ provider = google-beta
+ count = contains(var.services, "secretmanager.googleapis.com") ? 1 : 0
+ project = local.project.project_id
+ service = "secretmanager.googleapis.com"
+}
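Review bot: The new `sm_sa` resource in the last hunk provisions the Secret Manager service agent but nothing in the hunk consumes its `email`, so if this module's KMS key bindings are fed from the `service_accounts_robots` local (its body begins before the hunk), that map presumably needs the agent as well or CMEK-backed secrets will still fail until the agent is granted `roles/cloudkms.cryptoKeyEncrypterDecrypter` elsewhere. The switch from `try(var.services["..."], false)` to `contains(var.services, "...")` implies `var.services` has become a list or set; that variable change is not in this patch, so confirm it lands in the same commit or validation will fail. Like the two data sources above it, the identity is not ordered after API enablement; if the module enables APIs with `google_project_service`, a `depends_on` on that resource avoids a failed apply on a fresh project. A one-line comment would help the next maintainer: `# Force creation of the Secret Manager service agent so it can be granted KMS access before any CMEK-encrypted secret exists.`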