Merge pull request #264 from terraform-google-modules/lcaggio-kms-002
Add Service Identity for Secret Manager
This commit is contained in:
commit
6cdc48fdd6
|
@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
|
|||
- Fix `message_retention_duration` variable type in `pubsub` module
|
||||
- Move `bq` robot service account into the robot service account project output
|
||||
- Add IAM cryptDecrypt role to robot service account on specified keys
|
||||
- Add Service Identity creation on `project' module if secretmanager enabled
|
||||
|
||||
## [4.9.0] - 2021-06-04
|
||||
|
||||
|
|
|
@ -149,7 +149,7 @@ module "project-host" {
|
|||
# tftest:modules=5:resources=12
|
||||
```
|
||||
|
||||
## Cloud KMS ncryption keys
|
||||
## Cloud KMS encryption keys
|
||||
```hcl
|
||||
module "project" {
|
||||
source = "./modules/project"
|
||||
|
@ -170,7 +170,7 @@ module "project" {
|
|||
]
|
||||
}
|
||||
}
|
||||
# tftest:modules=1:resources=6
|
||||
# tftest:modules=1:resources=7
|
||||
```
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
|
|
@ -370,6 +370,13 @@ resource "google_kms_crypto_key_iam_member" "crypto_key" {
|
|||
for service_key in local.service_encryption_key_ids : "${service_key.service}.${service_key.key}" => service_key
|
||||
}
|
||||
crypto_key_id = each.value.key
|
||||
role = "roles/cloudkms.cryptoKeyEncrypter"
|
||||
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
|
||||
member = "serviceAccount:${local.service_accounts_robots[each.value.service]}"
|
||||
depends_on = [
|
||||
google_project.project,
|
||||
google_project_service.project_services,
|
||||
data.google_bigquery_default_service_account.bq_sa,
|
||||
data.google_project.project,
|
||||
data.google_storage_project_service_account.gcs_sa,
|
||||
]
|
||||
}
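Review bot: The new `depends_on` list (from the `depends_on = [` line down) does not include `google_project_service_identity.sm_sa`, although this same commit adds that resource precisely because the Secret Manager service agent only exists once something triggers its creation; if a `secretmanager` entry ever appears in `local.service_encryption_key_ids`, the IAM member may be applied before the agent exists and fail on a fresh project. Adding `google_project_service_identity.sm_sa,` to the list closes that ordering gap, and the `service_accounts` output's `depends_on` in the `@ -56,7 +59,10 @@` hunk presumably has the same gap since its `robots` map is what this binding reads. The widening from `cryptoKeyEncrypter` to `cryptoKeyEncrypterDecrypter` is granted to every robot account in the map, so a short why-comment on the role line, e.g. `# services must decrypt data written under the CMEK, hence EncrypterDecrypter`, would help reviewers of future role changes. The `resource "google_kms_crypto_key_iam_member" "crypto_key"` block starts outside the hunk.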
|
||||
|
|
|
@ -23,7 +23,8 @@ output "project_id" {
|
|||
google_project_organization_policy.boolean,
|
||||
google_project_organization_policy.list,
|
||||
google_project_service.project_services,
|
||||
google_compute_shared_vpc_service_project.service_projects
|
||||
google_compute_shared_vpc_service_project.service_projects,
|
||||
google_kms_crypto_key_iam_member.crypto_key
|
||||
]
|
||||
}
|
||||
|
||||
|
@ -34,7 +35,8 @@ output "name" {
|
|||
google_project_organization_policy.boolean,
|
||||
google_project_organization_policy.list,
|
||||
google_project_service.project_services,
|
||||
google_compute_shared_vpc_service_project.service_projects
|
||||
google_compute_shared_vpc_service_project.service_projects,
|
||||
google_kms_crypto_key_iam_member.crypto_key
|
||||
]
|
||||
}
|
||||
|
||||
|
@ -45,7 +47,8 @@ output "number" {
|
|||
google_project_organization_policy.boolean,
|
||||
google_project_organization_policy.list,
|
||||
google_project_service.project_services,
|
||||
google_compute_shared_vpc_service_project.service_projects
|
||||
google_compute_shared_vpc_service_project.service_projects,
|
||||
google_kms_crypto_key_iam_member.crypto_key
|
||||
]
|
||||
}
|
||||
|
||||
|
@ -56,7 +59,10 @@ output "service_accounts" {
|
|||
default = local.service_accounts_default
|
||||
robots = local.service_accounts_robots
|
||||
}
|
||||
depends_on = [google_project_service.project_services]
|
||||
depends_on = [
|
||||
google_project_service.project_services,
|
||||
google_kms_crypto_key_iam_member.crypto_key
|
||||
]
|
||||
}
|
||||
|
||||
output "custom_roles" {
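Review bot: The new last element `google_kms_crypto_key_iam_member.crypto_key` is written without a trailing comma while the line just above it in the same hunk gained one (`google_compute_shared_vpc_service_project.service_projects,`); the same applies to the `project_id`, `name`, `number` and `service_accounts` outputs in the four hunks of this file. Terraform accepts a trailing comma in list literals, so writing `google_kms_crypto_key_iam_member.crypto_key,` keeps the style consistent and makes the next addition a one-line diff, exactly the churn this hunk shows.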
|
||||
|
|
|
@ -32,6 +32,7 @@ locals {
|
|||
gae-flex = "gae-api-prod"
|
||||
gcf = "gcf-admin-robot"
|
||||
pubsub = "gcp-sa-pubsub"
|
||||
secretmanager = "gcp-sa-secretmanager"
|
||||
storage = "gs-project-accounts"
|
||||
}
|
||||
service_accounts_robots = {
|
||||
|
@ -40,12 +41,23 @@ locals {
|
|||
}
|
||||
}
|
||||
|
||||
data "google_storage_project_service_account" "gcs_account" {
|
||||
count = try(var.services["storage.googleapis.com"], false) ? 1 : 0
|
||||
project = local.project.project_id
|
||||
data "google_storage_project_service_account" "gcs_sa" {
|
||||
count = contains(var.services, "storage.googleapis.com") ? 1 : 0
|
||||
project = local.project.project_id
|
||||
depends_on = [google_project_service.project_services]
|
||||
}
|
||||
|
||||
data "google_bigquery_default_service_account" "bq_sa" {
|
||||
count = try(var.services["bigquery.googleapis.com"], false) ? 1 : 0
|
||||
project = local.project.project_id
|
||||
count = contains(var.services, "bigquery.googleapis.com") ? 1 : 0
|
||||
project = local.project.project_id
|
||||
depends_on = [google_project_service.project_services]
|
||||
}
|
||||
|
||||
# Secret Manager SA created just in time, we need to trigger the creation.
|
||||
resource "google_project_service_identity" "sm_sa" {
|
||||
provider = google-beta
|
||||
count = contains(var.services, "secretmanager.googleapis.com") ? 1 : 0
|
||||
project = local.project.project_id
|
||||
service = "secretmanager.googleapis.com"
|
||||
depends_on = [google_project_service.project_services]
|
||||
}
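Review bot: `provider = google-beta` on the new `sm_sa` resource means every caller of this module must now have a `google-beta` provider configured; if the module's required_providers block (not in this hunk) does not already declare it, that is a breaking change for existing users and should be called out in the changelog entry. The comment `# Secret Manager SA created just in time, we need to trigger the creation.` states what but not why it matters; `# The Secret Manager service agent is only provisioned on first use; create it explicitly so IAM bindings on it can be applied in the same run.` would make the intent clear to the next maintainer. The `count` expressions now use `contains(var.services, ...)` instead of `try(var.services[...], false)`, which presumes `var.services` is a list or set rather than a map — consistent with the new `sm_sa` count, but worth confirming the variable's declared type was changed accordingly.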
|
||||
|
|
|
@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
|
|||
"Test that plan works and the numbers of resources is as expected."
|
||||
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
||||
assert len(modules) == 5
|
||||
assert len(resources) == 17
|
||||
assert len(resources) == 18
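Review bot: The bumped expectation `assert len(resources) == 18` is a bare number, so a reader cannot tell which fixture resource accounts for the +1 (presumably the new `google_project_service_identity.sm_sa`, if the fixture enables secretmanager); the same applies to the bumps to 62 and 83 in the two following hunks. A comment on the assertion, e.g. `# +1 for google_project_service_identity.sm_sa (secretmanager enabled in fixture)`, would make future count changes auditable instead of a number that is adjusted until the test passes. `test_resources` begins outside the hunk.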
|
||||
|
|
|
@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
|
|||
"Test that plan works and the numbers of resources is as expected."
|
||||
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
||||
assert len(modules) == 14
|
||||
assert len(resources) == 61
|
||||
assert len(resources) == 62
|
||||
|
|
|
@ -24,4 +24,4 @@ def test_resources(e2e_plan_runner):
|
|||
"Test that plan works and the numbers of resources is as expected."
|
||||
modules, resources = e2e_plan_runner(FIXTURES_DIR)
|
||||
assert len(modules) == 8
|
||||
assert len(resources) == 82
|
||||
assert len(resources) == 83
|
||||
|
|