Remove iam_roles from secret_manager
parent
a27ec7bf61
commit
96dba2256e
|
@ -25,7 +25,7 @@ module "secret-manager" {
|
|||
|
||||
### Secret IAM bindings
|
||||
|
||||
IAM bindings can be set per secret in the same way as for most other modules supporting IAM, via `iam_roles` and `iam_members` variables.
|
||||
IAM bindings can be set per secret in the same way as for most other modules supporting IAM, using the `iam_members` variable.
|
||||
|
||||
```hcl
|
||||
module "secret-manager" {
|
||||
|
@ -35,10 +35,6 @@ module "secret-manager" {
|
|||
test-auto = null
|
||||
test-manual = ["europe-west1", "europe-west4"]
|
||||
}
|
||||
iam_roles = {
|
||||
test-auto = ["roles/secretmanager.secretAccessor"]
|
||||
test-manual = ["roles/secretmanager.secretAccessor"]
|
||||
}
|
||||
iam_members = {
|
||||
test-auto = {
|
||||
"roles/secretmanager.secretAccessor" = ["group:auto-readers@example.com"]
|
||||
|
@ -80,8 +76,7 @@ module "secret-manager" {
|
|||
| name | description | type | required | default |
|
||||
|---|---|:---: |:---:|:---:|
|
||||
| project_id | Project id where the keyring will be created. | <code title="">string</code> | ✓ | |
|
||||
| *iam_members* | IAM members keyed by secret name and role. | <code title="map(map(list(string)))">map(map(list(string)))</code> | | <code title="">{}</code> |
|
||||
| *iam_roles* | IAM roles keyed by secret name. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *iam_members* | IAM members keyed by secret name and role. | <code title="map(map(set(string)))">map(map(set(string)))</code> | | <code title="">{}</code> |
|
||||
| *labels* | Optional labels for each secret. | <code title="map(map(string))">map(map(string))</code> | | <code title="">{}</code> |
|
||||
| *secrets* | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | <code title="map(list(string))">map(list(string))</code> | | <code title="">{}</code> |
|
||||
| *versions* | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | <code title="map(map(object({ enabled = bool data = string })))">map(map(object({...})))</code> | | <code title="">{}</code> |
|
||||
|
|
|
@ -16,13 +16,15 @@
|
|||
|
||||
locals {
|
||||
# distinct is needed to make the expanding function argument work
|
||||
iam_pairs = flatten([
|
||||
for name, roles in var.iam_roles :
|
||||
[for role in roles : { name = name, role = role }]
|
||||
])
|
||||
iam_keypairs = {
|
||||
for pair in local.iam_pairs : "${pair.name}-${pair.role}" => pair
|
||||
iam_members = flatten([
|
||||
for secret, roles in var.iam_members : [
|
||||
for role, members in roles : {
|
||||
secret = secret
|
||||
role = role
|
||||
members = members
|
||||
}
|
||||
]
|
||||
])
|
||||
version_pairs = flatten([
|
||||
for secret, versions in var.versions : [
|
||||
for name, attrs in versions : merge(attrs, { name = name, secret = secret })
|
||||
|
@ -74,10 +76,11 @@ resource "google_secret_manager_secret_version" "default" {
|
|||
|
||||
resource "google_secret_manager_secret_iam_binding" "default" {
|
||||
provider = google-beta
|
||||
for_each = local.iam_keypairs
|
||||
for_each = {
|
||||
for binding in local.iam_members :
|
||||
"${binding.secret}.${binding.role}" => binding
|
||||
}
|
||||
role = each.value.role
|
||||
secret_id = google_secret_manager_secret.default[each.value.name].id
|
||||
members = lookup(
|
||||
lookup(var.iam_members, each.value.name, {}), each.value.role, []
|
||||
)
|
||||
secret_id = google_secret_manager_secret.default[each.value.secret].id
|
||||
members = each.value.members
|
||||
}
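Review bot: The context comment `# distinct is needed to make the expanding function argument work` at the top of the locals hunk is now stale: the `iam_pairs`/`iam_keypairs` construction it explained is removed and `local.iam_members` is built with a plain nested `for` that never calls `distinct`. Drop it or replace it with a comment describing the new shape, e.g. `# one {secret, role, members} object per (secret, role) pair in var.iam_members; keyed below as "<secret>.<role>"`. Since this resource is now the only place secret-level IAM is declared, it would also help to note on `google_secret_manager_secret_iam_binding.default` that `*_iam_binding` resources are authoritative for their role on the secret, so any member holding that role outside this module is expected to be removed on apply. The `locals` block continues past the end of the first hunk.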
|
||||
|
|
|
@ -16,13 +16,7 @@
|
|||
|
||||
variable "iam_members" {
|
||||
description = "IAM members keyed by secret name and role."
|
||||
type = map(map(list(string)))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "iam_roles" {
|
||||
description = "IAM roles keyed by secret name."
|
||||
type = map(list(string))
|
||||
type = map(map(set(string)))
|
||||
default = {}
|
||||
}
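Review bot: The description of `iam_members` still reads as it did when `iam_roles` existed alongside it and does not say what the nested keys are or that the binding it feeds is authoritative per role; with the variable now carrying the whole IAM surface of the module, that belongs in the description, e.g. `description = "IAM members keyed by secret name, then role, e.g. { my-secret = { \"roles/secretmanager.secretAccessor\" = [\"group:readers@example.com\"] } }. Bindings are authoritative per role."`. The switch from `list(string)` to `set(string)` is a visible interface change (duplicates collapse, order is lost) and is worth a one-line mention in the description as well, since callers passing lists are silently converted.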
|
||||
|
||||
|
|