cloud-foundation-fabric/modules/secret-manager
Ludovico Magnocavallo f6775aca1b
Use the same versions file everywhere, pin to tf 1.0+ provider 4.0+ (#355)
* add default versions file, remove old providers and versions

* use default versions file everywhere

* fix kms module

* re-add provider configuration for data platform step 2

* update kms module outputs sorting

* update kms documentation

* fix data solutions tests

* fix GKE workload identity attribute name

* work around firewall provider issue in datafusion example
2021-11-03 15:05:43 +01:00

README.md

Google Secret Manager Module

Simple Secret Manager module that allows managing one or more secrets, their versions, and IAM bindings.

Secret Manager locations are available via the gcloud secrets locations list command.

Warning: managing versions will persist their data (the actual secret you want to protect) in the Terraform state in unencrypted form, accessible to any identity able to read or pull the state file.

Examples

Secrets

The secret replication policy is automatically managed if no location is set, or manually managed if a list of locations is passed to the secret.

module "secret-manager" {
  source     = "./modules/secret-manager"
  project_id = "my-project"
  secrets    = {
    test-auto   = null
    test-manual = ["europe-west1", "europe-west4"]
  }
}
# tftest:modules=1:resources=2

Secret IAM bindings

IAM bindings can be set per secret in the same way as for most other modules supporting IAM, using the iam variable.

module "secret-manager" {
  source     = "./modules/secret-manager"
  project_id = "my-project"
  secrets    = {
    test-auto   = null
    test-manual = ["europe-west1", "europe-west4"]
  }
  iam = {
    test-auto   = {
      "roles/secretmanager.secretAccessor" = ["group:auto-readers@example.com"]
    }
    test-manual = {
      "roles/secretmanager.secretAccessor" = ["group:manual-readers@example.com"]
    }
  }
}
# tftest:modules=1:resources=4

Secret versions

As mentioned above, please be aware that version data will be stored in state in unencrypted form.

module "secret-manager" {
  source     = "./modules/secret-manager"
  project_id = "my-project"
  secrets    = {
    test-auto   = null
    test-manual = ["europe-west1", "europe-west4"]
  }
  versions = {
    test-auto = {
      v1 = { enabled = false, data = "auto foo bar baz" }
      v2 = { enabled = true, data = "auto foo bar spam" }
    },
    test-manual = {
      v1 = { enabled = true, data = "manual foo bar spam" }
    }
  }
}
# tftest:modules=1:resources=5
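To make the warning above concrete, here is an added example (not part of the module or this README) that scans a Terraform state file for Secret Manager versions whose data is stored in plaintext. The state document is constructed inline; the `module.secret-manager` address and the `secret:version` index keys are assumptions about how the module names its resources.

```python
import json

# Constructed sample of a Terraform state (format version 4) as it might look
# after applying the "Secret versions" example above. Only the fields the check
# reads are included; the values are illustrative, not real secrets.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "module": "module.secret-manager",           # assumed module address
        "type": "google_secret_manager_secret_version",
        "name": "default",
        "instances": [
            {"index_key": "test-auto:v1",             # assumed key layout
             "attributes": {"secret": "projects/123/secrets/test-auto",
                            "enabled": False, "secret_data": "auto foo bar baz"}},
            {"index_key": "test-auto:v2",
             "attributes": {"secret": "projects/123/secrets/test-auto",
                            "enabled": True, "secret_data": "auto foo bar spam"}},
            {"index_key": "test-manual:v1",
             "attributes": {"secret": "projects/123/secrets/test-manual",
                            "enabled": True, "secret_data": "manual foo bar spam"}},
        ],
    }],
})


def find_plaintext_versions(state_json):
    """Return one record per secret version whose data is present in state."""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        if res.get("type") != "google_secret_manager_secret_version":
            continue
        prefix = res["module"] + "." if res.get("module") else ""
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            data = attrs.get("secret_data")
            if data is None:      # nothing stored, e.g. a version imported without data
                continue
            findings.append({
                "address": f'{prefix}{res["type"]}.{res["name"]}'
                           f'[{json.dumps(inst.get("index_key"))}]',
                "secret": attrs.get("secret", "").rsplit("/", 1)[-1],
                "enabled": attrs.get("enabled"),
                "bytes_exposed": len(data.encode()),   # size only, never the value
            })
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_versions(SAMPLE_STATE):
        print(finding)
```

Run it against a real `terraform state pull` output to see which versions would leak to anyone who can read the state backend; the report deliberately never prints the secret value itself.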

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| project_id | Project id where the secrets will be created. | string | yes | |
| iam | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | no | {} |
| labels | Optional labels for each secret. | map(map(string)) | no | {} |
| secrets | Map of secrets to manage and their locations. If locations is null, automatic replication management will be set. | map(list(string)) | no | {} |
| versions | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({...}))) | no | {} |

Outputs

| name | description | sensitive |
|---|---|---|
| ids | Secret ids keyed by secret name. | |
| secrets | Secret resources. | |
| version_ids | Version ids keyed by secret name : version name. | |
| versions | Secret versions. | |

Requirements

These sections describe requirements for using this module.

IAM

The following roles must be used to provision the resources of this module:

  • Cloud KMS Admin: roles/cloudkms.admin or
  • Owner: roles/owner

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Google Cloud Key Management Service: cloudkms.googleapis.com