Commit 789328ff5a

* bump provider versions to 5.0.0
* fix cloud run, logging and vpc-sc
* Fix secret manager
* fix gke nodepool
* fix gke multitenant stage and blueprint
* Moving alloydb module to experimental.
* Add project to bare resources in examples
* tfdoc
* fix svpc blueprint test
* Revert "fix svpc blueprint test" This reverts commit 14f02659098070136e64ead600580dd52c23c339.
* Fix GKE peering project
* Disable tests in alloydb module
* Bring back secret ids in secret manager tests
* Remove duplicate key
* last push

Co-authored-by: Julio Castillo <jccb@google.com>
README.md
Google Secret Manager Module
Simple Secret Manager module that allows managing one or more secrets, their versions, and IAM bindings.
Secret Manager locations are available via the gcloud secrets locations list command.
Warning: managing versions will persist their data (the actual secret you want to protect) in the Terraform state in unencrypted form, accessible to any identity able to read or pull the state file.
Examples
Secrets
The secret replication policy is automatically managed if no location is set, or manually managed if a list of locations is passed to the secret.
module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = "my-project"
  secrets = {
    test-auto   = null
    test-manual = ["europe-west1", "europe-west4"]
  }
}
# tftest modules=1 resources=2
Secret IAM bindings
IAM bindings can be set per secret in the same way as for most other modules supporting IAM, using the iam variable.
module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = "my-project"
  secrets = {
    test-auto   = null
    test-manual = ["europe-west1", "europe-west4"]
  }
  iam = {
    test-auto = {
      "roles/secretmanager.secretAccessor" = ["group:auto-readers@example.com"]
    }
    test-manual = {
      "roles/secretmanager.secretAccessor" = ["group:manual-readers@example.com"]
    }
  }
}
# tftest modules=1 resources=4 inventory=iam.yaml
Secret versions
As mentioned above, please be aware that version data will be stored in state in unencrypted form.
module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = "my-project"
  secrets = {
    test-auto   = null
    test-manual = ["europe-west1", "europe-west4"]
  }
  versions = {
    test-auto = {
      v1 = { enabled = false, data = "auto foo bar baz" }
      v2 = { enabled = true, data = "auto foo bar spam" }
    },
    test-manual = {
      v1 = { enabled = true, data = "manual foo bar spam" }
    }
  }
}
# tftest modules=1 resources=5 inventory=versions.yaml
Secret with customer managed encryption key
A customer managed encryption key is used for a secret when a key is set in the encryption_key variable for that secret's replica location; a key must be given for every location the secret is replicated to.
module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = "my-project"
  secrets = {
    test-encryption = ["europe-west1", "europe-west4"]
  }
  encryption_key = {
    europe-west1 = "projects/PROJECT_ID/locations/europe-west1/keyRings/KEYRING/cryptoKeys/KEY"
    europe-west4 = "projects/PROJECT_ID/locations/europe-west4/keyRings/KEYRING/cryptoKeys/KEY"
  }
}
# tftest modules=1 resources=1
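Two things this README asks you to keep an eye on can be checked from the state itself: the warning above that version data lands in state in plaintext, and the rule that every replica location needs a key. The following script is an added example, not part of the module or this README; it reads the JSON that terraform show -json emits and reports secret versions whose payload is present in state and replicas (automatic or per location) with no customer managed key. The state document is constructed for the example, and the layout of nested blocks as lists of objects is assumed.

```python
import json

# Constructed sample of `terraform show -json` output, cut down to the fields the
# audit reads. Assumed: nested blocks (replication, replicas, ...) are lists of objects.
SAMPLE_STATE = json.dumps({"format_version": "1.0", "values": {"root_module": {
    "child_modules": [{"address": "module.secret-manager", "resources": [
        {"address": 'module.secret-manager.google_secret_manager_secret.default["test-manual"]',
         "type": "google_secret_manager_secret",
         "values": {"secret_id": "test-manual", "replication": [{"user_managed": [{"replicas": [
             {"location": "europe-west1", "customer_managed_encryption": [
                 {"kms_key_name": "projects/PROJECT_ID/locations/europe-west1/keyRings/KEYRING/cryptoKeys/KEY"}]},
             {"location": "europe-west4", "customer_managed_encryption": []}]}]}]}},
        {"address": 'module.secret-manager.google_secret_manager_secret_version.default["test-manual:v1"]',
         "type": "google_secret_manager_secret_version",
         "values": {"secret": "projects/PROJECT_ID/secrets/test-manual",
                    "secret_data": "manual foo bar spam", "enabled": True}},
    ]}]}}})


def iter_resources(module):
    """Yield each resource of a module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def audit_state(state_json):
    """Return (addresses holding plaintext secret_data, 'secret_id@location' replicas lacking a CMEK key)."""
    root = json.loads(state_json)["values"]["root_module"]
    plaintext, no_cmek = [], []
    for res in iter_resources(root):
        vals = res.get("values") or {}
        # A version whose payload is in state is readable by anyone who can read the state file.
        if res.get("type") == "google_secret_manager_secret_version" and vals.get("secret_data"):
            plaintext.append(res["address"])
        if res.get("type") == "google_secret_manager_secret":
            for repl in vals.get("replication", []):
                for auto in repl.get("auto", []):
                    if not auto.get("customer_managed_encryption"):
                        no_cmek.append(f'{vals.get("secret_id")}@automatic')
                for managed in repl.get("user_managed", []):
                    for replica in managed.get("replicas", []):
                        if not replica.get("customer_managed_encryption"):
                            no_cmek.append(f'{vals.get("secret_id")}@{replica.get("location")}')
    return plaintext, no_cmek
```

Against a real workspace, run terraform show -json, pass the output to audit_state, and treat any entry in the first list as data that must be rotated if the state backend is ever exposed.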
Variables
name | description | type | required | default |
---|---|---|---|---|
project_id | Project id where the keyring will be created. | string | ✓ | |
encryption_key | Self link of the KMS keys in {LOCATION => KEY} format. A key must be provided for all replica locations. | map(string) | | null |
iam | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
labels | Optional labels for each secret. | map(map(string)) | | {} |
secrets | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | map(list(string)) | | {} |
versions | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…}))) | | {} |
Outputs
name | description | sensitive |
---|---|---|
ids | Fully qualified secret ids. | |
secrets | Secret resources. | |
version_ids | Version ids keyed by secret name : version name. | |
versions | Secret versions. | ✓ |
Requirements
These sections describe requirements for using this module.
IAM
The following roles must be used to provision the resources of this module:
- Cloud KMS Admin: roles/cloudkms.admin
or
- Owner: roles/owner
APIs
A project with the following APIs enabled must be used to host the resources of this module:
- Google Cloud Key Management Service: cloudkms.googleapis.com