cloud-foundation-fabric/modules/secret-manager
Wiktor Niesiobędzki bee3072568
Add support for Cloud Run v2 jobs (#1954)

* create a separate file for service creation (service.tf) and job
  (job.tf) - for easy comparison
* add E2E tests where possible
* remove default value for input variable `region`
* fix subnet range VPC Access Connector example
* add creation of service account for audit logs call (trigger requires
  service account)
* use provided trigger service account email in
  `local.trigger_sa_email`, so explicitly provided SA is passed to
  trigger
* set default value for vpc_connector_create.throughput.max, to match
  what is set by GCP API, as provider uses wrong default of 300 which
  results in perma-diff
* create inventory files for all examples

Global changes
* (tests) add input variable `project_number`, to allow assigning IAM permissions to Service Accounts in fixtures
* (tests) fix not outputting the path, when object is not found in inventory
* (tests) fix `create_e2e_sandbox.sh` - now it properly finds root of the repo

Secret Manager
* added `version_versions` output, to allow specifying versions in other modules. `versions` is sensitive and it makes it unsuitable for `for_each` values

New test fixtures
* `pubsub.tf` - creating one topic
* `secret-credential.tf` - creating Secret Manager `credential` secret
* `shared-vpc.tf` - creating two projects (host and service), and vpc in host project
* `vpc-connector.tf` - creating VPC Access Connector instance
2024-02-18 14:57:34 +01:00
README.md

Google Secret Manager Module

Simple Secret Manager module that allows managing one or more secrets, their versions, and IAM bindings.

Secret Manager locations are available via the `gcloud secrets locations list` command.

Warning: managing versions will persist their data (the actual secret you want to protect) in the Terraform state in unencrypted form, accessible to any identity able to read or pull the state file. If you manage versions here, keep the state in a remote backend with access restricted to the identities that are entitled to read the secret data; otherwise create the secrets with this module and add versions out of band.

Examples

Secrets

The secret replication policy is automatic (Google-managed) if no location is set, or user-managed if a list of locations is passed to the secret.

module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = "my-project"
  secrets = {
    test-auto = {}
    test-manual = {
      locations = ["europe-west1", "europe-west4"]
    }
  }
}
# tftest modules=1 resources=2

Secret IAM bindings

IAM bindings can be set per secret in the same way as for most other modules supporting IAM, using the iam variable.

module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = "my-project"
  secrets = {
    test-auto = {}
    test-manual = {
      locations = ["europe-west1", "europe-west4"]
    }
  }
  iam = {
    test-auto = {
      "roles/secretmanager.secretAccessor" = ["group:auto-readers@example.com"]
    }
    test-manual = {
      "roles/secretmanager.secretAccessor" = ["group:manual-readers@example.com"]
    }
  }
}
# tftest modules=1 resources=4 inventory=iam.yaml

Secret versions

As mentioned above, please be aware that version data will be stored in state in unencrypted form.

module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = "my-project"
  secrets = {
    test-auto = {}
    test-manual = {
      locations = ["europe-west1", "europe-west4"]
    }
  }
  versions = {
    test-auto = {
      v1 = { enabled = false, data = "auto foo bar baz" }
      v2 = { enabled = true, data = "auto foo bar spam" }
    },
    test-manual = {
      v1 = { enabled = true, data = "manual foo bar spam" }
    }
  }
}
# tftest modules=1 resources=5 inventory=versions.yaml

Secret with customer managed encryption key

CMEK is used if an encryption key is set in the keys field of a secret, keyed by replication location. For secrets with automatic replication a single global key must be specified; for user-managed replication one key must be given per location, and each key must live in the same location as the replica it protects. The Secret Manager service agent of the project must be allowed to encrypt and decrypt with every key referenced here, otherwise secret creation fails.

module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = "my-project"
  secrets = {
    test-auto = {
      keys = {
        global = "projects/PROJECT_ID/locations/global/keyRings/KEYRING/cryptoKeys/KEY"
      }
    }
    test-auto-nokeys = {}
    test-manual = {
      locations = ["europe-west1", "europe-west4"]
      keys = {
        europe-west1 = "projects/PROJECT_ID/locations/europe-west1/keyRings/KEYRING/cryptoKeys/KEY"
        europe-west4 = "projects/PROJECT_ID/locations/europe-west4/keyRings/KEYRING/cryptoKeys/KEY"
      }
    }
  }
}
# tftest modules=1 resources=3
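The example below is an added illustration, not part of the module or its test suite: it grants the Secret Manager service agent `roles/cloudkms.cryptoKeyEncrypterDecrypter` on each key before the CMEK-protected secrets are created. The project id, key ring and key names are placeholders; the key paths follow the format of the example above.

```hcl
# Added example (not module code). Placeholders: my-project, KEYRING, KEY.
locals {
  cmek_keys = {
    global       = "projects/my-project/locations/global/keyRings/KEYRING/cryptoKeys/KEY"
    europe-west1 = "projects/my-project/locations/europe-west1/keyRings/KEYRING/cryptoKeys/KEY"
    europe-west4 = "projects/my-project/locations/europe-west4/keyRings/KEYRING/cryptoKeys/KEY"
  }
}

data "google_project" "project" {
  project_id = "my-project"
}

# Secret Manager encrypts payloads with the CMEK on behalf of its service agent,
# so the agent (not the caller) needs encrypt/decrypt on every key in use.
resource "google_kms_crypto_key_iam_member" "secretmanager" {
  for_each      = local.cmek_keys
  crypto_key_id = each.value
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:service-${data.google_project.project.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
}

module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = "my-project"
  secrets = {
    test-auto = {
      keys = { global = local.cmek_keys.global }
    }
    test-manual = {
      locations = ["europe-west1", "europe-west4"]
      keys = {
        europe-west1 = local.cmek_keys.europe-west1
        europe-west4 = local.cmek_keys.europe-west4
      }
    }
  }
  # make sure the grants exist before the API tries to wrap the first payload
  depends_on = [google_kms_crypto_key_iam_member.secretmanager]
}
```

The service agent `service-PROJECT_NUMBER@gcp-sa-secretmanager.iam.gserviceaccount.com` is only created once Secret Manager has been used in the project (or provisioned explicitly with the `google_project_service_identity` resource of the google-beta provider); on a brand-new project the IAM grant above may otherwise fail with an unknown-member error on the first apply.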

Variables

| name | description | type | required | default |
|---|---|---|:---:|:---:|
| project_id | Project id where the secrets will be created. | string | ✓ | |
| iam | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
| labels | Optional labels for each secret. | map(map(string)) | | {} |
| secrets | Map of secrets to manage, their locations and KMS keys in {LOCATION => KEY} format. {GLOBAL => KEY} format enables CMEK for automatically replicated secrets. If locations is null, automatic replication will be set. | map(object({…})) | | {} |
| versions | Optional versions to manage for each secret. Version names are only used internally to track individual versions; the data field is stored in state in clear text. | map(map(object({…}))) | | {} |

Outputs

| name | description | sensitive |
|---|---|:---:|
| ids | Fully qualified secret ids, keyed by secret name. | |
| secrets | Secret resources. | |
| version_ids | Version ids keyed by secret name : version name. | |
| version_versions | Secret version numbers keyed by secret name : version name. Unlike versions this output is not sensitive, so it can be used in for_each and as the version of a secret reference in other modules. | |
| versions | Secret versions. Contains the version payloads, so it is sensitive. | ✓ |
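The following is an added example, not module code, showing why a non-sensitive version output matters: a Cloud Run v2 service mounts two secret versions as environment variables with a dynamic block whose for_each is driven by version_versions. Assumptions: output keys use the "secret-name:version-name" form implied by the descriptions above, ids is keyed by secret name, and the secret payloads are constructed placeholders.

```hcl
# Added example (not module code). Keys in local.run_secret_env assume the
# "secret:version" output key format; payload values are constructed placeholders.
locals {
  run_secret_env = {
    DB_PASSWORD = "db-password:v1"
    API_TOKEN   = "api-token:v2"
  }
}

resource "google_service_account" "run" {
  project    = "my-project"
  account_id = "run-svc"
}

module "secret-manager" {
  source     = "./fabric/modules/secret-manager"
  project_id = "my-project"
  secrets = {
    db-password = {}
    api-token   = {}
  }
  # least privilege: only the runtime identity of the service may read payloads
  iam = {
    db-password = {
      "roles/secretmanager.secretAccessor" = ["serviceAccount:${google_service_account.run.email}"]
    }
    api-token = {
      "roles/secretmanager.secretAccessor" = ["serviceAccount:${google_service_account.run.email}"]
    }
  }
  versions = {
    db-password = {
      v1 = { enabled = true, data = "constructed-placeholder-password" }
    }
    api-token = {
      v1 = { enabled = false, data = "constructed-placeholder-token-old" }
      v2 = { enabled = true, data = "constructed-placeholder-token" }
    }
  }
}

resource "google_cloud_run_v2_service" "svc" {
  project  = "my-project"
  name     = "svc"
  location = "europe-west1"
  template {
    service_account = google_service_account.run.email
    containers {
      image = "us-docker.pkg.dev/cloudrun/container/hello"
      # for_each over a non-sensitive map is allowed; the same block driven by
      # module.secret-manager.versions would be rejected by Terraform
      dynamic "env" {
        for_each = local.run_secret_env
        content {
          name = env.key
          value_source {
            secret_key_ref {
              secret  = module.secret-manager.ids[split(":", env.value)[0]]
              version = module.secret-manager.version_versions[env.value]
            }
          }
        }
      }
    }
  }
}
```

Pinning the version number (instead of "latest") makes a deploy reproducible and lets a compromised or rotated version be disabled without the service silently picking up a different payload; the trade-off is that every rotation needs a new apply that bumps the key in local.run_secret_env.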

Requirements

These sections describe requirements for using this module.

IAM

The following roles must be used to provision the resources of this module:

  • Secret Manager Admin: roles/secretmanager.admin or
  • Owner: roles/owner

When CMEK is used, the identity applying the configuration additionally needs to be able to grant the Secret Manager service agent access to the keys, for example via Cloud KMS Admin: roles/cloudkms.admin on the key ring.

APIs

A project with the following APIs enabled must be used to host the resources of this module:

  • Secret Manager: secretmanager.googleapis.com
  • Google Cloud Key Management Service (only when CMEK is used): cloudkms.googleapis.com