Add CMEK support
This commit is contained in:
parent
087b4c40b4
commit
306b38295e
|
@ -72,17 +72,37 @@ module "secret-manager" {
|
|||
}
|
||||
# tftest modules=1 resources=5 inventory=versions.yaml
|
||||
```
|
||||
|
||||
### Secret with customer managed encryption key
|
||||
|
||||
Secrets will be used if an encryption key is set in the `encryption_key` variable for the secret region.
|
||||
|
||||
```hcl
|
||||
module "secret-manager" {
|
||||
source = "./fabric/modules/secret-manager"
|
||||
project_id = "my-project"
|
||||
secrets = {
|
||||
test-encryption = ["europe-west1", "europe-west4"]
|
||||
}
|
||||
encryption_key = {
|
||||
europe-west1 = "projects/PROJECT_ID/locations/europe-west1/keyRings/KEYRING/cryptoKeys/KEY"
|
||||
europe-west4 = "projects/PROJECT_ID/locations/europe-west4/keyRings/KEYRING/cryptoKeys/KEY"
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=1
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [project_id](variables.tf#L29) | Project id where the keyring will be created. | <code>string</code> | ✓ | |
|
||||
| [iam](variables.tf#L17) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L23) | Optional labels for each secret. | <code>map(map(string))</code> | | <code>{}</code> |
|
||||
| [secrets](variables.tf#L34) | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [versions](variables.tf#L40) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | <code title="map(map(object({ enabled = bool data = string })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||
| [project_id](variables.tf#L35) | Project id where the keyring will be created. | <code>string</code> | ✓ | |
|
||||
| [encryption_key](variables.tf#L17) | Self link of the KMS keys in {LOCATION => KEY} format. A key must be provided for all replica locations. | <code>map(string)</code> | | <code>null</code> |
|
||||
| [iam](variables.tf#L23) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | <code>map(map(list(string)))</code> | | <code>{}</code> |
|
||||
| [labels](variables.tf#L29) | Optional labels for each secret. | <code>map(map(string))</code> | | <code>{}</code> |
|
||||
| [secrets](variables.tf#L40) | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | <code>map(list(string))</code> | | <code>{}</code> |
|
||||
| [versions](variables.tf#L46) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | <code title="map(map(object({ enabled = bool data = string })))">map(map(object({…})))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -36,7 +36,6 @@ locals {
|
|||
}
|
||||
|
||||
resource "google_secret_manager_secret" "default" {
|
||||
provider = google-beta
|
||||
for_each = var.secrets
|
||||
project = var.project_id
|
||||
secret_id = each.key
|
||||
|
@ -59,6 +58,12 @@ resource "google_secret_manager_secret" "default" {
|
|||
iterator = location
|
||||
content {
|
||||
location = location.value
|
||||
dynamic "customer_managed_encryption" {
|
||||
for_each = try(var.encryption_key[location.value] != null ? [""] : [], [])
|
||||
content {
|
||||
kms_key_name = var.encryption_key[location.value]
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
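Review bot: The `try(...)` around the `for_each` of `customer_managed_encryption` silently falls back to Google-managed encryption for any replica whose location is absent from `encryption_key` (or misspelled), which contradicts the variable description that a key must be provided for all replica locations — the operator believes the secret is CMEK-protected, but that replica is created without a CMEK and nothing in the plan says so. Indexing the map directly when the variable is set makes Terraform fail the plan on the missing key instead: `for_each = var.encryption_key == null ? [] : [var.encryption_key[location.value]]` together with `kms_key_name = customer_managed_encryption.value`. As far as I recall the Secret Manager service agent also needs `roles/cloudkms.cryptoKeyEncrypterDecrypter` on each key before the apply succeeds, and the module grants nothing on the key; that prerequisite should at least be called out in the README or handled with an IAM binding. The enclosing `google_secret_manager_secret` resource starts above this hunk.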
|
|
@ -14,6 +14,12 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "encryption_key" {
|
||||
description = "Self link of the KMS keys in {LOCATION => KEY} format. A key must be provided for all replica locations."
|
||||
type = map(string)
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "iam" {
|
||||
description = "IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format."
|
||||
type = map(map(list(string)))
|
||||
|
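Review bot: The description calls the values "self links", but the README example and `kms_key_name` take full Cloud KMS resource names (`projects/…/locations/…/keyRings/…/cryptoKeys/…`), and nothing checks that the map key matches the location embedded in the key name even though, as far as I can tell, the key for a regional replica must live in that same region — a mismatch only surfaces at apply time. A `validation` block on the variable can reject malformed names and key/location mismatches at plan time, and the description should say `Cloud KMS key names in {LOCATION => KEY} format` rather than self links. The `variable "iam"` block continues past the end of the hunk.
```hcl
variable "encryption_key" {
  description = "Cloud KMS key names in {LOCATION => KEY} format. A key in the same location must be provided for every replica location."
  type        = map(string)
  default     = null
  validation {
    condition = alltrue([
      for location, key in (var.encryption_key == null ? {} : var.encryption_key) :
      can(regex("^projects/[^/]+/locations/${location}/keyRings/[^/]+/cryptoKeys/[^/]+$", key))
    ])
    error_message = "Each value must be a full Cloud KMS key name whose location matches its map key."
  }
}
```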
|