Skip to content

A Terraform module for creating and managing secrets in Google Secret Manager in Google Cloud https://cloud.google.com/secret-manager

License

Notifications You must be signed in to change notification settings

mineiros-io/terraform-google-secret-manager

Repository files navigation

Build Status GitHub tag (latest SemVer) Terraform Version Google Provider Version Join Slack

terraform-google-secret-manager

A Terraform module to create a Google Secret Manager on Google Cloud Services (GCP)

This module supports Terraform version 1 and is compatible with the Terraform Google Provider version 5.

This module is part of our Infrastructure as Code (IaC) framework that enables our users and customers to easily deploy and manage reusable, secure, and production-grade cloud infrastructure.

Module Features

This module implements the following terraform resources:

  • google_secret_manager_secret

and supports additional features of the following modules:

Getting Started

Most basic usage just setting required arguments:

module "terraform-google-secret-manager" {
  source = "github.com/mineiros-io/terraform-google-secret-manager.git?ref=v0.3.0"

  secret_id = "secret"
}

Module Argument Reference

See variables.tf and examples/ for details and use-cases.

Main Resource Configuration

  • secret_id: (Required string)

    This must be unique within the project.

  • replicas: (Optional list(replica))

    A list of replicas for the secret will be replicated in according to the location set in the location property. If empty The Secret will automatically be replicated without any restrictions.

    Default is [].

    Example:

    replicas = [{
      location = "us-central1"
    }]

    Each replica object in the list accepts the following attributes:

    • location: (Required string)

      The canonical IDs of the location to replicate data. For example: us-east1.

    • customer_managed_encryption: (Optional object(customer_managed_encryption))

      Customer Managed Encryption for the secret.

      Example:

      customer_managed_encryption = {
        kms_key_name = "mykey"
      }

      The customer_managed_encryption object accepts the following attributes:

      • kms_key_name: (Required string)

        Describes the Cloud KMS encryption key that will be used to protect destination secret.

  • labels: (Optional map(string))

    The labels assigned to this Secret. Label keys must be between 1 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}][\p{Ll}\p{Lo}\p{N}-]{0,62} Label values must be between 0 and 63 characters long, have a UTF-8 encoding of maximum 128 bytes, and must conform to the following PCRE regular expression: [\p{Ll}\p{Lo}\p{N}-]{0,63} No more than 64 labels can be assigned to a given resource. An object containing a list of key: value pairs.

    Default is {}.

    Example:

    labels = {
      "app": "web",
      "env": "prod"
    }
  • expire_time: (Optional string)

    Timestamp in UTC when the Secret is scheduled to expire. This is always provided on output, regardless of what was sent on input. A timestamp in RFC3339 UTC Zulu format, with nanosecond resolution and up to nine fractional digits. Examples: 2014-10-02T15:01:23Z and 2014-10-02T15:01:23.045123456Z.

  • ttl: (Optional string)

    The TTL for the Secret. A duration in seconds with up to nine fractional digits, terminated by s. Example: 3.5s.

  • topics: (Optional set(string))

    A list of up to 10 Pub/Sub topics to which messages are published when control plane operations are called on the secret or its versions. Structure is documented below. If you set topics, you will need to set rotation too.

  • rotation: (Optional object(rotation))

    The rotation time and period for a Secret. At next_rotation_time, Secret Manager will send a Pub/Sub notification to the topics configured on the Secret. topics must be set to configure rotation.

    Example:

    rotation = {
      next_rotation_time = "2022-10-02T15:01:23.045123456Z"
      rotation_period    = "3600s"
    }

    The rotation object accepts the following attributes:

    • next_rotation_time: (Optional string)

      Timestamp in UTC at which the Secret is scheduled to rotate. A timestamp in RFC3339 UTC Zulu format, with nanosecond resolution and up to nine fractional digits. Examples: 2014-10-02T15:01:23Z and 2014-10-02T15:01:23.045123456Z.

    • rotation_period: (Optional string)

      The Duration between rotation notifications. Must be in seconds and at least 3600s (1h) and at most 3153600000s (100 years). If rotationPeriod is set, next_rotation_time must be set. next_rotation_time will be advanced by this period when the service automatically sends rotation notifications.

  • project: (Optional string)

    The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Extended Resource Configuration

  • iam: (Optional list(iam))

    A list of IAM access.

    Default is [].

    Example:

    iam = [{
      role = "roles/secretmanager.admin"
      members = ["user:member@example.com"]
      authoritative = false
    }]

    Each iam object in the list accepts the following attributes:

    • members: (Optional set(string))

      Identities that will be granted the privilege in role. Each entry can have one of the following values:

      • allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.
      • allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.
      • user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
      • serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
      • group:{emailid}: An email address that represents a Google group. For example, admins@example.com.
      • domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
      • projectOwner:projectid: Owners of the given project. For example, projectOwner:my-example-project
      • projectEditor:projectid: Editors of the given project. For example, projectEditor:my-example-project
      • projectViewer:projectid: Viewers of the given project. For example, projectViewer:my-example-project
      • computed:{identifier}: An existing key from var.computed_members_map.

      Default is [].

    • role: (Optional string)

      The role that should be applied. Note that custom roles must be of the format [projects|organizations]/{parent-name}/roles/{role-name}.

    • authoritative: (Optional bool)

      Whether to exclusively set (authoritative mode) or add (non-authoritative/additive mode) members to the role.

      Default is true.

  • policy_bindings: (Optional list(policy_bindings))

    A list of IAM policy bindings.

    Example:

    policy_bindings = [{
      role    = "roles/secretmanager.admin"
      members = ["user:member@example.com"]
      condition = {
        title       = "expires_after_2021_12_31"
        description = "Expiring at midnight of 2021-12-31"
        expression  = "request.time < timestamp(\"2022-01-01T00:00:00Z\")"
      }
    }]

    Each policy_bindings object in the list accepts the following attributes:

    • role: (Required string)

      The role that should be applied.

    • members: (Optional set(string))

      Identities that will be granted the privilege in role.

      Default is var.members.

    • condition: (Optional object(condition))

      An IAM Condition for a given binding.

      Example:

      condition = {
        expression = "request.time < timestamp(\"2022-01-01T00:00:00Z\")"
        title      = "expires_after_2021_12_31"
      }

      The condition object accepts the following attributes:

      • expression: (Required string)

        Textual representation of an expression in Common Expression Language syntax.

      • title: (Required string)

        A title for the expression, i.e. a short string describing its purpose.

      • description: (Optional string)

        An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.

  • computed_members_map: (Optional map(string))

    A map of members to replace in members of various IAM settings to handle terraform computed values.

    Default is {}.

Module Configuration

  • module_enabled: (Optional bool)

    Specifies whether resources in the module will be created.

    Default is true.

  • module_depends_on: (Optional list(dependency))

    A list of dependencies. Any object can be assigned to this list to define a hidden external dependency.

    Example:

    module_depends_on = [
      google_network.network
    ]

Module Outputs

The following attributes are exported in the outputs of the module:

  • secret: (object(secret))

    All google_secret_manager_secret resource attributes.

  • iam: (list(iam))

    All attributes of the created policy_bindings mineiros-io/secret-manager-iam/google module when using iam bindings or members.

  • policy_binding: (list(iam))

    All attributes of the created policy_bindings mineiros-io/secret-manager-iam/google module when using policy bindings.

External Documentation

Google Documentation

Terraform Google Provider Documentation

Module Versioning

This Module follows the principles of Semantic Versioning (SemVer).

Given a version number MAJOR.MINOR.PATCH, we increment the:

  1. MAJOR version when we make incompatible changes,
  2. MINOR version when we add functionality in a backwards compatible manner, and
  3. PATCH version when we make backwards compatible bug fixes.

Backwards compatibility in 0.0.z and 0.y.z version

  • Backwards compatibility in versions 0.0.z is not guaranteed when z is increased. (Initial development)
  • Backwards compatibility in versions 0.y.z is not guaranteed when y is increased. (Pre-release)

About Mineiros

Mineiros is a remote-first company headquartered in Berlin, Germany that solves development, automation and security challenges in cloud infrastructure.

Our vision is to massively reduce time and overhead for teams to manage and deploy production-grade and secure cloud infrastructure.

We offer commercial support for all of our modules and encourage you to reach out if you have any questions or need help. Feel free to email us at hello@mineiros.io or join our Community Slack channel.

Reporting Issues

We use GitHub Issues to track community reported issues and missing features.

Contributing

Contributions are always encouraged and welcome! For the process of accepting changes, we use Pull Requests. If you'd like more information, please see our Contribution Guidelines.

Makefile Targets

This repository comes with a handy Makefile. Run make help to see details on each available target.

License

license

This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.

Copyright © 2020-2022 Mineiros GmbH