Terraform Vault GCP Secrets
This terraform module mounts GCP Secrets backend with an ACL templated policy. This is designed to run once in a given Vault namespace. Thereafter GCP rolesets would be created independently, using the output of this module to determine the mounted backend path.
Requirements
GCP SA credentials must be presented as variable with the json contents. It is strongly advised to rotate the key immediately after it setup successfully.
$ curl \
--header "X-Vault-Token: ..." \
--request POST \
http://127.0.0.1:8200/v1/gcp/config/rotate-root
Usage:
module "vault_gcp_secrets" {
source = "git::https://github.com/devops-adeel/terraform-vault-secrets-gcp.git?ref=v0.7.3"
credentials = var.credentials
}Requirements
| Name | Version |
|---|---|
| vault | ~> 2.21.0 |
Providers
| Name | Version |
|---|---|
| vault | ~> 2.21.0 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| vault_gcp_secret_backend.default | resource |
| vault_identity_group.editor | resource |
| vault_identity_group.rotation | resource |
| vault_identity_group_policies.editor | resource |
| vault_identity_group_policies.rotation | resource |
| vault_policy.editor | resource |
| vault_policy.reader | resource |
| vault_policy.rotation | resource |
| vault_policy_document.editor | data source |
| vault_policy_document.reader | data source |
| vault_policy_document.rotation | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| credentials | GCP SA credentials | string |
n/a | yes |
Outputs
| Name | Description |
|---|---|
| backend_path | Secrets Backend Path as output |
| identity_group_id | ID of the created Vault Identity Group. |
| reader_policy_name | The name of the GCP Reader Policy |
| rotation_group_id | ID for rotation identity group |