terraform-google-secret-manager

A Terraform module for creating GCP Secret Manager secrets and assigning read-permissions to them

Primary language: HCL. License: Apache-2.0.

Secret Manager for Terraform 0.14+


This module provides an opinionated wrapper around creating and managing secret values in GCP Secret Manager with Terraform 0.14 and newer.

NOTE: The random sub-module has been removed from v2.x releases; use Terraform's random provider, or another method of your choosing, to generate a suitable secret password.

Given a project identifier, the module will create a new secret, or update an existing secret version, so that it contains the value provided. An optional list of IAM user, group, or service account identifiers can be provided and each of the identifiers will be granted roles/secretmanager.secretAccessor on th

module "secret" {
  source     = "memes/secret-manager/google"
  version    = "2.1.1"
  project_id = "my-project-id"
  id         = "my-secret"
  secret     = "T0pS3cret!"
  accessors  = ["group:team@example.com"]
}

Requirements

Name Version
terraform >= 0.14.5
google >= 4.8

Modules

No modules.

Resources

Name Type
google_secret_manager_secret.secret resource
google_secret_manager_secret_iam_member.secret resource
google_secret_manager_secret_version.secret resource

Inputs

id (string, required)
    The secret identifier to create; this value must be unique within the project.

project_id (string, required)
    The GCP project identifier where the secret will be created.

secret (string, required)
    The secret payload to store in Secret Manager; if blank or null, a versioned secret value will NOT be created and must be populated outside of this module. Binary values should be base64 encoded before use.

accessors (list(string), default: [])
    An optional list of IAM account identifiers that will be granted accessor (read-only) permission to the secret.

labels (map(string), default: {})
    An optional map of label key:value pairs to assign to the secret resources. Default is an empty map.

replication (map(object({ kms_key_name = string })), default: {})
    An optional map of replication configurations for the secret. If the map is empty (default), automatic replication will be used for the secret. If the map is not empty, replication will be configured for each key (region) and, optionally, will use the provided Cloud KMS keys.

    NOTE: If Cloud KMS keys are used, a Cloud KMS key must be provided for every region key.

    E.g. to use the automatic replication policy (default):
    replication = {}

    E.g. to force secrets to be replicated only in the us-east1 and us-west1 regions, with Google-managed encryption keys:
    replication = {
      "us-east1" = null
      "us-west1" = null
    }

    E.g. to force secrets to be replicated only in the us-east1 and us-west1 regions, but using a Cloud KMS key from each region:
    replication = {
      "us-east1" = { kms_key_name = "my-east-key-name" }
      "us-west1" = { kms_key_name = "my-west-key-name" }
    }

Outputs

id
    The fully-qualified id of the Secret Manager secret that contains the value.

secret_id
    The project-local id of the Secret Manager secret that contains the value; this should match the input id.
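The following root-module configuration is an added example, not code from this module's README, that pulls together the inputs and outputs documented above: the random provider generates the password (as the NOTE recommends now that the random sub-module is gone), replication is pinned to two regions with a Cloud KMS key for each, a binary payload is base64-encoded with filebase64(), and the secret_id output feeds a data source. The project id, service account, key ring and key names, the client.p12 path and the random provider version are assumptions chosen for illustration.

```hcl
terraform {
  required_version = ">= 0.14.5"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.8"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.0" # assumed; any release with random_password works
    }
  }
}

# Generate the secret value in Terraform instead of the removed random sub-module.
# The result is sensitive, but it still lands in the state file: protect the backend.
resource "random_password" "db" {
  length           = 32
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

module "db_password" {
  source     = "memes/secret-manager/google"
  version    = "2.1.1"
  project_id = "my-project-id" # assumed project
  id         = "db-password"
  secret     = random_password.db.result

  # Grant read-only access to the workload identity only; the same
  # "type:identifier" form covers users and groups (see the README usage).
  accessors = [
    "serviceAccount:app-runtime@my-project-id.iam.gserviceaccount.com", # assumed SA
  ]

  labels = {
    env   = "prod"
    owner = "platform"
  }

  # User-managed replication pinned to two regions. Once a KMS key is used,
  # every region listed needs its own key (assumed key ring / key names below).
  replication = {
    "us-east1" = {
      kms_key_name = "projects/my-project-id/locations/us-east1/keyRings/secrets/cryptoKeys/east"
    }
    "us-west1" = {
      kms_key_name = "projects/my-project-id/locations/us-west1/keyRings/secrets/cryptoKeys/west"
    }
  }
}

# Binary payloads (here an assumed PKCS#12 bundle) must be base64-encoded first.
module "client_cert" {
  source     = "memes/secret-manager/google"
  version    = "2.1.1"
  project_id = "my-project-id"
  id         = "client-cert-p12"
  secret     = filebase64("${path.module}/client.p12") # assumed file path
  accessors  = ["group:team@example.com"]
}

# The project-local secret_id output is what a reader of the secret needs;
# note that reading it through a data source copies the value into state.
data "google_secret_manager_secret_version" "db" {
  project = "my-project-id"
  secret  = module.db_password.secret_id
}

output "db_secret_resource" {
  value = module.db_password.id
}
```

Every identity in accessors is given roles/secretmanager.secretAccessor on the one secret, so keep the list to the principals that actually consume it and prefer service accounts over broad groups. The KMS keys referenced in replication must already exist in the matching region and the Secret Manager service agent needs encrypt/decrypt rights on them, otherwise the apply fails when the secret version is written.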