NOTE: This module is for Terraform 0.13 and newer - use 0.12.x releases for Terraform 0.12
This module provides an opinionated wrapper around creating and managing secret values in GCP Secret Manager with Terraform 0.13 and newer.
Given a project identifier, the module will create a new secret, or update an existing secret version, so that it contains the value provided. An optional list of IAM user, group, or service account identifiers can be provided and each of the identifiers will be granted roles/secretmanager.secretAccessor on th

```hcl
module "secret" {
  source     = "memes/secret-manager/google"
  version    = "1.0.3"
  project_id = "my-project-id"
  id         = "my-secret"
  secret     = "T0pS3cret!"
  accessors  = ["group:team@example.com"]
}
```
The random sub-module can be used to create a secret with a generated value.

```hcl
module "secret" {
  source     = "memes/secret-manager/google//modules/random"
  version    = "1.0.3"
  project_id = "my-project-id"
  id         = "my-secret"
  # My application requires a 12-character alphanumeric password that must
  # contain at least one of these special chars: #$%@
  length            = 12
  min_special_chars = 1
  special_char_set  = "#$%@"
}
```
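To show what the `length`, `min_special_chars` and `special_char_set` constraints above mean in practice, here is an added Python illustration of a generator that honours them; it is not the random sub-module's own code (which is Terraform), and the function and parameter names are chosen here to mirror the module inputs. The point worth seeing is how the minimum-special-character requirement is met without leaking the position of the guaranteed characters: the guaranteed specials are drawn first, the remainder is drawn from the full alphabet, and the result is shuffled with a CSPRNG-backed shuffle.

```python
# Added example (not part of the memes/secret-manager/google module): a
# constrained password generator mirroring the random sub-module's inputs.
import secrets
import string

# secrets.SystemRandom draws from the OS CSPRNG, so the shuffle is as strong
# as the character choices themselves.
_SYSRAND = secrets.SystemRandom()


def generate_password(length: int = 12, min_special_chars: int = 1,
                      special_char_set: str = "#$%@") -> str:
    """Return an alphanumeric password of `length` characters containing at
    least `min_special_chars` characters drawn from `special_char_set`."""
    if min_special_chars < 0 or min_special_chars > length:
        raise ValueError("min_special_chars must be between 0 and length")
    if min_special_chars > 0 and not special_char_set:
        raise ValueError("special_char_set is empty but min_special_chars > 0")

    alphabet = string.ascii_letters + string.digits + special_char_set

    # Guarantee the minimum number of specials first ...
    chars = [secrets.choice(special_char_set) for _ in range(min_special_chars)]
    # ... then fill the rest from the whole alphabet, so additional specials
    # may still appear naturally.
    chars += [secrets.choice(alphabet) for _ in range(length - min_special_chars)]

    # Shuffle so the guaranteed specials are not always in the leading slots.
    _SYSRAND.shuffle(chars)
    return "".join(chars)


def satisfies(password: str, length: int, min_special_chars: int,
              special_char_set: str) -> bool:
    """Check a generated value against the same constraints (useful as a
    post-condition or in a policy test)."""
    alphabet = set(string.ascii_letters + string.digits + special_char_set)
    return (len(password) == length
            and set(password) <= alphabet
            and sum(c in special_char_set for c in password) >= min_special_chars)


if __name__ == "__main__":
    pw = generate_password(12, 1, "#$%@")
    print(pw, satisfies(pw, 12, 1, "#$%@"))
```

The `satisfies` check is deliberately separate from the generator: the same predicate can be run against a value read back from Secret Manager to confirm that what was stored meets the application's policy.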
## Requirements

Name | Version |
---|---|
terraform | >= 0.13 |
google | >= 3.44 |

## Providers

Name | Version |
---|---|
google | >= 3.44 |

## Modules

No modules.

## Resources

Name | Type |
---|---|
google_secret_manager_secret.secret | resource |
google_secret_manager_secret_iam_member.secret | resource |
google_secret_manager_secret_version.secret | resource |
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
accessors | An optional list of IAM account identifiers that will be granted accessor (read-only) permission to the secret. | `list(string)` | `[]` | no |
id | The secret identifier to create; this value must be unique within the project. | `string` | n/a | yes |
labels | An optional map of label key:value pairs to assign to the secret resources. Default is an empty map. | `map(string)` | `{}` | no |
project_id | The GCP project identifier where the secret will be created. | `string` | n/a | yes |
replication_keys | An optional map of customer managed keys per location. This needs to match the locations specified in `replication_locations`. E.g. `replication_keys = { "us-east1": "my-key-name", "us-west1": "another-key-name" }` | `map(string)` | `{}` | no |
replication_locations | An optional list of replication locations for the secret. If the value is an empty list (default) then an automatic replication policy will be applied. Use this if you must have replication constrained to specific locations. E.g. to use the automatic replication policy (default): `replication_locations = []`. E.g. to force secrets to be replicated only in the us-east1 and us-west1 regions: `replication_locations = ["us-east1", "us-west1"]` | `list(string)` | `[]` | no |
secret | The secret payload to store in Secret Manager. Binary values should be base64 encoded before use. | `string` | n/a | yes |
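The introduction and the Inputs table together state a few consistency rules that Terraform will not check for you until apply time: `accessors` entries must be `user:`, `group:` or `serviceAccount:` identifiers, the required inputs must be non-empty, and the keys of `replication_keys` must match the locations in `replication_locations` (with an empty `replication_locations` meaning automatic replication, where per-location keys make no sense). Below is an added Python pre-plan check that applies those rules to a module input set; it is not part of the module, the function names are chosen here, and reading "match" as one key per listed location is an assumption of this example. The sample inputs are constructed to mirror the README's own values.

```python
# Added example (not part of the memes/secret-manager/google module): a
# pre-plan sanity check for the module's inputs, following the rules the
# README states for accessors, replication_locations and replication_keys.
from typing import Dict, List

# IAM member prefixes the README says the module accepts for `accessors`.
ALLOWED_MEMBER_PREFIXES = ("user:", "group:", "serviceAccount:")


def validate_accessors(accessors: List[str]) -> List[str]:
    """Return a list of problems with the accessors list (empty if all OK)."""
    problems = []
    for member in accessors:
        if not member.startswith(ALLOWED_MEMBER_PREFIXES):
            problems.append(
                f"accessor {member!r} is not a user:, group: or serviceAccount: identifier")
        elif member.split(":", 1)[1] == "":
            problems.append(f"accessor {member!r} has an empty principal")
    return problems


def validate_replication(locations: List[str], keys: Dict[str, str]) -> List[str]:
    """Check replication_keys against replication_locations.

    Assumption (this example's reading of the README): when keys are given,
    every listed location has exactly one key and no key names an unlisted
    location. Empty locations means automatic replication, so per-location
    keys are rejected in that case."""
    problems = []
    if not locations and keys:
        problems.append(
            "replication_keys given but replication_locations is empty (automatic replication)")
        return problems
    unlisted = sorted(set(keys) - set(locations))
    if unlisted:
        problems.append(
            f"replication_keys names locations not in replication_locations: {unlisted}")
    if keys:
        unkeyed = sorted(set(locations) - set(keys))
        if unkeyed:
            problems.append(
                f"replication_locations without a customer managed key: {unkeyed}")
    return problems


def validate_inputs(inputs: dict) -> List[str]:
    """Apply all checks to a dict of module inputs; returns the problem list."""
    problems = []
    for required in ("project_id", "id", "secret"):
        if not inputs.get(required):
            problems.append(f"required input {required!r} is missing or empty")
    problems += validate_accessors(inputs.get("accessors", []))
    problems += validate_replication(inputs.get("replication_locations", []),
                                     inputs.get("replication_keys", {}))
    return problems


# Constructed sample inputs: the first mirrors the README usage example.
GOOD_INPUTS = {
    "project_id": "my-project-id",
    "id": "my-secret",
    "secret": "T0pS3cret!",
    "accessors": ["group:team@example.com"],
    "replication_locations": ["us-east1", "us-west1"],
    "replication_keys": {"us-east1": "my-key-name", "us-west1": "another-key-name"},
}

# Constructed bad inputs: an accessor without its IAM prefix, a key for a
# location that is not replicated to, and a replicated location without a key.
BAD_INPUTS = {
    "project_id": "my-project-id",
    "id": "my-secret",
    "secret": "T0pS3cret!",
    "accessors": ["team@example.com"],
    "replication_locations": ["us-east1", "us-west1"],
    "replication_keys": {"us-east1": "my-key-name", "europe-west1": "other-key"},
}

if __name__ == "__main__":
    for name, inputs in (("good", GOOD_INPUTS), ("bad", BAD_INPUTS)):
        print(name, validate_inputs(inputs) or "OK")
```

Run as a pre-commit or CI step over the values you intend to pass to the module (for instance parsed from a `.tfvars` file), so that a mistyped accessor or a key/location mismatch is caught before a plan is ever produced.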
## Outputs

Name | Description |
---|---|
id | The fully-qualified id of the Secret Manager key that contains the secret. |
secret_id | The project-local id of the Secret Manager key that contains the secret. Should match the input `id`. |