A Terraform module to create a Google Secret Manager IAM on Google Cloud Services (GCP).
This module supports Terraform version 1 and is compatible with the Terraform Google Provider version 4. and 5._**
This module is part of our Infrastructure as Code (IaC) framework that enables our users and customers to easily deploy and manage reusable, secure, and production-grade cloud infrastructure.
- Module Features
- Getting Started
- Module Argument Reference
- Module Attributes Reference
- Module Outputs
- External Documentation
- Module Versioning
- About Mineiros
- Reporting Issues
- Contributing
- Makefile Targets
- License
This module implements the following terraform resources:
google_secret_manager_secret_iam_binding
google_secret_manager_secret_iam_member
google_secret_manager_secret_iam_policy
Most basic usage just setting required arguments:
module "terraform-google-secret-manager-iam" {
source = "github.com/mineiros-io/terraform-google-secret-manager-iam.git?ref=v0.1.0"
secret_id = google_secret_manager_secret.secret-basic.secret_id
role = "roles/secretmanager.secretAccessor"
members = ["user:admin@example.com"]
}
See variables.tf and examples/ for details and use-cases.
-
secret_id
: (Requiredstring
)The id of the secret.
-
members
: (Optionalset(string)
)Identities that will be granted the privilege in role. Each entry can have one of the following values:
allUsers
: A special identifier that represents anyone who is on the internet; with or without a Google account.allAuthenticatedUsers
: A special identifier that represents anyone who is authenticated with a Google account or a service account.user:{emailid}
: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.serviceAccount:{emailid}
: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.group:{emailid}
: An email address that represents a Google group. For example, admins@example.com.domain:{domain}
: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.projectOwner:projectid
: Owners of the given project. For example,projectOwner:my-example-project
projectEditor:projectid
: Editors of the given project. For example,projectEditor:my-example-project
projectViewer:projectid
: Viewers of the given project. For example,projectViewer:my-example-project
computed:{identifier}
: An existing key from var.computed_members_map.
Default is
[]
. -
computed_members_map
: (Optionalmap(string)
)A map of identifiers to identities to be replaced in 'var.members' or in members of
policy_bindings
to handle terraform computed values. The format of each value must satisfy the format as described invar.members
.Default is
{}
. -
role
: (Optionalstring
)The role that should be applied. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}
. Must be set ifpolicy_bindings
is unset. -
project
: (Optionalstring
)The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
-
authoritative
: (Optionalbool
)Whether to exclusively set (authoritative mode) or add (non-authoritative/additive mode) members to the role.
Default is
true
. -
policy_bindings
: (Optionallist(policy_binding)
)A list of IAM policy bindings. If set,
role
is ignored and a policy_binding is created.Example:
policy_bindings = [ { role = "roles/secretmanager.secretAccessor" members = [ "user:member@example.com", ] } ]
Each
policy_binding
object in the list accepts the following attributes:-
role
: (Requiredstring
)The role that will be grated to the members.
-
members
: (Requiredset(string)
)A set of identities that will be granted the privilege in role. Each entry can have one of the following values:
allUsers
: A special identifier that represents anyone who is on the internet; with or without a Google account.allAuthenticatedUsers
: A special identifier that represents anyone who is authenticated with a Google account or a service account.user:{emailid}
: An email address that represents a specific Google account. For example,alice@gmail.com
orjoe@example.com
.serviceAccount:{emailid}
: An email address that represents a service account. For example,my-other-app@appspot.gserviceaccount.com
.group:{emailid}
: An email address that represents a Google group. For example,admins@example.com
.domain:{domain}
: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example,google.com
orexample.com
.
-
condition
: (Optionalobject(condition)
)An IAM Condition for a given binding.
Example:
condition = { expression = "request.time < timestamp(\"2022-01-01T00:00:00Z\")" title = "expires_after_2021_12_31" }
The
condition
object accepts the following attributes:-
expression
: (Requiredstring
)Textual representation of an expression in Common Expression Language syntax.
-
title
: (Requiredstring
)A title for the expression, i.e. a short string describing its purpose.
-
description
: (Optionalstring
)An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
-
-
-
module_enabled
: (Optionalbool
)Specifies whether resources in the module will be created.
Default is
true
. -
module_depends_on
: (Optionallist(dependency)
)A list of dependencies. Any object can be assigned to this list to define a hidden external dependency.
Example:
module_depends_on = [ null_resource.name ]
The following attributes are exported in the outputs of the module:
-
module_enabled
Whether this module is enabled.
-
iam
All attributes of the created
iam_binding
oriam_member
oriam_policy
resource according to the mode.
The following attributes are exported in the outputs of the module:
-
iam
: (object(iam)
)All attributes of the created
iam_binding
oriam_member
oriam_policy
resource according to the mode.
- Secret Manager: https://cloud.google.com/secret-manager/docs
- Secret Manager Access Control: https://cloud.google.com/secret-manager/docs/access-control
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam
This Module follows the principles of Semantic Versioning (SemVer).
Given a version number MAJOR.MINOR.PATCH
, we increment the:
MAJOR
version when we make incompatible changes,MINOR
version when we add functionality in a backwards compatible manner, andPATCH
version when we make backwards compatible bug fixes.
- Backwards compatibility in versions
0.0.z
is not guaranteed whenz
is increased. (Initial development) - Backwards compatibility in versions
0.y.z
is not guaranteed wheny
is increased. (Pre-release)
Mineiros is a remote-first company headquartered in Berlin, Germany that solves development, automation and security challenges in cloud infrastructure.
Our vision is to massively reduce time and overhead for teams to manage and deploy production-grade and secure cloud infrastructure.
We offer commercial support for all of our modules and encourage you to reach out if you have any questions or need help. Feel free to email us at hello@mineiros.io or join our Community Slack channel.
We use GitHub Issues to track community reported issues and missing features.
Contributions are always encouraged and welcome! For the process of accepting changes, we use Pull Requests. If you'd like more information, please see our Contribution Guidelines.
This repository comes with a handy Makefile.
Run make help
to see details on each available target.
This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.
Copyright © 2020-2021 Mineiros GmbH