# Terraform module for Google Secret Manager

➡️ Terraform module to create AWS Parameterstore

➡️ Terraform module to create Azure Key Vault
- Module tested for Terraform 1.0.1.
- Google provider version 4.12.0.
- `main` branch: provider versions are not pinned, to keep up with Terraform releases.
- `tags` releases: tags are pinned to versions (use these in your releases).
## Usage

Using Terraform directly:

```shell
terraform init
terraform plan -var='teamid=tryme' -var='prjid=project1'
terraform apply -var='teamid=tryme' -var='prjid=project1'
terraform destroy -var='teamid=tryme' -var='prjid=project1'
```

Note: With this option, please take care of remote state storage.
Recommended method (stores remote state in a remote backend (S3, Azure storage, or Google bucket), using `prjid` and `teamid` to create the directory structure):

- Create a Python 3.8+ virtual environment:

  ```shell
  python3 -m venv <venv name>
  ```

- Install the package:

  ```shell
  pip install tfremote --upgrade
  ```

- Set the environment variables below:

  ```shell
  export TF_GCLOUD_BUCKET=<remote state bucket name>
  export TF_GCLOUD_PREFIX=<remote state bucket prefix>
  export TF_GCLOUD_CREDENTIALS=<gcp credentials.json>
  ```

- Update the `examples` directory with the required values.
- Run the plan and verify the output before deploying:

  ```shell
  tf -c=gcloud plan -var='teamid=foo' -var='prjid=bar'
  ```

- Run the command below to deploy:

  ```shell
  tf -c=gcloud apply -var='teamid=foo' -var='prjid=bar'
  ```

- Run the command below to destroy:

  ```shell
  tf -c=gcloud destroy -var='teamid=foo' -var='prjid=bar'
  ```

Note: Read more on tfremote.
Example:

```hcl
module "secret_manager" {
  source      = "../"
  gcp_project = "demo-1000"
  id          = "foo"
  secret      = "bar"
  #-----------------------------------------------
  # Note: Do not change teamid and prjid once set.
  teamid = var.teamid
  prjid  = var.prjid
}
```

Please refer to the `examples` directory for references.
The following APIs must be enabled on the project:

- `iam.googleapis.com`
- `secretmanager.googleapis.com`
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0.1 |
| google | ~> 4.12.0 |

## Providers

| Name | Version |
|---|---|
| google | ~> 4.12.0 |

## Modules

No modules.

## Resources

| Name | Type |
|---|---|
| google_secret_manager_secret.default | resource |
| google_secret_manager_secret_iam_member.secret | resource |
| google_secret_manager_secret_version.secret | resource |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| accessors | An optional list of IAM account identifiers that will be granted accessor (read-only) permission to the secret. | `list(string)` | `[]` | no |
| id | The secret identifier to create; this value must be unique within the project. | `string` | `null` | no |
| prjid | Name of the project/stack, e.g. mystack, nifieks, demoaci. Should not be changed after running `tf apply`. | `string` | n/a | yes |
| replication_locations | An optional list of replication locations for the secret. If the value is an empty list (default), an automatic replication policy is applied. Use this if you must constrain replication to specific locations. E.g. to use the automatic replication policy (default): `replication_locations = []`. E.g. to force the secret to be replicated only in the us-east1 and us-west1 regions: `replication_locations = ["us-east1", "us-west1"]`. | `list(string)` | `[]` | no |
| secret | The secret payload to store in Secret Manager. Binary values should be base64 encoded before use. | `string` | n/a | yes |
| teamid | Name of the team/group, e.g. devops, dataengineering. Should not be changed after running `tf apply`. | `string` | n/a | yes |
## Outputs

| Name | Description |
|---|---|
| id | The fully-qualified id of the Secret Manager key that contains the secret. |
| secret_id | The project-local id of the Secret Manager key that contains the secret. Should match the input `id`. |
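A fuller call of this module, as an added example (not from the module's own `examples` directory), showing the `accessors` and `replication_locations` inputs from the table above together with the payload passed through a sensitive input variable instead of a literal. The `terraform` block repeats the versions from the Requirements table; the service-account identity, the `keystore.p12` path and the secret names are assumptions; `gcp_project`, the project id `demo-1000` and the `teamid`/`prjid` variables follow the usage snippet above.

```hcl
# Added example; not the module's own code. Identities and file paths are placeholders.

terraform {
  required_version = ">= 1.0.1"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.12.0"
    }
  }
}

variable "teamid" {
  type = string
}

variable "prjid" {
  type = string
}

# The payload is supplied at plan/apply time (TF_VAR_db_password or a tfvars file
# kept out of version control), never written into the configuration.
# sensitive = true keeps the value out of plan and apply output; note that it is
# still stored in the state file, so the remote state bucket must be access-controlled.
variable "db_password" {
  type      = string
  sensitive = true
}

module "db_password_secret" {
  source = "../" # pin to a release tag in real use (the tags are pinned to versions)

  gcp_project = "demo-1000"
  id          = "db-password"
  secret      = var.db_password

  # Least privilege: only the workload identity that needs to read the secret is
  # granted accessor (read-only) permission; no broader principals are listed.
  accessors = [
    "serviceAccount:app-runtime@demo-1000.iam.gserviceaccount.com", # placeholder identity
  ]

  # Constrain replicas to a known set of regions instead of automatic replication.
  replication_locations = ["us-east1", "us-west1"]

  # Do not change teamid and prjid once set.
  teamid = var.teamid
  prjid  = var.prjid
}

# Binary material must be base64 encoded before use (see the `secret` input).
module "tls_keystore_secret" {
  source = "../"

  gcp_project           = "demo-1000"
  id                    = "tls-keystore"
  secret                = filebase64("${path.module}/keystore.p12") # assumed local artefact
  replication_locations = []                                        # automatic replication (default)

  teamid = var.teamid
  prjid  = var.prjid
}

# The fully-qualified id carries no secret material and is safe to expose to callers.
output "db_password_secret_name" {
  value = module.db_password_secret.id
}
```

Each identity in `accessors` is written in the IAM member format (`serviceAccount:`, `user:` or `group:` followed by the address); listing only the consuming workload keeps read access to the secret auditable through the single `google_secret_manager_secret_iam_member.secret` resource the module creates.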