A Terraform module to create a Google Secret Manager IAM on Google Cloud Services (GCP).
This module supports Terraform version 1 and is compatible with the Terraform Google Provider version 4. and 5._**
This module is part of our Infrastructure as Code (IaC) framework that enables our users and customers to easily deploy and manage reusable, secure, and production-grade cloud infrastructure.
- Module Features
- Getting Started
- Module Argument Reference
- Module Attributes Reference
- Module Outputs
- External Documentation
- Module Versioning
- About Mineiros
- Reporting Issues
- Contributing
- Makefile Targets
- License
This module implements the following terraform resources:
google_secret_manager_secret_iam_bindinggoogle_secret_manager_secret_iam_membergoogle_secret_manager_secret_iam_policy
Most basic usage just setting required arguments:
module "terraform-google-secret-manager-iam" {
source = "github.com/mineiros-io/terraform-google-secret-manager-iam.git?ref=v0.1.0"
secret_id = google_secret_manager_secret.secret-basic.secret_id
role = "roles/secretmanager.secretAccessor"
members = ["user:[email protected]"]
}See variables.tf and examples/ for details and use-cases.
-
secret_id: (Requiredstring)The id of the secret.
-
members: (Optionalset(string))Identities that will be granted the privilege in role. Each entry can have one of the following values:
allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.user:{emailid}: An email address that represents a specific Google account. For example, [email protected] or [email protected].serviceAccount:{emailid}: An email address that represents a service account. For example, [email protected].group:{emailid}: An email address that represents a Google group. For example, [email protected].domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.projectOwner:projectid: Owners of the given project. For example,projectOwner:my-example-projectprojectEditor:projectid: Editors of the given project. For example,projectEditor:my-example-projectprojectViewer:projectid: Viewers of the given project. For example,projectViewer:my-example-projectcomputed:{identifier}: An existing key from var.computed_members_map.
Default is
[]. -
computed_members_map: (Optionalmap(string))A map of identifiers to identities to be replaced in 'var.members' or in members of
policy_bindingsto handle terraform computed values. The format of each value must satisfy the format as described invar.members.Default is
{}. -
role: (Optionalstring)The role that should be applied. Note that custom roles must be of the format
[projects|organizations]/{parent-name}/roles/{role-name}. Must be set ifpolicy_bindingsis unset. -
project: (Optionalstring)The ID of the project in which the resource belongs. If it is not provided, the project will be parsed from the identifier of the parent resource. If no project is provided in the parent identifier and no project is specified, the provider project is used.
-
authoritative: (Optionalbool)Whether to exclusively set (authoritative mode) or add (non-authoritative/additive mode) members to the role.
Default is
true. -
policy_bindings: (Optionallist(policy_binding))A list of IAM policy bindings. If set,
roleis ignored and a policy_binding is created.Example:
policy_bindings = [ { role = "roles/secretmanager.secretAccessor" members = [ "user:[email protected]", ] } ]
Each
policy_bindingobject in the list accepts the following attributes:-
role: (Requiredstring)The role that will be grated to the members.
-
members: (Requiredset(string))A set of identities that will be granted the privilege in role. Each entry can have one of the following values:
allUsers: A special identifier that represents anyone who is on the internet; with or without a Google account.allAuthenticatedUsers: A special identifier that represents anyone who is authenticated with a Google account or a service account.user:{emailid}: An email address that represents a specific Google account. For example,[email protected]or[email protected].serviceAccount:{emailid}: An email address that represents a service account. For example,[email protected].group:{emailid}: An email address that represents a Google group. For example,[email protected].domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example,google.comorexample.com.
-
condition: (Optionalobject(condition))An IAM Condition for a given binding.
Example:
condition = { expression = "request.time < timestamp(\"2022-01-01T00:00:00Z\")" title = "expires_after_2021_12_31" }
The
conditionobject accepts the following attributes:-
expression: (Requiredstring)Textual representation of an expression in Common Expression Language syntax.
-
title: (Requiredstring)A title for the expression, i.e. a short string describing its purpose.
-
description: (Optionalstring)An optional description of the expression. This is a longer text which describes the expression, e.g. when hovered over it in a UI.
-
-
-
module_enabled: (Optionalbool)Specifies whether resources in the module will be created.
Default is
true. -
module_depends_on: (Optionallist(dependency))A list of dependencies. Any object can be assigned to this list to define a hidden external dependency.
Example:
module_depends_on = [ null_resource.name ]
The following attributes are exported in the outputs of the module:
-
module_enabledWhether this module is enabled.
-
iamAll attributes of the created
iam_bindingoriam_memberoriam_policyresource according to the mode.
The following attributes are exported in the outputs of the module:
-
iam: (object(iam))All attributes of the created
iam_bindingoriam_memberoriam_policyresource according to the mode.
- Secret Manager: https://cloud.google.com/secret-manager/docs
- Secret Manager Access Control: https://cloud.google.com/secret-manager/docs/access-control
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam
This Module follows the principles of Semantic Versioning (SemVer).
Given a version number MAJOR.MINOR.PATCH, we increment the:
MAJORversion when we make incompatible changes,MINORversion when we add functionality in a backwards compatible manner, andPATCHversion when we make backwards compatible bug fixes.
- Backwards compatibility in versions
0.0.zis not guaranteed whenzis increased. (Initial development) - Backwards compatibility in versions
0.y.zis not guaranteed whenyis increased. (Pre-release)
Mineiros is a remote-first company headquartered in Berlin, Germany that solves development, automation and security challenges in cloud infrastructure.
Our vision is to massively reduce time and overhead for teams to manage and deploy production-grade and secure cloud infrastructure.
We offer commercial support for all of our modules and encourage you to reach out if you have any questions or need help. Feel free to email us at [email protected] or join our Community Slack channel.
We use GitHub Issues to track community reported issues and missing features.
Contributions are always encouraged and welcome! For the process of accepting changes, we use Pull Requests. If you'd like more information, please see our Contribution Guidelines.
This repository comes with a handy Makefile.
Run make help to see details on each available target.
This module is licensed under the Apache License Version 2.0, January 2004. Please see LICENSE for full details.
Copyright © 2020-2021 Mineiros GmbH