/**
* Copyright 2022 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
resource "google_project_service_identity" "secretmanager_identity" {
count = length(var.add_kms_permissions) > 0 || length(var.add_pubsub_permissions) > 0 ? 1 : 0
provider = google-beta
project = var.project_id
service = "secretmanager.googleapis.com"
}
resource "google_kms_crypto_key_iam_member" "sm_sa_encrypter_decrypter" {
count = var.add_kms_permissions != null ? length(var.add_kms_permissions) : 0
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
member = "serviceAccount:${google_project_service_identity.secretmanager_identity[0].email}"
crypto_key_id = var.add_kms_permissions[count.index]
}
resource "google_pubsub_topic_iam_member" "sm_sa_publisher" {
project = var.project_id
count = var.add_pubsub_permissions != null ? length(var.add_pubsub_permissions) : 0
role = "roles/pubsub.publisher"
member = "serviceAccount:${google_project_service_identity.secretmanager_identity[0].email}"
topic = var.add_pubsub_permissions[count.index]
}
resource "google_secret_manager_secret" "secrets" {
project = var.project_id
for_each = { for secret in var.secrets : secret.name => secret }
secret_id = each.value.name
replication {
dynamic "auto" {
for_each = lookup(var.user_managed_replication, each.key, null) == null ? [1] : []
content {
dynamic "customer_managed_encryption" {
for_each = try(var.automatic_replication[each.key].kms_key_name, null) != null ? [var.automatic_replication[each.key].kms_key_name] : []
content {
kms_key_name = customer_managed_encryption.value
}
}
}
}
dynamic "user_managed" {
for_each = lookup(var.user_managed_replication, each.key, null) != null ? [1] : []
content {
dynamic "replicas" {
for_each = lookup(var.user_managed_replication, each.key, [])
content {
location = replicas.value.location
dynamic "customer_managed_encryption" {
for_each = replicas.value.kms_key_name != null ? [replicas.value.kms_key_name] : []
content {
kms_key_name = customer_managed_encryption.value
}
}
}
}
}
}
}
labels = lookup(var.labels, each.key, null)
dynamic "topics" {
for_each = lookup(var.topics, each.key, [])
content {
name = topics.value.name
}
}
dynamic "rotation" {
for_each = (lookup(each.value, "next_rotation_time", null) != null || lookup(each.value, "rotation_period", null) != null) ? [1] : []
content {
next_rotation_time = lookup(each.value, "next_rotation_time", null)
rotation_period = lookup(each.value, "rotation_period", null)
}
}
depends_on = [
google_kms_crypto_key_iam_member.sm_sa_encrypter_decrypter,
google_pubsub_topic_iam_member.sm_sa_publisher
]
}
resource "google_secret_manager_secret_version" "secret-version" {
for_each = { for secret in var.secrets : secret.name => secret if secret.create_version }
secret = google_secret_manager_secret.secrets[each.value.name].id
secret_data = each.value.secret_data
}
resource "google_secret_manager_secret_iam_binding" "binding" {
project = var.project_id
for_each = { for secret in var.secrets : secret.name => secret if length(var.secret_accessors_list) > 0 }
secret_id = google_secret_manager_secret.secrets[each.value.name].id
role = "roles/secretmanager.secretAccessor"
members = var.secret_accessors_list
}