This modules makes it easy to create Google Secret Manager secrets. If enabled it can enable the use of KMS keys for encrypting the secrets. Also if rotation is enabled and pubsub topics are passed in, then notification about secret rotation are sent to the pubsub topics. Here is a diagram of the resources that are deployed:
Basic usage of this module is as follows:
module "secret-manager" {
source = "GoogleCloudPlatform/secret-manager/google"
version = "~> 0.5"
project_id = var.project_id
secrets = [
{
name = "secret-1"
secret_data = "secret information"
},
]
}
Functional examples are included in the examples directory.
Name | Description | Type | Default | Required |
---|---|---|---|---|
add_kms_permissions | The list of the crypto keys to give secret manager access to | list(string) |
[] |
no |
add_pubsub_permissions | The list of the pubsub topics to give secret manager access to | list(string) |
[] |
no |
automatic_replication | Automatic replication parameters that will be used for defined secrets. If not provided, the secret will be automatically replicated using Google-managed key without any restrictions. | map(object({ kms_key_name = string })) |
{} |
no |
labels | labels to be added for the defined secrets | map(map(string)) |
{} |
no |
project_id | The project ID to manage the Secret Manager resources | string |
n/a | yes |
secret_accessors_list | The list of the members to allow accessing secrets | list(string) |
[] |
no |
secrets | The list of the secrets | list(object({ |
[] |
no |
topics | topics that will be used for defined secrets | map(list(object({ name = string }))) |
{} |
no |
user_managed_replication | Replication parameters that will be used for defined secrets | map(list(object({ location = string, kms_key_name = string }))) |
{} |
no |
Name | Description |
---|---|
secret_names | The name list of Secrets |
secret_versions | The name list of Secret Versions |
These sections describe requirements for using this module.
The following dependencies must be available:
- Terraform v0.13
- Terraform Provider for GCP plugin v3.0
A service account with the following roles must be used to provision the resources of this module:
- Secret Manager Admin:
roles/secretmanager.admin
If you want the module to change IAM permissions (for the pubsub and kms use cases), it will require the following additional roles:
- Project IAM Admin:
roles/resourcemanager.projectIamAdmin
The Project Factory module and the IAM module may be used in combination to provision a service account with the necessary roles applied.
A project with the following APIs enabled must be used to host the resources of this module:
- Secret Manager API:
secretmanager.googleapis.com
The Project Factory module can be used to provision a project with the necessary APIs enabled.
Refer to the contribution guidelines for information on contributing to this module.
Please see our security disclosure process.