diff --git a/modules/secret-manager/README.md b/modules/secret-manager/README.md
index fed83d0933..89be21dd5c 100644
--- a/modules/secret-manager/README.md
+++ b/modules/secret-manager/README.md
@@ -17,11 +17,25 @@ module "secret-manager" {
source = "./fabric/modules/secret-manager"
project_id = "my-project"
secrets = {
- test-auto = null
- test-manual = ["europe-west1", "europe-west4"]
+ test-auto = {
+ locations = null
+ keys = {
+ global = "projects/PROJECT_ID/locations/global/keyRings/KEYRING/cryptoKeys/KEY"
+ }
+ }
+ test-auto-nokeys = {
+ locations = null
+ }
+ test-manual = {
+ locations = ["europe-west1", "europe-west4"]
+ keys = {
+ europe-west1 = "projects/PROJECT_ID/locations/europe-west1/keyRings/KEYRING/cryptoKeys/KEY"
+ europe-west4 = "projects/PROJECT_ID/locations/europe-west4/keyRings/KEYRING/cryptoKeys/KEY"
+ }
+ }
}
}
-# tftest modules=1 resources=2
+# tftest modules=1 resources=3
```
### Secret IAM bindings
@@ -33,8 +47,12 @@ module "secret-manager" {
source = "./fabric/modules/secret-manager"
project_id = "my-project"
secrets = {
- test-auto = null
- test-manual = ["europe-west1", "europe-west4"]
+ test-auto = {
+ locations = null
+ }
+ test-manual = {
+ locations = ["europe-west1", "europe-west4"]
+ }
}
iam = {
test-auto = {
@@ -57,8 +75,12 @@ module "secret-manager" {
source = "./fabric/modules/secret-manager"
project_id = "my-project"
secrets = {
- test-auto = null
- test-manual = ["europe-west1", "europe-west4"]
+ test-auto = {
+ locations = null
+ }
+ test-manual = {
+ locations = ["europe-west1", "europe-west4"]
+ }
}
versions = {
test-auto = {
@@ -75,20 +97,29 @@ module "secret-manager" {
### Secret with customer managed encryption key
-Secrets will be used if an encryption key is set in the `encryption_key` variable for the secret region.
+CMEK will be used if an encryption key is set in the `keys` field of `secrets` object for the secret region. For secrets with auto-replication, a global key must be specified.
```hcl
module "secret-manager" {
source = "./fabric/modules/secret-manager"
project_id = "my-project"
secrets = {
- test-auto = null
- test-encryption = ["europe-west1", "europe-west4"]
- }
- encryption_key = {
- europe-west1 = "projects/PROJECT_ID/locations/europe-west1/keyRings/KEYRING/cryptoKeys/KEY"
- europe-west4 = "projects/PROJECT_ID/locations/europe-west4/keyRings/KEYRING/cryptoKeys/KEY"
- global = "projects/PROJECT_ID/locations/global/keyRings/KEYRING/cryptoKeys/KEY"
+ test-auto = {
+ locations = null
+ keys = {
+ global = "projects/PROJECT_ID/locations/global/keyRings/KEYRING/cryptoKeys/KEY"
+ }
+ }
+ test-auto-nokeys = {
+ locations = null
+ }
+ test-manual = {
+ locations = ["europe-west1", "europe-west4"]
+ keys = {
+ europe-west1 = "projects/PROJECT_ID/locations/europe-west1/keyRings/KEYRING/cryptoKeys/KEY"
+ europe-west4 = "projects/PROJECT_ID/locations/europe-west4/keyRings/KEYRING/cryptoKeys/KEY"
+ }
+ }
}
}
# tftest modules=1 resources=2
@@ -98,12 +129,11 @@ module "secret-manager" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [project_id](variables.tf#L35) | Project id where the keyring will be created. | string | ✓ | |
-| [encryption_key](variables.tf#L17) | Self link of the KMS keys in {LOCATION => KEY} format. A key must be provided for all replica locations. {GLOBAL => KEY} format enables CMEK for automatic managed secrets. | map(string) | | null |
-| [iam](variables.tf#L23) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
-| [labels](variables.tf#L29) | Optional labels for each secret. | map(map(string)) | | {} |
-| [secrets](variables.tf#L40) | Map of secrets to manage and their locations. If locations is null, automatic management will be set. | map(list(string)) | | {} |
-| [versions](variables.tf#L46) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…}))) | | {} |
+| [project_id](variables.tf#L29) | Project id where the keyring will be created. | string | ✓ | |
+| [iam](variables.tf#L17) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} |
+| [labels](variables.tf#L23) | Optional labels for each secret. | map(map(string)) | | {} |
+| [secrets](variables.tf#L34) | Map of secrets to manage, their locations and KMS keys in {LOCATION => KEY} format. {GLOBAL => KEY} format enables CMEK for automatic managed secrets. If locations is null, automatic management will be set. | map(object({…})) | | {…} |
+| [versions](variables.tf#L45) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…}))) | | {} |
## Outputs
diff --git a/modules/secret-manager/main.tf b/modules/secret-manager/main.tf
index 13bc23ee0e..61f4d5efe2 100644
--- a/modules/secret-manager/main.tf
+++ b/modules/secret-manager/main.tf
@@ -42,13 +42,13 @@ resource "google_secret_manager_secret" "default" {
labels = lookup(var.labels, each.key, null)
dynamic "replication" {
- for_each = each.value == null ? [""] : []
+ for_each = each.value.locations == null ? [""] : []
content {
auto {
dynamic "customer_managed_encryption" {
- for_each = try(lookup(var.encryption_key, "global", null) == null ? [] : [""], [])
+ for_each = try(lookup(each.value.keys, "global", null) == null ? [] : [""], [])
content {
- kms_key_name = var.encryption_key["global"]
+ kms_key_name = each.value.keys["global"]
}
}
}
@@ -56,19 +56,18 @@ resource "google_secret_manager_secret" "default" {
}
dynamic "replication" {
- for_each = each.value == null ? [] : [each.value]
- iterator = locations
+ for_each = each.value.locations == null ? [] : [""]
content {
user_managed {
dynamic "replicas" {
- for_each = locations.value
+ for_each = each.value.locations
iterator = location
content {
location = location.value
dynamic "customer_managed_encryption" {
- for_each = try(var.encryption_key[location.value] != null ? [""] : [], [])
+ for_each = try(lookup(each.value.keys, location.value, null) == null ? [] : [""], [])
content {
- kms_key_name = var.encryption_key[location.value]
+ kms_key_name = each.value.keys[location.value]
}
}
}
diff --git a/modules/secret-manager/variables.tf b/modules/secret-manager/variables.tf
index f318311751..d0920e7e3d 100644
--- a/modules/secret-manager/variables.tf
+++ b/modules/secret-manager/variables.tf
@@ -14,12 +14,6 @@
* limitations under the License.
*/
-variable "encryption_key" {
- description = "Self link of the KMS keys in {LOCATION => KEY} format. A key must be provided for all replica locations. {GLOBAL => KEY} format enables CMEK for automatic managed secrets."
- type = map(string)
- default = null
-}
-
variable "iam" {
description = "IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format."
type = map(map(list(string)))
@@ -38,9 +32,14 @@ variable "project_id" {
}
variable "secrets" {
- description = "Map of secrets to manage and their locations. If locations is null, automatic management will be set."
- type = map(list(string))
- default = {}
+ description = "Map of secrets to manage, their locations and KMS keys in {LOCATION => KEY} format. {GLOBAL => KEY} format enables CMEK for automatic managed secrets. If locations is null, automatic management will be set."
+ type = map(object({
+ locations = list(string)
+ keys = optional(map(string), null)
+ }))
+ default = {
+ locations = null
+ }
}
variable "versions" {