From 856ec68a6f720f7c8cd16c81e268ee28d1c617d9 Mon Sep 17 00:00:00 2001 From: deanosaurx Date: Sun, 23 Jun 2024 16:23:12 +0300 Subject: [PATCH 1/3] Added expire_time option to the secret module --- modules/secret-manager/main.tf | 12 +++++++----- modules/secret-manager/variables.tf | 8 +++++++- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/modules/secret-manager/main.tf b/modules/secret-manager/main.tf index 61f4d5efe2..d5df3730c3 100644 --- a/modules/secret-manager/main.tf +++ b/modules/secret-manager/main.tf @@ -33,13 +33,15 @@ locals { version_keypairs = { for pair in local.version_pairs : "${pair.secret}:${pair.name}" => pair } + expire_time = var.expire_time != null ? var.expire_time : "" } resource "google_secret_manager_secret" "default" { - for_each = var.secrets - project = var.project_id - secret_id = each.key - labels = lookup(var.labels, each.key, null) + for_each = var.secrets + project = var.project_id + secret_id = each.key + labels = lookup(var.labels, each.key, null) + expire_time = local.expire_time != "" ? local.expire_time : null dynamic "replication" { for_each = each.value.locations == null ? [""] : [] @@ -93,4 +95,4 @@ resource "google_secret_manager_secret_iam_binding" "default" { role = each.value.role secret_id = google_secret_manager_secret.default[each.value.secret].id members = each.value.members -} \ No newline at end of file +} diff --git a/modules/secret-manager/variables.tf b/modules/secret-manager/variables.tf index 089f2a69b2..b55ae95e3d 100644 --- a/modules/secret-manager/variables.tf +++ b/modules/secret-manager/variables.tf @@ -26,6 +26,12 @@ variable "labels" { default = {} } +variable "expire_time" { + description = "Timestamp in UTC when the Secret is scheduled to expire." + type = string + default = null +} + variable "project_id" { description = "Project id where the keyring will be created." type = string 
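Review bot: The new `expire_time` argument on `google_secret_manager_secret.default` applies a single module-wide timestamp to every secret produced by `for_each = var.secrets`, and because Secret Manager deletes an expired secret together with all of its versions, one stale or mistyped value would schedule the destruction of every secret this module manages at once. A per-secret value (an optional `expire_time` attribute on the `var.secrets` object, read as `each.value.expire_time`) would be the safer granularity; the object schema lives outside this hunk, so treat that as a suggestion to confirm against `variables.tf`. The `locals` entry that maps `null` to `""` and the resource line that maps `""` back to `null` are a no-op round trip: `expire_time = var.expire_time` on the resource yields the same plan, since an unset optional argument is already `null`. The provider also offers `ttl` on this resource as a relative alternative, which is worth one sentence in the variable description so callers choose deliberately.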
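Review bot: `variable "expire_time"` accepts any string, so a value that is not an RFC 3339 timestamp only fails at apply time, from the provider, after the plan has been reviewed; a `validation` block would reject it at plan time. The same applies to the copy of this block that the third patch moves to the top of `variables.tf`, so the check belongs in that final location rather than here. The description should also state the consequence rather than only the timing, e.g. `description = "RFC 3339 UTC timestamp at which Secret Manager deletes the secret and all its versions. Applies to every secret in this module."`.
```hcl
variable "expire_time" {
  # … unchanged: description, type, default …
  validation {
    # formatdate() only parses RFC 3339 timestamps, so can() doubles as a
    # format check; the null default must still pass.
    condition     = var.expire_time == null || can(formatdate("YYYY", var.expire_time))
    error_message = "expire_time must be an RFC 3339 UTC timestamp, e.g. 2025-01-31T00:00:00Z."
  }
}
```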
@@ -47,4 +53,4 @@ variable "versions" { data = string }))) default = {} -} \ No newline at end of file +} From a4adb733bf680256c8a1025aba78d221075c2026 Mon Sep 17 00:00:00 2001 From: deanosaurx Date: Sun, 23 Jun 2024 16:30:41 +0300 Subject: [PATCH 2/3] Ran tfdoc to update the readme file --- modules/secret-manager/README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/secret-manager/README.md b/modules/secret-manager/README.md index eefec750b5..0e49ee15ba 100644 --- a/modules/secret-manager/README.md +++ b/modules/secret-manager/README.md 
@@ -110,11 +110,12 @@ module "secret-manager" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [project_id](variables.tf#L29) | Project id where the keyring will be created. | string | ✓ | | +| [project_id](variables.tf#L35) | Project id where the keyring will be created. | string | ✓ | | +| [expire_time](variables.tf#L29) | Timestamp in UTC when the Secret is scheduled to expire. | string | | null | | [iam](variables.tf#L17) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} | | [labels](variables.tf#L23) | Optional labels for each secret. | map(map(string)) | | {} | -| [secrets](variables.tf#L34) | Map of secrets to manage, their locations and KMS keys in {LOCATION => KEY} format. {GLOBAL => KEY} format enables CMEK for automatic managed secrets. If locations is null, automatic management will be set. | map(object({…})) | | {} | -| [versions](variables.tf#L43) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…}))) | | {} | +| [secrets](variables.tf#L40) | Map of secrets to manage, their locations and KMS keys in {LOCATION => KEY} format. {GLOBAL => KEY} format enables CMEK for automatic managed secrets. If locations is null, automatic management will be set. | map(object({…})) | | {} | +| [versions](variables.tf#L49) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…}))) | | {} | ## Outputs From dd6cdcd32ce7c63892e18077f0ff66b8adbc43ec Mon Sep 17 00:00:00 2001 From: deanosaurx Date: Sun, 23 Jun 2024 16:40:09 +0300 Subject: [PATCH 3/3] Fixed a failed test, moved the expire_time variable to the top and ran tfdoc again --- modules/secret-manager/README.md | 12 ++++++------ modules/secret-manager/variables.tf | 11 +++++------ 2 files changed, 11 insertions(+), 12 deletions(-) 
diff --git a/modules/secret-manager/README.md b/modules/secret-manager/README.md index 0e49ee15ba..32e6b305a2 100644 --- a/modules/secret-manager/README.md +++ b/modules/secret-manager/README.md 
@@ -110,12 +110,12 @@ module "secret-manager" { | name | description | type | required | default | |---|---|:---:|:---:|:---:| -| [project_id](variables.tf#L35) | Project id where the keyring will be created. | string | ✓ | | -| [expire_time](variables.tf#L29) | Timestamp in UTC when the Secret is scheduled to expire. | string | | null | -| [iam](variables.tf#L17) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} | -| [labels](variables.tf#L23) | Optional labels for each secret. | map(map(string)) | | {} | -| [secrets](variables.tf#L40) | Map of secrets to manage, their locations and KMS keys in {LOCATION => KEY} format. {GLOBAL => KEY} format enables CMEK for automatic managed secrets. If locations is null, automatic management will be set. | map(object({…})) | | {} | -| [versions](variables.tf#L49) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…}))) | | {} | +| [project_id](variables.tf#L34) | Project id where the keyring will be created. | string | ✓ | | +| [expire_time](variables.tf#L16) | Timestamp in UTC when the Secret is scheduled to expire. | string | | null | +| [iam](variables.tf#L22) | IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format. | map(map(list(string))) | | {} | +| [labels](variables.tf#L28) | Optional labels for each secret. | map(map(string)) | | {} | +| [secrets](variables.tf#L39) | Map of secrets to manage, their locations and KMS keys in {LOCATION => KEY} format. {GLOBAL => KEY} format enables CMEK for automatic managed secrets. If locations is null, automatic management will be set. | map(object({…})) | | {} | +| [versions](variables.tf#L48) | Optional versions to manage for each secret. Version names are only used internally to track individual versions. | map(map(object({…}))) | | {} | ## Outputs 
diff --git a/modules/secret-manager/variables.tf b/modules/secret-manager/variables.tf index b55ae95e3d..6fb447239c 100644 --- a/modules/secret-manager/variables.tf +++ b/modules/secret-manager/variables.tf @@ -13,6 +13,11 @@ * See the License for the specific language governing permissions and * limitations under the License. */ +variable "expire_time" { + description = "Timestamp in UTC when the Secret is scheduled to expire." + type = string + default = null +} variable "iam" { description = "IAM bindings in {SECRET => {ROLE => [MEMBERS]}} format." @@ -26,12 +31,6 @@ variable "labels" { default = {} } -variable "expire_time" { - description = "Timestamp in UTC when the Secret is scheduled to expire." - type = string - default = null -} - variable "project_id" { description = "Project id where the keyring will be created." type = string