diff --git a/modules/secure-source-manager-instance/README.md b/modules/secure-source-manager-instance/README.md
index 5d71d3605e..9e99851676 100644
--- a/modules/secure-source-manager-instance/README.md
+++ b/modules/secure-source-manager-instance/README.md
@@ -41,9 +41,7 @@ module "ssm_instance" {
 location = var.region
 kms_key = "projects/another-project-id/locations/${var.region}/keyRings/my-key-ring/cryptoKeys/my-key"
 repositories = {
- my-repository = {
- location = var.region
- }
+ my-repository = {}
 }
 }
 # tftest modules=1 resources=2 inventory=public-instance-with-cmek.yaml
@@ -59,9 +57,7 @@ module "ssm_instance" {
 location = var.region
 ca_pool = "projects/another-project/locations/${var.region}/caPools/my-ca-pool"
 repositories = {
- my-repository = {
- location = var.region
- }
+ my-repository = {}
 }
 }
 # tftest modules=1 resources=2 inventory=private-instance.yaml
@@ -82,7 +78,6 @@ module "ssm_instance" {
 }
 repositories = {
 my-repository = {
- location = var.region
 iam = {
 "roles/securesourcemanager.repoAdmin" = [
 "group:my-repo-admins@myorg.com"
@@ -109,7 +104,6 @@ module "ssm_instance" {
 }
 repositories = {
 my-repository = {
- location = var.region
 iam_bindings_additive = {
 my-repository-admin = {
 role = "roles/securesourcemanager.repoAdmin"
@@ -138,7 +132,6 @@ module "ssm_instance" {
 }
 repositories = {
 my-repository = {
- location = var.region
 iam_bindings = {
 my-repository-admin = {
 role = "roles/securesourcemanager.repoAdmin"
@@ -157,16 +150,17 @@ module "ssm_instance" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
-| [instance_id](variables.tf#L23) | Instance ID. | string | ✓ | |
-| [location](variables.tf#L40) | Location. | string | ✓ | |
-| [project_id](variables.tf#L45) | Project ID. | string | ✓ | |
-| [repositories](variables.tf#L50) | Repositories. | map(object({…})) | ✓ | |
+| [instance_id](variables.tf#L29) | Instance ID. | string | ✓ | |
+| [location](variables.tf#L46) | Location. | string | ✓ | |
+| [project_id](variables.tf#L51) | Project ID. | string | ✓ | |
+| [repositories](variables.tf#L56) | Repositories. | map(object({…})) | ✓ | |
 | [ca_pool](variables.tf#L17) | CA pool. | string | | null |
 | [iam](variables-iam.tf#L17) | IAM bindings. | map(list(string)) | | {} |
 | [iam_bindings](variables-iam.tf#L23) | IAM bindings. | map(object({…})) | | {} |
 | [iam_bindings_additive](variables-iam.tf#L32) | IAM bindings. | map(object({…})) | | {} |
-| [kms_key](variables.tf#L28) | KMS key. | string | | null |
-| [labels](variables.tf#L34) | Instance labels. | map(string) | | {} |
+| [instance_create](variables.tf#L23) | Create SSM Instance. When set to false, uses instance_id to reference existing SSM instance. | bool | | true |
+| [kms_key](variables.tf#L34) | KMS key. | string | | null |
+| [labels](variables.tf#L40) | Instance labels. | map(string) | | null |
 ## Outputs
diff --git a/modules/secure-source-manager-instance/iam.tf b/modules/secure-source-manager-instance/iam.tf
index db111bb8f0..15144931c1 100644
--- a/modules/secure-source-manager-instance/iam.tf
+++ b/modules/secure-source-manager-instance/iam.tf
@@ -29,31 +29,37 @@ locals {
 "${k1}.${k2}" => merge(v2, { repository = k1 })
 }]...)
+
+ iam_instance_values = {
+ project = var.instance_create ? google_secure_source_manager_instance.instance[0].project : var.project_id
+ location = var.instance_create ? google_secure_source_manager_instance.instance[0].location : var.location
+ instance_id = var.instance_create ? google_secure_source_manager_instance.instance[0].instance_id : var.instance_id
+ }
 }
 
 resource "google_secure_source_manager_instance_iam_binding" "authoritative" {
 for_each = var.iam
- project = google_secure_source_manager_instance.instance.project
- location = google_secure_source_manager_instance.instance.location
- instance_id = google_secure_source_manager_instance.instance.instance_id
+ project = local.iam_instance_values["project"]
+ location = local.iam_instance_values["location"]
+ instance_id = local.iam_instance_values["instance_id"]
 role = each.key
 members = each.value
 }
 
 resource "google_secure_source_manager_instance_iam_binding" "bindings" {
 for_each = var.iam_bindings
- project = google_secure_source_manager_instance.instance.project
- location = google_secure_source_manager_instance.instance.location
- instance_id = google_secure_source_manager_instance.instance.instance_id
+ project = local.iam_instance_values["project"]
+ location = local.iam_instance_values["location"]
+ instance_id = local.iam_instance_values["instance_id"]
 role = each.value.role
 members = each.value.members
 }
 
 resource "google_secure_source_manager_instance_iam_member" "bindings" {
 for_each = var.iam_bindings_additive
- project = google_secure_source_manager_instance.instance.project
- location = google_secure_source_manager_instance.instance.location
- instance_id = google_secure_source_manager_instance.instance.instance_id
+ project = local.iam_instance_values["project"]
+ location = local.iam_instance_values["location"]
+ instance_id = local.iam_instance_values["instance_id"]
 role = each.value.role
 member = each.value.member
 }
diff --git a/modules/secure-source-manager-instance/main.tf b/modules/secure-source-manager-instance/main.tf
index 0ef58549d4..f22f6a4bee 100644
--- a/modules/secure-source-manager-instance/main.tf
+++ b/modules/secure-source-manager-instance/main.tf
@@ -15,6 +15,7 @@
 */
 
 resource "google_secure_source_manager_instance" "instance" {
+ count = var.instance_create ? 1 : 0
 instance_id = var.instance_id
 project = var.project_id
 location = var.location
@@ -32,9 +33,10 @@ resource "google_secure_source_manager_instance" "instance" {
 resource "google_secure_source_manager_repository" "repositories" {
 for_each = var.repositories
 repository_id = each.key
- instance = google_secure_source_manager_instance.instance.name
+ instance = try(google_secure_source_manager_instance.instance[0].name, "projects/${var.project_id}/locations/${var.location}/instances/${var.instance_id}")
 project = var.project_id
- location = each.value.location
+ location = var.location
+ description = each.value.description
 dynamic "initial_config" {
 for_each = each.value.initial_config == null ? [] : [""]
 content {
diff --git a/modules/secure-source-manager-instance/outputs.tf b/modules/secure-source-manager-instance/outputs.tf
index 5ce9600c9e..9ea6f5acb9 100644
--- a/modules/secure-source-manager-instance/outputs.tf
+++ b/modules/secure-source-manager-instance/outputs.tf
@@ -16,12 +16,12 @@
 
 output "instance" {
 description = "Instance."
- value = google_secure_source_manager_instance.instance
+ value = try(google_secure_source_manager_instance.instance[0], null)
 }
 
 output "instance_id" {
 description = "Instance id."
- value = google_secure_source_manager_instance.instance.id
+ value = try(google_secure_source_manager_instance.instance[0].id, null)
 }
 
 output "repositories" {
diff --git a/modules/secure-source-manager-instance/variables.tf b/modules/secure-source-manager-instance/variables.tf
index ef0e5f7a86..4f06dd9655 100644
--- a/modules/secure-source-manager-instance/variables.tf
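Review bot: With `instance_create = false`, `google_secure_source_manager_instance_iam_binding.authoritative` and `.bindings` are now applied to an instance this module does not create, and an `iam_binding` resource is authoritative for its role: applying `var.iam` or `var.iam_bindings` against a pre-existing instance replaces whatever members that role already had. Neither the hunk nor the new `instance_create` description states this, so I would add a comment above `iam_instance_values` along the lines of `# when instance_create is false the IAM resources below target an existing instance; var.iam and var.iam_bindings are authoritative per role and replace its current members` and repeat the point in the README. The `var.project_id`/`var.location`/`var.instance_id` branch of the local is only validated by the API at apply time, so a mistyped reference surfaces as an apply error rather than at plan; that is probably acceptable but worth a sentence in the same comment. The `locals` block starts before the hunk.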
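Review bot: The new `instance = try(google_secure_source_manager_instance.instance[0].name, "projects/…")` line in the repositories resource falls back to the constructed name on any evaluation error, not only when the instance is not created, so a genuine problem with the created instance reference would be silently masked; iam.tf answers the same question with an explicit `var.instance_create ? … : …` conditional, and this line (and the two `try(…, null)` outputs in the outputs.tf hunk) would be clearer written the same way, e.g. `instance = var.instance_create ? google_secure_source_manager_instance.instance[0].name : "projects/${var.project_id}/locations/${var.location}/instances/${var.instance_id}"`. Since `local.iam_instance_values` already holds the project, location and instance_id for both cases, the full name could be derived once there and reused here. The added `description = each.value.description` assumes the `repositories` object type declares `description`; the variables.tf hunk only shows `location` being removed, so confirm that attribute exists (presumably as `optional(string)`), because a missing attribute is a plan-time error for every caller. The `repositories` resource block continues past the end of the hunk.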
+++ b/modules/secure-source-manager-instance/variables.tf
@@ -20,6 +20,12 @@ variable "ca_pool" {
 default = null
 }
 
+variable "instance_create" {
+ description = "Create SSM Instance. When set to false, uses instance_id to reference existing SSM instance."
+ type = bool
+ default = true
+}
+
 variable "instance_id" {
 description = "Instance ID."
 type = string
@@ -34,7 +40,7 @@ variable "kms_key" {
 variable "labels" {
 description = "Instance labels."
 type = map(string)
- default = {}
+ default = null
 }
 
 variable "location" {
@@ -66,6 +72,5 @@ variable "repositories" {
 license = optional(string)
 readme = optional(string)
 }))
- location = string
 }))
 }
diff --git a/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml b/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml
index a81bbd30ba..5c00969253 100644
--- a/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 values:
- module.ssm_instance.google_secure_source_manager_instance.instance:
+ module.ssm_instance.google_secure_source_manager_instance.instance[0]:
 effective_labels:
 goog-terraform-provisioned: 'true'
 instance_id: my-instance
diff --git a/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml b/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml
index bbf36cd4c9..843c10ed92 100644
--- a/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 values:
- module.ssm_instance.google_secure_source_manager_instance.instance:
+ module.ssm_instance.google_secure_source_manager_instance.instance[0]:
 effective_labels:
 goog-terraform-provisioned: 'true'
 instance_id: my-instance
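Review bot: The `instance_create` description says only that `instance_id` is used to reference an existing instance, but the main.tf fallback name and the iam.tf local are also built from `project_id` and `location`, so all three inputs must match the existing instance for the repositories and IAM resources to resolve. I would make the description say so, e.g. `description = "Create SSM instance. When false, the instance identified by project_id, location and instance_id must already exist; repositories and IAM bindings are then applied to it."`. The `labels` default change from `{}` to `null` is visible only here and in the README table; if it is needed to avoid a perpetual diff on the instance resource, a one-line comment on the variable would explain it, otherwise it reads as an unrelated behaviour change for existing callers — I cannot tell which from the hunk.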
diff --git a/tests/modules/secure_source_manager_instance/examples/iam.yaml b/tests/modules/secure_source_manager_instance/examples/iam.yaml
index 6dae437891..c3b2377cbd 100644
--- a/tests/modules/secure_source_manager_instance/examples/iam.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/iam.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 values:
- module.ssm_instance.google_secure_source_manager_instance.instance:
+ module.ssm_instance.google_secure_source_manager_instance.instance[0]:
 effective_labels:
 goog-terraform-provisioned: 'true'
 instance_id: my-instance
diff --git a/tests/modules/secure_source_manager_instance/examples/private-instance.yaml b/tests/modules/secure_source_manager_instance/examples/private-instance.yaml
index 1c0537a3f8..b3f793e657 100644
--- a/tests/modules/secure_source_manager_instance/examples/private-instance.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/private-instance.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 values:
- module.ssm_instance.google_secure_source_manager_instance.instance:
+ module.ssm_instance.google_secure_source_manager_instance.instance[0]:
 effective_labels:
 goog-terraform-provisioned: 'true'
 instance_id: my-instance
diff --git a/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml b/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml
index a4071b2c18..b07edb4e2c 100644
--- a/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 values:
- module.ssm_instance.google_secure_source_manager_instance.instance:
+ module.ssm_instance.google_secure_source_manager_instance.instance[0]:
 effective_labels:
 goog-terraform-provisioned: 'true'
 instance_id: my-instance
diff --git a/tests/modules/secure_source_manager_instance/examples/public-instance.yaml b/tests/modules/secure_source_manager_instance/examples/public-instance.yaml
index 7856ca1abc..180213548c 100644
--- a/tests/modules/secure_source_manager_instance/examples/public-instance.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/public-instance.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 
 values:
- module.ssm_instance.google_secure_source_manager_instance.instance:
+ module.ssm_instance.google_secure_source_manager_instance.instance[0]:
 effective_labels:
 goog-terraform-provisioned: 'true'
 instance_id: my-instance