diff --git a/modules/secure-source-manager-instance/README.md b/modules/secure-source-manager-instance/README.md
index 5d71d3605e..9e99851676 100644
--- a/modules/secure-source-manager-instance/README.md
+++ b/modules/secure-source-manager-instance/README.md
@@ -41,9 +41,7 @@ module "ssm_instance" {
location = var.region
kms_key = "projects/another-project-id/locations/${var.region}/keyRings/my-key-ring/cryptoKeys/my-key"
repositories = {
- my-repository = {
- location = var.region
- }
+ my-repository = {}
}
}
# tftest modules=1 resources=2 inventory=public-instance-with-cmek.yaml
@@ -59,9 +57,7 @@ module "ssm_instance" {
location = var.region
ca_pool = "projects/another-project/locations/${var.region}/caPools/my-ca-pool"
repositories = {
- my-repository = {
- location = var.region
- }
+ my-repository = {}
}
}
# tftest modules=1 resources=2 inventory=private-instance.yaml
@@ -82,7 +78,6 @@ module "ssm_instance" {
}
repositories = {
my-repository = {
- location = var.region
iam = {
"roles/securesourcemanager.repoAdmin" = [
"group:my-repo-admins@myorg.com"
@@ -109,7 +104,6 @@ module "ssm_instance" {
}
repositories = {
my-repository = {
- location = var.region
iam_bindings_additive = {
my-repository-admin = {
role = "roles/securesourcemanager.repoAdmin"
@@ -138,7 +132,6 @@ module "ssm_instance" {
}
repositories = {
my-repository = {
- location = var.region
iam_bindings = {
my-repository-admin = {
role = "roles/securesourcemanager.repoAdmin"
@@ -157,16 +150,17 @@ module "ssm_instance" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [instance_id](variables.tf#L23) | Instance ID. | string
| ✓ | |
-| [location](variables.tf#L40) | Location. | string
| ✓ | |
-| [project_id](variables.tf#L45) | Project ID. | string
| ✓ | |
-| [repositories](variables.tf#L50) | Repositories. | map(object({…}))
| ✓ | |
+| [instance_id](variables.tf#L29) | Instance ID. | string
| ✓ | |
+| [location](variables.tf#L46) | Location. | string
| ✓ | |
+| [project_id](variables.tf#L51) | Project ID. | string
| ✓ | |
+| [repositories](variables.tf#L56) | Repositories. | map(object({…}))
| ✓ | |
| [ca_pool](variables.tf#L17) | CA pool. | string
| | null
|
| [iam](variables-iam.tf#L17) | IAM bindings. | map(list(string))
| | {}
|
| [iam_bindings](variables-iam.tf#L23) | IAM bindings. | map(object({…}))
| | {}
|
| [iam_bindings_additive](variables-iam.tf#L32) | IAM bindings. | map(object({…}))
| | {}
|
-| [kms_key](variables.tf#L28) | KMS key. | string
| | null
|
-| [labels](variables.tf#L34) | Instance labels. | map(string)
| | {}
|
+| [instance_create](variables.tf#L23) | Create SSM Instance. When set to false, uses instance_id to reference existing SSM instance. | bool
| | true
|
+| [kms_key](variables.tf#L34) | KMS key. | string
| | null
|
+| [labels](variables.tf#L40) | Instance labels. | map(string)
| | null
|
## Outputs
diff --git a/modules/secure-source-manager-instance/iam.tf b/modules/secure-source-manager-instance/iam.tf
index db111bb8f0..15144931c1 100644
--- a/modules/secure-source-manager-instance/iam.tf
+++ b/modules/secure-source-manager-instance/iam.tf
@@ -29,31 +29,37 @@ locals {
"${k1}.${k2}" => merge(v2, {
repository = k1
}) }]...)
+
+ iam_instance_values = {
+ project = var.instance_create ? google_secure_source_manager_instance.instance[0].project : var.project_id
+ location = var.instance_create ? google_secure_source_manager_instance.instance[0].location : var.location
+ instance_id = var.instance_create ? google_secure_source_manager_instance.instance[0].instance_id : var.instance_id
+ }
}
resource "google_secure_source_manager_instance_iam_binding" "authoritative" {
for_each = var.iam
- project = google_secure_source_manager_instance.instance.project
- location = google_secure_source_manager_instance.instance.location
- instance_id = google_secure_source_manager_instance.instance.instance_id
+ project = local.iam_instance_values["project"]
+ location = local.iam_instance_values["location"]
+ instance_id = local.iam_instance_values["instance_id"]
role = each.key
members = each.value
}
resource "google_secure_source_manager_instance_iam_binding" "bindings" {
for_each = var.iam_bindings
- project = google_secure_source_manager_instance.instance.project
- location = google_secure_source_manager_instance.instance.location
- instance_id = google_secure_source_manager_instance.instance.instance_id
+ project = local.iam_instance_values["project"]
+ location = local.iam_instance_values["location"]
+ instance_id = local.iam_instance_values["instance_id"]
role = each.value.role
members = each.value.members
}
resource "google_secure_source_manager_instance_iam_member" "bindings" {
for_each = var.iam_bindings_additive
- project = google_secure_source_manager_instance.instance.project
- location = google_secure_source_manager_instance.instance.location
- instance_id = google_secure_source_manager_instance.instance.instance_id
+ project = local.iam_instance_values["project"]
+ location = local.iam_instance_values["location"]
+ instance_id = local.iam_instance_values["instance_id"]
role = each.value.role
member = each.value.member
}
diff --git a/modules/secure-source-manager-instance/main.tf b/modules/secure-source-manager-instance/main.tf
index 0ef58549d4..f22f6a4bee 100644
--- a/modules/secure-source-manager-instance/main.tf
+++ b/modules/secure-source-manager-instance/main.tf
@@ -15,6 +15,7 @@
*/
resource "google_secure_source_manager_instance" "instance" {
+ count = var.instance_create ? 1 : 0
instance_id = var.instance_id
project = var.project_id
location = var.location
@@ -32,9 +33,10 @@ resource "google_secure_source_manager_instance" "instance" {
resource "google_secure_source_manager_repository" "repositories" {
for_each = var.repositories
repository_id = each.key
- instance = google_secure_source_manager_instance.instance.name
+ instance = try(google_secure_source_manager_instance.instance[0].name, "projects/${var.project_id}/locations/${var.location}/instances/${var.instance_id}")
project = var.project_id
- location = each.value.location
+ location = var.location
+ description = each.value.description
dynamic "initial_config" {
for_each = each.value.initial_config == null ? [] : [""]
content {
diff --git a/modules/secure-source-manager-instance/outputs.tf b/modules/secure-source-manager-instance/outputs.tf
index 5ce9600c9e..9ea6f5acb9 100644
--- a/modules/secure-source-manager-instance/outputs.tf
+++ b/modules/secure-source-manager-instance/outputs.tf
@@ -16,12 +16,12 @@
output "instance" {
description = "Instance."
- value = google_secure_source_manager_instance.instance
+ value = try(google_secure_source_manager_instance.instance[0], null)
}
output "instance_id" {
description = "Instance id."
- value = google_secure_source_manager_instance.instance.id
+ value = try(google_secure_source_manager_instance.instance[0].id, null)
}
output "repositories" {
diff --git a/modules/secure-source-manager-instance/variables.tf b/modules/secure-source-manager-instance/variables.tf
index ef0e5f7a86..4f06dd9655 100644
--- a/modules/secure-source-manager-instance/variables.tf
+++ b/modules/secure-source-manager-instance/variables.tf
@@ -20,6 +20,12 @@ variable "ca_pool" {
default = null
}
+variable "instance_create" {
+ description = "Create SSM Instance. When set to false, uses instance_id to reference existing SSM instance."
+ type = bool
+ default = true
+}
+
variable "instance_id" {
description = "Instance ID."
type = string
@@ -34,7 +40,7 @@ variable "kms_key" {
variable "labels" {
description = "Instance labels."
type = map(string)
- default = {}
+ default = null
}
variable "location" {
@@ -66,6 +72,5 @@ variable "repositories" {
license = optional(string)
readme = optional(string)
}))
- location = string
}))
}
diff --git a/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml b/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml
index a81bbd30ba..5c00969253 100644
--- a/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml
@@ -13,7 +13,7 @@
# limitations under the License.
values:
- module.ssm_instance.google_secure_source_manager_instance.instance:
+ module.ssm_instance.google_secure_source_manager_instance.instance[0]:
effective_labels:
goog-terraform-provisioned: 'true'
instance_id: my-instance
diff --git a/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml b/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml
index bbf36cd4c9..843c10ed92 100644
--- a/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml
@@ -13,7 +13,7 @@
# limitations under the License.
values:
- module.ssm_instance.google_secure_source_manager_instance.instance:
+ module.ssm_instance.google_secure_source_manager_instance.instance[0]:
effective_labels:
goog-terraform-provisioned: 'true'
instance_id: my-instance
diff --git a/tests/modules/secure_source_manager_instance/examples/iam.yaml b/tests/modules/secure_source_manager_instance/examples/iam.yaml
index 6dae437891..c3b2377cbd 100644
--- a/tests/modules/secure_source_manager_instance/examples/iam.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/iam.yaml
@@ -13,7 +13,7 @@
# limitations under the License.
values:
- module.ssm_instance.google_secure_source_manager_instance.instance:
+ module.ssm_instance.google_secure_source_manager_instance.instance[0]:
effective_labels:
goog-terraform-provisioned: 'true'
instance_id: my-instance
diff --git a/tests/modules/secure_source_manager_instance/examples/private-instance.yaml b/tests/modules/secure_source_manager_instance/examples/private-instance.yaml
index 1c0537a3f8..b3f793e657 100644
--- a/tests/modules/secure_source_manager_instance/examples/private-instance.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/private-instance.yaml
@@ -13,7 +13,7 @@
# limitations under the License.
values:
- module.ssm_instance.google_secure_source_manager_instance.instance:
+ module.ssm_instance.google_secure_source_manager_instance.instance[0]:
effective_labels:
goog-terraform-provisioned: 'true'
instance_id: my-instance
diff --git a/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml b/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml
index a4071b2c18..b07edb4e2c 100644
--- a/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml
@@ -13,7 +13,7 @@
# limitations under the License.
values:
- module.ssm_instance.google_secure_source_manager_instance.instance:
+ module.ssm_instance.google_secure_source_manager_instance.instance[0]:
effective_labels:
goog-terraform-provisioned: 'true'
instance_id: my-instance
diff --git a/tests/modules/secure_source_manager_instance/examples/public-instance.yaml b/tests/modules/secure_source_manager_instance/examples/public-instance.yaml
index 7856ca1abc..180213548c 100644
--- a/tests/modules/secure_source_manager_instance/examples/public-instance.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/public-instance.yaml
@@ -13,7 +13,7 @@
# limitations under the License.
values:
- module.ssm_instance.google_secure_source_manager_instance.instance:
+ module.ssm_instance.google_secure_source_manager_instance.instance[0]:
effective_labels:
goog-terraform-provisioned: 'true'
instance_id: my-instance