From a9a1b1521b66f7032718f4af34c1aafb79f46a8d Mon Sep 17 00:00:00 2001
From: Leslie Lam
Date: Fri, 15 Dec 2023 09:48:42 -0500
Subject: [PATCH 1/2] Support Google Secrets Manager Secrets
---
 README.md | 7 +++++++
 main.tf | 24 ++++++++++++++++++++++++
 variables.tf | 10 ++++++++++
 3 files changed, 41 insertions(+)
diff --git a/README.md b/README.md
index da6d956..1325997 100644
--- a/README.md
+++ b/README.md
@@ -20,7 +20,11 @@ module "gcp_connector" {
 identity_pool_project_id = "my-project-id"
 gcp_org_id = "123456789"
+ # Enable the Admin SDK API if managing Google Group membership
 enable_google_group_management = true
+
+ # A list of Google Secret Manager secrets to which the Sym Runtime may have read-only access
+ accessible_secrets = [google_secret_manager_secret.okta_api_key]
 }
 ```
@@ -64,8 +68,10 @@ No modules.
 | [google_project_service.admin_sdk_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
 | [google_project_service.iam_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
 | [google_project_service.resource_manager_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
+| [google_project_service.secretmanager_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
 | [google_project_service.service_account_credentials_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
 | [google_project_service.sts_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
+| [google_secret_manager_secret_iam_member.secret_reader](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_member) | resource |
 | [google_service_account.sym](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [google_service_account_iam_member.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
 | [sym_integration.google_workload_identity_federation](https://registry.terraform.io/providers/symopsio/sym/latest/docs/resources/integration) | resource |
@@ -76,6 +82,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [accessible\_secrets](#input\_accessible\_secrets) | A map of google\_secret\_manager\_secret objects to grant the Sym Integration read-only access to. |
list(object({
project = string
secret_id = string
name = string
}))
| `null` | no |
 | [enable\_google\_group\_management](#input\_enable\_google\_group\_management) | A boolean indicating whether to enable the Admin SDK API to allow the Sym Integration to manage Google Group membership. | `bool` | `false` | no |
 | [environment](#input\_environment) | An environment qualifier for the resources this module creates, e.g. staging, or prod. | `string` | n/a | yes |
 | [gcp\_org\_id](#input\_gcp\_org\_id) | The Organization ID of your Google Cloud Organization | `any` | n/a | yes |
diff --git a/main.tf b/main.tf
index 0c4ae2a..2644320 100644
--- a/main.tf
+++ b/main.tf
@@ -122,6 +122,30 @@ resource "google_project_service" "admin_sdk_api" {
 disable_dependent_services = false
 }
+######## Google Secret Manager Secrets Access Resources
+# Enable the Secret Manager API in the Workload Identity Pool Project
+resource "google_project_service" "secretmanager_api" {
+ count = var.accessible_secrets ? 1 : 0
+
+ project = data.google_project.sym_integration.project_id
+ service = "secretmanager.googleapis.com"
+
+ disable_on_destroy = false
+ disable_dependent_services = false
+}
+
+# For each given secret, grant the Sym Service Account the secretAccessor role.
+resource "google_secret_manager_secret_iam_member" "secret_reader" {
+ for_each = { # Can't for-each over a list of objects, so converting it to a map of unique names to secret objects
+ for _, secret in var.accessible_secrets : secret.name => secret
+ }
+
+ project = each.value.project
+ role = "roles/secretmanager.secretAccessor"
+ member = "serviceAccount:${google_service_account.sym.email}"
+ secret_id = each.value.secret_id
+}
+
 ######## Sym Resources
 # Create a sym_integration for the created Google Workload Identity Federation resources.
diff --git a/variables.tf b/variables.tf
index 4b8262f..6b18229 100644
--- a/variables.tf
+++ b/variables.tf
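Review bot: The Secret Manager API is enabled in the pool project (`data.google_project.sym_integration.project_id`), but each `google_secret_manager_secret_iam_member` grant is made in `each.value.project`, which the README example shows can be the caller's own project rather than the pool project. A secret passed in already exists, which presumably means the API is already on in its project, so `google_project_service.secretmanager_api` looks redundant for the access path and the grant never references it either (no `depends_on`). If the enablement is deliberate for some other reason, say so in its comment, e.g. `# The API must be enabled in the project that owns each secret; this only covers secrets stored in the pool project.`; otherwise consider dropping the resource. The `count` condition and the `secret.name` key are reworked in the second patch.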
@@ -18,6 +18,16 @@ variable "enable_google_group_management" {
 default = false
 }
+variable "accessible_secrets" {
+ description = "A map of google_secret_manager_secret objects to grant the Sym Integration read-only access to."
+ type = list(object({
+ project = string
+ secret_id = string
+ name = string
+ }))
+ default = null
+}
+
 variable "sym_account_id" {
 description = "The AWS account ID that can impersonate the created Google service account. Defaults to the Sym Production AWS account ID."
 type = string
From 031f6de73c3ae61543f71f7302822d132e0a9b52 Mon Sep 17 00:00:00 2001
From: Leslie Lam
Date: Tue, 9 Jan 2024 15:11:58 -0500
Subject: [PATCH 2/2] fix foreach key for google_secret_manager_secret_iam_member resources
---
 README.md | 2 +-
 main.tf | 8 ++++++--
 variables.tf | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 1325997..b43c7b2 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [accessible\_secrets](#input\_accessible\_secrets) | A map of google\_secret\_manager\_secret objects to grant the Sym Integration read-only access to. |
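Review bot: The description of `accessible_secrets` says "A map of google_secret_manager_secret objects" while the declared type is `list(object({...}))`, and the generated README row copies the mismatch; the same wording is kept by the second patch's variables.tf and README hunks, so it is worth fixing once here. It also does not say which attributes of the object are consumed or what is granted, which is what a caller deciding whether to pass a whole resource needs. Suggested wording: `description = "A list of google_secret_manager_secret objects (project, secret_id, name) whose secrets the Sym service account is granted roles/secretmanager.secretAccessor on."`.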
list(object({
project = string
secret_id = string
name = string
}))
| `null` | no |
+| [accessible\_secrets](#input\_accessible\_secrets) | A map of google\_secret\_manager\_secret objects to grant the Sym Integration read-only access to. |
list(object({
project = string
secret_id = string
name = string
}))
| `[]` | no |
 | [enable\_google\_group\_management](#input\_enable\_google\_group\_management) | A boolean indicating whether to enable the Admin SDK API to allow the Sym Integration to manage Google Group membership. | `bool` | `false` | no |
 | [environment](#input\_environment) | An environment qualifier for the resources this module creates, e.g. staging, or prod. | `string` | n/a | yes |
 | [gcp\_org\_id](#input\_gcp\_org\_id) | The Organization ID of your Google Cloud Organization | `any` | n/a | yes |
diff --git a/main.tf b/main.tf
index 2644320..e0f66f7 100644
--- a/main.tf
+++ b/main.tf
@@ -123,9 +123,13 @@ resource "google_project_service" "admin_sdk_api" {
 }
 ######## Google Secret Manager Secrets Access Resources
+locals {
+ secretmanager_api_count = length(var.accessible_secrets) > 0 ? 1 : 0
+}
+
 # Enable the Secret Manager API in the Workload Identity Pool Project
 resource "google_project_service" "secretmanager_api" {
- count = var.accessible_secrets ? 1 : 0
+ count = local.secretmanager_api_count
 project = data.google_project.sym_integration.project_id
 service = "secretmanager.googleapis.com"
@@ -137,7 +141,7 @@ resource "google_project_service" "secretmanager_api" {
 # For each given secret, grant the Sym Service Account the secretAccessor role.
 resource "google_secret_manager_secret_iam_member" "secret_reader" {
 for_each = { # Can't for-each over a list of objects, so converting it to a map of unique names to secret objects
- for _, secret in var.accessible_secrets : secret.name => secret
+ for secret in var.accessible_secrets : "${secret.project}/${secret.secret_id}" => secret
 }
 project = each.value.project
diff --git a/variables.tf b/variables.tf
index 6b18229..a6ff948 100644
--- a/variables.tf
+++ b/variables.tf
@@ -25,7 +25,7 @@ variable "accessible_secrets" {
 secret_id = string
 name = string
 }))
- default = null
+ default = []
 }
 variable "sym_account_id" {
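Review bot: `length(var.accessible_secrets)` in the new `locals` block still fails when a caller passes `accessible_secrets = null` explicitly, because the variable is nullable by default and an explicit null is not replaced by the new `[]` default. The simplest guard is `nullable = false` on the variable (needs Terraform 1.1 or later, which I cannot confirm from this hunk); otherwise `secretmanager_api_count = try(length(var.accessible_secrets), 0) > 0 ? 1 : 0` keeps the local total. The `for secret in var.accessible_secrets` expression in the next hunk has the same exposure.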
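Review bot: The inline comment on `for_each` still says "a map of unique names to secret objects", but the key is now `"${secret.project}/${secret.secret_id}"` and `secret.name` is no longer read anywhere in this resource; update it to `# Can't for-each over a list of objects, so key each secret by "<project>/<secret_id>", which is unique per secret`. One caveat worth a second comment line: when a caller passes a `google_secret_manager_secret` created in the same apply and does not set `project` explicitly, that attribute is presumably computed and unknown at plan time, which would make Terraform reject the key with "Invalid for_each argument"; if that is expected, document that `project` must be set on the passed secrets.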
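Review bot: After the key change in main.tf, the `name` attribute of `accessible_secrets` is required by the object type (`name = string`, visible as context in this hunk) but no longer consumed by anything in the module. Marking it `optional(string)` would need Terraform 1.3, which I cannot confirm from the hunk; if that is not available, at least note it in the description, e.g. `# name is currently unused; only project and secret_id are read`, so callers passing hand-built objects know they can supply any string. The enclosing `variable` block starts before the hunk.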