From c6f498fbf142a23c97322f8feb4bca3d00e92e58 Mon Sep 17 00:00:00 2001
From: Ludovico Magnocavallo
Date: Thu, 16 Jun 2022 16:34:46 +0200
Subject: [PATCH] add support for secrets (#684)
---
 modules/cloud-function/README.md | 11 ++++++-----
 modules/cloud-function/main.tf | 29 +++++++++++++++++++++++++++++
 modules/cloud-function/variables.tf | 12 ++++++++++++
 3 files changed, 47 insertions(+), 5 deletions(-)
diff --git a/modules/cloud-function/README.md b/modules/cloud-function/README.md
index 6eac68bf1a..73a1d3f2af 100644
--- a/modules/cloud-function/README.md
+++ b/modules/cloud-function/README.md
@@ -173,11 +173,12 @@ module "cf-http" {
 | [labels](variables.tf#L82) | Resource labels. | map(string) | | {} |
 | [prefix](variables.tf#L93) | Optional prefix used for resource names. | string | | null |
 | [region](variables.tf#L104) | Region used for all resources. | string | | "europe-west1" |
-| [service_account](variables.tf#L110) | Service account email. Unused if service account is auto-created. | string | | null |
-| [service_account_create](variables.tf#L116) | Auto-create service account. | bool | | false |
-| [trigger_config](variables.tf#L122) | Function trigger configuration. Leave null for HTTP trigger. | object({…}) | | null |
-| [vpc_connector](variables.tf#L132) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | object({…}) | | null |
-| [vpc_connector_config](variables.tf#L142) | VPC connector network configuration. Must be provided if new VPC connector is being created. | object({…}) | | null |
+| [secrets](variables.tf#L110) | Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. | map(object({…})) | | {} |
+| [service_account](variables.tf#L122) | Service account email. Unused if service account is auto-created. | string | | null |
+| [service_account_create](variables.tf#L128) | Auto-create service account. | bool | | false |
+| [trigger_config](variables.tf#L134) | Function trigger configuration. Leave null for HTTP trigger. | object({…}) | | null |
+| [vpc_connector](variables.tf#L144) | VPC connector configuration. Set create to 'true' if a new connector needs to be created. | object({…}) | | null |
+| [vpc_connector_config](variables.tf#L154) | VPC connector network configuration. Must be provided if new VPC connector is being created. | object({…}) | | null |
 
 ## Outputs
 
diff --git a/modules/cloud-function/main.tf b/modules/cloud-function/main.tf
index 949cb69b16..0a26c12059 100644
--- a/modules/cloud-function/main.tf
+++ b/modules/cloud-function/main.tf
@@ -91,6 +91,35 @@ resource "google_cloudfunctions_function" "function" {
 }
 }
 
+ dynamic "secret_environment_variables" {
+ for_each = { for k, v in var.secrets : k => v if !v.is_volume }
+ iterator = secret
+ content {
+ key = secret.key
+ project_id = secret.value.project_id
+ secret = secret.value.secret
+ version = try(secret.value.versions.0, "latest")
+ }
+ }
+
+ dynamic "secret_volumes" {
+ for_each = { for k, v in var.secrets : k => v if v.is_volume }
+ iterator = secret
+ content {
+ mount_path = secret.key
+ project_id = secret.value.project_id
+ secret = secret.value.secret
+ dynamic "versions" {
+ for_each = secret.value.versions
+ iterator = version
+ content {
+ path = split(":", version)[1]
+ version = split(":", version)[0]
+ }
+ }
+ }
+ }
+
 }
 
 resource "google_cloudfunctions_function_iam_binding" "default" {
diff --git a/modules/cloud-function/variables.tf b/modules/cloud-function/variables.tf
index a613b2f68b..ce8633c8fc 100644
--- a/modules/cloud-function/variables.tf
+++ b/modules/cloud-function/variables.tf
@@ -107,6 +107,18 @@ variable "region" {
 default = "europe-west1"
 }
 
+variable "secrets" {
+ description = "Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format."
+ type = map(object({
+ is_volume = bool
+ project_id = number
+ secret = string
+ versions = list(string)
+ }))
+ nullable = false
+ default = {}
+}
+
 variable "service_account" {
 description = "Service account email. Unused if service account is auto-created."
 type = string
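Review bot: The `version = try(secret.value.versions.0, "latest")` line in `secret_environment_variables` means an entry with an empty `versions` list is bound to the floating `latest` alias rather than a pinned version, so adding a new version to the secret changes the value the function receives without any Terraform diff; that is a reasonable default, but it should be stated next to the line, e.g. `# empty versions list binds the variable to "latest": new secret versions take effect on the next deploy without a plan change`. In the nested `versions` block of `secret_volumes`, `split(":", version)[1]` fails with an index error if a volume entry has no `:` separator, and a path containing a second `:` is silently truncated to the segment before it; a `validation` block on `var.secrets` (or `regex("^([^:]+):(.+)$", version)`) would fail with a clear message and keep the whole path. The enclosing `google_cloudfunctions_function` resource begins before this hunk.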
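Review bot: The `description` of `secrets` explains the `version:path` encoding but omits the access requirement that comes with it: the function's runtime service account must hold `roles/secretmanager.secretAccessor` on every referenced secret, and nothing in this diff grants it (if the rest of the module does not either, callers will hit a deploy-time permission error). I would extend the description to `"Secret Manager secrets. Key is the variable name or mountpoint, volume versions are in version:path format. The function service account needs secretAccessor on each referenced secret."`. Because main.tf indexes `split(":", ...)[1]` on volume entries, a `validation` block here that requires every `versions` element of an `is_volume = true` entry to match `^[^:]+:.+$` (via `alltrue` and `can(regex(...))`) would turn a malformed entry into a plan-time message instead of an index error. `project_id` is typed `number`, which forces callers to pass the project number rather than the project ID; if that mirrors a provider constraint on these blocks, say so in the description so it does not read as an oversight.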