diff --git a/secrethub/resource_service_gcp.go b/secrethub/resource_service_gcp.go
index 87b9f9d..b01575e 100644
--- a/secrethub/resource_service_gcp.go
+++ b/secrethub/resource_service_gcp.go
@@ -27,13 +27,13 @@ func resourceServiceGCP() *schema.Resource {
 Type: schema.TypeString,
 Required: true,
 ForceNew: true,
- Description: "The role name or ARN of the IAM role that should have access to this service account.",
+ Description: "The email of the Google Service Account that provides the identity of the SecretHub service account.",
 },
 "kms_key_id": {
 Type: schema.TypeString,
 Required: true,
 ForceNew: true,
- Description: "The Resource ID of the KMS key to use to encrypt and decrypt your SecretHub key material.",
+ Description: "The Resource ID of the Cloud KMS key to use to encrypt and decrypt your SecretHub key material.",
 },
 },
 }
diff --git a/website/docs/r/service_aws.html.markdown b/website/docs/r/service_aws.html.markdown
index 5ea4674..93833bb 100755
--- a/website/docs/r/service_aws.html.markdown
+++ b/website/docs/r/service_aws.html.markdown
@@ -10,7 +10,7 @@ description: |-
 This resource allows you to manage a service account that is tied to an AWS IAM role.
-The native AWS identity provider uses a combination of AWS IAM and AWS KMS to provide access to SecretHub for any service running on AWS (e.g. EC2, Lambda or ECS) without needing a SecretHub credential.
+The AWS identity provider uses a combination of AWS IAM and AWS KMS to read secrets from SecretHub from any app running on AWS (EC2, ECS, Lambda, etc.) without needing to manage another key.
 ## Example Usage
diff --git a/website/docs/r/service_gcp.html.markdown b/website/docs/r/service_gcp.html.markdown
new file mode 100755
index 0000000..3866cb2
--- /dev/null
+++ b/website/docs/r/service_gcp.html.markdown
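Review bot: The new `kms_key_id` description still only says "Resource ID" without stating which form the provider expects, so a user can pass a bare key name, a key-ring path or a full resource path and only learn of the mismatch at apply time. If the provider requires the full path, the description should say so, e.g. `Description: "The full Resource ID of the Cloud KMS key (projects/<project>/locations/<location>/keyRings/<ring>/cryptoKeys/<key>) used to encrypt and decrypt your SecretHub key material.",` — confirm the accepted form against the create call, which is outside this hunk. Because the attribute is `ForceNew`, a `ValidateFunc` that rejects malformed IDs at plan time would avoid a destroy/recreate cycle after a typo reaches the API; the same applies to the first attribute, whose key and the rest of `resourceServiceGCP` begin before the hunk starts.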
@@ -0,0 +1,33 @@
+---
+layout: "secrethub"
+page_title: "Resource: secrethub_service_gcp"
+sidebar_current: "docs-secrethub-resource-service-gcp"
+description: |-
+ Creates and manages SecretHub service accounts tied to a GCP Service Account.
+---
+
+# Resource: secrethub_service_gcp
+
+This resource allows you to manage a SecretHub service account that is tied to a GCP Service Account.
+
+The GCP identity provider uses a combination of Cloud IAM and Cloud KMS to read secrets from SecretHub from any app running on Google Cloud (GCE, GKE, etc.) without needing to manage another key.
+
+## GCP Project link
+
+Before you can use this resource, you first have to link your SecretHub namespace with your GCP project.
+You only have to do this once for your namespace and GCP project.
+
+Because the linking process uses OAuth and therefore needs a web browser login, it cannot be Terraformed and needs the SecretHub CLI:
+
+```
+secrethub service gcp link
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `service_account_email` - (Required) The email of the Google Service Account that provides the identity of the SecretHub service account.
+* `kms_key_id` - (Required) The Resource ID of the Cloud KMS key to use to encrypt and decrypt your SecretHub key material.
+* `repo` - (Required) The path of the repository on which the service operates.
+* `description` - (Optional) A description of the service so others will recognize it.
diff --git a/website/secrethub.erb b/website/secrethub.erb
index a3730f8..4b09485 100644
--- a/website/secrethub.erb
+++ b/website/secrethub.erb
@@ -14,9 +14,10 @@ > Data Sources
@@ -26,17 +27,22 @@ > secrethub_secret + > + secrethub_access_rule + > secrethub_service - > + > secrethub_service_aws - - > - secrethub_service + > + secrethub_service_gcp + + + <% end %>