https://github.com/devops-rob/terraform-vault-gcp-secrets-engine
A Terraform module to configure the HashiCorp Vault GCP secrets engine.
- Host: GitHub
- URL: https://github.com/devops-rob/terraform-vault-gcp-secrets-engine
- Owner: devops-rob
- License: apache-2.0
- Created: 2021-01-21T18:01:39.000Z (about 5 years ago)
- Default Branch: main
- Last Pushed: 2021-01-22T11:47:15.000Z (about 5 years ago)
- Last Synced: 2025-04-02T11:49:07.594Z (10 months ago)
- Language: HCL
- Homepage:
- Size: 11.7 KB
- Stars: 1
- Watchers: 1
- Forks: 3
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Terraform Module: Vault GCP Secrets Engine
A Terraform module to configure the HashiCorp Vault GCP secrets engine.
## Overview
This module enables operators to implement dynamic credential provisioning for their GCP environments: Vault issues GCP credentials on demand through a configured roleset instead of teams sharing long-lived keys.
## GCP Requirements
- A GCP project.
- A GCP service account.
- The service account needs the following permissions:
  - iam.serviceAccountKeys.create
  - iam.serviceAccountKeys.delete
  - iam.serviceAccountKeys.get
  - iam.serviceAccountKeys.list
  - iam.serviceAccounts.create
  - iam.serviceAccounts.delete
  - iam.serviceAccounts.get
  - resourcemanager.projects.getIamPolicy
  - resourcemanager.projects.setIamPolicy
- A GCP credentials file for the service account.

For information about Service Accounts, Permissions and Roles, refer to the [Google Cloud documentation](https://cloud.google.com/iam/docs/creating-managing-service-accounts).
***NOTE: Credentials files should not be committed to Version Control systems.***
## Usage example
```hcl
provider "vault" {
  address = "http://localhost:8200"
  token   = var.vault_token
}

# Keep the Vault token out of the configuration; supply it via TF_VAR_vault_token.
variable "vault_token" {
  description = "Set this value using the 'TF_VAR_vault_token' environment variable."
}

variable "project" {
  default     = "test"
  description = "GCP project name"
}

module "gcp_defaults" {
  source = "devops-rob/gcp-secrets-engine/vault"

  path             = "gcp"                     # Vault mount path for the secrets engine
  gcp_project      = var.project
  gcp_roleset_name = "key-role"
  gcp_credentials  = file("credentials.json")  # service account credentials file; keep it out of version control
  gcp_secret_type  = "service_account_key"
  gcp_bindings = [
    {
      resource = "//cloudresourcemanager.googleapis.com/projects/${var.project}"
      roles = [
        "roles/viewer"
      ]
    }
  ]
}
```
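Workloads that consume credentials from this mount still need a Vault policy. The following is an added example, not code from this module, that places an overly broad policy next to one scoped to the roleset configured above; it assumes the mount path `gcp` and roleset name `key-role` from the usage example and the `vault_policy` resource of the HashiCorp Vault provider.

```hcl
# Added example (not part of the module): Vault policies for a workload that
# consumes keys from the roleset configured above. Assumes mount path "gcp"
# and roleset name "key-role" from the usage example.

# Too broad: lets the holder mint credentials from every roleset on the mount,
# not just the one this workload needs.
resource "vault_policy" "gcp_consumer_broad" {
  name   = "gcp-consumer-broad"
  policy = <<-EOT
    path "gcp/*" {
      capabilities = ["read", "list"]
    }
  EOT
}

# Scoped: only the key endpoint of the single roleset, plus lease renewal and
# revocation so the workload can clean up the keys it was issued instead of
# leaving them alive until the lease expires.
resource "vault_policy" "gcp_consumer_scoped" {
  name   = "gcp-consumer-scoped"
  policy = <<-EOT
    # Generate a short-lived service account key for the "key-role" roleset
    path "gcp/roleset/key-role/key" {
      capabilities = ["read"]
    }

    # Renew and revoke leases by lease ID (the IDs Vault returned with the key)
    path "sys/leases/renew" {
      capabilities = ["update"]
    }
    path "sys/leases/revoke" {
      capabilities = ["update"]
    }
  EOT
}
```

Attach the scoped policy to the workload's auth role and audit for tokens that still carry the broad form.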
## License
Licensed under the Apache License, Version 2.0 (the "License").
You may obtain a copy of the License at [apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0).
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an _"AS IS"_ basis, without WARRANTIES or conditions of any kind, either express or implied.
See the License for the specific language governing permissions and limitations under the License.