diff --git a/modules/secure-source-manager-instance/README.md b/modules/secure-source-manager-instance/README.md
index 5c351aedb..42f0e52d2 100644
--- a/modules/secure-source-manager-instance/README.md
+++ b/modules/secure-source-manager-instance/README.md
@@ -32,7 +32,7 @@ module "ssm_instance" {
# tftest modules=1 resources=2 inventory=public-instance.yaml
```
-### Public instance with CMEK
+### Public instance with CMEK
```hcl
module "ssm_instance" {
@@ -56,7 +56,9 @@ module "ssm_instance" {
project_id = var.project_id
instance_id = "my-instance"
location = var.region
- ca_pool = "projects/another-project/locations/${var.region}/caPools/my-ca-pool"
+ private_configs = {
+ is_private = true
+ }
repositories = {
my-repository = {}
}
@@ -64,6 +66,25 @@ module "ssm_instance" {
# tftest modules=1 resources=2 inventory=private-instance.yaml
```
+You can optionally specify a Certificate Authority (CAS) pool and use your own certificate.
+
+```hcl
+module "ssm_instance" {
+ source = "./fabric/modules/secure-source-manager-instance"
+ project_id = var.project_id
+ instance_id = "my-instance"
+ location = var.region
+ private_configs = {
+ is_private = true
+ ca_pool_id = "projects/another-project/locations/${var.region}/caPools/my-ca-pool"
+ }
+ repositories = {
+ my-repository = {}
+ }
+}
+# tftest modules=1 resources=2 inventory=private-instance-ca-pool.yaml
+```
+
### IAM
```hcl
@@ -179,17 +200,17 @@ module "ssm_instance" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [instance_id](variables.tf#L29) | Instance ID. | string | ✓ | |
-| [location](variables.tf#L46) | Location. | string | ✓ | |
-| [project_id](variables.tf#L51) | Project ID. | string | ✓ | |
-| [repositories](variables.tf#L56) | Repositories. | map(object({…})) | ✓ | |
-| [ca_pool](variables.tf#L17) | CA pool. | string | | null |
+| [instance_id](variables.tf#L23) | Instance ID. | string | ✓ | |
+| [location](variables.tf#L40) | Location. | string | ✓ | |
+| [project_id](variables.tf#L55) | Project ID. | string | ✓ | |
+| [repositories](variables.tf#L60) | Repositories. | map(object({…})) | ✓ | |
| [iam](variables-iam.tf#L17) | IAM bindings. | map(list(string)) | | {} |
| [iam_bindings](variables-iam.tf#L23) | IAM bindings. | map(object({…})) | | {} |
| [iam_bindings_additive](variables-iam.tf#L32) | IAM bindings. | map(object({…})) | | {} |
-| [instance_create](variables.tf#L23) | Create SSM Instance. When set to false, uses instance_id to reference existing SSM instance. | bool | | true |
-| [kms_key](variables.tf#L34) | KMS key. | string | | null |
-| [labels](variables.tf#L40) | Instance labels. | map(string) | | null |
+| [instance_create](variables.tf#L17) | Create SSM Instance. When set to false, uses instance_id to reference existing SSM instance. | bool | | true |
+| [kms_key](variables.tf#L28) | KMS key. | string | | null |
+| [labels](variables.tf#L34) | Instance labels. | map(string) | | null |
+| [private_configs](variables.tf#L45) | The configurations for SSM private instances. | object({…}) | | {} |
## Outputs
diff --git a/modules/secure-source-manager-instance/iam.tf b/modules/secure-source-manager-instance/iam.tf
index 15144931c..424a86057 100644
--- a/modules/secure-source-manager-instance/iam.tf
+++ b/modules/secure-source-manager-instance/iam.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
diff --git a/modules/secure-source-manager-instance/main.tf b/modules/secure-source-manager-instance/main.tf
index 5c870994d..913772dad 100644
--- a/modules/secure-source-manager-instance/main.tf
+++ b/modules/secure-source-manager-instance/main.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -41,10 +41,10 @@ resource "google_secure_source_manager_instance" "instance" {
labels = var.labels
kms_key = var.kms_key
dynamic "private_config" {
- for_each = var.ca_pool == null ? [] : [""]
+ for_each = var.private_configs.is_private ? [""] : []
content {
is_private = true
- ca_pool = var.ca_pool
+ ca_pool = var.private_configs.ca_pool_id
}
}
}
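Review bot: With `for_each = var.private_configs.is_private ? [""] : []` every instance becomes private by default, because `private_configs` defaults to `{}` and `is_private` is declared `optional(bool, true)` in the variables.tf hunk, whereas the removed condition only emitted `private_config` when a CA pool was supplied. The updated inventories show the effect: public-instance.yaml and public-instance-with-cmek.yaml now expect `is_private: true`, and public-instance.yaml's new blob id (0ee15966c) is identical to private-instance.yaml's, so the test suite no longer exercises a public instance at all. If the previous behavior is meant to be preserved, declare `is_private = optional(bool, false)` and refresh the two public inventories; if private-by-default is intended, the README's "Public instance" examples need `is_private = false` and the change should be documented as breaking together with the removal of the `ca_pool` variable. The hardcoded `is_private = true` inside `content` could also read `var.private_configs.is_private` so the block has a single source of truth, though as written it is harmless.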
@@ -81,4 +81,4 @@ resource "google_secure_source_manager_branch_rule" "branch_rules" {
require_linear_history = each.value.require_linear_history
require_pull_request = each.value.require_pull_request
allow_stale_reviews = each.value.allow_stale_reviews
-}
\ No newline at end of file
+}
diff --git a/modules/secure-source-manager-instance/outputs.tf b/modules/secure-source-manager-instance/outputs.tf
index 9ea6f5acb..a4299a745 100644
--- a/modules/secure-source-manager-instance/outputs.tf
+++ b/modules/secure-source-manager-instance/outputs.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
diff --git a/modules/secure-source-manager-instance/variables-iam.tf b/modules/secure-source-manager-instance/variables-iam.tf
index 253c797fe..20b4839d6 100644
--- a/modules/secure-source-manager-instance/variables-iam.tf
+++ b/modules/secure-source-manager-instance/variables-iam.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -36,4 +36,4 @@ variable "iam_bindings_additive" {
member = string
}))
default = {}
-}
\ No newline at end of file
+}
diff --git a/modules/secure-source-manager-instance/variables.tf b/modules/secure-source-manager-instance/variables.tf
index 01e5231b6..8a2b097e3 100644
--- a/modules/secure-source-manager-instance/variables.tf
+++ b/modules/secure-source-manager-instance/variables.tf
@@ -1,5 +1,5 @@
/**
- * Copyright 2024 Google LLC
+ * Copyright 2025 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -14,12 +14,6 @@
* limitations under the License.
*/
-variable "ca_pool" {
- description = "CA pool."
- type = string
- default = null
-}
-
variable "instance_create" {
description = "Create SSM Instance. When set to false, uses instance_id to reference existing SSM instance."
type = bool
@@ -48,6 +42,16 @@ variable "location" {
type = string
}
+variable "private_configs" {
+ description = "The configurations for SSM private instances."
+ type = object({
+ is_private = optional(bool, true)
+ ca_pool_id = optional(string)
+ })
+ nullable = false
+ default = {}
+}
+
variable "project_id" {
description = "Project ID."
type = string
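Review bot: `ca_pool_id` is silently ignored when `is_private` is false, because main.tf only renders `private_config` when `is_private` is true, so a caller who sets just a CA pool ends up with an instance that has no private config and no error. A `validation` block on the variable would surface that misconfiguration at plan time, as sketched below. The description should also state the default, e.g. `description = "The configurations for SSM private instances. is_private defaults to true; set it to false for a public instance."`. The `project_id` variable that starts at the end of the hunk continues outside it.
```hcl
variable "private_configs" {
  # … unchanged: description, type, nullable, default …
  validation {
    condition     = var.private_configs.is_private || var.private_configs.ca_pool_id == null
    error_message = "ca_pool_id can only be set when is_private is true."
  }
}
```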
diff --git a/tests/modules/secure_source_manager_instance/examples/branch-protection-rules.yaml b/tests/modules/secure_source_manager_instance/examples/branch-protection-rules.yaml
index cb5557eed..4ae3ce2f0 100644
--- a/tests/modules/secure_source_manager_instance/examples/branch-protection-rules.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/branch-protection-rules.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -28,19 +28,23 @@ values:
require_pull_request: true
timeouts: null
module.ssm_instance.google_secure_source_manager_instance.instance[0]:
+ deletion_policy: PREVENT
effective_labels:
goog-terraform-provisioned: 'true'
instance_id: my-instance
kms_key: null
labels: null
location: europe-west8
- private_config: []
+ private_config:
+ - ca_pool: null
+ is_private: true
project: project-id
terraform_labels:
goog-terraform-provisioned: 'true'
timeouts: null
workforce_identity_federation_config: []
module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ deletion_policy: PREVENT
description: null
initial_config: []
location: europe-west8
@@ -53,4 +57,4 @@ counts:
google_secure_source_manager_instance: 1
google_secure_source_manager_repository: 1
modules: 1
- resources: 3
\ No newline at end of file
+ resources: 3
diff --git a/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml b/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml
index 5c0096925..8686841e6 100644
--- a/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/iam-bindings-additive.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,25 +14,31 @@
values:
module.ssm_instance.google_secure_source_manager_instance.instance[0]:
+ deletion_policy: PREVENT
effective_labels:
goog-terraform-provisioned: 'true'
instance_id: my-instance
kms_key: null
labels: null
location: europe-west8
- private_config: []
+ private_config:
+ - ca_pool: null
+ is_private: true
project: project-id
terraform_labels:
goog-terraform-provisioned: 'true'
timeouts: null
+ workforce_identity_federation_config: []
module.ssm_instance.google_secure_source_manager_instance_iam_binding.bindings["my-instance-admin"]:
condition: []
instance_id: my-instance
+ location: europe-west8
members:
- group:my-instance-admins@myorg.com
project: project-id
role: roles/securesourcemanager.instanceOwner
module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ deletion_policy: PREVENT
description: null
initial_config: []
location: europe-west8
@@ -41,6 +47,7 @@ values:
timeouts: null
module.ssm_instance.google_secure_source_manager_repository_iam_binding.bindings["my-repository.my-repository-admin"]:
condition: []
+ location: europe-west8
members:
- group:my-repo-admins@myorg.com
project: project-id
@@ -53,4 +60,4 @@ counts:
google_secure_source_manager_repository: 1
google_secure_source_manager_repository_iam_binding: 1
modules: 1
- resources: 4
\ No newline at end of file
+ resources: 4
diff --git a/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml b/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml
index 843c10ed9..6dd75446c 100644
--- a/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/iam-bindings.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,24 +14,30 @@
values:
module.ssm_instance.google_secure_source_manager_instance.instance[0]:
+ deletion_policy: PREVENT
effective_labels:
goog-terraform-provisioned: 'true'
instance_id: my-instance
kms_key: null
labels: null
location: europe-west8
- private_config: []
+ private_config:
+ - ca_pool: null
+ is_private: true
project: project-id
terraform_labels:
goog-terraform-provisioned: 'true'
timeouts: null
+ workforce_identity_federation_config: []
module.ssm_instance.google_secure_source_manager_instance_iam_member.bindings["my-instance-admin"]:
condition: []
instance_id: my-instance
+ location: europe-west8
member: group:my-instance-admins@myorg.com
project: project-id
role: roles/securesourcemanager.instanceOwner
module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ deletion_policy: PREVENT
description: null
initial_config: []
location: europe-west8
@@ -40,7 +46,16 @@ values:
timeouts: null
module.ssm_instance.google_secure_source_manager_repository_iam_member.bindings["my-repository.my-repository-admin"]:
condition: []
+ location: europe-west8
member: group:my-repo-admins@myorg.com
project: project-id
repository_id: my-repository
- role: roles/securesourcemanager.repoAdmin
\ No newline at end of file
+ role: roles/securesourcemanager.repoAdmin
+
+counts:
+ google_secure_source_manager_instance: 1
+ google_secure_source_manager_instance_iam_member: 1
+ google_secure_source_manager_repository: 1
+ google_secure_source_manager_repository_iam_member: 1
+ modules: 1
+ resources: 4
diff --git a/tests/modules/secure_source_manager_instance/examples/iam.yaml b/tests/modules/secure_source_manager_instance/examples/iam.yaml
index c3b2377cb..f67f30a4d 100644
--- a/tests/modules/secure_source_manager_instance/examples/iam.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/iam.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,25 +14,31 @@
values:
module.ssm_instance.google_secure_source_manager_instance.instance[0]:
+ deletion_policy: PREVENT
effective_labels:
goog-terraform-provisioned: 'true'
instance_id: my-instance
kms_key: null
labels: null
location: europe-west8
- private_config: []
+ private_config:
+ - ca_pool: null
+ is_private: true
project: project-id
terraform_labels:
goog-terraform-provisioned: 'true'
timeouts: null
+ workforce_identity_federation_config: []
? module.ssm_instance.google_secure_source_manager_instance_iam_binding.authoritative["roles/securesourcemanager.instanceOwner"]
: condition: []
instance_id: my-instance
+ location: europe-west8
members:
- group:my-instance-admins@myorg.com
project: project-id
role: roles/securesourcemanager.instanceOwner
module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ deletion_policy: PREVENT
description: null
initial_config: []
location: europe-west8
@@ -41,6 +47,7 @@ values:
timeouts: null
? module.ssm_instance.google_secure_source_manager_repository_iam_binding.authoritative["my-repository.roles/securesourcemanager.repoAdmin"]
: condition: []
+ location: europe-west8
members:
- group:my-repo-admins@myorg.com
project: project-id
@@ -53,4 +60,4 @@ counts:
google_secure_source_manager_repository: 1
google_secure_source_manager_repository_iam_binding: 1
modules: 1
- resources: 4
\ No newline at end of file
+ resources: 4
diff --git a/tests/modules/secure_source_manager_instance/examples/private-instance-ca-pool.yaml b/tests/modules/secure_source_manager_instance/examples/private-instance-ca-pool.yaml
new file mode 100644
index 000000000..a327e8aab
--- /dev/null
+++ b/tests/modules/secure_source_manager_instance/examples/private-instance-ca-pool.yaml
@@ -0,0 +1,45 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.ssm_instance.google_secure_source_manager_instance.instance[0]:
+ deletion_policy: PREVENT
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ instance_id: my-instance
+ kms_key: null
+ labels: null
+ location: europe-west8
+ private_config:
+ - ca_pool: projects/another-project/locations/europe-west8/caPools/my-ca-pool
+ is_private: true
+ project: project-id
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ workforce_identity_federation_config: []
+ module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ deletion_policy: PREVENT
+ description: null
+ initial_config: []
+ location: europe-west8
+ project: project-id
+ repository_id: my-repository
+ timeouts: null
+
+counts:
+ google_secure_source_manager_instance: 1
+ google_secure_source_manager_repository: 1
+ modules: 1
+ resources: 2
diff --git a/tests/modules/secure_source_manager_instance/examples/private-instance.yaml b/tests/modules/secure_source_manager_instance/examples/private-instance.yaml
index b3f793e65..0ee15966c 100644
--- a/tests/modules/secure_source_manager_instance/examples/private-instance.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/private-instance.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,6 +14,7 @@
values:
module.ssm_instance.google_secure_source_manager_instance.instance[0]:
+ deletion_policy: PREVENT
effective_labels:
goog-terraform-provisioned: 'true'
instance_id: my-instance
@@ -21,13 +22,15 @@ values:
labels: null
location: europe-west8
private_config:
- - ca_pool: projects/another-project/locations/europe-west8/caPools/my-ca-pool
+ - ca_pool: null
is_private: true
project: project-id
terraform_labels:
goog-terraform-provisioned: 'true'
timeouts: null
+ workforce_identity_federation_config: []
module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ deletion_policy: PREVENT
description: null
initial_config: []
location: europe-west8
@@ -39,4 +42,4 @@ counts:
google_secure_source_manager_instance: 1
google_secure_source_manager_repository: 1
modules: 1
- resources: 2
\ No newline at end of file
+ resources: 2
diff --git a/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml b/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml
index b07edb4e2..67131f87c 100644
--- a/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/public-instance-with-cmek.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,18 +14,23 @@
values:
module.ssm_instance.google_secure_source_manager_instance.instance[0]:
+ deletion_policy: PREVENT
effective_labels:
goog-terraform-provisioned: 'true'
instance_id: my-instance
kms_key: projects/another-project-id/locations/europe-west8/keyRings/my-key-ring/cryptoKeys/my-key
labels: null
location: europe-west8
- private_config: []
+ private_config:
+ - ca_pool: null
+ is_private: true
project: project-id
terraform_labels:
goog-terraform-provisioned: 'true'
timeouts: null
+ workforce_identity_federation_config: []
module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ deletion_policy: PREVENT
description: null
initial_config: []
location: europe-west8
@@ -37,4 +42,4 @@ counts:
google_secure_source_manager_instance: 1
google_secure_source_manager_repository: 1
modules: 1
- resources: 2
\ No newline at end of file
+ resources: 2
diff --git a/tests/modules/secure_source_manager_instance/examples/public-instance.yaml b/tests/modules/secure_source_manager_instance/examples/public-instance.yaml
index 180213548..0ee15966c 100644
--- a/tests/modules/secure_source_manager_instance/examples/public-instance.yaml
+++ b/tests/modules/secure_source_manager_instance/examples/public-instance.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -14,18 +14,23 @@
values:
module.ssm_instance.google_secure_source_manager_instance.instance[0]:
+ deletion_policy: PREVENT
effective_labels:
goog-terraform-provisioned: 'true'
instance_id: my-instance
kms_key: null
labels: null
location: europe-west8
- private_config: []
+ private_config:
+ - ca_pool: null
+ is_private: true
project: project-id
terraform_labels:
goog-terraform-provisioned: 'true'
timeouts: null
+ workforce_identity_federation_config: []
module.ssm_instance.google_secure_source_manager_repository.repositories["my-repository"]:
+ deletion_policy: PREVENT
description: null
initial_config: []
location: europe-west8
@@ -37,4 +42,4 @@ counts:
google_secure_source_manager_instance: 1
google_secure_source_manager_repository: 1
modules: 1
- resources: 2
\ No newline at end of file
+ resources: 2