Merge remote-tracking branch 'origin/master' into fast-dev
@@ -37,9 +37,22 @@ module "kms" {
|
||||
iam = {
|
||||
"roles/cloudkms.admin" = ["group:${var.group_email}"]
|
||||
}
|
||||
iam_bindings = {
|
||||
agent = {
|
||||
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
|
||||
members = [var.service_account.iam_email]
|
||||
}
|
||||
}
|
||||
}
|
||||
key-b = {
|
||||
rotation_period = "604800s"
|
||||
iam_bindings = {
|
||||
# reusing the same binding name across different keys is supported
|
||||
agent = {
|
||||
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
|
||||
members = [var.service_account.iam_email]
|
||||
}
|
||||
}
|
||||
iam_bindings_additive = {
|
||||
key-b-iam1 = {
|
||||
key = "key-b"
|
||||
@@ -55,7 +68,7 @@ module "kms" {
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=6 inventory=basic.yaml e2e
|
||||
# tftest modules=1 resources=8 inventory=basic.yaml e2e
|
||||
```
|
||||
|
||||
### Using an existing keyring
|
||||
|
||||
@@ -27,7 +27,7 @@ locals {
|
||||
key_iam_bindings = merge([
|
||||
for k, v in var.keys : {
|
||||
for binding_key, data in v.iam_bindings :
|
||||
binding_key => {
|
||||
"${k}:${binding_key}" => {
|
||||
key = k
|
||||
role = data.role
|
||||
members = data.members
|
||||
@@ -38,7 +38,7 @@ locals {
|
||||
key_iam_bindings_additive = merge([
|
||||
for k, v in var.keys : {
|
||||
for binding_key, data in v.iam_bindings_additive :
|
||||
binding_key => {
|
||||
"${k}:${binding_key}" => {
|
||||
key = k
|
||||
role = data.role
|
||||
member = data.member
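Review bot: Re-keying `key_iam_bindings` (and `key_iam_bindings_additive` in the second hunk) from `binding_key` to `"${k}:${binding_key}"` changes the resource addresses of bindings that already exist in state; the inventories further down this page show `bindings["myrole_two"]` becoming `bindings["key-a:myrole_two"]`. On upgrade Terraform will presumably plan a destroy and create for each of them, and while an authoritative binding is being recreated its members can briefly lose access to the key, so this deserves an upgrade note in the changelog. The reason for the prefix is also worth a comment above the map key, for example `# prefix with the key name: merge() keeps only the last value for a duplicate map key, so a binding name reused on two keys would otherwise be dropped silently`. The `locals` block starts and ends outside these hunks.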
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -230,12 +230,12 @@ variable "urlmap_config" {
|
||||
request_mirror_backend = optional(string)
|
||||
cors_policy = optional(object({
|
||||
allow_credentials = optional(bool)
|
||||
allow_headers = optional(string)
|
||||
allow_methods = optional(string)
|
||||
allow_headers = optional(list(string))
|
||||
allow_methods = optional(list(string))
|
||||
allow_origin_regexes = list(string)
|
||||
allow_origins = list(string)
|
||||
disabled = optional(bool)
|
||||
expose_headers = optional(string)
|
||||
expose_headers = optional(list(string))
|
||||
max_age = optional(string)
|
||||
}))
|
||||
fault_injection_policy = optional(object({
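Review bot: Nothing visible in this `cors_policy` object constrains `allow_credentials` against `allow_origins` / `allow_origin_regexes`, so a caller can enable credentialed CORS together with a catch-all origin pattern and the module will presumably pass it through unchanged. Any `validation` blocks on the variable are outside the hunk, so this may already be covered. If it is not, consider a validation rule, or at least a comment next to the field such as `# do not combine allow_credentials = true with wildcard origins or broad regexes`. The `variable "urlmap_config"` block starts and ends outside this hunk.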
|
||||
|
||||
@@ -59,7 +59,7 @@ values:
|
||||
members:
|
||||
- serviceAccount:test@test-project.iam.gserviceaccount.com
|
||||
role: roles/viewer
|
||||
google_kms_crypto_key_iam_binding.bindings["myrole_two"]:
|
||||
google_kms_crypto_key_iam_binding.bindings["key-a:myrole_two"]:
|
||||
condition:
|
||||
- description: null
|
||||
expression: resource.matchTag('1234567890/environment', 'development')
|
||||
@@ -67,7 +67,7 @@ values:
|
||||
members:
|
||||
- serviceAccount:test@test-project.iam.gserviceaccount.com
|
||||
role: organizations/366118655033/roles/myRoleTwo
|
||||
google_kms_crypto_key_iam_member.members["myrole_three"]:
|
||||
google_kms_crypto_key_iam_member.members["key-b:myrole_three"]:
|
||||
condition: []
|
||||
member: serviceAccount:test@test-project.iam.gserviceaccount.com
|
||||
role: organizations/366118655033/roles/myRoleThree
|
||||
|
||||
@@ -14,30 +14,57 @@
|
||||
|
||||
values:
|
||||
module.kms.google_kms_crypto_key.default["key-a"]:
|
||||
effective_labels:
|
||||
goog-terraform-provisioned: 'true'
|
||||
labels: null
|
||||
name: key-a
|
||||
purpose: ENCRYPT_DECRYPT
|
||||
rotation_period: null
|
||||
skip_initial_version_creation: false
|
||||
terraform_labels:
|
||||
goog-terraform-provisioned: 'true'
|
||||
timeouts: null
|
||||
module.kms.google_kms_crypto_key.default["key-b"]:
|
||||
effective_labels:
|
||||
goog-terraform-provisioned: 'true'
|
||||
labels: null
|
||||
name: key-b
|
||||
purpose: ENCRYPT_DECRYPT
|
||||
rotation_period: 604800s
|
||||
skip_initial_version_creation: false
|
||||
terraform_labels:
|
||||
goog-terraform-provisioned: 'true'
|
||||
timeouts: null
|
||||
module.kms.google_kms_crypto_key.default["key-c"]:
|
||||
effective_labels:
|
||||
env: test
|
||||
goog-terraform-provisioned: 'true'
|
||||
labels:
|
||||
env: test
|
||||
name: key-c
|
||||
purpose: ENCRYPT_DECRYPT
|
||||
rotation_period: null
|
||||
skip_initial_version_creation: false
|
||||
terraform_labels:
|
||||
env: test
|
||||
goog-terraform-provisioned: 'true'
|
||||
timeouts: null
|
||||
module.kms.google_kms_crypto_key_iam_binding.authoritative["key-a.roles/cloudkms.admin"]:
|
||||
condition: []
|
||||
members:
|
||||
- group:organization-admins@example.org
|
||||
role: roles/cloudkms.admin
|
||||
module.kms.google_kms_crypto_key_iam_member.members["key-b-iam1"]:
|
||||
module.kms.google_kms_crypto_key_iam_binding.bindings["key-a:agent"]:
|
||||
condition: []
|
||||
members:
|
||||
- serviceAccount:sa1@sa.example
|
||||
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
|
||||
module.kms.google_kms_crypto_key_iam_binding.bindings["key-b:agent"]:
|
||||
condition: []
|
||||
members:
|
||||
- serviceAccount:sa1@sa.example
|
||||
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
|
||||
module.kms.google_kms_crypto_key_iam_member.members["key-b:key-b-iam1"]:
|
||||
condition: []
|
||||
member: group:organization-admins@example.org
|
||||
role: roles/cloudkms.cryptoKeyEncrypterDecrypter
|
||||
@@ -45,9 +72,10 @@ values:
|
||||
location: europe-west8
|
||||
name: test-test
|
||||
project: project-id
|
||||
timeouts: null
|
||||
|
||||
counts:
|
||||
google_kms_crypto_key: 3
|
||||
google_kms_crypto_key_iam_binding: 1
|
||||
google_kms_crypto_key_iam_binding: 3
|
||||
google_kms_crypto_key_iam_member: 1
|
||||
google_kms_key_ring: 1
|
||||
|
||||