hunfabric/modules/secure-source-manager-instance
Jason Steenblik 90360c591e Add confidential compute support to google_dataproc_cluster in the da… (#2736)
* Add confidential compute support to google_dataproc_cluster in the dataproc module

* fix parent id lookup for networking and security stages (#2744)

* Add optional automated MD5 generation in net-vlan-attachment module (#2745)

* Bump path-to-regexp and express in /blueprints/gke/binauthz/image (#2749)

Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) to 0.1.12 and updates ancestor dependency [express](https://github.com/expressjs/express). These dependencies need to be updated together.


Updates `path-to-regexp` from 0.1.10 to 0.1.12
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12)

Updates `express` from 4.21.1 to 4.21.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md)
- [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2)

---
updated-dependencies:
- dependency-name: path-to-regexp
  dependency-type: indirect
- dependency-name: express
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add ability to autogenerate md5 keys in net-vpn-ha (#2748)

* Add ability to optionally generate MD5 secrets in VPN module

* Add ability to autogenerate MD5 keys in net-vpn-ha module

* restore missing output

* fix test counts

---------

Co-authored-by: Luca Prete <lucaprete@google.com>
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>

* update changelog

* Bump path-to-regexp and express (#2752)

Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together.

Updates `path-to-regexp` from 0.1.10 to 0.1.12
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12)

Updates `express` from 4.21.1 to 4.21.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md)
- [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2)

---
updated-dependencies:
- dependency-name: path-to-regexp
  dependency-type: indirect
- dependency-name: express
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add support for routing mode to net-swp module (#2751)

Co-authored-by: Julio Castillo <jccb@google.com>

* remove default location in tag value - cloud-run-v2 tags.tf (#2755)

The parent resource has a default of europe-west1 when it should be the region of the resource block where the Cloud Run service actually is.

Changed to use var.region instead

* Add path_template_match and path_template_rewrite support to net-lb-app-ext (required for React apps for example).

* Add rest of load balancers.

* Add path_template_match and path_template_rewrite support to internal load balancers

* Add disk encryption key to the google_compute_instance_template - Sovereign support (#2750)

* add disk encryption key to the google_compute_instance_template

* add a condition to the kms_key_self_link

* use dynamic variable for disk_encryption_key

* remove the getpip from the repo

---------

Co-authored-by: Julio Castillo <jccb@google.com>
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>

* Add support for password validation policy to cloudsql module (#2740)

* add support for password validation policy to cloudsql module

* fix defaults

* update changelog

* bump provider version constraint

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
Co-authored-by: Luca Prete <preteluca@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Luca Prete <lucaprete@google.com>
Co-authored-by: Julio Castillo <jccb@google.com>
Co-authored-by: Matthew Callinan <47421139+Mattible@users.noreply.github.com>
Co-authored-by: Taneli Leppä <taneli@google.com>
Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
Co-authored-by: Kovács Dávid <david-kovacs@t-systems.com>
2024-12-10 16:39:48 +01:00

Secure Source Manager

This module creates a Secure Source Manager instance and repositories in it. It can also manage IAM bindings on the instance and on each repository.

Examples

Public instance

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  repositories = {
    my-repository = {
      location = var.region
    }
  }
}
# tftest modules=1 resources=2 inventory=public-instance.yaml

Public instance with CMEK

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  kms_key     = "projects/another-project-id/locations/${var.region}/keyRings/my-key-ring/cryptoKeys/my-key"
  repositories = {
    my-repository = {}
  }
}
# tftest modules=1 resources=2 inventory=public-instance-with-cmek.yaml

Private instance

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  ca_pool     = "projects/another-project/locations/${var.region}/caPools/my-ca-pool"
  repositories = {
    my-repository = {}
  }
}
# tftest modules=1 resources=2 inventory=private-instance.yaml

IAM

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  iam = {
    "roles/securesourcemanager.instanceOwner" = [
      "group:my-instance-admins@myorg.com"
    ]
  }
  repositories = {
    my-repository = {
      iam = {
        "roles/securesourcemanager.repoAdmin" = [
          "group:my-repo-admins@myorg.com"
        ]
      }
    }
  }
}
# tftest modules=1 resources=4 inventory=iam.yaml

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  iam_bindings_additive = {
    my-instance-admin = {
      role   = "roles/securesourcemanager.instanceOwner"
      member = "group:my-instance-admins@myorg.com"
    }
  }
  repositories = {
    my-repository = {
      iam_bindings_additive = {
        my-repository-admin = {
          role   = "roles/securesourcemanager.repoAdmin"
          member = "group:my-repo-admins@myorg.com"
        }
      }
    }
  }
}
# tftest modules=1 resources=4 inventory=iam-bindings.yaml

module "ssm_instance" {
  source      = "./fabric/modules/secure-source-manager-instance"
  project_id  = var.project_id
  instance_id = "my-instance"
  location    = var.region
  iam_bindings = {
    my-instance-admin = {
      role = "roles/securesourcemanager.instanceOwner"
      members = [
        "group:my-instance-admins@myorg.com"
      ]
    }
  }
  repositories = {
    my-repository = {
      iam_bindings = {
        my-repository-admin = {
          role = "roles/securesourcemanager.repoAdmin"
          members = [
            "group:my-repo-admins@myorg.com"
          ]
        }
      }
    }
  }
}
# tftest modules=1 resources=4 inventory=iam-bindings-additive.yaml
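Existing instance

None of the examples above exercise the `instance_create` variable. The configuration below is an added example, not from the module's README: it sets `instance_create = false` so the module only references an instance that already exists and manages repositories and their IAM on top of it. It assumes an instance named `my-instance` already exists in `var.project_id` and `var.region`, and that those two variables are declared by the calling configuration; repository and group names are placeholders.

```hcl
# Added example: manage repositories and repository IAM on an existing
# Secure Source Manager instance. The instance "my-instance" is assumed to
# already exist in var.project_id / var.region and is NOT created here.
module "ssm_existing" {
  source          = "./fabric/modules/secure-source-manager-instance"
  project_id      = var.project_id
  instance_id     = "my-instance"
  location        = var.region
  instance_create = false
  repositories = {
    # authoritative bindings: the role's member list is fully managed here
    app-backend = {
      iam = {
        "roles/securesourcemanager.repoAdmin" = [
          "group:backend-repo-admins@myorg.com"
        ]
      }
    }
    # additive binding: only this member/role pair is managed, anything
    # granted outside Terraform on the repository is left untouched
    app-frontend = {
      location = var.region
      iam_bindings_additive = {
        frontend-admin = {
          role   = "roles/securesourcemanager.repoAdmin"
          member = "group:frontend-repo-admins@myorg.com"
        }
      }
    }
  }
}

# Repository ids for the two repositories created above, useful when other
# resources (e.g. CI triggers) need to reference them.
output "ssm_repository_ids" {
  value = module.ssm_existing.repository_ids
}
```

Because no instance is created in this configuration, the instance-level `iam*` variables are not set; instance ownership stays with whoever manages the existing instance.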

Variables

| name | description | type | required | default |
|---|---|---|---|---|
| instance_id | Instance ID. | string | ✓ | |
| location | Location. | string | ✓ | |
| project_id | Project ID. | string | ✓ | |
| repositories | Repositories, keyed by repository name. | map(object({…})) | ✓ | |
| ca_pool | CA pool used for a private instance. | string | | null |
| iam | Authoritative IAM bindings keyed by role, each mapping to a list of members. | map(list(string)) | | {} |
| iam_bindings | Authoritative IAM bindings keyed by an arbitrary name, each with a role and a list of members. | map(object({…})) | | {} |
| iam_bindings_additive | Additive IAM bindings keyed by an arbitrary name, each with a single role and member. | map(object({…})) | | {} |
| instance_create | Create SSM instance. When set to false, uses instance_id to reference an existing SSM instance. | bool | | true |
| kms_key | KMS key used to encrypt the instance (CMEK). | string | | null |
| labels | Instance labels. | map(string) | | null |

Outputs

| name | description | sensitive |
|---|---|---|
| instance | Instance. | |
| instance_id | Instance id. | |
| repositories | Repositories. | |
| repository_ids | Repository ids. | |