terraform-vault-service-account

locals Block

service_account: Selects which service account the rest of the module uses, based on the create_service_account variable. When create_service_account is true it is the account created by the google_service_account resource; otherwise it is the existing account looked up by the data.google_service_account data source.

service_account_id: The ID of the selected service account, extracted from local.service_account.

Resource

time_rotating.key_rotation: Keeps a rotation schedule for the service account key; the interval is the key_rotation input (7 days by default, see Inputs). The resource is replaced once the interval has elapsed, but only on the next terraform apply, so the key is rotated only as often as the configuration is actually applied.

google_service_account_key.vault_gcp_sa_key: Creates a new key for the service account. Its keepers block references the last_rotation time from time_rotating.key_rotation, so the key is recreated (and the previous key destroyed) whenever that value changes.

google_project_iam_member.vault_gcp_sa_iam: Grants IAM roles to the service account. It iterates over the iam_roles variable, creating one binding per role, and grants each role to the service account in the specified project.

vault_gcp_auth_backend.gcp: Configures (mounts) the Vault GCP auth method at vault_gcp_auth_path. Its credentials are the private key of the key created by google_service_account_key, so Vault receives the new key on every rotation. Note that the same private key is recorded in Terraform state, which therefore has to be protected like any other secret.

vault_gcp_auth_backend_role.gcp_role: Defines a role on the GCP auth backend. It sets the backend path, role name and type (iam or gce, from gcp_auth_type) and restricts who may log in by binding the role to specific service accounts and projects (and, for the gce type, to the instance groups, zones, regions and labels given in the inputs).
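The whole flow described above, written out as an added example; this is not the module's own source. It uses the hashicorp/google, hashicorp/time and hashicorp/vault providers. The variable names, the "vaultGcpAuthValidator" custom role (its permissions are the ones the Vault GCP auth method documentation lists for token validation), the "gcp" mount path and the "vault-gcp-iam" role name are assumptions for illustration.

```hcl
# Added example, not code from the module. Variable names, role and path
# names are assumptions for illustration.

variable "project_id" { type = string }
variable "service_account_id" { type = string } # e.g. "vault-gcp-validator"
variable "create_service_account" {
  type    = bool
  default = false
}
variable "key_rotation_days" {
  type    = number
  default = 7
}
variable "iam_roles" { type = list(string) }
variable "allowed_service_accounts" { type = list(string) }

# Create the account only when asked for; otherwise read the existing one.
resource "google_service_account" "vault" {
  count        = var.create_service_account ? 1 : 0
  project      = var.project_id
  account_id   = var.service_account_id
  display_name = "Vault GCP auth validator"
}

data "google_service_account" "vault" {
  count      = var.create_service_account ? 0 : 1
  project    = var.project_id
  account_id = var.service_account_id
}

# Exactly one of the two lists is non-empty; one() avoids a conditional
# between a resource object and a data object, which Terraform rejects.
locals {
  service_account_email = one(concat(google_service_account.vault[*].email, data.google_service_account.vault[*].email))
  service_account_name  = one(concat(google_service_account.vault[*].name, data.google_service_account.vault[*].name))
}

# Least privilege: Vault only needs to read accounts/keys (iam logins) and
# instances/instance groups (gce logins) to validate a login.
resource "google_project_iam_custom_role" "validator" {
  project     = var.project_id
  role_id     = "vaultGcpAuthValidator"
  title       = "Vault GCP auth validator"
  permissions = [
    "iam.serviceAccounts.get", "iam.serviceAccountKeys.get",
    "compute.instances.get", "compute.instanceGroups.list",
  ]
}

# Separate resource: the custom role name is unknown until apply, so it
# cannot sit inside the for_each set below.
resource "google_project_iam_member" "validator" {
  project = var.project_id
  role    = google_project_iam_custom_role.validator.name
  member  = "serviceAccount:${local.service_account_email}"
}

resource "google_project_iam_member" "extra" {
  for_each = toset(var.iam_roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${local.service_account_email}"
}

# Rotation clock: replaced (new id) once rotation_days have passed, but only
# at the next terraform apply, so apply at least that often.
resource "time_rotating" "key_rotation" {
  rotation_days = var.key_rotation_days
}

resource "google_service_account_key" "vault" {
  service_account_id = local.service_account_name
  keepers = {
    last_rotation = time_rotating.key_rotation.id
  }
  # Mint the new key before deleting the old one, so Vault is never left
  # holding a revoked key between the two steps.
  lifecycle {
    create_before_destroy = true
  }
}

# private_key is base64-encoded JSON. It is also written to Terraform state,
# so the state backend must be protected like a secret store.
resource "vault_gcp_auth_backend" "gcp" {
  path        = "gcp"
  credentials = base64decode(google_service_account_key.vault.private_key)
}

# iam-type role: callers present a JWT signed by one of the bound service
# accounts; max_jwt_exp caps how far in the future that JWT may expire.
resource "vault_gcp_auth_backend_role" "iam" {
  backend                = vault_gcp_auth_backend.gcp.path
  role                   = "vault-gcp-iam"
  type                   = "iam"
  bound_projects         = [var.project_id]
  bound_service_accounts = var.allowed_service_accounts
  max_jwt_exp            = 3600
  allow_gce_inference    = false
  token_policies         = ["default"]
}

output "service_account_email" { value = local.service_account_email }
output "vault_gcp_auth_backend_path" { value = vault_gcp_auth_backend.gcp.path }
```

Two details matter operationally. Without create_before_destroy, a rotation run deletes the old key before the new one exists, so Vault holds a revoked credential until the apply finishes. And because rotation is driven by time_rotating, it only happens when terraform apply runs after the interval has elapsed; a module like this needs a scheduled apply (CI cron or similar) to deliver the rotation it promises.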

Summary

The code selects or creates a service account and rotates its key on the key_rotation schedule, provided terraform apply runs at least that often. It grants the IAM roles listed in iam_roles to that account. It configures the Vault GCP authentication backend with the account's private key (which Terraform also persists in state). Finally it defines a role on that backend, bound to the allowed service accounts and projects, so that only those identities can log in through it.

Requirements

| Name | Version |
|------|---------|
| google | ~> 6.1.0 |

Providers

| Name | Version |
|------|---------|
| google | 6.1.0 |
| time | 0.12.0 |
| vault | 4.4.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| google_project_iam_custom_role.vault_gcp_validator_validator_role | resource |
| google_project_iam_member.vault_gcp_validator_iam | resource |
| google_service_account.vault_gcp_validator | resource |
| google_service_account_key.vault_gcp_validator_key | resource |
| time_rotating.key_rotation | resource |
| vault_gcp_auth_backend.gcp | resource |
| vault_gcp_auth_backend_role.gcp_gce_role | resource |
| vault_gcp_auth_backend_role.gcp_iam_role | resource |
| vault_policy.policy | resource |
| google_service_account.vault_gcp_validator | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| add_jwt_validotor_permissions | n/a | bool | false | no |
| allow_gce_inference | Flag to allow GCE inference | bool | false | no |
| allowed_service_accounts | n/a | list(string) | [] | no |
| bind_project | n/a | bool | true | no |
| bound_instance_groups | List of instance groups to bind | list(string) | [] | no |
| bound_labels | Map of labels to bind | list(string) | [] | no |
| bound_projects | n/a | list(string) | [] | no |
| bound_regions | List of regions to bind | list(string) | [] | no |
| bound_zones | List of zones to bind | list(string) | [] | no |
| create_service_account | Create a new service account or use an existing one. | bool | false | no |
| gcp_auth_type | n/a | string | "iam" | no |
| iam_roles | A list of IAM roles to attach to the service account. | list(string) | [] | no |
| key_rotation | Rotate the key every N days | string | 7 | no |
| max_jwt_exp | Maximum JWT expiration time in seconds | number | 3600 | no |
| policies | n/a | map(string) | n/a | yes |
| project_id | The ID of the project in which to create the service account. | string | n/a | yes |
| rotate_key | n/a | bool | false | no |
| vault_gcp_auth_path | The path where the GCP auth backend will be mounted in Vault. | string | n/a | yes |
| vault_gcp_auth_role_name | The name of the role to create in the GCP auth backend. | string | n/a | yes |
| vault_jwt_validation_service_account_display_name | The display name of the service account. | string | null | no |
| vault_jwt_validation_service_account_id | The ID of the service account to create. | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| service_account_email | The email of the created service account. |
| vault_gcp_auth_backend_path | The path of the Vault GCP auth backend. |

Contributors

djaboxx, roknsound, jamesoundb
