- `service_account`: local value that selects which service account to use, based on the `create_service_account` variable. If `create_service_account` is `true`, it refers to the service account created by the `google_service_account` resource; otherwise it refers to the existing service account looked up by the `data.google_service_account` data source.
- `service_account_id`: local value that extracts the ID of the selected service account.
- `time_rotating.key_rotation`: sets up the rotation schedule, advancing every 30 days, so that no single service account key stays valid indefinitely.
- `google_service_account_key.vault_gcp_sa_key`: creates a key for the service account. Its `keepers` block ties the key to the `last_rotation` timestamp, so the key is replaced whenever the `time_rotating` resource advances.
- `google_project_iam_member.vault_gcp_sa_iam`: assigns IAM roles to the service account. It iterates over the `iam_roles` variable and binds each role to the service account in the specified project.
- `vault_gcp_auth_backend.gcp`: configures the Vault GCP authentication backend using the private key of the service account key created by the `google_service_account_key` resource.
- `vault_gcp_auth_backend_role.gcp_role`: defines a role for the Vault GCP authentication backend. It specifies the backend path, role name and type, and binds the role to specific service accounts and projects.

In short, the code creates (or looks up) a service account and rotates its key every 30 days, assigns IAM roles to it, configures the Vault GCP authentication backend with the key's private key, and defines a backend role bound to specific service accounts and projects.
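The wiring described above, as an added HCL example (this is not the module's own source, which is not reproduced on this page). It uses the resource names from the description and the variable names from the inputs table, and assumes the choice between a created and an existing service account is implemented with `count`. Two points it makes explicit: the `keepers` map is what forces a new key when `time_rotating` advances, and the private key passes through Terraform state, so the state backend needs the same protection as the key itself.

```hcl
# Added illustration of the module wiring described above; hypothetical, not the module's source.
# Variables referenced here are the ones listed in the inputs table.

# Create the service account only when asked to; otherwise look the existing one up.
resource "google_service_account" "vault_gcp_sa" {
  count        = var.create_service_account ? 1 : 0
  project      = var.project_id
  account_id   = var.vault_jwt_validation_service_account_id
  display_name = var.vault_jwt_validation_service_account_display_name
}

data "google_service_account" "vault_gcp_sa" {
  count      = var.create_service_account ? 0 : 1
  project    = var.project_id
  account_id = var.vault_jwt_validation_service_account_id
}

locals {
  # The resource and the data source expose the same attributes (name, email),
  # so one conditional can select either.
  service_account = var.create_service_account ? google_service_account.vault_gcp_sa[0] : data.google_service_account.vault_gcp_sa[0]

  # "projects/<project>/serviceAccounts/<email>", the form google_service_account_key expects.
  service_account_id = local.service_account.name
}

# Advances once every var.key_rotation days; its timestamp is the only thing the key depends on.
resource "time_rotating" "key_rotation" {
  rotation_days = var.key_rotation
}

resource "google_service_account_key" "vault_gcp_sa_key" {
  service_account_id = local.service_account_id

  # When the rotation timestamp changes, the keepers map changes and Terraform replaces
  # the key; the replaced key is destroyed in GCP, so the previous key does not linger.
  keepers = {
    last_rotation = time_rotating.key_rotation.rotation_rfc3339
  }
}

# One binding per role in var.iam_roles, scoped to the project only.
resource "google_project_iam_member" "vault_gcp_sa_iam" {
  for_each = toset(var.iam_roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${local.service_account.email}"
}

# private_key is base64-encoded JSON; Vault expects the decoded JSON credentials.
# Both forms end up in Terraform state, so the state backend must be encrypted and
# access-controlled like any other key material.
resource "vault_gcp_auth_backend" "gcp" {
  path        = var.vault_gcp_auth_path
  credentials = base64decode(google_service_account_key.vault_gcp_sa_key.private_key)
}

# One Vault policy per entry of var.policies (name => HCL policy body).
resource "vault_policy" "policy" {
  for_each = var.policies
  name     = each.key
  policy   = each.value
}

resource "vault_gcp_auth_backend_role" "gcp_role" {
  backend                = vault_gcp_auth_backend.gcp.path
  role                   = var.vault_gcp_auth_role_name
  type                   = var.gcp_auth_type # "iam" or "gce"
  bound_projects         = var.bound_projects
  bound_service_accounts = var.allowed_service_accounts
  max_jwt_exp            = var.max_jwt_exp
  token_policies         = keys(var.policies)
}
```

Because the `vault_gcp_auth_backend` credentials reference the key resource directly, a rotation run replaces the key and re-configures the backend in the same apply; anything that reads the key out of band (for example a copy exported to another system) is not updated and will start failing after the rotation.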
| Name | Version |
|---|---|
| google | ~> 6.1.0 |

| Name | Version |
|---|---|
| google | 6.1.0 |
| time | 0.12.0 |
| vault | 4.4.0 |
No modules.
| Name | Type |
|---|---|
| google_project_iam_custom_role.vault_gcp_validator_validator_role | resource |
| google_project_iam_member.vault_gcp_validator_iam | resource |
| google_service_account.vault_gcp_validator | resource |
| google_service_account_key.vault_gcp_validator_key | resource |
| time_rotating.key_rotation | resource |
| vault_gcp_auth_backend.gcp | resource |
| vault_gcp_auth_backend_role.gcp_gce_role | resource |
| vault_gcp_auth_backend_role.gcp_iam_role | resource |
| vault_policy.policy | resource |
| google_service_account.vault_gcp_validator | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| add_jwt_validotor_permissions | n/a | bool | false | no |
| allow_gce_inference | Flag to allow GCE inference | bool | false | no |
| allowed_service_accounts | n/a | list(string) | [] | no |
| bind_project | n/a | bool | true | no |
| bound_instance_groups | List of instance groups to bind | list(string) | [] | no |
| bound_labels | Map of labels to bind | list(string) | [] | no |
| bound_projects | n/a | list(string) | [] | no |
| bound_regions | List of regions to bind | list(string) | [] | no |
| bound_zones | List of zones to bind | list(string) | [] | no |
| create_service_account | Create a new service account or use an existing one. | bool | false | no |
| gcp_auth_type | n/a | string | "iam" | no |
| iam_roles | A list of IAM roles to attach to the service account. | list(string) | [] | no |
| key_rotation | Rotate the key every N days | string | 7 | no |
| max_jwt_exp | Maximum JWT expiration time in seconds | number | 3600 | no |
| policies | n/a | map(string) | n/a | yes |
| project_id | The ID of the project in which to create the service account. | string | n/a | yes |
| rotate_key | n/a | bool | false | no |
| vault_gcp_auth_path | The path where the GCP auth backend will be mounted in Vault. | string | n/a | yes |
| vault_gcp_auth_role_name | The name of the role to create in the GCP auth backend. | string | n/a | yes |
| vault_jwt_validation_service_account_display_name | The display name of the service account. | string | null | no |
| vault_jwt_validation_service_account_id | The ID of the service account to create. | string | n/a | yes |
| Name | Description |
|---|---|
| service_account_email | The email of the created service account. |
| vault_gcp_auth_backend_path | The path of the Vault GCP auth backend. |