# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: blueprints.cloud.google.com/v1alpha1 kind: BlueprintMetadata metadata: name: terraform-google-secret-manager annotations: config.kubernetes.io/local-config: "true" spec: info: title: terraform-google-secret-manager source: repo: https://github.com/GoogleCloudPlatform/terraform-google-secret-manager.git sourceType: git version: 0.8.0 actuationTool: flavor: Terraform version: ">= 1.3" description: {} content: subBlueprints: - name: simple-secret location: modules/simple-secret examples: - name: kms location: examples/kms - name: multiple location: examples/multiple - name: pubsub location: examples/pubsub - name: simple location: examples/simple interfaces: variables: - name: project_id description: The project ID to manage the Secret Manager resources varType: string required: true - name: secrets description: The list of the secrets varType: |- list(object({ name : string, secret_data : optional(string), next_rotation_time : optional(string), rotation_period : optional(string), create_version : optional(bool, true) })) defaultValue: [] - name: user_managed_replication description: Replication parameters that will be used for defined secrets varType: map(list(object({ location = string, kms_key_name = string }))) defaultValue: {} - name: automatic_replication description: Automatic replication parameters that will be used for defined secrets. If not provided, the secret will be automatically replicated using Google-managed key without any restrictions. varType: map(object({ kms_key_name = string })) defaultValue: {} - name: topics description: topics that will be used for defined secrets varType: map(list(object({ name = string }))) defaultValue: {} - name: labels description: labels to be added for the defined secrets varType: map(map(string)) defaultValue: {} - name: add_kms_permissions description: The list of the crypto keys to give secret manager access to varType: list(string) defaultValue: [] - name: add_pubsub_permissions description: The list of the pubsub topics to give secret manager access to varType: list(string) defaultValue: [] - name: secret_accessors_list description: The list of the members to allow accessing secrets varType: list(string) defaultValue: [] outputs: - name: secret_names description: The name list of Secrets - name: secret_versions description: The name list of Secret Versions requirements: roles: - level: Project roles: - roles/secretmanager.admin - roles/cloudkms.admin - roles/pubsub.admin services: - cloudresourcemanager.googleapis.com - storage-api.googleapis.com - serviceusage.googleapis.com - secretmanager.googleapis.com - pubsub.googleapis.com - cloudkms.googleapis.com providerVersions: - source: hashicorp/google version: ">= 4.83.0, < 7" - source: hashicorp/google-beta version: ">= 4.83.0, < 7"