initial commit

Author: rogerthatdev

.gitignore

@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

tf/provider.tf

@@ -0,0 +1,5 @@
+provider "google" {
+  project         = var.project_id
+  request_timeout = "60s"
+  region          = "us-central1"
+}

tf/setup.tf

@@ -0,0 +1,30 @@
+# Resources needed for all tests
+
+resource "google_project_service" "secret_manager" {
+  service = "secretmanager.googleapis.com"
+
+  timeouts {
+    create = "30m"
+    update = "40m"
+  }
+
+  disable_dependent_services = true
+}
+
+resource "google_service_account" "cloud_function_runner" {
+  account_id   = "cloud-function-service"
+  display_name = "Testing Cloud Function Secrets integration"
+}
+
+resource "google_storage_bucket" "cloud_functions" {
+  name                        = "${var.project_id}-cloud-functions"
+  location                    = "US"
+  uniform_bucket_level_access = true
+}
+
+
+
+
+
+
+

tf/test01.tf

@@ -0,0 +1,85 @@
+# Function Secrets Test 1: providing secret in secret_environment_variables block
+
+resource "google_secret_manager_secret" "test_secret_01" {
+  secret_id = "test-secret_01"
+
+  replication {
+    user_managed {
+      replicas {
+        location = "us-central1"
+      }
+      replicas {
+        location = "us-east1"
+      }
+    }
+  }
+  depends_on = [
+    google_project_service.secret_manager
+  ]
+}
+
+resource "google_secret_manager_secret_version" "test_secret_version_01a" {
+  secret      = google_secret_manager_secret.test_secret_01.id
+  secret_data = "This is my secret for test 1."
+
+
+}
+
+
+# resource "google_secret_manager_secret_version" "test_secret_version_01b" {
+#   secret      = google_secret_manager_secret.test_secret_01.id
+#   secret_data = "This is another version of my secret for test 1."
+# }
+
+
+resource "google_secret_manager_secret_iam_member" "cloud_function_sa_01" {
+  secret_id = google_secret_manager_secret.test_secret_01.id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.cloud_function_runner.email}"
+}
+
+data "archive_file" "cloud_function_1_zip" {
+  type        = "zip"
+  output_path = "/tmp/cloud_function_1.zip"
+  source {
+    content  = <<-EOF
+    exports.echoSecret = (req, res) => {
+    let message = req.query.message || req.body.message || "Secret: "+process.env.MY_SECRET;
+    res.status(200).send(message);
+    };
+    EOF
+    filename = "index.js"
+  }
+}
+
+resource "google_storage_bucket_object" "cloud_function_1_zip" {
+  name   = "cloud-function-1.zip"
+  bucket = google_storage_bucket.cloud_functions.id
+  source = data.archive_file.cloud_function_1_zip.output_path
+}
+
+
+
+resource "google_cloudfunctions_function" "secrets_test" {
+  name                  = "secrets-test-01"
+  runtime               = "nodejs14"
+  service_account_email = google_service_account.cloud_function_runner.email
+  entry_point           = "echoSecret"
+  source_archive_bucket = google_storage_bucket.cloud_functions.id
+  source_archive_object = google_storage_bucket_object.cloud_function_1_zip.name
+  trigger_http          = true
+  secret_environment_variables {
+    key     = "MY_SECRET"
+    secret  = google_secret_manager_secret.test_secret_01.secret_id // description for arg says 'name of secret', terraform keeps this value as "secret_id"
+    version = "latest"                                              // This value is not made available by the secret_manager_secret_version resource
+  }
+}
+
+resource "google_cloudfunctions_function_iam_member" "invoker" {
+  cloud_function = google_cloudfunctions_function.secrets_test.name
+  role           = "roles/cloudfunctions.invoker"
+  member         = "allUsers"
+}
+output "functions_secrets_test_1_URL" {
+  value = google_cloudfunctions_function.secrets_test.https_trigger_url
+}

tf/test02.tf

@@ -0,0 +1,100 @@
+# Function Secrets Test 2: providing secret in secret_volumes block
+
+resource "google_secret_manager_secret" "test_secret_02" {
+  secret_id = "test-secret_02"
+
+  replication {
+    user_managed {
+      replicas {
+        location = "us-central1"
+      }
+      replicas {
+        location = "us-east1"
+      }
+    }
+  }
+  depends_on = [
+    google_project_service.secret_manager
+  ]
+}
+
+resource "google_secret_manager_secret_version" "test_secret_version_02a" {
+  secret      = google_secret_manager_secret.test_secret_02.id
+  secret_data = "This is my secret for test 2."
+}
+
+
+# resource "google_secret_manager_secret_version" "test_secret_version_02b" {
+#   secret      = google_secret_manager_secret.test_secret_02.id
+#   secret_data = "This is another version of my secret for test 2."
+# }
+
+
+resource "google_secret_manager_secret_iam_member" "cloud_function_sa_02" {
+  secret_id = google_secret_manager_secret.test_secret_02.id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.cloud_function_runner.email}"
+}
+
+data "archive_file" "cloud_function_2_zip" {
+  type        = "zip"
+  output_path = "/tmp/cloud_function_2.zip"
+  source {
+    content  = <<-EOF
+      const fs = require('fs')
+
+      exports.echoSecret = (req, res) => {
+        const path = '/etc/secrets/test-secret'
+        fs.access(path, fs.F_OK, (err) => {
+          if (err) {
+            console.error(err)
+            res.status(200).send(err)
+            return
+          }
+        fs.readFile(path, 'utf8', function(err,data) {
+          res.status(200).send("Secret: "+data)
+          return
+        });
+      })
+      };
+    EOF
+    filename = "index.js"
+  }
+}
+
+
+resource "google_cloudfunctions_function" "secrets_test_02" {
+  name                  = "secrets-test-02"
+  runtime               = "nodejs14"
+  service_account_email = google_service_account.cloud_function_runner.email
+  entry_point           = "echoSecret"
+  source_archive_bucket = google_storage_bucket.cloud_functions.id
+  source_archive_object = google_storage_bucket_object.cloud_function_2_zip.name
+  trigger_http          = true
+
+  secret_volumes {
+    secret     = google_secret_manager_secret.test_secret_02.secret_id
+    mount_path = "/etc/secrets"
+    versions { // code suggests this can be left empty, but still required
+      version = "latest"
+      path    = "/test-secret"
+    }
+  }
+}
+
+resource "google_storage_bucket_object" "cloud_function_2_zip" {
+  name   = "cloud-function-2.zip"
+  bucket = google_storage_bucket.cloud_functions.id
+  source = data.archive_file.cloud_function_2_zip.output_path
+}
+
+resource "google_cloudfunctions_function_iam_member" "invoker_02" {
+  cloud_function = google_cloudfunctions_function.secrets_test_02.name
+  role           = "roles/cloudfunctions.invoker"
+  member         = "allUsers"
+}
+output "functions_secrets_test_2_URL" {
+  value = google_cloudfunctions_function.secrets_test_02.https_trigger_url
+}
+
+

tf/variables.tf

@@ -0,0 +1,4 @@
+variable "project_id" {
+  type        = string
+  description = "The project ID to use for Google provider."
+}