Vault-Terraform-GCP integration
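# Inputs for this configuration. The original declared only approle_id and
# approle_secret, yet var.credentials and var.project_id are referenced
# further down; referencing an undeclared input variable is a validate-time
# error, so those two are declared here as well.
variable "approle_id" {
  description = "Vault AppRole role_id used by the vault provider's auth_login block."
  type        = string
}

variable "approle_secret" {
  description = "Vault AppRole secret_id used by the vault provider's auth_login block."
  type        = string
  # Keeps the value out of plan/apply output (requires Terraform >= 0.14).
  sensitive   = true
}

variable "credentials" {
  description = "GCP service-account key (JSON) that the Vault GCP secrets backend uses to mint tokens."
  type        = string
  sensitive   = true
}

variable "project_id" {
  description = "GCP project the Vault roleset may issue access tokens for."
  type        = string
}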
# Authenticate to Vault with AppRole rather than a static token. No `address`
# is set here, so the provider falls back to its environment configuration
# (VAULT_ADDR). The login happens inside the given Vault namespace.
provider "vault" {
  auth_login {
    path      = "auth/approle/login"
    namespace = "admin/terraform-vault-secrets-gcp"

    parameters = {
      role_id   = var.approle_id
      secret_id = var.approle_secret
    }
  }
}
# Ask Vault's GCP secrets engine for an OAuth access token from the
# "gcp-project" roleset (secret_type "access_token" on the roleset below).
# Data-source results, including this token, are persisted in Terraform state.
data "vault_generic_secret" "default" {
  path = "gcp/roleset/gcp-project/token"
}
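# Configure the google provider with the Vault-issued token instead of a
# long-lived service-account key. The project is taken from var.project_id,
# the same variable the roleset uses, rather than the "my-project-id"
# placeholder, so the provider and the roleset cannot point at different
# projects.
provider "google" {
  project      = var.project_id
  region       = "us-central1"
  access_token = data.vault_generic_secret.default.data["token"]
}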
# Demo bucket whose objects are deleted automatically once they are three
# days old. force_destroy lets `terraform destroy` remove the bucket even when
# it still holds objects, so this setting should not be copied onto a bucket
# that carries real data.
resource "google_storage_bucket" "default" {
  name          = "auto-expiring-bucket"
  location      = "US"
  force_destroy = true

  lifecycle_rule {
    action {
      type = "Delete"
    }
    condition {
      age = 3
    }
  }
}
# Mount the GCP secrets engine in Vault. No `path` is given, so the provider's
# default mount path applies; the roleset below reads it back via `.path`.
# var.credentials is the service-account key Vault uses to mint tokens and is
# the most sensitive input in this file.
resource "vault_gcp_secret_backend" "default" {
  description = "GCP Secrets Backend"
  credentials = var.credentials
}
# Least-privilege policy: the only capability granted is `read` on the token
# endpoint of the "gcp-project" roleset, which is exactly what the
# vault_generic_secret data source above needs and nothing more.
data "vault_policy_document" "default" {
  rule {
    description  = "Allow generation of Oauth tokens"
    path         = "gcp/roleset/gcp-project/token"
    capabilities = ["read"]
  }
}
# Publish the rendered HCL of the policy document above as a named Vault policy.
resource "vault_policy" "default" {
  policy = data.vault_policy_document.default.hcl
  name   = "gcp-creds-tmpl"
}
# Internal identity group that carries the gcp-creds policy. Both external_*
# flags are set, so the group's member entities and its policies are managed
# by separate resources (see vault_identity_group_policies below) instead of
# being declared inline on the group.
resource "vault_identity_group" "default" {
  type                       = "internal"
  name                       = "gcp-creds"
  external_member_entity_ids = true
  external_policies          = true
}
# Attach the policy to the group. With exclusive = true this resource owns the
# group's entire policy list, so a policy attached out-of-band is removed on
# the next apply.
resource "vault_identity_group_policies" "default" {
  group_id  = vault_identity_group.default.id
  exclusive = true
  policies  = [vault_policy.default.name]
}
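# Project whose resource name is used in the roleset binding below. The
# original referenced data.google_project.default without declaring it, which
# is a "reference to undeclared resource" error at validate/plan time.
data "google_project" "default" {
  project_id = var.project_id
}

# Roleset that Vault uses to mint OAuth access tokens for a service account it
# manages in the project. Tokens read from gcp/roleset/gcp-project/token are
# limited to these scopes and to the IAM roles bound here.
resource "vault_gcp_secret_roleset" "default" {
  backend     = vault_gcp_secret_backend.default.path
  roleset     = "gcp-project"
  secret_type = "access_token"
  project     = var.project_id

  # cloud-platform is the broadest OAuth scope; the IAM roles in the binding
  # are what effectively constrain the token.
  token_scopes = ["https://www.googleapis.com/auth/cloud-platform"]

  binding {
    resource = "//cloudresourcemanager.googleapis.com/${data.google_project.default.id}"

    # roles/storage.admin grants bucket and object administration across the
    # whole project; narrow it (e.g. roles/storage.objectAdmin on a single
    # bucket) if the workload only needs object access.
    roles = ["roles/storage.admin"]
  }
}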