QR827

Reputation: 31

Google Cloud - How do I import GCP cloud SQL certificates into Secret Manager using Terraform?

My GCP cloud SQL has SSL enabled. With that, my client will require the server CA cert, client cert and key to connect to the database. The client is configured to retrieve the certs and key from Secret Manager.

I am deploying my setup using Terraform. Once the SQL instance is created, it needs to output the certs and key so that I can create them in Secret Manager. However, Secret Manager only takes in string format but the output of the certs and keys are in list format.

I am quite new to Terraform, what can I do to import the SQL certs and key into Secret Manager?

The following are my Terraform code snippets:

Cloud SQL

output "server_ca_cert" {
  description = "Server ca certificate for the SQL DB"
  value       = google_sql_database_instance.instance.server_ca_cert
}

output "client_key" {
  description = "Client private key for the SQL DB"
  value       = google_sql_ssl_cert.client_cert.private_key
  # The private key must not be printed in plan/apply output.
  sensitive   = true
}

output "client_cert" {
  description = "Client cert for the SQL DB"
  value       = google_sql_ssl_cert.client_cert.cert
}
Secret Manager

module "server_ca" {
  source = "../siac-modules/modules/secretManager"

  project_id = var.project_id
  region_id = local.default_region
  secret_ids = local.server_ca_key
#  secret_datas = file("${path.module}/certs/server-ca.pem")
  secret_datas = module.sql_db_timeslot_manager.server_ca_cert
}

Terraform plan error:

│ Error: Invalid value for input variable
│
│   on ..\siac-modules\modules\secretManager\variables.tf line 21:
│   21: variable "secret_datas" {
│
│ The given value is not suitable for module.server_ca.var.secret_datas, which is sensitive: string required. Invalid value defined at 30-secret_manager.tf:71,18-63.

Upvotes: 1

Views: 1119

Answers (3)

prospect

Reputation: 17

If I understand your question correctly, the value of your output is wrong. You know it's a list, so it should be retrieved like this:

output "server_ca_cert" {
  description = "Server ca certificate for the SQL DB"
  value = google_sql_database_instance.instance.server_ca_cert.0.cert
}

You can find out more from the doc: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#server_ca_cert.0.cert

Upvotes: 0
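The same indexing applied end to end, as an added example that is not part of prospect's answer or the asker's code: the three certificate values go straight into Secret Manager secret versions, so no private key is written to a local file. It assumes google_sql_database_instance.instance, google_sql_ssl_cert.client_cert and var.project_id as named in the question.

```hcl
# Added example, not code from the question or the answers: wire the Cloud SQL
# certificate material into Secret Manager directly, with no intermediate
# file. Assumes google_sql_database_instance.instance and
# google_sql_ssl_cert.client_cert exist as in the question, and that
# var.project_id is defined.

locals {
  # Static keys, so for_each never has to evaluate a sensitive or unknown value.
  sql_secret_ids = toset(["sql-server-ca", "sql-client-cert", "sql-client-key"])

  # server_ca_cert is a list of objects, hence the [0]; the google_sql_ssl_cert
  # attributes are already plain strings and need no indexing.
  sql_secret_data = {
    "sql-server-ca"   = google_sql_database_instance.instance.server_ca_cert[0].cert
    "sql-client-cert" = google_sql_ssl_cert.client_cert.cert
    "sql-client-key"  = google_sql_ssl_cert.client_cert.private_key
  }
}

resource "google_secret_manager_secret" "sql" {
  for_each  = local.sql_secret_ids
  secret_id = each.key
  project   = var.project_id

  replication {
    auto {} # google provider 5.x syntax; on 4.x use `automatic = true`
  }
}

resource "google_secret_manager_secret_version" "sql" {
  for_each    = local.sql_secret_ids
  secret      = google_secret_manager_secret.sql[each.key].id
  # secret_data takes the plain PEM string; the API base64-encodes it itself.
  secret_data = local.sql_secret_data[each.key]
}

# Only the public CA is exposed as an output. The client key now lives in
# Secret Manager and in Terraform state, so the state backend needs the
# same access control as the secrets themselves.
output "server_ca_cert" {
  description = "Server CA certificate for the SQL DB"
  value       = google_sql_database_instance.instance.server_ca_cert[0].cert
}
```

Because the secret versions depend on the Cloud SQL attributes directly, Terraform orders the creation without any explicit depends_on.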

QR827

Reputation: 31

I managed to solve this issue by:

  1. Exporting the SQL outputs to a file.
  2. Using a data source to read the file contents and adding a dependency on the output. This dependency is key to the setup: the deployment will wait for the SQL instance to be created and the certificate exported before creating the secrets.
  3. In Secret Manager, using the data as the content for secret_data.

Upvotes: 0

ANISH SAJI KUMAR

Reputation: 130

e.g.:

resource "google_secret_manager_secret" "my_secret" {
  # The resource takes secret_id (not name) and has no type argument.
  secret_id = "my-secret"
  project   = "my-project"

  labels = {
    env = "prod"
  }

  # A replication policy is required; automatic replication is the simplest.
  replication {
    auto {} # google provider 5.x syntax; on 4.x use `automatic = true`
  }
}

resource "google_secret_manager_secret_version" "secret_version" {
  # A version has no name or project of its own; it belongs to the secret.
  secret      = google_secret_manager_secret.my_secret.id
  # secret_data is the plain string; do not pre-encode it as base64.
  secret_data = "secret"
}

Upvotes: 0
