secure_secrets
airasia/secure_secrets/google
Terraform module for decrypting secrets (that were encrypted with KMS Keys) in GCP. Can optionally store the encrypted secrets into Secret Manager as well.
Generating ciphertext from plaintext using KMS symmetric encryption

You can use the `gcloud kms encrypt` tool in your terminal, to create a ciphertext from a plaintext.

```bash
echo -n "my-plaintext-secret" \
  | gcloud kms encrypt \
  --project "my-gcp-project-id" \
  --location "asia-southeast1" \
  --keyring "my-kms-key-ring" \
  --key "my-kms-key" \
  --plaintext-file - \
  --ciphertext-file - \
  | base64
```

It outputs a base64 encoded ciphertext:

```
CiQAosletmGOhvZDifaX4JxkBGSwm1/5mIPtMGPhEE8xGkpii4cSLnCNaYhPP2qjEQetFwc6XMWluCsgp/6kJGBPRdT8UNu6UyhVHWguZqJ/yiUIeQ==
```

Revealing plaintext from ciphertext using KMS symmetric decryption

You can use the gcl

| Name | Type | Description | Default |
|---|---|---|---|
| name_suffix | string | An arbitrary suffix that will be added to the end of the resource name(s). For e | required |
| kms_key | string | A KMS Key (self-link) that will be used for decrypting the secrets. | required |
| secrets | map(string) | Mapping of secret_names (as keys) and secret_ciphertexts (as values). Generate t | required |
| copy_to_sm | bool | Whether to copy the secret_ciphertexts (from var.secrets) into GCP Secret Manage | false |
| encrypt | bool | Whether to keep the encrypted secret while adding to secret manager or save it a | false |
decrypted_secrets — A map of secret_names (as keys) and secret_plaintexts (as values).
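
A sketch of calling the module with the inputs listed above and reading one entry from `decrypted_secrets`. This is an added example, not taken from the module's README; the `name_suffix` value, the `db_password` secret name and the exact `kms_key` path format are assumptions.

```hcl
module "secure_secrets" {
  source = "airasia/secure_secrets/google"

  # Constructed value; appended to the resource name(s) the module creates.
  name_suffix = "tf-demo"

  # Assumed key path format, built from the project, location, key ring and
  # key names used in the gcloud example on this page.
  kms_key = "projects/my-gcp-project-id/locations/asia-southeast1/keyRings/my-kms-key-ring/cryptoKeys/my-kms-key"

  # Keys are secret names (hypothetical name "db_password"); values are the
  # base64 ciphertexts printed by `gcloud kms encrypt ... | base64`.
  # Only ciphertext is committed to version control, never the plaintext.
  secrets = {
    db_password = "CiQAosletmGOhvZDifaX4JxkBGSwm1/5mIPtMGPhEE8xGkpii4cSLnCNaYhPP2qjEQetFwc6XMWluCsgp/6kJGBPRdT8UNu6UyhVHWguZqJ/yiUIeQ=="
  }

  # Also copy the secrets into GCP Secret Manager (the default is false).
  copy_to_sm = true
}

# Mark anything derived from decrypted_secrets as sensitive so Terraform
# redacts it in plan/apply output and in `terraform output` listings.
output "db_password" {
  value     = module.secure_secrets.decrypted_secrets["db_password"]
  sensitive = true
}
```

`sensitive = true` only redacts CLI output: a root output is still written to the Terraform state in plaintext, so the state backend needs to be encrypted and access-controlled like any other secret store.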