
GCP Secret Manager

Andy Potanin edited this page Jun 21, 2026 · 1 revision

Creates a GCP Secret Manager secret with an optional IAM binding for service account access.

Use this module when a Rabbit service needs to store sensitive data in Secret Manager with automatic replication and optional service account access grants.

Supported Features

  • Secret creation with automatic replication.
  • Secret version creation with sensitive data.
  • Optional secretAccessor IAM binding for a service account.
  • Secret labels.

Prerequisites

  • GCP credentials with permission to manage Secret Manager resources.
  • The secretmanager.googleapis.com API enabled on the project.

Important Notes

  • This module is used internally by k8s-access to store kubeconfig and SA tokens. It can also be used directly.
  • service_account_email is optional. When provided, the module grants roles/secretmanager.secretAccessor on the secret to that service account. That role only permits reading the payload of the secret's versions; it does not allow listing, adding or destroying versions.
  • Replication is set to auto (Google-managed): Google chooses the storage regions. This does not satisfy data-residency requirements and is rejected in projects under a resource-location organization policy; the module exposes no user-managed replication option.
  • secret_data is supplied inline and is written to the Terraform state in plaintext by the provider. Treat the services file that carries it and the state backend as sensitive, with access controls at least as strict as those on the secret itself.

Minimal Example

services:
  - name: "GCP Secret Manager"
    module: "gcp-secret-manager"
    id: "my-secret"
    deployment_order: 65
    configurations:
      secret_id: "my-app-secret"
      secret_data: "sensitive-value"
      secret_labels:
        creator: "automation"
      project_id: "my-project-id"

Outputs

| Output | Description |
|---|---|
| secret_version | The version of the created secret. |
| secret_name | The name of the created secret. |
| secret_labels | The labels associated with the secret. |

Full Configuration Schema

The fields under the configurations block are passed straight through as the module's Terraform variables; there is no additional mapping layer.

| Field | Type | Required | Description |
|---|---|---|---|
| secret_id | string | Yes | The ID of the secret. |
| secret_data | string | Yes | The sensitive data to store in the secret. |
| secret_labels | map[string] | Yes | Labels to associate with the secret. |
| project_id | string | Yes | GCP project ID where the secret will be created. |
| service_account_email | string | No | Service account email to grant secretAccessor access. Defaults to "" (no IAM binding is created). |
