diff --git a/.gitignore b/.gitignore
index 7aaaec8..15ac482 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,9 @@
+.DS_Store
 .external_modules
 .idea
 .terraform
 terraform.tfstate*
+terraform.tfvars
+*.key
+*.crt
diff --git a/gcp/byo-project/iam.tf b/gcp/byo-project/iam.tf
index 4a58178..eca7466 100644
--- a/gcp/byo-project/iam.tf
+++ b/gcp/byo-project/iam.tf
@@ -30,21 +30,17 @@ resource "google_project_iam_member" "fleet_run_sa_monitoring_writer" {
 }
 
-resource "google_secret_manager_secret_iam_member" "fleet_run_sa_db_secret_access" {
- project = var.project_id
- secret_id = google_secret_manager_secret.database_password.id
- role = "roles/secretmanager.secretAccessor"
- member = "serviceAccount:${google_service_account.fleet_run_sa.email}"
-
- depends_on = [google_secret_manager_secret.database_password]
-}
+resource "google_secret_manager_secret_iam_member" "fleet_run_sa_secret_access" {
+ for_each = local.fleet_secrets_env_vars
 
-resource "google_secret_manager_secret_iam_member" "fleet_run_sa_private_key_secret_access" {
 project = var.project_id
- secret_id = google_secret_manager_secret.private_key.id
+ secret_id = each.value.secret
 role = "roles/secretmanager.secretAccessor"
 member = "serviceAccount:${google_service_account.fleet_run_sa.email}"
 
- depends_on = [google_secret_manager_secret.private_key]
+ depends_on = [
+ google_secret_manager_secret.database_password,
+ google_secret_manager_secret.private_key,
+ ]
 }
diff --git a/gcp/main.tf b/gcp/main.tf
index 3afe57f..28a4354 100644
--- a/gcp/main.tf
+++ b/gcp/main.tf
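Review bot: The new ignore patterns cover `terraform.tfvars`, `*.key` and `*.crt`, but the PEM material this commit introduces is just as likely to be kept as `*.pem` or supplied through a `*.auto.tfvars` / `*.tfvars.json` file that Terraform loads automatically, and none of those are matched. Adding `*.pem`, `*.auto.tfvars` and `*.tfvars.json` next to the new lines closes the obvious gaps. Ignoring files only affects future commits, so it is worth confirming that no cert, key or tfvars file is already in the history before relying on this.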
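Review bot: `for_each = local.fleet_secrets_env_vars` keys each IAM binding on the environment-variable name, so two entries that point at the same secret (two env vars backed by one secret, or a caller's `extra_secret_env_vars` entry that reuses the database secret) create two `google_secret_manager_secret_iam_member` resources with an identical secret/role/member binding, and destroying either one removes the member the other still claims. If the secret ids are known at plan time, iterating the distinct ids avoids this: `for_each  = toset([for v in local.fleet_secrets_env_vars : v.secret])` with `secret_id = each.value`; otherwise the one-secret-per-entry assumption should be stated in a comment on the `for_each` line. The static `depends_on` list now names only two of the N secrets the loop can reach, and if `local.fleet_secrets_env_vars` (defined outside this hunk) is built from the secret resources' attributes the implicit dependency already covers all of them and the list can go. Granting `roles/secretmanager.secretAccessor` per secret rather than at project scope keeps the runtime identity at least privilege, which is the right shape to keep as more secrets are added.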
@@ -49,13 +49,59 @@ module "project_factory" {
 labels = var.labels
 }
 
+resource "google_secret_manager_secret" "mdm_wstep_cert" {
+ project = module.project_factory.project_id
+ secret_id = "fleet-mdm-wstep-identity-cert"
+ replication {
+ auto {}
+ }
+}
+
+resource "google_secret_manager_secret_version" "mdm_wstep_cert" {
+ secret = google_secret_manager_secret.mdm_wstep_cert.name
+ secret_data_wo = var.windows_mdm_wstep_identity_cert
+ secret_data_wo_version = 2
+}
+
+resource "google_secret_manager_secret" "mdm_wstep_key" {
+ project = module.project_factory.project_id
+ secret_id = "fleet-mdm-wstep-identity-key"
+ replication {
+ auto {}
+ }
+}
+
+resource "google_secret_manager_secret_version" "mdm_wstep_key" {
+ secret = google_secret_manager_secret.mdm_wstep_key.name
+ secret_data_wo = var.windows_mdm_wstep_identity_key
+ secret_data_wo_version = 2
+}
+
+locals {
+ windows_mdm_secret_env_vars = {
+ FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT_BYTES = {
+ secret = google_secret_manager_secret.mdm_wstep_cert.secret_id
+ version = "latest"
+ }
+ FLEET_MDM_WINDOWS_WSTEP_IDENTITY_KEY_BYTES = {
+ secret = google_secret_manager_secret.mdm_wstep_key.secret_id
+ version = "latest"
+ }
+ }
+}
+
 module "fleet" {
 source = "./byo-project"
 project_id = module.project_factory.project_id
 dns_record_name = var.dns_record_name
 dns_zone_name = var.dns_zone_name
 vpc_config = var.vpc_config
- fleet_config = var.fleet_config
+ fleet_config = merge(var.fleet_config, {
+ extra_secret_env_vars = merge(
+ coalesce(var.fleet_config.extra_secret_env_vars, {}),
+ local.windows_mdm_secret_env_vars,
+ )
+ })
 cache_config = var.cache_config
 database_config = var.database_config
 region = var.region
diff --git a/gcp/variables.tf b/gcp/variables.tf
index 677d436..492b933 100644
--- a/gcp/variables.tf
+++ b/gcp/variables.tf
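Review bot: `secret_data_wo_version = 2` is the only thing that makes Terraform write a new secret version, because write-only arguments are never diffed; rotating the WSTEP cert or key in tfvars without bumping this literal leaves the old material in Secret Manager and produces an empty plan. Both `secret_data_wo_version` lines deserve a comment to that effect, e.g. `# write-only input: bump this counter whenever the cert/key is rotated, otherwise no new version is written`. Using `secret_data_wo` rather than `secret_data` is the right call, since it keeps the private key out of the state file. Relatedly, `local.windows_mdm_secret_env_vars` resolves both entries to `version = "latest"`, so a rotated version only reaches the service when it is next redeployed; referencing `google_secret_manager_secret_version.mdm_wstep_key.version` (and the cert equivalent) would make the rotation itself roll the revision, assuming byo-project turns these entries into Cloud Run secret env references, which is not visible here.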
@@ -2,6 +2,18 @@ variable "project_name" {
 default = "fleet"
 }
 
+variable "windows_mdm_wstep_identity_cert" {
+ description = "PEM-encoded certificate for Windows MDM WSTEP identity (FLEET_MDM_WINDOWS_WSTEP_IDENTITY_CERT_BYTES)"
+ type = string
+ sensitive = true
+}
+
+variable "windows_mdm_wstep_identity_key" {
+ description = "PEM-encoded private key for Windows MDM WSTEP identity (FLEET_MDM_WINDOWS_WSTEP_IDENTITY_KEY_BYTES)"
+ type = string
+ sensitive = true
+}
+
 variable "org_id" {
 description = "organization id"
 }
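Review bot: Neither variable validates that the value is actually PEM, so the common mistake of passing a file path instead of `file("wstep.crt")` contents is accepted by Terraform, stored as a secret version, and only fails when Fleet starts. A `validation` block on each variable that checks the PEM header catches this at plan time and costs nothing; the cert one is shown below and the key one is the same shape against `^-----BEGIN (RSA |EC )?PRIVATE KEY-----`. Both variables are also required with no default, so every deployment of this root module must now supply a Windows MDM cert and key even when Windows MDM is not in use; if that is intended it is worth saying so in the descriptions, otherwise `default = null` plus conditional creation of the secrets in main.tf would be the follow-up.

```hcl
variable "windows_mdm_wstep_identity_cert" {
  # … unchanged: description, type, sensitive …

  validation {
    condition     = can(regex("^-----BEGIN CERTIFICATE-----", trimspace(var.windows_mdm_wstep_identity_cert)))
    error_message = "windows_mdm_wstep_identity_cert must contain the PEM certificate itself (e.g. file(\"wstep.crt\")), not a path."
  }
}

# … unchanged: windows_mdm_wstep_identity_key, with the matching validation on the PRIVATE KEY header …
```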