terraform-secrets-management

Terraform Secrets Management Skill

Table of Contents

How to Implement: Step-by-Step | Examples
Help Resources: Requirements | See Also

Purpose

Manage sensitive data securely without storing secrets in Terraform code or state files. Learn to use Google Secret Manager, IAM bindings, sensitive outputs, and secure secret workflows.

When to Use

Use this skill when you need to:
  • Manage passwords securely - Database passwords, admin credentials
  • Handle API keys - External service authentication tokens
  • Store database credentials - Connection strings, usernames, passwords
  • Manage encryption keys - KMS keys, JWT secrets
  • Pass secrets to applications - Environment variables, Kubernetes secrets
  • Rotate secrets safely - Update secret versions without downtime
  • Prevent secrets in state - Keep sensitive data out of Terraform state files
Security Requirements:
  • Never hardcode secrets in .tf files
  • Never commit secrets to Git
  • Use Google Secret Manager for all sensitive values
  • Apply least privilege IAM permissions
Trigger Phrases:
  • "Store database password in Secret Manager"
  • "Retrieve secret from Google Secret Manager"
  • "Pass secrets to Kubernetes deployment"
  • "Rotate secrets safely"
  • "Prevent secrets in Terraform state"

Quick Start

Retrieve a secret from Google Secret Manager safely in 3 steps:

```bash
# 1. Create secret in GCP
echo -n "MySecretPassword123" | gcloud secrets create db-password --data-file=-

# 2. Grant service account access
gcloud secrets add-iam-policy-binding db-password \
  --member="serviceAccount:app-runtime@project.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"
```

```hcl
# 3. Use in Terraform
data "google_secret_manager_secret_version" "db_password" {
  secret = "db-password"
}

# Cloud SQL takes the password on the user resource, not as an instance flag
resource "google_sql_user" "app_user" {
  name     = "app_user"
  instance = google_sql_database_instance.main.name
  password = data.google_secret_manager_secret_version.db_password.secret_data
}
```

Instructions

分步指南

Step 1: Understand Secret Management Problem

The Problem:
```hcl
# ❌ NEVER DO THIS
variable "db_password" {
  type    = string
  default = "SuperSecret123" # Now in Git history forever!
}

# Even worse
resource "google_sql_user" "app_user" {
  name     = "app_user"
  instance = google_sql_database_instance.main.name
  password = "SuperSecret123" # Hardcoded secret!
}
```

**Why This is Bad**:
- ✗ Secrets exposed in Git history (impossible to remove)
- ✗ Secrets in `.tfstate` file
- ✗ Secrets visible in plan output
- ✗ Secrets accessible to anyone with Git access
- ✗ Violates compliance (SOC2, PCI-DSS)

**The Solution**: Use Google Secret Manager

Step 2: Set Up Google Secret Manager

Create Secrets:
```bash
# Create secret
# (piping a literal puts the value in shell history; in practice read it from a
# protected file or a prompt)
echo -n "database-password-here" | gcloud secrets create db-password \
  --data-file=-

# Or create empty secret
gcloud secrets create api-key

# Update secret value
echo -n "new-password-value" | gcloud secrets versions add db-password \
  --data-file=-

# List secrets
gcloud secrets list

# View secret value (be careful!)
gcloud secrets versions access latest --secret="db-password"
```

**Secret Naming Convention**:
- Use lowercase with hyphens: `db-password`, `api-key`, `jwt-secret`
- Include environment: `db-password-prod`, `api-key-labs`
- Be specific: `github-pat` (Personal Access Token) instead of `github-key`

Step 3: Configure IAM for Secrets

Principle: Only grant access to secrets that services actually need.
```bash
# Grant service account access to specific secret
gcloud secrets add-iam-policy-binding db-password \
  --member="serviceAccount:app-runtime@ecp-wtr-supplier-charges-prod.iam.gserviceaccount.com" \
  --role="roles/secretmanager.secretAccessor"

# Grant access to multiple secrets
gcloud secrets add-iam-policy-binding db-password \
  --member="serviceAccount:app-runtime@..." \
  --role="roles/secretmanager.secretAccessor"
gcloud secrets add-iam-policy-binding api-key \
  --member="serviceAccount:app-runtime@..." \
  --role="roles/secretmanager.secretAccessor"

# View who has access
gcloud secrets get-iam-policy db-password
```

**Terraform IAM**:
```hcl
# Grant service account secret access
data "google_service_account" "app_runtime" {
  account_id = "app-runtime"
}

resource "google_secret_manager_secret_iam_member" "db_password_access" {
  secret_id = "db-password"
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${data.google_service_account.app_runtime.email}"
}
```
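A check for the "View who has access" step above, added here as an example and not part of the original skill: it parses the YAML that `gcloud secrets get-iam-policy SECRET` prints and flags every binding that is not a read-only `secretAccessor` grant to a service account. The policy text, project name and principals are constructed samples.

```shell
#!/bin/sh
# Added example: audit one secret's IAM policy as printed by
#   gcloud secrets get-iam-policy SECRET        (default YAML output)
# and flag anything beyond a least-privilege read grant to a service account.
set -eu

# Constructed sample policy in gcloud's YAML shape (not a real project's policy).
SAMPLE_POLICY='bindings:
- members:
  - serviceAccount:app-runtime@example-project.iam.gserviceaccount.com
  role: roles/secretmanager.secretAccessor
- members:
  - user:someone@example.com
  - allAuthenticatedUsers
  role: roles/secretmanager.admin
etag: BwXconstructed=
version: 1'

# flatten_bindings: stdin YAML -> one "role member" line per (role, member) pair.
# gcloud lists a binding's members first, then its role, so members are buffered.
flatten_bindings() {
  awk '
    /^- members:/ { n = 0; next }
    /^  - /       { sub(/^  - /, ""); m[n++] = $0; next }
    /^  role: /   { sub(/^  role: /, ""); for (i = 0; i < n; i++) print $0, m[i]; n = 0 }
  '
}

# audit_policy: stdin YAML -> one finding per risky binding; exit 0 only when clean.
#  - any role other than secretAccessor (admin also grants destroy and IAM changes)
#  - public principals, which expose the secret to every Google account
#  - human users where a workload's service account is expected
audit_policy() {
  flatten_bindings | {
    findings=0
    while read -r role member; do
      if [ "$role" != "roles/secretmanager.secretAccessor" ]; then
        echo "OVERPRIVILEGED: $member has $role"
        findings=$((findings + 1))
      fi
      case "$member" in
        allUsers|allAuthenticatedUsers)
          echo "PUBLIC: $member is bound to $role"
          findings=$((findings + 1)) ;;
        user:*)
          echo "HUMAN: $member is bound to $role (use a service account)"
          findings=$((findings + 1)) ;;
      esac
    done
    [ "$findings" -eq 0 ]
  }
}

# count_findings POLICY_TEXT: number of findings, for scripting and tests.
count_findings() {
  printf '%s\n' "$1" | audit_policy | wc -l | tr -d ' '
}

# Live use:  gcloud secrets get-iam-policy db-password | audit_policy
printf '%s\n' "$SAMPLE_POLICY" | audit_policy || echo "policy needs attention"
```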

Step 4: Read Secrets in Terraform

Read Secret Value:
```hcl
# Data source to read secret
data "google_secret_manager_secret_version" "db_password" {
  secret = "db-password"
  # version defaults to "latest"
}

# Use secret in resource (Cloud SQL sets the password on the user, not on an instance flag)
resource "google_sql_user" "app_user" {
  name     = "app_user"
  instance = google_sql_database_instance.main.name
  password = data.google_secret_manager_secret_version.db_password.secret_data
}

# Output (marks as sensitive to hide in logs)
output "db_instance_connection_string" {
  value     = google_sql_database_instance.main.connection_name
  sensitive = true # Won't print to console
}
```

**Secret Versions**:
```hcl
# Read latest version
data "google_secret_manager_secret_version" "latest" {
  secret  = "db-password"
  version = "latest"
}

# Read specific version
data "google_secret_manager_secret_version" "v1" {
  secret  = "db-password"
  version = "1"
}

# Read all versions (the plural data source lists the version numbers)
data "google_secret_manager_secret_versions" "db_password" {
  secret = "db-password"
}

# List versions: fetch every version that was listed
data "google_secret_manager_secret_version" "versions" {
  for_each = toset([for v in data.google_secret_manager_secret_versions.db_password.versions : v.version])
  secret   = "db-password"
  version  = each.key
}
```

Step 5: Pass Secrets to Applications

**Method 1: Environment Variables**:
```hcl
# GKE deployment (metadata, selector and container image omitted for brevity)
resource "kubernetes_deployment" "app" {
  spec {
    template {
      spec {
        container {
          env {
            name = "DB_PASSWORD"
            value_from {
              secret_key_ref {
                name = "db-credentials"
                key  = "password"
              }
            }
          }
        }
      }
    }
  }
}
```

**Method 2: Kubernetes Secrets**:
```hcl
# Create Kubernetes secret from Google Secret Manager
resource "kubernetes_secret" "db_credentials" {
  metadata {
    name      = "db-credentials"
    namespace = "default"
  }

  data = {
    "password" = data.google_secret_manager_secret_version.db_password.secret_data
    "username" = "postgres"
    "host"     = google_sql_database_instance.main.private_ip_address
  }

  type = "Opaque"
}

# Use in deployment
resource "kubernetes_deployment" "app" {
  spec {
    template {
      spec {
        container {
          env_from {
            secret_ref {
              name = kubernetes_secret.db_credentials.metadata[0].name
            }
          }
        }
      }
    }
  }
}
```

**Method 3: Cloud Run Environment**:
```hcl
# The service's runtime service account needs secretAccessor on db-password
resource "google_cloud_run_service" "api" {
  template {
    spec {
      containers {
        env {
          name = "DATABASE_PASSWORD"
          value_from {
            secret_key_ref {
              name = "db-password"
              key  = "latest" # secret version; required by the provider
            }
          }
        }
      }
    }
  }
}
```

Step 6: Rotate Secrets Safely

Update Secret Version:
```bash
# Create new secret version
echo -n "new-password-value" | gcloud secrets versions add db-password \
  --data-file=-

# List versions
gcloud secrets versions list db-password

# Destroy old version (optional, usually keep for rollback)
gcloud secrets versions destroy 1 --secret="db-password"
```

**Terraform Handling of Rotation**:
```hcl
# Terraform picks up the latest version on the next plan/apply
data "google_secret_manager_secret_version" "db_password" {
  secret = "db-password"
  # Always uses latest
}

# After rotation and apply the Kubernetes secret is updated; pods that read it as
# environment variables (and other applications) need a restart to see the new value
```

Step 7: Prevent Secrets in State

Validate Configuration:
```bash
# Check if terraform plan would expose secrets (-E enables the alternation; plain
# grep would look for the literal string "secret|password|key")
terraform plan -no-color | grep -iE "secret|password|key" | grep -v "secret_manager"
```

```hcl
# Mark outputs as sensitive
output "connection_string" {
  value     = "Server=${google_sql_database_instance.main.private_ip_address};..."
  sensitive = true # Prevents display in console
}
```

**Exclude from Logging**:
```hcl
# Mark variables as sensitive
variable "api_key" {
  type      = string
  sensitive = true # Won't appear in logs/plan output
}

# Don't echo secrets in outputs
output "api_key" {
  value     = var.api_key
  sensitive = true
}

# But do provide endpoint information
output "api_endpoint" {
  value = google_cloud_run_service.api.status[0].url
}
```
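An added check (not from the original skill) for the caveat behind this step: `sensitive = true` redacts CLI and log output, but the `secret_data` attribute of the data source and the `google_sql_user` password are still stored in plaintext in the state file, so the state backend needs the same access control and encryption as the secret itself. The functions below inspect a `terraform show -json` dump; the state document is a constructed sample.

```shell
#!/bin/sh
# Added example: inspect a `terraform show -json` dump for plaintext secrets.
# `sensitive = true` redacts CLI output only; secret_data from the data source and the
# google_sql_user password are still written to state, so the dump is itself a secret.
set -eu

# Constructed sample dump in the `terraform show -json` shape (not real state).
SAMPLE_STATE='{
  "format_version": "1.0",
  "values": { "root_module": { "resources": [
    { "address": "data.google_secret_manager_secret_version.db_password",
      "values": { "secret": "db-password", "version": "3", "secret_data": "MySecretPassword123" },
      "sensitive_values": { "secret_data": true } },
    { "address": "google_sql_user.app_user",
      "values": { "name": "app_user", "password": "MySecretPassword123" },
      "sensitive_values": { "password": true } },
    { "address": "google_sql_database_instance.main",
      "values": { "name": "charges-db", "connection_name": "example-project:europe-west2:charges-db" },
      "sensitive_values": {} }
  ] } }
}'

# state_has_value STATE_JSON VALUE: exit 0 if the literal value occurs anywhere in the dump.
# Run it with the value just written to Secret Manager to prove whether state carries it.
state_has_value() {
  printf '%s' "$1" | grep -qF -- "$2"
}

# state_secret_keys STATE_JSON: attribute names with a secret-looking key and a non-empty
# string value, i.e. what a leaked state file would hand over (sorted, unique).
state_secret_keys() {
  printf '%s' "$1" \
    | grep -oiE '"(secret_data|password|private_key|[a-z_]*token|[a-z_]*api_key)" *: *"[^"]+"' \
    | sed -E 's/^"([^"]+)".*/\1/' \
    | sort -u
}

# state_secret_addresses STATE_JSON: resource addresses whose values block holds a
# plaintext secret_data or password string (sorted, unique).
state_secret_addresses() {
  printf '%s' "$1" \
    | awk '/"address":/ { addr = $0; sub(/.*"address": *"/, "", addr); sub(/".*/, "", addr) }
           /"(secret_data|password)": *"[^"]+"/ { print addr }' \
    | sort -u
}

# Live use (the file must be protected like the secret itself):
#   terraform show -json > state.json
#   state_secret_addresses "$(cat state.json)"
if state_has_value "$SAMPLE_STATE" "MySecretPassword123"; then
  echo "plaintext secret in state; restrict and encrypt the backend, never commit state"
fi
state_secret_addresses "$SAMPLE_STATE"
```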

Step 8: Secret Security Best Practices

Least Privilege:
```hcl
# ❌ Grant broad access
resource "google_secret_manager_secret_iam_member" "all_access" {
  secret_id = "db-password"
  role      = "roles/secretmanager.admin" # Too powerful
  member    = "serviceAccount:..."
}

# ✅ Grant only what's needed
resource "google_secret_manager_secret_iam_member" "reader" {
  secret_id = "db-password"
  role      = "roles/secretmanager.secretAccessor" # Read-only
  member    = "serviceAccount:..."
}
```

**Rotation Schedule**:
- Database passwords: Every 30 days
- API keys: Every 90 days
- JWTs: As needed
- Document rotation schedule in runbooks

**Audit Trail**:
```bash
# View secret access logs (AccessSecretVersion entries appear only when Data Access
# audit logs are enabled for Secret Manager)
gcloud logging read 'protoPayload.serviceName="secretmanager.googleapis.com"' \
  --limit 50 \
  --format=json | jq '.[] | {timestamp: .timestamp, protoPayload}'
```
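An added example (not part of the original skill) that reviews the audit trail above: Secret Manager log entries are read in the tab-separated `value(...)` format of `gcloud logging read` and checked against an allowlist of expected readers, flagging unexpected `AccessSecretVersion` principals and destructive or IAM-changing methods. The allowlist, project name and log lines are constructed.

```shell
#!/bin/sh
# Added example: review Secret Manager audit log lines against an allowlist of expected
# readers. Input is the tab-separated output of
#   gcloud logging read 'protoPayload.serviceName="secretmanager.googleapis.com"' \
#     --format="value(timestamp,protoPayload.authenticationInfo.principalEmail,protoPayload.methodName,protoPayload.resourceName)"
# (AccessSecretVersion entries appear only when Data Access audit logs are enabled).
set -eu

# Constructed allowlist: "secret principal" per line (not a real project's readers).
ALLOWLIST='db-password app-runtime@example-project.iam.gserviceaccount.com
api-key app-runtime@example-project.iam.gserviceaccount.com'

# Constructed sample log lines in the value() format above (not real log data).
SAMPLE_LOGS="$(printf '%s\t%s\t%s\t%s\n' \
  2024-05-01T10:00:00Z app-runtime@example-project.iam.gserviceaccount.com \
    google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion \
    projects/example-project/secrets/db-password/versions/3 \
  2024-05-01T10:05:00Z alice@example.com \
    google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion \
    projects/example-project/secrets/db-password/versions/3 \
  2024-05-01T10:07:00Z app-runtime@example-project.iam.gserviceaccount.com \
    google.cloud.secretmanager.v1.SecretManagerService.DestroySecretVersion \
    projects/example-project/secrets/api-key/versions/1)"

# secret_of RESOURCE_NAME: secret id from projects/P/secrets/S[/versions/V]
secret_of() {
  printf '%s\n' "$1" | sed -E 's#^projects/[^/]+/secrets/([^/]+).*#\1#'
}

# allowed SECRET PRINCIPAL: exit 0 if the pair is on the allowlist
allowed() {
  printf '%s\n' "$ALLOWLIST" | grep -qxF -- "$1 $2"
}

# review_logs: stdin TSV -> one finding per suspicious entry; exit 0 only when clean.
# Reads by an unlisted principal and destructive or IAM-changing methods are flagged.
review_logs() {
  findings=0
  tab="$(printf '\t')"
  while IFS="$tab" read -r ts principal method resource; do
    secret="$(secret_of "$resource")"
    case "$method" in
      *.AccessSecretVersion)
        if ! allowed "$secret" "$principal"; then
          echo "UNEXPECTED READER: $ts $principal read $secret"
          findings=$((findings + 1))
        fi ;;
      *.DestroySecretVersion|*.DeleteSecret|*.SetIamPolicy)
        echo "DESTRUCTIVE: $ts $principal ${method##*.} on $secret"
        findings=$((findings + 1)) ;;
    esac
  done
  [ "$findings" -eq 0 ]
}

# count_findings LOG_TEXT: number of findings, for scripting and tests.
count_findings() {
  printf '%s\n' "$1" | review_logs | wc -l | tr -d ' '
}

# Live use: pipe the gcloud command above into review_logs.
printf '%s\n' "$SAMPLE_LOGS" | review_logs || echo "audit review found issues"
```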

Examples

Example 1: Complete Cloud SQL Setup with Secret Manager

```hcl
# variables.tf
variable "environment" {
  type = string
}

# main.tf
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.26"
    }
  }
}

provider "google" {
  project = "ecp-wtr-supplier-charges-${var.environment}"
  region  = "europe-west2"
}

# Read database password from Secret Manager
data "google_secret_manager_secret_version" "db_password" {
  secret = "database-password-${var.environment}"
}

# Get service account for Cloud SQL
data "google_service_account" "cloudsql_instance" {
  account_id = "cloudsql-instance"
}

# Create Cloud SQL instance
resource "google_sql_database_instance" "charges_db" {
  name             = "supplier-charges-db-${var.environment}"
  database_version = "POSTGRES_15"
  region           = "europe-west2"

  settings {
    tier = var.environment == "prod" ? "db-custom-2-7680" : "db-f1-micro"

    backup_configuration {
      enabled = true
    }

    # Ownership labels (labels do not encrypt anything)
    user_labels = {
      environment = var.environment
      managed_by  = "terraform"
    }
  }
}

# Create database
resource "google_sql_database" "charges" {
  name     = "supplier_charges"
  instance = google_sql_database_instance.charges_db.name
}

# Create user with secret password
resource "google_sql_user" "app_user" {
  name     = "app_user"
  instance = google_sql_database_instance.charges_db.name
  password = data.google_secret_manager_secret_version.db_password.secret_data
}

# Grant service account access to secret
resource "google_secret_manager_secret_iam_member" "db_password" {
  secret_id = "database-password-${var.environment}"
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${data.google_service_account.cloudsql_instance.email}"
}

# Outputs (marked sensitive)
output "database_connection" {
  value = {
    host     = google_sql_database_instance.charges_db.private_ip_address
    port     = 5432
    database = google_sql_database.charges.name
    user     = google_sql_user.app_user.name
  }
  sensitive = true
}

output "database_name" {
  value = google_sql_database.charges.name
}
```

Example 2: GKE Deployment with Secrets

```hcl
# secrets.tf
data "google_secret_manager_secret_version" "db_password" {
  secret = "db-password-${var.environment}"
}

data "google_secret_manager_secret_version" "jwt_secret" {
  secret = "jwt-secret-${var.environment}"
}

# kubernetes_secrets.tf
resource "kubernetes_secret" "app_secrets" {
  metadata {
    name      = "app-secrets"
    namespace = "production"
  }

  data = {
    "DB_PASSWORD" = data.google_secret_manager_secret_version.db_password.secret_data
    "JWT_SECRET"  = data.google_secret_manager_secret_version.jwt_secret.secret_data
    "DB_HOST"     = google_sql_database_instance.charges_db.private_ip_address
  }

  type = "Opaque"
}

# deployment.tf
resource "kubernetes_deployment" "charges_service" {
  metadata {
    name      = "charges-service"
    namespace = "production"
  }

  spec {
    replicas = 3

    # selector and matching pod labels are required by the provider
    selector {
      match_labels = { app = "charges-service" }
    }

    template {
      metadata {
        labels = { app = "charges-service" }
      }

      spec {
        container {
          name  = "charges-service"
          image = "gcr.io/project/charges:1.0.0"

          # Mount secrets as environment variables
          env_from {
            secret_ref {
              name = kubernetes_secret.app_secrets.metadata[0].name
            }
          }

          # Override specific values
          env {
            name  = "LOG_LEVEL"
            value = var.environment == "prod" ? "info" : "debug"
          }
        }
      }
    }
  }
}
```

Example 3: Secret Rotation Pipeline

```bash
#!/bin/bash
# rotate_secrets.sh
set -e

SECRET_NAME=$1
ENVIRONMENT=$2

if [ -z "$SECRET_NAME" ] || [ -z "$ENVIRONMENT" ]; then
  echo "Usage: ./rotate_secrets.sh SECRET_NAME ENVIRONMENT"
  echo "Example: ./rotate_secrets.sh db-password prod"
  exit 1
fi

FULL_SECRET_NAME="${SECRET_NAME}-${ENVIRONMENT}"
echo "Rotating secret: $FULL_SECRET_NAME"

# 1. Generate new value
NEW_SECRET=$(openssl rand -base64 32)

# 2. Create new version in Secret Manager
echo -n "$NEW_SECRET" | gcloud secrets versions add "$FULL_SECRET_NAME" \
  --data-file=-
echo "New version created"

# 3. Update Terraform state (plan shown first)
cd terraform/
terraform plan

# 4. Apply to update applications
terraform apply -auto-approve

# 5. Restart pods so they read the new value, then wait for the rollout
kubectl rollout restart deployment/charges-service -n production
kubectl rollout status deployment/charges-service -n production
echo "Secret rotation complete"
```

Requirements

  • Terraform 1.x+
  • Google Cloud provider v5.26+
  • Google Secret Manager enabled in GCP
  • Service account with secretmanager.secretAccessor role
  • gcloud CLI for secret management

Enable APIs:
```bash
gcloud services enable secretmanager.googleapis.com
```

See Also

  • terraform skill - General reference
  • terraform-gcp-integration - GCP resources
  • terraform-troubleshooting - Debugging secrets