gcp secret manager

src/coverage/google.md

@@ -1,6 +1,6 @@
 # todo google
 
-Resource percentage coverage   7.79
+Resource percentage coverage   7.77
 Datasource percentage coverage 30.42
 
 ./resource.ps1 google_access_context_manager_access_level
@@ -21,6 +21,7 @@ Datasource percentage coverage 30.42
 ./resource.ps1 google_alloydb_backup
 ./resource.ps1 google_alloydb_cluster
 ./resource.ps1 google_alloydb_instance
+./resource.ps1 google_alloydb_user
 ./resource.ps1 google_api_gateway_api
 ./resource.ps1 google_api_gateway_api_config
 ./resource.ps1 google_api_gateway_api_config_iam_binding
@@ -319,6 +320,7 @@ Datasource percentage coverage 30.42
 ./resource.ps1 google_data_loss_prevention_stored_info_type
 ./resource.ps1 google_data_pipeline_pipeline
 ./resource.ps1 google_database_migration_service_connection_profile
+./resource.ps1 google_database_migration_service_private_connection
 ./resource.ps1 google_dataflow_flex_template_job
 ./resource.ps1 google_dataflow_job
 ./resource.ps1 google_dataform_repository
@@ -626,16 +628,12 @@ Datasource percentage coverage 30.42
 ./resource.ps1 google_project_iam_audit_config
 ./resource.ps1 google_project_iam_policy
 ./resource.ps1 google_project_organization_policy
-./resource.ps1 google_project_service_identity
 ./resource.ps1 google_project_services
 ./resource.ps1 google_project_usage_export_bucket
 ./resource.ps1 google_public_ca_external_account_key
 ./resource.ps1 google_pubsub_subscription_iam_binding
 ./resource.ps1 google_pubsub_subscription_iam_member
 ./resource.ps1 google_pubsub_subscription_iam_policy
-./resource.ps1 google_pubsub_topic_iam_binding
-./resource.ps1 google_pubsub_topic_iam_member
-./resource.ps1 google_pubsub_topic_iam_policy
 ./resource.ps1 google_recaptcha_enterprise_key
 ./resource.ps1 google_redis_cluster
 ./resource.ps1 google_redis_instance
@@ -654,11 +652,6 @@ Datasource percentage coverage 30.42
 ./resource.ps1 google_scc_source_iam_binding
 ./resource.ps1 google_scc_source_iam_member
 ./resource.ps1 google_scc_source_iam_policy
-./resource.ps1 google_secret_manager_secret
-./resource.ps1 google_secret_manager_secret_iam_binding
-./resource.ps1 google_secret_manager_secret_iam_member
-./resource.ps1 google_secret_manager_secret_iam_policy
-./resource.ps1 google_secret_manager_secret_version
 ./resource.ps1 google_security_scanner_scan_config
 ./resource.ps1 google_service_directory_endpoint
 ./resource.ps1 google_service_directory_namespace

src/files_gcp.go

@@ -165,3 +165,15 @@ var googlePubsubSchema []byte
 
 //go:embed  mapping/google/resource/pubsub/google_pubsub_subscription.json
 var googlePubsubSubscription []byte
+
+//go:embed  mapping/google/resource/pubsub/google_pubsub_topic_iam_binding.json
+var googlePubsubTopicIam []byte
+
+//go:embed  mapping/google/resource/secretmanager/google_secret_manager_secret.json
+var googleSecretManagerSecret []byte
+
+//go:embed  mapping/google/resource/secretmanager/google_secret_manager_secret_iam_binding.json
+var googleSecretManagerSecretIam []byte
+
+//go:embed  mapping/google/resource/secretmanager/google_secret_manager_secret_version.json
+var googleSecretManagerSecretVersion []byte

src/gcp.go

@@ -54,6 +54,13 @@ func GCPLookup(result string) interface{} {
 		"google_bigquery_job":                             googleBigqueryJob,
 		"google_bigquery_table":                           placeholder,
 		"google_bigtable_instance":                        googleBigtableInstance,
+		"google_bigtable_instance_iam_binding":            googleBigTableInstanceIam,
+		"google_bigtable_instance_iam_member":             googleBigTableInstanceIam,
+		"google_bigtable_instance_iam_policy":             googleBigTableInstanceIam,
+		"google_bigtable_table":                           googleBigtableTable,
+		"google_bigtable_table_iam_binding":               googleBigTableTableIam,
+		"google_bigtable_table_iam_member":                googleBigTableTableIam,
+		"google_bigtable_table_iam_policy":                googleBigTableTableIam,
 		"google_cloudfunctions_function":                  googleCloudfunctionsFunction,
 		"google_cloudfunctions_function_iam_member":       googleCloudfunctionsFunctionIamPolicy,
 		"google_cloudfunctions_function_iam_policy":       googleCloudfunctionsFunctionIamPolicy,
@@ -80,10 +87,22 @@ func GCPLookup(result string) interface{} {
 		"google_project_iam_binding":                      googleProjectIamBinding,
 		"google_project_iam_custom_role":                  googleProjectIamCustomRole,
 		"google_project_iam_member":                       googleProjectIamBinding,
+		"google_project_service":                          googleProjectService,
+		"google_project_service_identity":                 placeholder,
 		"google_pubsub_lite_reservation":                  googlePubsubLiteReservation,
 		"google_pubsub_lite_subscription":                 googlePubsubLiteSubscription,
 		"google_pubsub_lite_topic":                        googlePubsubLiteTopic,
+		"google_pubsub_schema":                            googlePubsubSchema,
+		"google_pubsub_subscription":                      googlePubsubSubscription,
 		"google_pubsub_topic":                             googlePubsubTopic,
+		"google_pubsub_topic_iam_binding":                 googlePubsubTopicIam,
+		"google_pubsub_topic_iam_member":                  googlePubsubTopicIam,
+		"google_pubsub_topic_iam_policy":                  googlePubsubTopicIam,
+		"google_secret_manager_secret":                    googleSecretManagerSecret,
+		"google_secret_manager_secret_iam_binding":        googleSecretManagerSecretIam,
+		"google_secret_manager_secret_iam_member":         googleSecretManagerSecretIam,
+		"google_secret_manager_secret_iam_policy":         googleSecretManagerSecretIam,
+		"google_secret_manager_secret_version":            googleSecretManagerSecretVersion,
 		"google_service_account":                          googleServiceAccount,
 		"google_service_account_iam_binding":              googleServiceAccountIamBinding,
 		"google_service_account_iam_member":               googleServiceAccountIamMember,
@@ -98,16 +117,6 @@ func GCPLookup(result string) interface{} {
 		"google_storage_bucket_acl":                       googleStorageBucketACL,
 		"google_storage_bucket_iam_binding":               googleStorageBucketIamBinding,
 		"google_storage_bucket_object":                    googleStorageBucketObject,
-		"google_bigtable_table":                           googleBigtableTable,
-		"google_bigtable_instance_iam_policy":             googleBigTableInstanceIam,
-		"google_bigtable_instance_iam_member":             googleBigTableInstanceIam,
-		"google_bigtable_instance_iam_binding":            googleBigTableInstanceIam,
-		"google_bigtable_table_iam_binding":               googleBigTableTableIam,
-		"google_bigtable_table_iam_member":                googleBigTableTableIam,
-		"google_bigtable_table_iam_policy":                googleBigTableTableIam,
-		"google_pubsub_schema":                            googlePubsubSchema,
-		"google_pubsub_subscription":                      googlePubsubSubscription,
-		"google_project_service":                          googleProjectService,
 	}
 
 	return TFLookup[result]

src/mapping/google/resource/pubsub/google_pubsub_topic_iam_binding.json

@@ -0,0 +1,14 @@
+[
+  {
+    "apply": [
+      "pubsub.topics.getIamPolicy",
+      "pubsub.topics.setIamPolicy"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]

src/mapping/google/resource/secretmanager/google_secret_manager_secret.json

@@ -0,0 +1,22 @@
+[
+  {
+    "apply": [
+      "secretmanager.secrets.create",
+      "secretmanager.secrets.get",
+      "secretmanager.secrets.update",
+      "secretmanager.secrets.delete"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "secretmanager.secrets.delete"
+    ],
+    "modify": [
+      "secretmanager.secrets.update"
+    ],
+    "plan": [
+      "secretmanager.secrets.get"
+    ]
+  }
+]

src/mapping/google/resource/secretmanager/google_secret_manager_secret_iam_binding.json

@@ -0,0 +1,14 @@
+[
+  {
+    "apply": [
+      "secretmanager.secrets.getIamPolicy",
+      "secretmanager.secrets.setIamPolicy"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]

src/mapping/google/resource/secretmanager/google_secret_manager_secret_version.json

@@ -0,0 +1,21 @@
+[
+  {
+    "apply": [
+      "secretmanager.versions.add",
+      "secretmanager.versions.enable",
+      "secretmanager.versions.get",
+      "secretmanager.versions.access",
+      "secretmanager.versions.destroy"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "secretmanager.versions.destroy"
+    ],
+    "modify": [],
+    "plan": [
+      "secretmanager.versions.get"
+    ]
+  }
+]

terraform/google/backup/google_artifact_registry_repository_iam_binding.tf

@@ -5,6 +5,6 @@ resource "google_artifact_registry_repository_iam_binding" "pike" {
   role       = "roles/artifactregistry.reader"
   members = [
     "user:james.woolfenden@gmail.com",
-    "user:crwoolfenden@gmail.com"
+    "user:anonymous@gmail.com"
   ]
 }

terraform/google/backup/google_artifact_registry_repository_iam_member.tf

@@ -3,5 +3,5 @@ resource "google_artifact_registry_repository_iam_member" "pike" {
   location   = google_artifact_registry_repository.pike.location
   repository = google_artifact_registry_repository.pike.name
   role       = "roles/artifactregistry.reader"
-  member     = "user:crwoolfenden@gmail.com"
+  member     = "user:anonymous@gmail.com"
 }

terraform/google/backup/google_artifact_registry_repository_iam_policy.tf

@@ -3,7 +3,7 @@ data "google_iam_policy" "admin" {
     role = "roles/artifactregistry.reader"
     members = [
       "user:james.woolfenden@gmail.com",
-      "user:crwoolfenden@gmail.com",
+      "user:anonymous@gmail.com",
     ]
   }
 }

terraform/google/backup/google_bigtable_table_iam_binding.tf

@@ -3,7 +3,7 @@ data "google_iam_policy" "admin" {
   binding {
     role = "roles/bigtable.user"
     members = [
-      "user:crwoolfenden@gmail.com",
+      "user:anonymous@gmail.com",
     ]
   }
 }

terraform/google/backup/google_project_service_identity.tf

@@ -0,0 +1,12 @@
+data "google_project" "project" {}
+
+resource "google_project_service_identity" "hc_sa" {
+  provider = google-beta
+
+  project = data.google_project.project.project_id
+  service = "healthcare.googleapis.com"
+}
+
+output "identity" {
+  value = google_project_service_identity.hc_sa
+}

terraform/google/backup/google_pubsub_topic_iam_binding.tf

@@ -0,0 +1 @@
+resource "google_pubsub_topic_iam_binding" "pike" {}

terraform/google/backup/google_pubsub_topic_iam_member.tf

@@ -0,0 +1,5 @@
+resource "google_pubsub_topic_iam_member" "pike" {
+  topic  = "projects/pike-gcp/topics/pike"
+  member = "user:anonymous@gmail.com"
+  role   = "roles/viewer"
+}

terraform/google/backup/google_pubsub_topic_iam_policy.tf

@@ -0,0 +1 @@
+resource "google_pubsub_topic_iam_policy" "pike" {}

terraform/google/backup/google_secret_manager_secret.tf

@@ -0,0 +1,11 @@
+resource "google_secret_manager_secret" "pike" {
+  secret_id = "secret-version"
+
+  labels = {
+    label = "my-label"
+  }
+
+  replication {
+    auto {}
+  }
+}

terraform/google/backup/google_secret_manager_secret_iam_binding.tf

@@ -0,0 +1 @@
+resource "google_secret_manager_secret_iam_binding" "pike" {}

terraform/google/backup/google_secret_manager_secret_iam_member.tf

@@ -0,0 +1,5 @@
+resource "google_secret_manager_secret_iam_member" "pike" {
+  member    = "user:anonymous@gmail.com"
+  secret_id = google_secret_manager_secret.pike.id
+  role      = "roles/secretmanager.secretAccessor"
+}

terraform/google/backup/google_secret_manager_secret_iam_policy.tf

@@ -0,0 +1 @@
+resource "google_secret_manager_secret_iam_policy" "pike" {}

terraform/google/backup/google_secret_manager_secret_version.tf

@@ -0,0 +1,4 @@
+resource "google_secret_manager_secret_version" "pike" {
+  secret_data = "mysecret"
+  secret      = google_secret_manager_secret.pike.id
+}

terraform/google/backup/google_service_account_iam_binding.tf

@@ -8,6 +8,6 @@ resource "google_service_account_iam_binding" "admin-account-iam" {
   role               = "roles/iam.serviceAccountUser"
 
   members = [
-    "user:crwoolfenden@gmail.com",
+    "user:anonymous@gmail.com",
   ]
 }

terraform/google/backup/google_service_account_iam_member.tf

@@ -6,5 +6,5 @@ resource "google_service_account" "sa" {
 resource "google_service_account_iam_member" "pike" {
   service_account_id = google_service_account.sa.name
   role               = "roles/iam.serviceAccountUser"
-  member             = "user:crwoolfenden@gmail.com"
+  member             = "user:anonymous@gmail.com"
 }

terraform/google/role/google_project_iam_custom_role.tf

@@ -4,20 +4,27 @@ resource "google_project_iam_custom_role" "pike" {
   title       = "pike terraform user"
   description = "A user with least privileges"
   permissions = [
-
-    //google_project_service
-    "serviceusage.services.get",
-    "serviceusage.services.list",
-    "serviceusage.services.enable",
-    "serviceusage.services.disable",
-
     "resourcemanager.projects.get",
-    #    "iam.serviceAccounts.list",
-    #    "iam.serviceAccounts.setIamPolicy",
-    #    "iam.serviceAccounts.getIamPolicy",
-    #    "iam.serviceAccounts.undelete"
 
+    //google_pubsub_topic_iam_member
+    "pubsub.topics.getIamPolicy",
+    "pubsub.topics.setIamPolicy",
+
+    //google_secret_manager_secret
+    "secretmanager.secrets.create",
+    "secretmanager.secrets.get",
+    "secretmanager.secrets.update",
+    "secretmanager.secrets.delete",
 
+    //google_secret_manager_secret_iam_member
+    "secretmanager.secrets.getIamPolicy",
+    "secretmanager.secrets.setIamPolicy",
 
+    //google_secret_manager_secret_version
+    "secretmanager.versions.add",
+    "secretmanager.versions.enable",
+    "secretmanager.versions.get",
+    "secretmanager.versions.access",
+    "secretmanager.versions.destroy"
   ]
 }