feature: Set sensitive variables

filippolmt · filippolmt · commit 88cc064ce057 · 2025-06-19T12:32:59.000+02:00
diff --git a/cloudsql_dumps_bucket.tf b/cloudsql_dumps_bucket.tf
@@ -35,7 +35,7 @@ resource "google_storage_bucket" "cloudsql_dumps" {
 
   lifecycle_rule {
     action {
-      type = "SetStorageClass"
+      type          = "SetStorageClass"
       storage_class = "COLDLINE"
     }
     condition {
diff --git a/examples/test.tfvars b/examples/test.tfvars
@@ -15,7 +15,7 @@ my_drupal_projects_list = [
     bucket_name                     = "test-project-bucket-name"
     bucket_append_random_suffix     = false
     bucket_enable_disaster_recovery = false
-    bucket_labels                   = {
+    bucket_labels = {
       "project" = "test-project"
       "env"     = "stage"
     }
diff --git a/secrets.tf b/secrets.tf
@@ -1,19 +1,22 @@
 locals {
-  map_of_drupal_buckets = var.create_buckets == true ? {
+  map_of_drupal_buckets = var.create_buckets ? {
     for o in local.drupal_buckets_list : o.name => o
   } : {}
-  map_of_drupal_databases = trimspace(var.cloudsql_instance_name) != "" && trimspace(var.cloudsql_privileged_user_name) != "" && trimspace(var.cloudsql_privileged_user_password) != "" && var.create_databases_and_users == true ? {
+  map_of_drupal_databases = trimspace(var.cloudsql_instance_name) != "" && trimspace(var.cloudsql_privileged_user_name) != "" && trimspace(var.cloudsql_privileged_user_password) != "" && var.create_databases_and_users ? {
     for o in local.drupal_database_and_user_list : o.database => o
   } : {}
-  map_of_output_drupal_databases = trimspace(var.cloudsql_instance_name) != "" && trimspace(var.cloudsql_privileged_user_name) != "" && trimspace(var.cloudsql_privileged_user_password) != "" && var.create_databases_and_users == true ? {
+  map_of_drupal_databases_indexed = {
+    for idx, o in local.map_of_drupal_databases : tostring(idx) => o
+  }
+  map_of_output_drupal_databases = trimspace(var.cloudsql_instance_name) != "" && trimspace(var.cloudsql_privileged_user_name) != "" && trimspace(var.cloudsql_privileged_user_password) != "" && var.create_databases_and_users ? {
     for o in module.drupal_databases_and_users[0].sql_users_creds : o.database => o
   } : {}
 }
 
 resource "kubernetes_secret" "bucket_secret_name" {
   for_each = {
     for o in local.map_of_drupal_buckets : o.name => o
-    if var.create_buckets == true
+    if var.create_buckets
   }
 
   metadata {
@@ -23,7 +26,7 @@ resource "kubernetes_secret" "bucket_secret_name" {
     name        = each.value.helm_release_name == null ? "drupal-${each.value.release_branch_name}-${each.value.project_id}-bucket" : "${each.value.helm_release_name}-bucket"
     namespace   = var.use_existing_kubernetes_namespaces ? each.value.namespace : kubernetes_namespace.namespace[each.value.namespace].metadata[0].name
     annotations = {}
-    labels = var.default_k8s_labels
+    labels      = var.default_k8s_labels
   }
   data = {
     "endpoint"         = each.value.host
@@ -36,8 +39,8 @@ resource "kubernetes_secret" "bucket_secret_name" {
 
 resource "kubernetes_secret" "database_secret_name" {
   for_each = {
-    for o in local.map_of_drupal_databases : o.database => o
-    if trimspace(o.namespace) != "" && var.create_databases_and_users == true
+    for idx, o in local.map_of_drupal_databases_indexed : idx => o
+    if trimspace(o.namespace) != "" && var.create_databases_and_users
   }
   metadata {
     # If not specified, we suppose that the Helm release name is defined with
@@ -46,13 +49,13 @@ resource "kubernetes_secret" "database_secret_name" {
     name        = each.value.helm_release_name == null ? "drupal-${each.value.release_branch_name}-${each.value.project_id}-db-user" : "${each.value.helm_release_name}-db-user"
     namespace   = var.use_existing_kubernetes_namespaces ? each.value.namespace : kubernetes_namespace.namespace[each.value.namespace].metadata[0].name
     annotations = {}
-    labels = var.default_k8s_labels
+    labels      = var.default_k8s_labels
   }
   data = {
     "endpoint" = each.value.host != null ? each.value.host : ""
     "port"     = each.value.port
-    "database" = local.map_of_output_drupal_databases[each.key].database
-    "username" = local.map_of_output_drupal_databases[each.key].user
-    "password" = local.map_of_output_drupal_databases[each.key].password
+    "database" = local.map_of_output_drupal_databases[each.value.database].database
+    "username" = local.map_of_output_drupal_databases[each.value.database].user
+    "password" = local.map_of_output_drupal_databases[each.value.database].password
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -23,6 +23,7 @@ variable "cloudsql_privileged_user_name" {
 variable "cloudsql_privileged_user_password" {
   type        = string
   description = "The password of the privileged user of the Cloud SQL instance"
+  sensitive   = true
   default     = ""
 }
 

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ resource "google_storage_bucket" "cloudsql_dumps" {`
`35`	`35`
`36`	`36`	`lifecycle_rule {`
`37`	`37`	`action {`
`38`		`- type = "SetStorageClass"`
	`38`	`+ type = "SetStorageClass"`
`39`	`39`	`storage_class = "COLDLINE"`
`40`	`40`	`}`
`41`	`41`	`condition {`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ my_drupal_projects_list = [`
`15`	`15`	`bucket_name = "test-project-bucket-name"`
`16`	`16`	`bucket_append_random_suffix = false`
`17`	`17`	`bucket_enable_disaster_recovery = false`
`18`		`- bucket_labels = {`
	`18`	`+ bucket_labels = {`
`19`	`19`	`"project" = "test-project"`
`20`	`20`	`"env" = "stage"`
`21`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ variable "cloudsql_privileged_user_name" {`
`23`	`23`	`variable "cloudsql_privileged_user_password" {`
`24`	`24`	`type = string`
`25`	`25`	`description = "The password of the privileged user of the Cloud SQL instance"`
	`26`	`+ sensitive = true`
`26`	`27`	`default = ""`
`27`	`28`	`}`
`28`	`29`