feature: Set sensitive variables

filippolmt · filippolmt · commit cdffbcd05271 · 2025-06-19T14:04:27.000+02:00
diff --git a/cloudsql_dumps_bucket.tf b/cloudsql_dumps_bucket.tf
@@ -35,7 +35,7 @@ resource "google_storage_bucket" "cloudsql_dumps" {
 
   lifecycle_rule {
     action {
-      type = "SetStorageClass"
+      type          = "SetStorageClass"
       storage_class = "COLDLINE"
     }
     condition {
diff --git a/examples/test.tfvars b/examples/test.tfvars
@@ -15,7 +15,7 @@ my_drupal_projects_list = [
     bucket_name                     = "test-project-bucket-name"
     bucket_append_random_suffix     = false
     bucket_enable_disaster_recovery = false
-    bucket_labels                   = {
+    bucket_labels = {
       "project" = "test-project"
       "env"     = "stage"
     }
diff --git a/secrets.tf b/secrets.tf
@@ -2,57 +2,66 @@ locals {
   map_of_drupal_buckets = var.create_buckets == true ? {
     for o in local.drupal_buckets_list : o.name => o
   } : {}
-  map_of_drupal_databases = trimspace(var.cloudsql_instance_name) != "" && trimspace(var.cloudsql_privileged_user_name) != "" && trimspace(var.cloudsql_privileged_user_password) != "" && var.create_databases_and_users == true ? {
+
+  map_of_drupal_databases = (
+    trimspace(var.cloudsql_instance_name) != "" &&
+    trimspace(var.cloudsql_privileged_user_name) != "" &&
+    trimspace(var.cloudsql_privileged_user_password) != "" &&
+    var.create_databases_and_users == true
+    ) ? {
     for o in local.drupal_database_and_user_list : o.database => o
   } : {}
-  map_of_output_drupal_databases = trimspace(var.cloudsql_instance_name) != "" && trimspace(var.cloudsql_privileged_user_name) != "" && trimspace(var.cloudsql_privileged_user_password) != "" && var.create_databases_and_users == true ? {
+
+  map_of_output_drupal_databases = (
+    trimspace(var.cloudsql_instance_name) != "" &&
+    trimspace(var.cloudsql_privileged_user_name) != "" &&
+    trimspace(var.cloudsql_privileged_user_password) != "" &&
+    var.create_databases_and_users == true
+    ) ? {
     for o in module.drupal_databases_and_users[0].sql_users_creds : o.database => o
   } : {}
+
+  drupal_databases_keys = (
+    var.create_databases_and_users == true ?
+    [
+      for o in local.drupal_database_and_user_list : o.database
+      if trimspace(o.namespace) != ""
+    ] : []
+  )
 }
 
 resource "kubernetes_secret" "bucket_secret_name" {
-  for_each = {
-    for o in local.map_of_drupal_buckets : o.name => o
-    if var.create_buckets == true
-  }
+  for_each = local.map_of_drupal_buckets
 
   metadata {
-    # If not specified, we suppose that the Helm release name is defined with
-    # the following convention (the default of sparkfabrik/pkg_drupal):
-    # PKG_DRUPAL_HELM_RELEASE_NAME: drupal-${CI_COMMIT_REF_SLUG}-${CI_PROJECT_ID}
     name        = each.value.helm_release_name == null ? "drupal-${each.value.release_branch_name}-${each.value.project_id}-bucket" : "${each.value.helm_release_name}-bucket"
     namespace   = var.use_existing_kubernetes_namespaces ? each.value.namespace : kubernetes_namespace.namespace[each.value.namespace].metadata[0].name
     annotations = {}
-    labels = var.default_k8s_labels
+    labels      = var.default_k8s_labels
   }
   data = {
-    "endpoint"         = each.value.host
-    "name"             = module.drupal_buckets[0].buckets_access_credentials[each.key].bucket_name
-    "username"         = module.drupal_buckets[0].buckets_access_credentials[each.key].access_id
-    "password"         = module.drupal_buckets[0].buckets_access_credentials[each.key].secret
-    "nginx_osb_bucket" = "https://${each.value.host}/${module.drupal_buckets[0].buckets_access_credentials[each.key].bucket_name}${each.value.legacy_public_files_path}"
+    endpoint         = each.value.host
+    name             = module.drupal_buckets[0].buckets_access_credentials[each.key].bucket_name
+    username         = module.drupal_buckets[0].buckets_access_credentials[each.key].access_id
+    password         = module.drupal_buckets[0].buckets_access_credentials[each.key].secret
+    nginx_osb_bucket = "https://${each.value.host}/${module.drupal_buckets[0].buckets_access_credentials[each.key].bucket_name}${each.value.legacy_public_files_path}"
   }
 }
 
 resource "kubernetes_secret" "database_secret_name" {
-  for_each = {
-    for o in local.map_of_drupal_databases : o.database => o
-    if trimspace(o.namespace) != "" && var.create_databases_and_users == true
-  }
+  for_each = toset(local.drupal_databases_keys)
+
   metadata {
-    # If not specified, we suppose that the Helm release name is defined with
-    # the following convention (the default of sparkfabrik/pkg_drupal):
-    # PKG_DRUPAL_HELM_RELEASE_NAME: drupal-${CI_COMMIT_REF_SLUG}-${CI_PROJECT_ID}
-    name        = each.value.helm_release_name == null ? "drupal-${each.value.release_branch_name}-${each.value.project_id}-db-user" : "${each.value.helm_release_name}-db-user"
-    namespace   = var.use_existing_kubernetes_namespaces ? each.value.namespace : kubernetes_namespace.namespace[each.value.namespace].metadata[0].name
+    name        = local.map_of_drupal_databases[each.key].helm_release_name == null ? "drupal-${local.map_of_drupal_databases[each.key].release_branch_name}-${local.map_of_drupal_databases[each.key].project_id}-db-user" : "${local.map_of_drupal_databases[each.key].helm_release_name}-db-user"
+    namespace   = var.use_existing_kubernetes_namespaces ? local.map_of_drupal_databases[each.key].namespace : kubernetes_namespace.namespace[local.map_of_drupal_databases[each.key].namespace].metadata[0].name
     annotations = {}
-    labels = var.default_k8s_labels
+    labels      = var.default_k8s_labels
   }
   data = {
-    "endpoint" = each.value.host != null ? each.value.host : ""
-    "port"     = each.value.port
-    "database" = local.map_of_output_drupal_databases[each.key].database
-    "username" = local.map_of_output_drupal_databases[each.key].user
-    "password" = local.map_of_output_drupal_databases[each.key].password
+    endpoint = local.map_of_drupal_databases[each.key].host != null ? local.map_of_drupal_databases[each.key].host : ""
+    port     = local.map_of_drupal_databases[each.key].port
+    database = local.map_of_output_drupal_databases[each.key].database
+    username = local.map_of_output_drupal_databases[each.key].user
+    password = local.map_of_output_drupal_databases[each.key].password
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -23,6 +23,7 @@ variable "cloudsql_privileged_user_name" {
 variable "cloudsql_privileged_user_password" {
   type        = string
   description = "The password of the privileged user of the Cloud SQL instance"
+  sensitive   = true
   default     = ""
 }
 

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ resource "google_storage_bucket" "cloudsql_dumps" {`
`35`	`35`
`36`	`36`	`lifecycle_rule {`
`37`	`37`	`action {`
`38`		`- type = "SetStorageClass"`
	`38`	`+ type = "SetStorageClass"`
`39`	`39`	`storage_class = "COLDLINE"`
`40`	`40`	`}`
`41`	`41`	`condition {`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@ my_drupal_projects_list = [`
`15`	`15`	`bucket_name = "test-project-bucket-name"`
`16`	`16`	`bucket_append_random_suffix = false`
`17`	`17`	`bucket_enable_disaster_recovery = false`
`18`		`- bucket_labels = {`
	`18`	`+ bucket_labels = {`
`19`	`19`	`"project" = "test-project"`
`20`	`20`	`"env" = "stage"`
`21`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ variable "cloudsql_privileged_user_name" {`
`23`	`23`	`variable "cloudsql_privileged_user_password" {`
`24`	`24`	`type = string`
`25`	`25`	`description = "The password of the privileged user of the Cloud SQL instance"`
	`26`	`+ sensitive = true`
`26`	`27`	`default = ""`
`27`	`28`	`}`
`28`	`29`