hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

google_secret_manager_secret doesn't have ${secret_id} as standalone attribute #18267

Open abower-digimarc opened 1 month ago

abower-digimarc commented 1 month ago

Description

Currently, google_secret_manager_secret has two identical attributes: id and name. According to the doc, these both spit out identical strings that are prepended with the project id path.

However, when assigning secrets to container environment variables, the format requires alphanumeric, hyphen, or underscore only. This means the name and id attribute of a created secret are incompatible with passing into cloud run container secret env vars. I'd like an option to get the name/id alone without the path out of the object.

```
Error 400: service.spec.template.spec.containers[0].env[1].value_from.secret_key_ref.name: should have only alphanumeric characters, hyphens, or underscores
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.BadRequest",
│     "fieldViolations": [
│       {
│         "description": "should have only alphanumeric characters, hyphens, or underscores",
│         "field": "service.spec.template.spec.containers[0].env[1].value_from.secret_key_ref.name"
│       }
│     ]
│   }
│ ]
```

New or Affected Resource(s)

Potential Terraform Configuration

```hcl
resource "google_secret_manager_secret" "redis_password" {
  secret_id = "myResource-redis-password-${var.region}"
  replication {
    user_managed {
      replicas {
        location = var.region
      }
    }
  }
}

resource "google_secret_manager_secret_version" "redis_password_value" {
  secret      = google_secret_manager_secret.redis_password.id
  secret_data = data.secretsmanager_field.redis_password.value
}

# env block of the google_cloud_run_service container (fragment as posted;
# closing braces added so it parses, and the version key quoted as a string)
env {
  name = "REDIS_PASSWORD"
  value_from {
    secret_key_ref {
      key  = "latest"
      name = resource.google_secret_manager_secret.redis_password.name
    }
  }
}
```

References

No response

b/344606298

SarahFrench commented 4 weeks ago

Hi @abower-digimarc, thanks for opening this issue. From reading through your config I wonder if referencing the secret_id like below would help solve your issue?

```diff
 resource "google_secret_manager_secret" "redis_password" {
   secret_id = "myResource-redis-password-${var.region}"
   replication {
     user_managed {
       replicas {
         location = var.region
       }
     }
   }
 }

 resource "google_secret_manager_secret_version" "redis_password_value" {
   secret      = google_secret_manager_secret.redis_password.id
   secret_data = data.secretsmanager_field.redis_password.value
 }

 # env block of the google_cloud_run_service container
 env {
   name = "REDIS_PASSWORD"
   value_from {
     secret_key_ref {
       key  = "latest"
-      name = resource.google_secret_manager_secret.redis_password.name
+      name = resource.google_secret_manager_secret.redis_password.secret_id
     }
   }
 }
```

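The following is an added, complete configuration illustrating the point of this thread; it is not the issue author's config nor anything from the provider's own docs. It wires the secret into a `google_cloud_run_service` container using `secret_id` (the bare id the API accepts) rather than `id`/`name` (the `projects/.../secrets/...` path), and grants read access to a dedicated runtime service account scoped to that single secret. Variable names, the service account, the service name and the container image are assumptions chosen for the example; the `secret_key_ref` fields are the ones documented at the link below.

```hcl
# Added example (not from the issue or the provider docs). Assumed inputs:
# var.region and var.redis_password; service/SA names and the image are placeholders.

variable "region" { type = string }
variable "redis_password" {
  type      = string
  sensitive = true
}

resource "google_secret_manager_secret" "redis_password" {
  secret_id = "myResource-redis-password-${var.region}"
  replication {
    user_managed {
      replicas {
        location = var.region
      }
    }
  }
}

resource "google_secret_manager_secret_version" "redis_password_value" {
  # The full resource path is the right value here.
  secret      = google_secret_manager_secret.redis_password.id
  secret_data = var.redis_password
}

# Dedicated runtime identity, so the default compute service account needs no secret access.
resource "google_service_account" "run" {
  account_id   = "redis-consumer-run"          # placeholder name
  display_name = "Cloud Run runtime identity (example)"
}

# Least privilege: accessor role on this one secret only, not project-wide.
resource "google_secret_manager_secret_iam_member" "run_can_read" {
  secret_id = google_secret_manager_secret.redis_password.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.run.email}"
}

resource "google_cloud_run_service" "app" {
  name     = "redis-consumer"                  # placeholder name
  location = var.region

  template {
    spec {
      service_account_name = google_service_account.run.email
      containers {
        image = "us-docker.pkg.dev/cloudrun/container/hello" # placeholder image
        env {
          name = "REDIS_PASSWORD"
          value_from {
            secret_key_ref {
              # Bare secret id: .id and .name would return projects/<project>/secrets/<secret_id>,
              # which the API rejects for this field ("should have only alphanumeric characters,
              # hyphens, or underscores").
              name = google_secret_manager_secret.redis_password.secret_id
              key  = "latest"
            }
          }
        }
      }
    }
  }

  # Ensure a version exists and the IAM binding is in place before the revision starts.
  depends_on = [
    google_secret_manager_secret_version.redis_password_value,
    google_secret_manager_secret_iam_member.run_can_read,
  ]
}

# Side by side: what the two attributes of the secret resource actually contain.
output "secret_full_path" {
  value = google_secret_manager_secret.redis_password.id # projects/<project>/secrets/<secret_id>
}

output "secret_short_id" {
  value = google_secret_manager_secret.redis_password.secret_id
}
```

Two design choices worth noting: the secret value enters only through a `sensitive` variable (or a data source, as in the original config), never a literal in state-tracked code, and the IAM binding is attached to the secret rather than granted at project level, so the Cloud Run identity can read nothing beyond the one secret it needs.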
SarahFrench commented 4 weeks ago

Note from triage: Forwarding this as a documentation issue

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service#nested_secret_key_ref