feat: Add support for Google provider v5

Google provider v5 enforced a change in how automatic replication was
specified; this change makes the `automatic` => `auto` stanza change and
supports setting a KMS key for Google-managed replication with a user
provided KMS key through the variable `auto_replication_kms_key_name`.

The newer versions of Google provider also support `annotations` in
addition to `labels`; this commit adds an optional `annotations`
variable.
Closes #76

.talismanrc

@@ -1,4 +1,6 @@
 # spell-checker: ignore fileignoreconfig tfvars
+---
+version: ""
 fileignoreconfig:
 - filename: .github/workflows/pre-commit.yml
   checksum: 079f171fdbd654d9e637f509bd9372cfc44f959ae4ff4d56d1cd810577f3ffd6
@@ -15,17 +17,17 @@ fileignoreconfig:
 - filename: examples/user-managed-replication/terraform.tfvars.example
   checksum: d619606a155c5b9a63def97d621913240b58f8d36672d005a0cb39bccda26c1b
 - filename: README.md
-  checksum: 92877d805e8077452846c87778b2a5db5394753e9287818828cd080a3728db70
+  checksum: c461ea9595035f9d14448d0efecdf615d639e39cfc533afb1555395d5739f7b0
 - filename: examples/generated-secret/main.tf
   checksum: 37c8edd39b841077663467bd9053e4041092b05b040f107bd8fcb2b1adb04670
 - filename: modules/random/main.tf
   checksum: 64cbbdabd2a425a9e7fd9c1db9107b5d7874befb660dbe62c9b9c5d1be9f97f2
 - filename: main.tf
-  checksum: 5c1b49174ea34816fd635dbbd8c4e41d2109f045789be3c62d02f0e4bea2c2c9
+  checksum: 363761215db80e4a3c42ed13fb65a3065b6dcf76adc04c6e2a448ea0b912f52d
 - filename: examples/simple/main.tf
   checksum: b26086277af49d853473caea9f0bbbb62ebb6b7fd16ccde74f57f9d0d9b63444
 - filename: variables.tf
-  checksum: c58645b1901328c54b510d6464d803f9de4fc466ca49b94c496d46db34d5d4cc
+  checksum: 95224f6924751d18b26f6def930ab78a0e15ecc34fa7f0802a6a1c13bb2b8e59
 - filename: examples/user-managed-replication-accessors/main.tf
   checksum: af29e994e68a7587c981ac1dc962a402e604caecf1942098272266706ee42d15
 - filename: modules/random/README.md
@@ -83,7 +85,7 @@ fileignoreconfig:
 - filename: CHANGELOG.md
   checksum: c65416e7d46d4c5fd6439a5b65d8352c729756deffb6c9632ef0e0ebaa695ac2
 - filename: examples/all-options/variables.tf
-  checksum: 9ac418a296be758e18f999197e3e4f57b41778e97b667e563961ecba76207daf
+  checksum: af986c416750a05afc2ca54e1ec5dec54e05b64c4c1b3e0267687c187a2453fa
 - filename: examples/all-options/main.tf
   checksum: 9ece2caccbaad2c1757c3f22efdf0524263828ec0169e071bdd7dbf609db723a
 - filename: examples/with-random-provider/main.tf
@@ -93,13 +95,13 @@ fileignoreconfig:
 - filename: test/fixtures/root/main.tf
   checksum: 0a8d2ebd6a964d9d4299f3324ea1ec94da554109ab78008bb9c066987e18b863
 - filename: examples/all-options/terraform.tfvars.example
-  checksum: 244b9a19555925b7bede1e21fead0c46f99d7486cbf0fc66f3e77636e7ae0b7e
+  checksum: 108bba52493f2087b0473c7a7d7699e2c360d1aaca481c7abf4f19690100253a
 - filename: examples/user-managed-replication-with-keys/terraform.tfvars.example
   checksum: 79f5b2b606dd10da32bc52656e6dc84d1dfdbd99fb97eb28fcde1ec258cffcfa
 - filename: examples/user-managed-replication/main.tf
   checksum: 3d0bc5e4ad597079f7b610f807c4f99b88622089c167c06a8eebba290986e9dc
 - filename: examples/all-options/README.md
-  checksum: 758371447a65e07a77cd3f05587dbd6b4cae25a953579a08769da1f1ae1ac9d3
+  checksum: 2dc780a8f8ff037b8f31410e4ffceb70f8762f1bb4685d89b29cb8ac1a417046
 - filename: test/fixtures/issue-51/main.tf
   checksum: 8137269ccdf2c8a7331362d741f503688eee2aa1fb2d7400a94c16f2cd2bd4ad
 - filename: test/fixtures/examples/all-options/outputs.tf
@@ -120,3 +122,9 @@ fileignoreconfig:
   checksum: 16d3ea66d4928cf49d1c4bd7548cf1229eac6147e6cea5861923244462ad9c6d
 - filename: test/fixtures/examples/user-managed-replication/outputs.tf
   checksum: 9feb5c2c831d2c4c9428764a47f6387f64137a4618af4c63b6f07a7aeac183ab
+- filename: examples/auto-replication-with-key/terraform.tfvars.example
+  checksum: 577e0024d50c1a082885f771532d277fff0d257744f5ff5f6e304b1f312654a8
+- filename: examples/auto-replication-with-key/README.md
+  checksum: 70755383374742276cba85d1419669fc1105ca8eb54240c7ce2052fe41f03aca
+- filename: examples/auto-replication-with-key/main.tf
+  checksum: fa05dae1cfe5adaaa444f7e778845c3334d9b09a3c0ab3de4e8c8185d4b51e72

README.md

@@ -15,7 +15,7 @@ in GCP [Secret Manager](https://cloud.google.com/secret-manager) with Terraform
 Given a project identifier, the module will create a new secret, or update an
 existing secret version, so that it contains the value provided. An optional list
 of IAM user, group, or service account identifiers can be provided and each of
-the identifiers will be granted `roles/secretmanager.secretAccessor` on th
+the identifiers will be granted `roles/secretmanager.secretAccessor` on the secret.
 
 ```hcl
 module "secret" {
@@ -36,7 +36,7 @@ module "secret" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14.5 |
-| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.8, <5 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.83 |
 
 ## Modules
 
@@ -58,8 +58,10 @@ No modules.
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The GCP project identifier where the secret will be created. | `string` | n/a | yes |
 | <a name="input_secret"></a> [secret](#input\_secret) | The secret payload to store in Secret Manager; if blank or null a versioned secret<br>value will NOT be created and must be populated outside of this module. Binary<br>values should be base64 encoded before use. | `string` | n/a | yes |
 | <a name="input_accessors"></a> [accessors](#input\_accessors) | An optional list of IAM account identifiers that will be granted accessor (read-only)<br>permission to the secret. | `list(string)` | `[]` | no |
+| <a name="input_annotations"></a> [annotations](#input\_annotations) | An optional map of annotation key:value pairs to assign to the secret resources.<br>Default is an empty map. | `map(string)` | `{}` | no |
+| <a name="input_auto_replication_kms_key_name"></a> [auto\_replication\_kms\_key\_name](#input\_auto\_replication\_kms\_key\_name) | An optional Cloud KMS key name to use with Google managed replication. If the value is empty (default), then a Google<br>managed key will be used for encryption of the secret. See `replication` variable for examples. | `string` | `""` | no |
 | <a name="input_labels"></a> [labels](#input\_labels) | An optional map of label key:value pairs to assign to the secret resources.<br>Default is an empty map. | `map(string)` | `{}` | no |
-| <a name="input_replication"></a> [replication](#input\_replication) | An optional map of replication configurations for the secret. If the map is empty<br>(default), then automatic replication will be used for the secret. If the map is<br>not empty, replication will be configured for each key (region) and, optionally,<br>will use the provided Cloud KMS keys.<br><br>NOTE: If Cloud KMS keys are used, a Cloud KMS key must be provided for every<br>region key.<br><br>E.g. to use automatic replication policy (default)<br>replication = {}<br><br>E.g. to force secrets to be replicated only in us-east1 and us-west1 regions,<br>with Google managed encryption keys<br>replication = {<br>  "us-east1" = null<br>  "us-west1" = null<br>}<br><br>E.g. to force secrets to be replicated only in us-east1 and us-west1 regions, but<br>use Cloud KMS keys from each region.<br>replication = {<br>  "us-east1" = { kms\_key\_name = "my-east-key-name" }<br>  "us-west1" = { kms\_key\_name = "my-west-key-name" }<br>} | <pre>map(object({<br>    kms_key_name = string<br>  }))</pre> | `{}` | no |
+| <a name="input_replication"></a> [replication](#input\_replication) | An optional map of replication configurations for the secret. If the map is empty<br>(default), then automatic replication will be used for the secret. If the map is<br>not empty, replication will be configured for each key (region) and, optionally,<br>will use the provided Cloud KMS keys.<br><br>NOTE: If Cloud KMS keys are used, a Cloud KMS key must be provided for every<br>region key.<br><br>E.g. to use automatic replication policy with Google managed keys(default)<br>replication = {}<br><br>E.g. to use automatic replication policy with specific Cloud KMS key,<br>auto\_replication\_kms\_key\_name = "my-global-key-name"<br>replication = {}<br><br>E.g. to force secrets to be replicated only in us-east1 and us-west1 regions,<br>with Google managed encryption keys<br>replication = {<br>  "us-east1" = null<br>  "us-west1" = null<br>}<br><br>E.g. to force secrets to be replicated only in us-east1 and us-west1 regions, but<br>use Cloud KMS keys from each region.<br>replication = {<br>  "us-east1" = { kms\_key\_name = "my-east-key-name" }<br>  "us-west1" = { kms\_key\_name = "my-west-key-name" }<br>} | <pre>map(object({<br>    kms_key_name = string<br>  }))</pre> | `{}` | no |
 
 ## Outputs
 

examples/accessors/main.tf

@@ -5,14 +5,14 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.18"
+      version = ">= 4.83"
     }
   }
 }
 
 module "secret" {
   source     = "memes/secret-manager/google"
-  version    = "2.1.2"
+  version    = "2.2.0"
   project_id = var.project_id
   id         = var.id
   secret     = var.secret

examples/all-options/README.md

@@ -1,6 +1,9 @@
 # Generated Secret with all options
 
-This example shows how to specify every option available.
+This example shows how to specify almost* every available option.
+
+> \* `auto_replication_kms_key_name` is left unspecified since the module will create the secret with user specified
+> encryption replication as determined by the `replication` variable.
 
 ## Example at a glance
 
@@ -18,6 +21,7 @@ This example shows how to specify every option available.
 # Example TF vars file
 project_id = "my-project-id"
 id = "my-secret-id"
+secret = "T0pS3cretP@ssword!"
 replication = {
     "us-east1" = {
         kms_key_name = "projects/my-project-id/locations/us-east1/keyRings/my-east-keyring/cryptoKeys/east-key"
@@ -32,4 +36,9 @@ labels = {
     "cost_center": "product_dev",
     "owner": "jane_at_example_com"
 }
+annotations = {
+    "stage": "dev",
+    "cost_center": "product_dev",
+    "owner": "jane_at_example_com"
+}
 ```

examples/all-options/main.tf

@@ -4,18 +4,19 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.18"
+      version = ">= 4.83"
     }
   }
 }
 
 module "secret" {
   source      = "memes/secret-manager/google"
-  version     = "2.1.2"
+  version     = "2.2.0"
   project_id  = var.project_id
   id          = var.id
   replication = var.replication
   secret      = var.secret
   accessors   = var.accessors
   labels      = var.labels
+  annotations = var.annotations
 }

examples/all-options/terraform.tfvars.example

@@ -1,6 +1,7 @@
 # Example TF vars file
 project_id = "my-project-id"
 id = "my-secret-id"
+secret = "T0pS3cretP@ssword!"
 replication = {
     "us-east1" = {
         kms_key_name = "projects/my-project-id/locations/us-east1/keyRings/my-east-keyring/cryptoKeys/east-key"
@@ -15,3 +16,8 @@ labels = {
     "cost_center": "product_dev",
     "owner": "jane_at_example_com"
 }
+annotations = {
+    "stage": "dev",
+    "cost_center": "product_dev",
+    "owner": "jane_at_example_com"
+}

examples/all-options/variables.tf

@@ -45,3 +45,10 @@ variable "labels" {
 An optional map of label key:value pairs to assign to the secret resources.
 EOD
 }
+
+variable "annotations" {
+  type        = map(string)
+  description = <<EOD
+An optional map of annotation key:value pairs to assign to the secret resources.
+EOD
+}

examples/auto-replication-with-key/README.md

@@ -0,0 +1,24 @@
+# Automatic Replication with
+
+This example shows how to allow Google to automatically manage secret replication across locations, and use a Cloud KMS
+encryption key to use for secret encryption.
+
+## Example at a glance
+
+|Item|Managed by Terraform|Description|
+|----|--------------------|-----------|
+|Access Control||Not managed by example; permissions to read the secret must be specified externally.|
+|Cloud KMS key||Not managed by example; a suitable KMS key for encryption/decryption must be created externally in global location.|
+|Replication|✓|Automatically managed by Secret Manager.|
+|Secret Value||User specified.|
+
+<!-- spell-checker: disable -->
+### Example terraform.tfvars
+
+```properties
+# Example TF vars file
+project_id = "my-project-id"
+id = "my-secret-id"
+secret = "T0pS3cretP@ssword!"
+auto_replication_kms_key_name = "projects/my-project-id/locations/global/keyRings/my-global-keyring/cryptoKeys/global-key"
+```

examples/auto-replication-with-key/main.tf

@@ -0,0 +1,20 @@
+# This file demonstrates applying user-defined replication options with customer
+# managed encryption keys from Cloud KMS.
+terraform {
+  required_version = ">= 0.14.5"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 4.83"
+    }
+  }
+}
+
+module "secret" {
+  source                        = "memes/secret-manager/google"
+  version                       = "2.2.0"
+  project_id                    = var.project_id
+  id                            = var.id
+  secret                        = var.secret
+  auto_replication_kms_key_name = var.auto_replication_kms_key_name
+}

examples/auto-replication-with-key/outputs.tf

@@ -0,0 +1,7 @@
+output "id" {
+  value = module.secret.id
+}
+
+output "secret_id" {
+  value = module.secret.secret_id
+}

examples/auto-replication-with-key/terraform.tfvars.example

@@ -0,0 +1,5 @@
+# Example TF vars file
+project_id = "my-project-id"
+id = "my-secret-id"
+secret = "T0pS3cretP@ssword!"
+auto_replication_kms_key_name = "projects/my-project-id/locations/global/keyRings/my-global-keyring/cryptoKeys/global-key"

examples/auto-replication-with-key/variables.tf

@@ -0,0 +1,27 @@
+variable "project_id" {
+  type        = string
+  description = <<EOD
+The GCP project identifier where the secret will be created.
+EOD
+}
+
+variable "id" {
+  type        = string
+  description = <<EOD
+The secret identifier to create; this value must be unique within the project.
+EOD
+}
+
+variable "auto_replication_kms_key_name" {
+  type        = string
+  description = <<EOD
+The Cloud KMS key name to use with Google managed replication.
+EOD
+}
+
+variable "secret" {
+  type        = string
+  description = <<EOD
+The secret payload to store in Secret Manager.
+EOD
+}

examples/empty-secret-value/main.tf

@@ -5,14 +5,14 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.18"
+      version = ">= 4.83"
     }
   }
 }
 
 module "secret" {
   source     = "memes/secret-manager/google"
-  version    = "2.1.2"
+  version    = "2.2.0"
   project_id = var.project_id
   id         = var.id
   secret     = null

examples/simple/main.tf

@@ -4,14 +4,14 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.18"
+      version = ">= 4.83"
     }
   }
 }
 
 module "secret" {
   source     = "memes/secret-manager/google"
-  version    = "2.1.2"
+  version    = "2.2.0"
   project_id = var.project_id
   id         = var.id
   secret     = var.secret

examples/user-managed-replication-accessors/main.tf

@@ -5,14 +5,14 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.18"
+      version = ">= 4.83"
     }
   }
 }
 
 module "secret" {
   source      = "memes/secret-manager/google"
-  version     = "2.1.2"
+  version     = "2.2.0"
   project_id  = var.project_id
   id          = var.id
   secret      = var.secret

examples/user-managed-replication-with-keys/main.tf

@@ -5,14 +5,14 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.18"
+      version = ">= 4.83"
     }
   }
 }
 
 module "secret" {
   source      = "memes/secret-manager/google"
-  version     = "2.1.2"
+  version     = "2.2.0"
   project_id  = var.project_id
   id          = var.id
   secret      = var.secret

examples/user-managed-replication/main.tf

@@ -4,14 +4,14 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.18"
+      version = ">= 4.83"
     }
   }
 }
 
 module "secret" {
   source      = "memes/secret-manager/google"
-  version     = "2.1.2"
+  version     = "2.2.0"
   project_id  = var.project_id
   id          = var.id
   secret      = var.secret

examples/with-random-provider/main.tf

@@ -5,7 +5,7 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = ">= 4.18"
+      version = ">= 4.83"
     }
     random = {
       source  = "hashicorp/random"
@@ -21,7 +21,7 @@ resource "random_string" "secret" {
   min_upper        = 2
   lower            = true
   min_lower        = 2
-  number           = true
+  numeric          = true
   min_numeric      = 2
   special          = true
   min_special      = 2
@@ -30,7 +30,7 @@ resource "random_string" "secret" {
 
 module "secret" {
   source     = "memes/secret-manager/google"
-  version    = "2.1.2"
+  version    = "2.2.0"
   project_id = var.project_id
   id         = var.id
   secret     = random_string.secret.result