Add option for sanctuary to create secrets in Google Secret Manager
Hello! While working on https://gitlab.developers.cam.ac.uk/uis/devops/devhub/gitlab-deploy/-/issues/425, I tried to use the new sanctuary tool. In the gitlab-deploy project we currently have no bootstrap project for external secrets, and I was not going to create one but use sanctuary instead. This repository is not a regular one, as we need to use secret values in the Helm chart and k8s objects (all described in Terraform). So my idea was to use sanctuary to sync 1Password secrets with Google SM and then use the secret values as data.google_secret_manager_secret_version.RESOURCE_NAME.secret_data. This concept works, but the problem is that if there is no pre-existing secret in Google SM the tool will fail with the following:
[error ] Error processing secret. error_message=Google secrets must be created before being set. secret_name=some-name
So it seems that if we want to drop the old approach (the one with bootstrap sub-projects based on our 1Password tf module) we need to add secret creation functionality to the sanctuary tool. Otherwise, we need to have a bootstrap project to create the secrets first, then sanctuary to sync the secrets, and finally logan to run the main project.
So I propose we add a parameter like:
--create
that indicates that secrets (if not found) must be created in the given GCP project.
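As an added illustration (not sanctuary's own code, and not code from the issue), the following Python sketch shows the create-if-missing behaviour a `--create` flag would add: look the secret up, create the empty secret container only when it is absent and the flag is set, then add the value as a new version. The `FakeSecretManagerClient`, the local `NotFound`/`AlreadyExists` exception classes, the project `demo-project` and the sample values are constructed assumptions that mirror the request shape of the real `google-cloud-secret-manager` client so the example runs offline; in production the real client and `google.api_core.exceptions` would take their place.

```python
"""Create-if-missing write of a secret value into Google Secret Manager.

Added example, not sanctuary's own code. The fake client below is a
constructed in-memory stand-in with the same request/response shape as
google.cloud.secretmanager.SecretManagerServiceClient.
"""
from dataclasses import dataclass, field


# Assumption: stand-ins for google.api_core.exceptions.NotFound / AlreadyExists,
# which the real client raises. The fake client raises these local equivalents.
class NotFound(Exception):
    pass


class AlreadyExists(Exception):
    pass


@dataclass
class Resource:
    """Minimal stand-in for a Secret / SecretVersion proto (only .name is used)."""
    name: str


@dataclass
class FakeSecretManagerClient:
    """Constructed in-memory Secret Manager: {secret_name: [version payloads]}."""
    secrets: dict = field(default_factory=dict)

    def get_secret(self, request):
        if request["name"] not in self.secrets:
            raise NotFound(request["name"])
        return Resource(name=request["name"])

    def create_secret(self, request):
        name = f'{request["parent"]}/secrets/{request["secret_id"]}'
        if name in self.secrets:
            raise AlreadyExists(name)
        self.secrets[name] = []
        return Resource(name=name)

    def add_secret_version(self, request):
        # Like the real service, adding a version to a missing container fails.
        if request["parent"] not in self.secrets:
            raise NotFound(request["parent"])
        versions = self.secrets[request["parent"]]
        versions.append(request["payload"]["data"])
        return Resource(name=f'{request["parent"]}/versions/{len(versions)}')


def set_secret(client, project: str, secret_id: str, value: bytes,
               create: bool = False) -> str:
    """Write ``value`` as a new version of projects/<project>/secrets/<secret_id>.

    Without ``create`` this reproduces the failure the issue reports: a missing
    secret is a hard error. With ``create`` the container is created first; an
    AlreadyExists from a concurrent creator is treated as success so the call
    stays idempotent. Returns the new version's resource name.
    """
    parent = f"projects/{project}"
    name = f"{parent}/secrets/{secret_id}"
    try:
        client.get_secret(request={"name": name})
    except NotFound:
        if not create:
            raise RuntimeError(
                f"Google secrets must be created before being set. secret_name={secret_id}"
            )
        try:
            # Automatic replication is the simplest policy; a real tool would
            # want to expose replication, labels and CMEK as options.
            client.create_secret(request={
                "parent": parent,
                "secret_id": secret_id,
                "secret": {"replication": {"automatic": {}}},
            })
        except AlreadyExists:
            pass  # lost a race with another creator; the container now exists
    version = client.add_secret_version(
        request={"parent": name, "payload": {"data": value}}
    )
    return version.name


if __name__ == "__main__":
    fake = FakeSecretManagerClient()
    print(set_secret(fake, "demo-project", "db-password", b"hunter2", create=True))
    print(set_secret(fake, "demo-project", "db-password", b"hunter3", create=True))
```

The second call finds the container already present and only adds a version, which is the steady-state behaviour the issue already relies on; only the first run of a new secret takes the creation branch.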