terraform-modules/service-account
2025-08-25 10:01:14 +00:00

Terraform Module: STACKIT Service Account

This module creates a STACKIT service account, optionally generates a key for it, and optionally attaches it to a server. It is intended to make service accounts and their keys manageable in a repeatable way.

The module itself does not store the key anywhere. Because the generated key JSON is a credential, the example below hands it to a secrets manager with the separate create-secret module, so consumers read it from there rather than from Terraform output.

Example Usage

module "service-account" {
  source                     = "./service-account" # Or a Git URL "git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public//terraform-modules/service-account"
  stackit_project_id         = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  service_account_name       = "my-service-account"
  service_account_create_key = true
}

# Save the generated key JSON to the secrets manager
variable "secret_manager_username" {
  description = "Username of the secrets manager used to store credentials"
  type        = string
  sensitive   = true
}

variable "secret_manager_password" {
  description = "Password of the secrets manager used to store credentials"
  type        = string
  sensitive   = true
}

module "service_account_key" {
  source                     = "./create-secret" # Or a Git URL "git::https://commerce-platform.git.onstackit.cloud/commerce-platform-public//terraform-modules/create-secret"
  secret_manager_instance_id = local.secret_manager_instance_id
  secret_manager_username    = var.secret_manager_username
  secret_manager_password    = var.secret_manager_password
  secrets_path               = "service-accounts/${module.service-account.service_account_name}"
  secret_data = {
    key_json = module.service-account.service_account_key_json
  }
}

Inputs

Key | Description | Type | Required | Default
stackit_project_id | ID of the STACKIT project the service account is created in (used in Example Usage above) | string | yes | -
service_account_name | Name of the service account | string | yes | -
service_account_create_key | Whether to create a key for the service account | bool | no | false
service_account_public_key | Public key of an RSA-2048 key pair to bind the service account key to. If omitted, STACKIT generates the key pair and returns the private key in the key JSON | string | no | null
service_account_rotate_when_changed | Arbitrary map; changing any value forces the key to be recreated (rotated) | map(string) | no | {}
service_account_ttl_days | Key validity in days | number | no | 90
attach_to_server | Whether to attach the service account to a server | bool | no | false
server_id | ID of the server to attach to; required when attach_to_server is true | string | no | ""

Notes

  • Treat the generated key JSON as a credential: store it in a secrets manager (the Example Usage does this with the create-secret module) and restrict access to the Terraform state, because module outputs are recorded there in plaintext even when marked sensitive.
  • The module does not rotate keys on its own. Change any value in service_account_rotate_when_changed to force the key to be recreated, and keep that change in step with service_account_ttl_days so a key is replaced before it expires.
  • Server attachment is off by default. Set attach_to_server = true and supply server_id to attach the service account to a server.
  • The module adds no special handling for deleting service accounts or keys (for example no lifecycle rules such as prevent_destroy). Add the Terraform lifecycle configuration you need, or manage deletion with external tools.
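The following is an added example, not code from the module or its README, showing the rotation and attachment inputs listed above used together. It assumes the input names from the Inputs table and the output names used in Example Usage (service_account_name, service_account_key_json); the project ID, server ID and the rotation marker value are placeholders, and local.secret_manager_instance_id is assumed to be defined elsewhere as in Example Usage.

```hcl
# Added example (not part of the module's README): scheduled key rotation
# plus server attachment. IDs below are placeholders.

locals {
  # Bump this value before the 90-day TTL runs out (for example once per
  # quarter). Any change to the rotation map forces the key to be recreated;
  # the value itself is only a marker and is never sent to STACKIT.
  key_rotation = "2025-Q3"
}

module "service-account" {
  source                     = "./service-account"
  stackit_project_id         = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # placeholder
  service_account_name       = "backup-runner"
  service_account_create_key = true
  service_account_ttl_days   = 90

  # Changing any value here replaces the key on the next apply.
  service_account_rotate_when_changed = {
    rotation = local.key_rotation
  }

  # Attachment is off by default; both inputs are needed to turn it on.
  attach_to_server = true
  server_id        = "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy" # placeholder
}

# Store the current key under a stable path; after a rotation the secret is
# overwritten with the new key and consumers must re-read it.
module "service_account_key" {
  source                     = "./create-secret"
  secret_manager_instance_id = local.secret_manager_instance_id # assumed defined elsewhere
  secret_manager_username    = var.secret_manager_username
  secret_manager_password    = var.secret_manager_password
  secrets_path               = "service-accounts/${module.service-account.service_account_name}"
  secret_data = {
    key_json = module.service-account.service_account_key_json
  }
}

# If the root module must re-export the key, mark it sensitive so it is
# redacted in plan/apply output. It is still written to Terraform state,
# so the state backend needs encryption and access control.
output "service_account_key_json" {
  value     = module.service-account.service_account_key_json
  sensitive = true
}
```

Running terraform plan after changing local.key_rotation should show the key resource being replaced while the service account itself is unchanged; if the service account is also planned for replacement, the rotation map is wired to the wrong resource.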