sparkfabrik · Stevesibilia · Oct 16, 2024 · Oct 15, 2024 · Oct 15, 2024 · Oct 15, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,12 @@ Following semver, any non backwards compatible feature implies that the next rel
 
 ## [Unreleased]
 
+## [0.7.0] - 2024-10-15
+
+[Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-artifact-registry/compare/0.6.0...0.7.0)
+
+- BREAKING: add support for GCP secret as password for remote repositories. Break backwards compatibility if using `username_password_credentials_password_secret_version` as it now stores the secret version (not the name).
+
 ## [0.6.0] - 2024-10-09
 
 [Compare with previous version](https://github.com/sparkfabrik/terraform-google-gcp-artifact-registry/compare/0.5.0...0.6.0)

diff --git a/main.tf b/main.tf
@@ -33,6 +33,26 @@ locals {
     }
   }
   custom_role_artifact_registry_lister_id = "projects/${var.project_id}/roles/${var.artifact_registry_listers_custom_role_name}"
+  remote_repositories = {
+    for repository_id, repository in var.repositories : repository_id => {
+      repository_id                                         = repository_id
+      username_password_credentials_username                = lookup(repository.remote_repository_config_docker, "username_password_credentials_username", "")
+      username_password_credentials_password_secret_name    = lookup(repository.remote_repository_config_docker, "username_password_credentials_password_secret_name", "")
+      username_password_credentials_password_secret_version = lookup(repository.remote_repository_config_docker, "username_password_credentials_password_secret_version", "latest")
+    }
+    if repository.mode == "REMOTE_REPOSITORY"
+  }
+}
+
+data "google_secret_manager_secret_version" "remote_repository_secrets" {
+  for_each = {
+    for key, value in local.remote_repositories : key => value
+    if alltrue([value.username_password_credentials_username != "", value.username_password_credentials_password_secret_name != ""])
+  }
+
+  project = var.project_id
+  secret  = each.value.username_password_credentials_password_secret_name
+  version = each.value.username_password_credentials_password_secret_version
 }
 
 resource "google_artifact_registry_repository" "repositories" {
@@ -109,12 +129,12 @@ resource "google_artifact_registry_repository" "repositories" {
       disable_upstream_validation = remote_repository_config.value.disable_upstream_validation
 
       dynamic "upstream_credentials" {
-        for_each = remote_repository_config.value.username_password_credentials_username != "" && remote_repository_config.value.username_password_credentials_password_secret_version != "" ? [remote_repository_config.value] : []
+        for_each = remote_repository_config.value.username_password_credentials_username != "" && remote_repository_config.value.username_password_credentials_password_secret_name != "" ? [remote_repository_config.value] : []
 
         content {
           username_password_credentials {
             username                = upstream_credentials.value.username_password_credentials_username
-            password_secret_version = upstream_credentials.value.username_password_credentials_password_secret_version
+            password_secret_version = data.google_secret_manager_secret_version.remote_repository_secrets[each.key].name
           }
         }
       }

diff --git a/variables.tf b/variables.tf
@@ -48,6 +48,7 @@ variable "repositories" {
       custom_repository_uri                                 = string
       disable_upstream_validation                           = optional(bool, false)
       username_password_credentials_username                = optional(string, "")
+      username_password_credentials_password_secret_name    = optional(string, "")
       username_password_credentials_password_secret_version = optional(string, "")
     }), null)
     readers  = optional(list(string), [])
@@ -71,6 +72,11 @@ variable "repositories" {
     condition     = alltrue([for policy in flatten([for repo in var.repositories : [for cp in repo.cleanup_policies : cp]]) : policy.most_recent_versions == {} || policy.most_recent_versions.keep_count == null || policy.most_recent_versions.keep_count >= 0])
     error_message = "Keep count must be a non-negative number."
   }
+
+  validation {
+    condition     = alltrue([for repo in var.repositories : repo.mode == "REMOTE_REPOSITORY" ? lookup(repo, "remote_repository_config_docker", null) != null : true])
+    error_message = "Remote repository configuration is required for the REMOTE_REPOSITORY mode."
+  }
 }
 
 variable "artifact_registry_listers_custom_role_name" {