possibility to use gsm secret for wg private key

modules/gcp/main.tf

@@ -8,11 +8,14 @@ module "wg_configs" {
   clients            = var.clients
   network_cidr       = var.network_cidr
   dns                = var.dns
+  use_gsm            = var.use_gsm
+  gsm_secret         = var.gsm_secret
 }
 
 # Create firewall rules allowing access to the instance
 resource "google_compute_firewall" "this" {
   name        = "${var.name}-firewall-rule"
+  project     = var.project_id
   network     = var.vpc_network
   description = "Wireguard instance inbound/outbound rules"
 
@@ -36,13 +39,15 @@ resource "google_compute_firewall" "this" {
 
 # create static/elastic IP and attach to wireguard server instance
 resource "google_compute_address" "this" {
-  name   = "${var.name}-static-ip-address"
-  region = var.region
+  name    = "${var.name}-static-ip-address"
+  project = var.project_id
+  region  = var.region
 }
 
 # Provision wireguard server instance
 resource "google_compute_instance" "this" {
   name         = var.name
+  project      = var.project_id
   machine_type = var.instance_type
   zone         = var.zone
   boot_disk {
@@ -66,4 +71,26 @@ resource "google_compute_instance" "this" {
   metadata = {
     ssh-keys = join("\n", [for ssh in var.ssh_keys : "${ssh.username}:${ssh.public_key}"])
   }
+
+  dynamic "service_account" {
+    for_each = var.use_gsm ? [1] : []
+    content {
+      email  = google_service_account.this[0].email
+      scopes = ["cloud-platform"]
+    }
+  }
+}
+
+resource "google_service_account" "this" {
+  count        = var.use_gsm ? 1 : 0
+  account_id   = "wireguard-sa"
+  display_name = "WireGuard Service Account"
+  project      = var.project_id
+}
+
+resource "google_project_iam_member" "this" {
+  count   = var.use_gsm ? 1 : 0
+  project = var.project_id
+  role    = "roles/secretmanager.secretAccessor"
+  member  = "serviceAccount:${google_service_account.this[0].email}"
 }

modules/gcp/variables.tf

@@ -3,6 +3,11 @@ variable "name" {
   description = "The name to use of instance/machine"
 }
 
+variable "project_id" {
+  type        = string
+  description = "The project where the resources will get deployed"
+}
+
 variable "vpc_network" {
   type        = string
   description = "The vpc name or self link where wireguard server instance will be created"
@@ -14,9 +19,10 @@ variable "vpc_subnetwork" {
   default     = ""
 }
 
-variable "server_private_key" { # TODO: we probably need to have this set as sensitive
+variable "server_private_key" { 
   type        = string
-  description = "Wireguard server private key, which can be generated using wg cli tool: `wg genkey > privatekey-server`"
+  default     = ""
+  description = "Wireguard server private key, which can be generated using wg cli tool: `wg genkey > privatekey-server`. Required if `use_gsm` flag is disabled"
 }
 
 variable "server_public_key" {
@@ -98,3 +104,15 @@ variable "ingress" {
   default     = ["0.0.0.0/0"] # default to all
   description = "The IPs/CIDRs from where the instance wireguard and ssh port are open to connect"
 }
+
+variable "use_gsm" {
+  type        = bool
+  default     = false
+  description = "The flag to use a secret from gsm for the wireguard server private key"
+}
+
+variable "gsm_secret" {
+  type        = string
+  default     = ""
+  description = "GSM secret name or self link to be used for the wireguard server private key. Required if `use_gsm` flag is enabled. Secret should be of format {'private_key':'value'}."
+}

modules/wg-configs/output.tf

@@ -5,6 +5,8 @@ output "startup_script" {
     server_private_key = var.server_private_key
     server_public_key  = var.server_public_key
     clients            = var.clients
+    use_gsm            = var.use_gsm
+    gsm_secret         = var.gsm_secret
   })
   description = "Wireguard server virtual-machine/instance init scrypt to create all needed configs for server"
 }

modules/wg-configs/templates/wireguard-server-init.sh.tpl

@@ -2,16 +2,23 @@
 
 echo "Wireguard setup started!" > /note.txt
 
-# install wireguard and neded tools
-apt update && apt -y install net-tools wireguard
+# install wireguard and needed tools
+apt update && apt -y install net-tools wireguard jq
 
 # create wireguard server configuration file
 mkdir -p /etc/wireguard
+
+%{ if use_gsm }
+server_private_key=$(gcloud secrets versions access latest --secret="${gsm_secret}" | jq -r .private_key)
+%{ else }
+server_private_key="${server_private_key}"
+%{ endif }
+
 cat > /etc/wireguard/wg0.conf <<- EOF
 [Interface]
 Address = ${network_cidr}
 ListenPort = ${server_port}
-PrivateKey = ${server_private_key}
+PrivateKey = $server_private_key
 PostUp = sysctl -w -q net.ipv4.ip_forward=1
 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ENI -j MASQUERADE
 PostDown = sysctl -w -q net.ipv4.ip_forward=0

modules/wg-configs/variables.tf

@@ -3,8 +3,9 @@ variable "server_public_ip" {
   description = "Wireguard server public static IP"
 }
 
-variable "server_private_key" { # TODO: we probably need to have this set as sensitive
+variable "server_private_key" {
   type        = string
+  default     = ""
   description = "Wireguard server private key, which can be generated using wg cli tool: `wg genkey > privatekey-server`"
 }
 
@@ -54,3 +55,15 @@ variable "ingress" {
   default     = ["0.0.0.0/0"] # default to all
   description = "The IPs/CIDRs from where the instance wireguard and ssh port are open to connect"
 }
+
+variable "use_gsm" {
+  type        = bool
+  default     = false
+  description = "Whether to use a secret from gsm for the wireguard server private key"
+}
+
+variable "gsm_secret" {
+  type        = string
+  default     = ""
+  description = "GSM secret name or self link to be used for the wireguard server private key. Required if use_gsm flag is enabled. Secret should be of format {'private_key':'value'}"
+}