# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: core.cnrm.cloud.google.com/v1alpha1
kind: ServiceMapping
metadata:
  name: secretmanager.cnrm.cloud.google.com
  namespace: cnrm-system
spec:
  name: SecretManager
  version: v1beta1
  serviceHostName: "secretmanager.googleapis.com"
  resources:
    - name: google_secret_manager_secret
      kind: SecretManagerSecret
      idTemplate: projects/{{project}}/secrets/{{secret_id}}
      idTemplateCanBeUsedToMatchResourceName: true
      resourceAvailableInAssetInventory: true
      metadataMapping:
        name: secret_id
        labels: labels
      resourceID:
        targetField: secret_id
      resourceReferences:
        - tfField: replication.user_managed.replicas.customer_managed_encryption.kms_key_name
          description: |-
            Customer Managed Encryption for the secret.
          key: kmsKeyRef
          gvk:
            kind: KMSCryptoKey
            version: v1beta1
            group: kms.cnrm.cloud.google.com
          targetField: self_link
        - tfField: topics.name
          description: |-
            A list of up to 10 Pub/Sub topics to which messages are
            published when control plane operations are called on the secret
            or its versions.
          valueTemplate: "projects/{{project}}/topics/{{value}}"
          key: topicRef
          gvk:
            kind: PubSubTopic
            version: v1beta1
            group: pubsub.cnrm.cloud.google.com
      iamConfig:
        policyName: google_secret_manager_secret_iam_policy
        policyMemberName: google_secret_manager_secret_iam_member
        referenceField:
          name: secret_id
          type: name
        supportsConditions: false
      containers:
        - type: project
          tfField: project
    - name: google_secret_manager_secret_version
      kind: SecretManagerSecretVersion
      # importer is broken -- doesn't break out the project and secret subfields
      idTemplateCanBeUsedToMatchResourceName: false
      resourceAvailableInAssetInventory: true
      serverGeneratedIDField: name
      resourceID:
        targetField: name
        valueTemplate: "{{secret}}/versions/{{value}}"
      resourceReferences:
        - tfField: secret
          description: |-
            Secret Manager secret resource
          key: secretRef
          gvk:
            kind: SecretManagerSecret
            version: v1beta1
            group: secretmanager.cnrm.cloud.google.com
          targetField: name
          parent: true