Added table Add table gcp_secret_manager_secret Closes #592 (#593)

docs/tables/gcp_secret_manager_secret.md

@@ -0,0 +1,116 @@
+---
+title: "Steampipe Table: gcp_secret_manager_secret - Query Google Cloud Platform Secret Manager Secrets using SQL"
+description: "Allows users to query Secret Manager secrets in Google Cloud Platform, providing details about the secrets stored within Secret Manager."
+---
+
+# Table: gcp_secret_manager_secret - Query Google Cloud Platform Secret Manager Secrets using SQL
+
+A Secret Manager Secret in Google Cloud Platform is a secure place to store and manage sensitive information, such as API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud.
+
+## Table Usage Guide
+
+The `gcp_secret_manager_secret` table provides insights into secrets stored within the Google Cloud Secret Manager. As a security engineer, you can explore secret-specific details through this table, including the associated project, creation time, expiration time, and other metadata. Utilize it to understand the distribution and lifecycle of secrets for better management and security.
+
+## Examples
+
+### List all secrets in a specific project
+Identify all the secrets stored within a specific Google Cloud project. This is useful for auditing and managing secrets within your project.
+
+```sql+postgres
+select
+  name,
+  project,
+  create_time,
+  expire_time
+from
+  gcp_secret_manager_secret
+where
+  project = 'my-gcp-project';
+```
+
+```sql+sqlite
+select
+  name,
+  project,
+  create_time,
+  expire_time
+from
+  gcp_secret_manager_secret
+where
+  project = 'my-gcp-project';
+```
+
+### Find secrets that are about to expire
+Identify secrets that are nearing their expiration date. This is useful for proactively managing and rotating secrets to maintain security.
+
+```sql+postgres
+select
+  name,
+  project,
+  expire_time
+from
+  gcp_secret_manager_secret
+where
+  expire_time < now() + interval '30 days';
+```
+
+```sql+sqlite
+select
+  name,
+  project,
+  expire_time
+from
+  gcp_secret_manager_secret
+where
+  expire_time < datetime('now', '+30 days');
+```
+
+### Get details of a specific secret
+Retrieve detailed information about a specific secret, including its labels, annotations, and replication policy.
+
+```sql+postgres
+select
+  name,
+  labels,
+  annotations,
+  replication,
+  ttl
+from
+  gcp_secret_manager_secret
+where
+  name = 'my-secret';
+```
+
+```sql+sqlite
+select
+  name,
+  labels,
+  annotations,
+  replication,
+  ttl
+from
+  gcp_secret_manager_secret
+where
+  name = 'my-secret';
+```
+
+### Get user managed replication details of secrets
+Retrieve replication details about the secrets.
+
+```sql+postgres
+select
+  name,
+  create_time,
+  replication -> 'userManaged' -> 'replicas' as user_managed_replicas
+from
+  gcp_secret_manager_secret;
+```
+
+```sql+sqlite
+select
+  name,
+  create_time,
+  json_extract(replication, '$.userManaged.replicas') as user_managed_replicas
+from
+  gcp_secret_manager_secret;
+```

gcp-test/tests/gcp_secret_manager_secret/test-get-expected.json

@@ -0,0 +1,7 @@
+[
+	{
+		"name": "{{ output.resource_name.value }}",
+		"project": "{{ output.project_id.value }}",
+		"title": "{{ output.resource_id.value }}"
+	}
+]

gcp-test/tests/gcp_secret_manager_secret/test-get-query.sql

@@ -0,0 +1,3 @@
+select name, title, project
+from gcp.gcp_secret_manager_secret
+where name = '{{ output.resource_name.value }}'

gcp-test/tests/gcp_secret_manager_secret/test-list-expected.json

@@ -0,0 +1,6 @@
+[
+	{
+		"name": "{{ output.resource_name.value }}",
+		"title": "{{ output.resource_id.value }}"
+	}
+]

gcp-test/tests/gcp_secret_manager_secret/test-list-query.sql

@@ -0,0 +1,3 @@
+select name, title
+from gcp.gcp_secret_manager_secret
+where akas::text = '["{{ output.resource_aka.value }}"]'

gcp-test/tests/gcp_secret_manager_secret/test-not-found-expected.json

@@ -0,0 +1 @@
+[]

gcp-test/tests/gcp_secret_manager_secret/test-not-found-query.sql

@@ -0,0 +1,3 @@
+select name
+from gcp.gcp_secret_manager_secret
+where name = 'dummy-{{ output.resource_name.value }}'

gcp-test/tests/gcp_secret_manager_secret/test-turbot-expected.json

@@ -0,0 +1,6 @@
+[
+	{
+		"akas": ["{{ output.resource_aka.value }}"],
+		"title": "{{ output.resource_id.value }}"
+	}
+]

gcp-test/tests/gcp_secret_manager_secret/test-turbot-query.sql

@@ -0,0 +1,3 @@
+select title, akas
+from gcp.gcp_secret_manager_secret
+where name = '{{ output.resource_name.value }}'

gcp-test/tests/gcp_secret_manager_secret/variables.json

@@ -0,0 +1 @@
+{}

gcp-test/tests/gcp_secret_manager_secret/variables.tf

@@ -0,0 +1,78 @@
+
+variable "resource_name" {
+  type        = string
+  default     = "turbot-test-20200125-create-update"
+  description = "Name of the resource used throughout the test."
+}
+
+variable "gcp_project" {
+  type        = string
+  default     = "parker-aaa"
+  description = "GCP project used for the test."
+}
+
+data "google_project" "current" {}
+
+variable "gcp_region" {
+  type        = string
+  default     = "us-east1"
+  description = "GCP region used for the test."
+}
+
+variable "gcp_zone" {
+  type    = string
+  default = "us-east1-b"
+}
+
+provider "google" {
+  project = var.gcp_project
+  region  = var.gcp_region
+  zone    = var.gcp_zone
+}
+
+data "google_client_config" "current" {}
+
+data "null_data_source" "resource" {
+  inputs = {
+    scope = "gcp://cloudresourcemanager.googleapis.com/projects/${data.google_client_config.current.project}"
+  }
+}
+
+resource "google_secret_manager_secret" "named_test_resource" {
+  secret_id = var.resource_name
+
+  labels = {
+    label = var.resource_name
+  }
+
+  replication {
+    user_managed {
+      replicas {
+        location = "us-central1"
+      }
+      replicas {
+        location = "us-east1"
+      }
+    }
+  }
+}
+
+output "resource_aka" {
+  value = "gcp://secretmanager.googleapis.com/projects/${data.google_project.current.number}/secrets/${var.resource_name}"
+}
+
+output "resource_id" {
+  value = "projects/${data.google_project.current.number}/secrets/${var.resource_name}"
+}
+
+output "resource_name" {
+  value = var.resource_name
+}
+
+output "project_id" {
+  value = var.gcp_project
+}
+
+output "project_number" {
+  value = data.google_project.current.number
+}

gcp/plugin.go

@@ -121,6 +121,7 @@ func Plugin(ctx context.Context) *plugin.Plugin {
 			"gcp_pubsub_subscription":                                 tableGcpPubSubSubscription(ctx),
 			"gcp_pubsub_topic":                                        tableGcpPubSubTopic(ctx),
 			"gcp_redis_instance":                                      tableGcpRedisInstance(ctx),
+			"gcp_secret_manager_secret":                               tableGcpSecretManagerSecret(ctx),
 			"gcp_service_account":                                     tableGcpServiceAccount(ctx),
 			"gcp_service_account_key":                                 tableGcpServiceAccountKey(ctx),
 			"gcp_sql_backup":                                          tableGcpSQLBackup(ctx),

gcp/service.go

@@ -32,6 +32,7 @@ import (
 	"google.golang.org/api/run/v2"
 	"google.golang.org/api/serviceusage/v1"
 	"google.golang.org/api/storage/v1"
+	"google.golang.org/api/secretmanager/v1"
 
 	computeBeta "google.golang.org/api/compute/v0.beta"
 	sqladmin "google.golang.org/api/sqladmin/v1beta4"
@@ -693,3 +694,23 @@ func RedisService(ctx context.Context, d *plugin.QueryData) (*redis.CloudRedisCl
 	d.ConnectionManager.Cache.Set(serviceCacheKey, svc)
 	return svc, nil
 }
+
+func SecretManagerService(ctx context.Context, d *plugin.QueryData) (*secretmanager.Service, error) {
+	// have we already created and cached the service?
+	serviceCacheKey := "RedisService"
+	if cachedData, ok := d.ConnectionManager.Cache.Get(serviceCacheKey); ok {
+		return cachedData.(*secretmanager.Service), nil
+	}
+
+	// To get config arguments from plugin config file
+	opts := setSessionConfig(ctx, d.Connection)
+
+	// so it was not in cache - create service
+	svc, err := secretmanager.NewService(ctx, opts...)
+	if err != nil {
+		return nil, err
+	}
+
+	d.ConnectionManager.Cache.Set(serviceCacheKey, svc)
+	return svc, nil
+}