adding in secret manager binding

Author: damienjburks

terraform/main.tf

@@ -47,6 +47,7 @@ module "gcp_python_fastapi_pipeline" {
   cloudbuild_trigger_name = "gcp-python-fastapi"
   description             = "Cloud Build Trigger for GCP Python FastAPI"
   github_repo_name        = "gcp-python-fastapi"
+  secret_id               = google_secret_manager_secret.snyk_token.id
 
   depends_on = [
     google_artifact_registry_repository.default,

terraform/modules/pipelines/main.tf

@@ -14,14 +14,20 @@ resource "google_project_iam_member" "cloud_build_roles" {
     "roles/storage.admin",
     "roles/logging.logWriter",
     "roles/iam.serviceAccountUser",
-    "roles/secretmanager.admin",
-    "roles/secretmanager.secretAssessor"
+    "roles/secretmanager.admin"
   ])
   project = var.project_id
   role    = each.value
   member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
 }
 
+resource "google_secret_manager_secret_iam_member" "secret_manager_binding" {
+  project   = var.project_id
+  secret_id = var.secret_id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+}
+
 resource "google_cloudbuild_trigger" "build_trigger" {
   name        = "gh-trigger-${var.cloudbuild_trigger_name}"
   description = var.description

terraform/modules/pipelines/variable.tf

@@ -27,4 +27,9 @@ variable "project_id" {
 variable "region" {
   description = "Region where the Cloud Build trigger will be created"
   type        = string
+}
+
+variable "secret_id" {
+  description = "ID of the secret to be injected into the Cloud Build"
+  type        = string
 }