
Commit 057ef1c

committed
adding in secret manager binding
1 parent 0599698 commit 057ef1c


3 files changed

+22
-3
lines changed

3 files changed

+22
-3
lines changed

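--- a/terraform/main.tf
+++ b/terraform/main.tf
@@ -35,6 +35,8 @@ resource "google_secret_manager_secret" "snyk_token" {
 resource "google_secret_manager_secret_version" "snyk_token_version" {
 secret = google_secret_manager_secret.snyk_token.id
 secret_data = var.SNYK_TOKEN
+
+depends_on = [google_secret_manager_secret.snyk_token]
 }
 
 # Pipelines
@@ -47,6 +49,7 @@ module "gcp_python_fastapi_pipeline" {
 cloudbuild_trigger_name = "gcp-python-fastapi"
 description = "Cloud Build Trigger for GCP Python FastAPI"
 github_repo_name = "gcp-python-fastapi"
+secret_id = google_secret_manager_secret.snyk_token.secret_id
 
 depends_on = [
 google_artifact_registry_repository.default,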
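Review bot: The added `depends_on = [google_secret_manager_secret.snyk_token]` in `snyk_token_version` is redundant, because `secret = google_secret_manager_secret.snyk_token.id` on the line above already creates that dependency implicitly; explicit `depends_on` should be reserved for dependencies Terraform cannot infer, so I would drop the two added lines. Unrelated to this commit but worth a note on the same resource: `secret_data = var.SNYK_TOKEN` lands the token in plaintext in the state file, so the state backend needs to be treated as secret material and the variable should be declared `sensitive = true` (its declaration is not visible here, so confirm). The `secret_id = ...snyk_token.secret_id` passed to the module in the second hunk hands the module the short secret name, which is what the secret-level IAM resources expect; the module block itself continues outside the hunk.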

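--- a/terraform/modules/pipelines/main.tf
+++ b/terraform/modules/pipelines/main.tf
@@ -13,15 +13,26 @@ resource "google_project_iam_member" "cloud_build_roles" {
 "roles/source.admin",
 "roles/storage.admin",
 "roles/logging.logWriter",
-"roles/iam.serviceAccountUser",
-"roles/secretmanager.admin",
-"roles/secretmanager.secretAssessor"
+"roles/iam.serviceAccountUser"
 ])
 project = var.project_id
 role = each.value
 member = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
 }
 
+resource "google_secret_manager_secret_iam_binding" "secret_manager_binding" {
+for_each = toset([
+"roles/secretmanager.secretAccessor",
+"roles/secretmanager.admin"
+])
+
+project = var.project_id
+secret_id = var.secret_id
+role = each.value
+
+members = ["serviceAccount:${google_service_account.cloudbuild_service_account.email}"]
+}
+
 resource "google_cloudbuild_trigger" "build_trigger" {
 name = "gh-trigger-${var.cloudbuild_trigger_name}"
 description = var.description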
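Review bot: The new `google_secret_manager_secret_iam_binding` still grants `roles/secretmanager.admin` to the Cloud Build service account, which lets a compromised build step add versions, change the secret's IAM policy or delete it; a build that only reads the token needs `roles/secretmanager.secretAccessor`, so the admin entry in the `for_each` set should go. Narrowing from project-level to secret-level is the right direction, but `_iam_binding` is authoritative per role: each apply replaces every member holding that role on the secret, so any other principal later given accessor on it (another pipeline, an operator) is silently removed; `google_secret_manager_secret_iam_member` grants the single member without that side effect. Note that `cloud_build_roles` above still grants `roles/storage.admin` and `roles/source.admin` at project scope (that resource starts outside the hunk), and `build_trigger` continues past the end of it.

```hcl
# Cloud Build only needs to read the secret value; grant the accessor role
# non-authoritatively so other principals' bindings on the secret are kept.
resource "google_secret_manager_secret_iam_member" "secret_manager_binding" {
  project   = var.project_id
  secret_id = var.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
}
```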

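--- a/terraform/modules/pipelines/variable.tf
+++ b/terraform/modules/pipelines/variable.tf
@@ -27,4 +27,9 @@ variable "project_id" {
 variable "region" {
 description = "Region where the Cloud Build trigger will be created"
 type = string
+}
+
+variable "secret_id" {
+description = "ID of the secret to be injected into the Cloud Build"
+type = string
 }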
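Review bot: The description of the new `secret_id` variable says the secret is "injected into the Cloud Build", but within this commit the module only uses it to bind IAM roles on the secret; whether the trigger actually exposes the value to build steps is not visible here, so the description should state the contract the module enforces and the expected format. I would use `description = "Short ID (not full resource name) of the Secret Manager secret the Cloud Build service account is granted access to"`. If the value must not be empty, a `validation` block (`condition = length(var.secret_id) > 0`) would catch a misconfigured caller at plan time rather than at apply.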
