adding in secret manager binding

damienjburks · damienjburks · commit 609a1f9f52cd · 2024-12-14T16:25:18.000-06:00
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -35,6 +35,8 @@ resource "google_secret_manager_secret" "snyk_token" {
 resource "google_secret_manager_secret_version" "snyk_token_version" {
   secret      = google_secret_manager_secret.snyk_token.id
   secret_data = var.SNYK_TOKEN
+
+  depends_on = [google_secret_manager_secret.snyk_token]
 }
 
 # Pipelines
@@ -47,6 +49,7 @@ module "gcp_python_fastapi_pipeline" {
   cloudbuild_trigger_name = "gcp-python-fastapi"
   description             = "Cloud Build Trigger for GCP Python FastAPI"
   github_repo_name        = "gcp-python-fastapi"
+  secret_id               = google_secret_manager_secret.snyk_token.secret_id
 
   depends_on = [
     google_artifact_registry_repository.default,
diff --git a/terraform/modules/pipelines/main.tf b/terraform/modules/pipelines/main.tf
@@ -13,15 +13,33 @@ resource "google_project_iam_member" "cloud_build_roles" {
     "roles/source.admin",
     "roles/storage.admin",
     "roles/logging.logWriter",
-    "roles/iam.serviceAccountUser",
-    "roles/secretmanager.admin",
-    "roles/secretmanager.secretAssessor"
+    "roles/iam.serviceAccountUser"
   ])
   project = var.project_id
   role    = each.value
   member  = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
 }
 
+# resource "google_secret_manager_secret_iam_member" "secret_manager_binding" {
+#   project   = var.project_id
+#   secret_id = var.secret_id
+#   role      = "roles/secretmanager.secretAccessor"
+#   member    = "serviceAccount:${google_service_account.cloudbuild_service_account.email}"
+# }
+
+resource "google_project_iam_binding" "secrets" {
+  for_each = toset([
+    "roles/secretmanager.secretAccessor",
+    "roles/secretmanager.admin"
+  ])
+  project = var.project_id
+  role    = each.value
+
+  members = [
+    "serviceAccount:${google_service_account.cloudbuild_service_account.email}",
+  ]
+}
+
 resource "google_cloudbuild_trigger" "build_trigger" {
   name        = "gh-trigger-${var.cloudbuild_trigger_name}"
   description = var.description
diff --git a/terraform/modules/pipelines/variable.tf b/terraform/modules/pipelines/variable.tf
@@ -27,4 +27,9 @@ variable "project_id" {
 variable "region" {
   description = "Region where the Cloud Build trigger will be created"
   type        = string
+}
+
+variable "secret_id" {
+  description = "ID of the secret to be injected into the Cloud Build"
+  type        = string
 }
