# secrets.tf
# Secret Manager access for the Cloud Run service account.
#
# Every secret referenced in `var.secrets_volume` (mounted as a volume) or
# `var.secrets_envars` (injected as an environment variable) must be readable
# by the service account, so the IDs from both inputs are collected here and
# fed to the IAM grant below.
locals {
  # Unique set of Secret Manager secret IDs across both inputs. Each input is
  # reduced to its `id` attribute first, then the two lists are joined and
  # deduplicated with `toset`, so a secret used both as a volume and as an
  # envar produces exactly one IAM member (and a set is what `for_each` wants).
  secret_ids = toset(concat(
    [for s in var.secrets_volume : s.id],
    [for s in var.secrets_envars : s.id],
  ))
}
# Per-secret grant of "roles/secretmanager.secretAccessor" to the Cloud Run
# service account, so it can read the payloads of the secrets it mounts as
# volumes or exposes as environment variables.
#
# The grant is scoped to each individual secret rather than to the project,
# which keeps the service account limited to the secrets it actually uses.
# secretAccessor only permits reading secret version payloads; it does not
# allow listing, creating or modifying secrets. `*_iam_member` is additive:
# it manages only this one (role, member) pair and leaves any other bindings
# on the secret untouched.
resource "google_secret_manager_secret_iam_member" "secrets_access" {
  for_each = local.secret_ids

  # `each.value` equals `each.key` when iterating a set of strings.
  secret_id = each.value
  # NOTE(review): assumes the secrets live in the same project as the
  # service (`var.project`); a secret hosted elsewhere would need its own
  # project here — confirm against the callers of this module.
  project = var.project
  member  = "serviceAccount:${google_service_account.webapp.email}"
  role    = "roles/secretmanager.secretAccessor"
}