Merge branch '22-secrets-IAM' into 'master'

Add secretAccessor IAM permissions to Cloud Run Service account Closes #22 See merge request !27

Merge branch '22-secrets-IAM' into 'master'
Add secretAccessor IAM permissions to Cloud Run Service account Closes #22 See merge request !27
a676dbc8 · Wajdi Hajji · e13f2107 · 705afeb1 · a676dbc8 · a676dbc8
Commit a676dbc8 authored 3 years ago by Wajdi Hajji
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [3.1.0] - 2021-06-16
+### Changed
+ - Cloud Run service account is given permissions to access all Secret Manager secrets
+   passed via secrets_envars and secrets_volumes variables.
+
 ## [3.0.0] - 2021-06-08
 ### Added
 - Raised the provider to 3.70, adding the BETA requirement and the capability to

--- a/README.md
+++ b/README.md
@@ -108,10 +108,14 @@ is likely to be whitelisted within firewall configuration that lives outside of

 ## Secrets as Volumes and Env Vars

-Secret Manager IDs can be directly referenced and exposed as environment variables
-and volume mounts (files) in the running container.
+Secret Manager secrets can be as environment variables or volume mounts (files) in the 
+running container.

-At time of writing, the BETA Google Provider must be enabled.
+At time of writing, this requires Cloud Run to run as BETA.
+
+The service account that Cloud Run runs as needs access to the secrets for this feature to work.
+Thus, this module gives `secretAccessor` role to that service account for the secrets passed on
+`secrets_volume` and `secrets_envars`.

 Any number of items in the list is supported and not defining these variables
 when calling this module is acceptable. The path of the mounted file will be

--- a/main.tf
+++ b/main.tf
@@ -201,6 +201,10 @@ resource "google_cloud_run_service" "webapp" {
      metadata[0].annotations["run.googleapis.com/ingress-status"],
    ]
  }
+
+  depends_on = [
+    google_secret_manager_secret_iam_member.secrets_access,
+  ]
 }

 # Allow unauthenticated invocations for the webapp.

--- a/secrets.tf
+++ b/secrets.tf
+# secrets.tf 
+# The Cloud Run service accounts need access to the Secret Manager secrets
+# to be able to mount them as volumes or envars.
+
+locals {
+  # List containing Secret Manager secrets IDs used in `var.secrets_volume`
+  # and `var.secrets_envars`
+  secret_ids = toset([
+    for secret in concat(var.secrets_volume, var.secrets_envars) : secret.id
+  ])
+}
+
+# Grant the Cloud Run service account "secretmanager.secretAccessor" role
+# to be able to access Secret Manager secrets to be mounted as volumes 
+# or environment variables.
+resource "google_secret_manager_secret_iam_member" "secrets_access" {
+  for_each  = local.secret_ids
+  project   = var.project
+  secret_id = each.key
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.webapp.email}"
+}