FAQ | This is a LIVE service | Changelog

Commit a676dbc8 authored by Wajdi Hajji's avatar Wajdi Hajji
Browse files

Merge branch '22-secrets-IAM' into 'master'

Add secretAccessor IAM permissions to Cloud Run Service account

Closes #22

See merge request !27
parents e13f2107 705afeb1
Pipeline #92047 passed with stage
in 47 seconds
......@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [3.1.0] - 2021-06-16
### Changed
- Cloud Run service account is given permissions to access all Secret Manager secrets
passed via secrets_envars and secrets_volumes variables.
## [3.0.0] - 2021-06-08
### Added
- Raised the provider to 3.70, adding the BETA requirement and the capability to
......@@ -108,10 +108,14 @@ is likely to be whitelisted within firewall configuration that lives outside of
## Secrets as Volumes and Env Vars
Secret Manager IDs can be directly referenced and exposed as environment variables
and volume mounts (files) in the running container.
Secret Manager secrets can be as environment variables or volume mounts (files) in the
running container.
At time of writing, the BETA Google Provider must be enabled.
At time of writing, this requires Cloud Run to run as BETA.
The service account that Cloud Run runs as needs access to the secrets for this feature to work.
Thus, this module gives `secretAccessor` role to that service account for the secrets passed on
`secrets_volume` and `secrets_envars`.
Any number of items in the list is supported and not defining these variables
when calling this module is acceptable. The path of the mounted file will be
......@@ -201,6 +201,10 @@ resource "google_cloud_run_service" "webapp" {
depends_on = [
# Allow unauthenticated invocations for the webapp.
# secrets.tf
# The Cloud Run service accounts need access to the Secret Manager secrets
# to be able to mount them as volumes or envars.
locals {
# List containing Secret Manager secrets IDs used in `var.secrets_volume`
# and `var.secrets_envars`
secret_ids = toset([
for secret in concat(var.secrets_volume, var.secrets_envars) : secret.id
# Grant the Cloud Run service account "secretmanager.secretAccessor" role
# to be able to access Secret Manager secrets to be mounted as volumes
# or environment variables.
resource "google_secret_manager_secret_iam_member" "secrets_access" {
for_each = local.secret_ids
project = var.project
secret_id = each.key
role = "roles/secretmanager.secretAccessor"
member = "serviceAccount:${google_service_account.webapp.email}"
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment