# secrets.tf
#
# The Cloud Run service account must be allowed to read every Secret
# Manager secret that the service mounts as a volume or injects as an
# environment variable. Access is granted per secret (not project-wide)
# so the service account can only read the secrets it actually uses.

locals {
  # Deduplicated set of Secret Manager secret IDs referenced by either
  # `var.secrets_volume` or `var.secrets_envars`. Using a set means a
  # secret listed in both variables gets a single IAM binding.
  # NOTE(review): every `id` must be known at plan time for the
  # `for_each` below to work — confirm callers do not pass IDs derived
  # from resources created in the same apply.
  secret_ids = setunion(
    toset([for vol_secret in var.secrets_volume : vol_secret.id]),
    toset([for env_secret in var.secrets_envars : env_secret.id]),
  )
}

# One "roles/secretmanager.secretAccessor" binding per secret for the
# webapp service account. The `_iam_member` resource adds just this one
# member to each secret's policy and leaves any other bindings on the
# secret untouched (it is not authoritative for the whole policy).
resource "google_secret_manager_secret_iam_member" "secrets_access" {
  for_each = local.secret_ids

  project   = var.project
  secret_id = each.key
  role      = "roles/secretmanager.secretAccessor"
  member    = format("serviceAccount:%s", google_service_account.webapp.email)
}