This repository has been archived by the owner on Jun 3, 2024. It is now read-only.

[SYM-5417] Support Google Secrets Manager Secrets #4

Merged
merged 2 commits into from
Jan 11, 2024

Conversation

llam15
Contributor

@llam15 llam15 commented Dec 15, 2023

Description

Testing

Tested with v1.1.0-alpha2 with the following configuration in sym-staging/gcp-connector.

resource "google_secret_manager_secret" "okta_api_key" {
  project = "sym-wif-pools"

  secret_id = "staging_okta-api-key"

  replication {
    auto {}
  }
}

# To apply this module, log in with `gcloud auth application-default login` as admin@compliance.dev
module "gcp_connector" {
  source  = "symopsio/gcp-connector/google"
  version = "1.1.0-alpha2"

  environment              = "sym-staging"
  identity_pool_project_id = "sym-wif-pools"
  gcp_org_id               = "472792873457"

  enable_google_group_management = true

  sym_account_id  = "455753951875" # Staging AWS account
  sym_runtime_arn = "arn:aws:sts::455753951875:assumed-role/phoenix-staging-runtime/phoenix-staging-runtime"

  accessible_secrets = [google_secret_manager_secret.okta_api_key]
}

Output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # google_secret_manager_secret.okta_api_key will be created
  + resource "google_secret_manager_secret" "okta_api_key" {
      + create_time           = (known after apply)
      + effective_annotations = (known after apply)
      + effective_labels      = (known after apply)
      + expire_time           = (known after apply)
      + id                    = (known after apply)
      + name                  = (known after apply)
      + project               = "sym-wif-pools"
      + secret_id             = "staging_okta-api-key"
      + terraform_labels      = (known after apply)

      + replication {
          + auto {
            }
        }
    }

  # module.gcp_connector.google_project_service.secretmanager_api[0] will be created
  + resource "google_project_service" "secretmanager_api" {
      + disable_dependent_services = false
      + disable_on_destroy         = false
      + id                         = (known after apply)
      + project                    = "sym-wif-pools"
      + service                    = "secretmanager.googleapis.com"
    }

  # module.gcp_connector.google_secret_manager_secret_iam_member.secret_reader["sym-wif-pools/staging_okta-api-key"] will be created
  + resource "google_secret_manager_secret_iam_member" "secret_reader" {
      + etag      = (known after apply)
      + id        = (known after apply)
      + member    = "serviceAccount:sym-integration-sym-staging@sym-wif-pools.iam.gserviceaccount.com"
      + project   = "sym-wif-pools"
      + role      = "roles/secretmanager.secretAccessor"
      + secret_id = "staging_okta-api-key"
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_secret_manager_secret.okta_api_key: Creating...
google_secret_manager_secret.okta_api_key: Creation complete after 0s [id=projects/sym-wif-pools/secrets/staging_okta-api-key]
module.gcp_connector.google_secret_manager_secret_iam_member.secret_reader["sym-wif-pools/staging_okta-api-key"]: Creating...
module.gcp_connector.google_project_service.secretmanager_api[0]: Creating...
module.gcp_connector.google_project_service.secretmanager_api[0]: Creation complete after 4s [id=sym-wif-pools/secretmanager.googleapis.com]
module.gcp_connector.google_secret_manager_secret_iam_member.secret_reader["sym-wif-pools/staging_okta-api-key"]: Creation complete after 5s [id=projects/sym-wif-pools/secrets/staging_okta-api-key/roles/secretmanager.secretAccessor/serviceAccount:sym-integration-sym-staging@sym-wif-pools.iam.gserviceaccount.com]

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Tested with a data resource, where the secret is in a different project from the service account.

data "google_secret_manager_secret" "different_project_secret" {
  project = "main-project-407214"
  secret_id = "sym_staging-manual-secret"
}

# To apply this module, log in with `gcloud auth application-default login` as admin@compliance.dev
module "gcp_connector" {
  source  = "symopsio/gcp-connector/google"
  version = "1.1.0-alpha2"

  environment              = "sym-staging"
  identity_pool_project_id = "sym-wif-pools"
  gcp_org_id               = "472792873457"

  enable_google_group_management = true

  sym_account_id  = "455753951875" # Staging AWS account
  sym_runtime_arn = "arn:aws:sts::455753951875:assumed-role/phoenix-staging-runtime/phoenix-staging-runtime"

  accessible_secrets = [google_secret_manager_secret.okta_api_key, data.google_secret_manager_secret.different_project_secret]
}

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.gcp_connector.google_secret_manager_secret_iam_member.secret_reader["main-project-407214/sym_staging-manual-secret"] will be created
  + resource "google_secret_manager_secret_iam_member" "secret_reader" {
      + etag      = (known after apply)
      + id        = (known after apply)
      + member    = "serviceAccount:sym-integration-sym-staging@sym-wif-pools.iam.gserviceaccount.com"
      + project   = "main-project-407214"
      + role      = "roles/secretmanager.secretAccessor"
      + secret_id = "sym_staging-manual-secret"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.gcp_connector.google_secret_manager_secret_iam_member.secret_reader["main-project-407214/sym_staging-manual-secret"]: Creating...
module.gcp_connector.google_secret_manager_secret_iam_member.secret_reader["main-project-407214/sym_staging-manual-secret"]: Creation complete after 4s [id=projects/main-project-407214/secrets/sym_staging-manual-secret/roles/secretmanager.secretAccessor/serviceAccount:sym-integration-sym-staging@sym-wif-pools.iam.gserviceaccount.com]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Confirmed that the Sym Service account has the Secrets Accessor Role.

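The plan output above shows the module granting roles/secretmanager.secretAccessor on each listed secret rather than project-wide, which is the least-privilege property worth guarding in CI. As an added example (not part of this PR or the module's own code), the check below runs over a `terraform show -json` plan and flags any secret binding with an unexpected role or member, any binding not scoped to a secret, and any project-level grant of the accessor role; the plan shape and the expected member address are assumptions taken from the plan text above, and the sample plan is constructed.

```python
"""Policy check over a Terraform plan (JSON form) for the secret-access
bindings created by the gcp-connector module. Passes only if every
google_secret_manager_secret_iam_member grants roles/secretmanager.secretAccessor
to the expected Sym service account, scoped to one secret, and no
project-wide grant of that role appears."""
import json

SECRET_ROLE = "roles/secretmanager.secretAccessor"
# Assumed expected member, copied from the plan output in the PR description.
EXPECTED_MEMBER = "serviceAccount:sym-integration-sym-staging@sym-wif-pools.iam.gserviceaccount.com"

# Constructed sample mirroring the `resource_changes` part of `terraform show -json tfplan`:
# the per-secret binding from the PR plus one deliberately over-broad project-level grant.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": 'module.gcp_connector.google_secret_manager_secret_iam_member.secret_reader["sym-wif-pools/staging_okta-api-key"]',
         "type": "google_secret_manager_secret_iam_member",
         "change": {"actions": ["create"], "after": {
             "project": "sym-wif-pools", "secret_id": "staging_okta-api-key",
             "role": SECRET_ROLE, "member": EXPECTED_MEMBER}}},
        {"address": "google_project_iam_member.too_broad",
         "type": "google_project_iam_member",
         "change": {"actions": ["create"], "after": {
             "project": "sym-wif-pools", "role": SECRET_ROLE, "member": EXPECTED_MEMBER}}},
    ]
})


def check_secret_bindings(plan_json, expected_member):
    """Return a list of findings; an empty list means the plan passes the policy."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" in actions and "create" not in actions:
            continue  # pure removals never widen access
        after = change.get("after") or {}
        if rc["type"] == "google_secret_manager_secret_iam_member":
            if after.get("role") != SECRET_ROLE:
                findings.append(f"{rc['address']}: unexpected role {after.get('role')}")
            if after.get("member") != expected_member:
                findings.append(f"{rc['address']}: unexpected member {after.get('member')}")
            if not after.get("secret_id"):
                findings.append(f"{rc['address']}: binding not scoped to a secret")
        elif rc["type"] in ("google_project_iam_member", "google_project_iam_binding") \
                and after.get("role") == SECRET_ROLE:
            findings.append(f"{rc['address']}: project-wide {SECRET_ROLE} grant; use per-secret bindings")
    return findings
```

Run it as a plan gate (`terraform show -json tfplan | python check.py`) and fail the pipeline when the returned list is non-empty.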

@llam15
Contributor Author

llam15 commented Dec 15, 2023

Current dependencies on/for this PR:

This stack of pull requests is managed by Graphite.

@llam15 llam15 changed the title Support Google Secrets Manager Secrets [SYM-5417] Support Google Secrets Manager Secrets Jan 9, 2024

linear bot commented Jan 9, 2024

@llam15 llam15 marked this pull request as ready for review January 9, 2024 20:24
@llam15 llam15 requested a review from a team January 9, 2024 20:24
@llam15 llam15 merged commit 10457db into main Jan 11, 2024
3 checks passed
@llam15 llam15 deleted the leslie/google-secrets branch January 11, 2024 23:41