symopsio · llam15 · Jan 11, 2024 · Dec 15, 2023 · Jan 9, 2024
diff --git a/README.md b/README.md
@@ -20,7 +20,11 @@ module "gcp_connector" {
   identity_pool_project_id = "my-project-id"
   gcp_org_id               = "123456789"
 
+  # Enable the Admin SDK API if managing Google Group membership
   enable_google_group_management = true
+
+  # A list of Google Secret Manager secrets to which the Sym Runtime may have read-only access
+  accessible_secrets = [google_secret_manager_secret.okta_api_key]
 }
 ```
 
@@ -64,8 +68,10 @@ No modules.
 | [google_project_service.admin_sdk_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
 | [google_project_service.iam_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
 | [google_project_service.resource_manager_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
+| [google_project_service.secretmanager_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
 | [google_project_service.service_account_credentials_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
 | [google_project_service.sts_api](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource |
+| [google_secret_manager_secret_iam_member.secret_reader](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_member) | resource |
 | [google_service_account.sym](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
 | [google_service_account_iam_member.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account_iam_member) | resource |
 | [sym_integration.google_workload_identity_federation](https://registry.terraform.io/providers/symopsio/sym/latest/docs/resources/integration) | resource |
@@ -76,6 +82,7 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_accessible_secrets"></a> [accessible\_secrets](#input\_accessible\_secrets) | A map of google\_secret\_manager\_secret objects to grant the Sym Integration read-only access to. | <pre>list(object({<br>    project   = string<br>    secret_id = string<br>    name      = string<br>  }))</pre> | `[]` | no |
 | <a name="input_enable_google_group_management"></a> [enable\_google\_group\_management](#input\_enable\_google\_group\_management) | A boolean indicating whether to enable the Admin SDK API to allow the Sym Integration to manage Google Group membership. | `bool` | `false` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | An environment qualifier for the resources this module creates, e.g. staging, or prod. | `string` | n/a | yes |
 | <a name="input_gcp_org_id"></a> [gcp\_org\_id](#input\_gcp\_org\_id) | The Organization ID of your Google Cloud Organization | `any` | n/a | yes |

diff --git a/main.tf b/main.tf
@@ -122,6 +122,34 @@ resource "google_project_service" "admin_sdk_api" {
   disable_dependent_services = false
 }
 
+######## Google Secret Manager Secrets Access Resources
+locals {
+  secretmanager_api_count = length(var.accessible_secrets) > 0 ? 1 : 0
+}
+
+# Enable the Secret Manager API in the Workload Identity Pool Project
+resource "google_project_service" "secretmanager_api" {
+  count = local.secretmanager_api_count
+
+  project = data.google_project.sym_integration.project_id
+  service = "secretmanager.googleapis.com"
+
+  disable_on_destroy         = false
+  disable_dependent_services = false
+}
+
+# For each given secret, grant the Sym Service Account the secretAccessor role.
+resource "google_secret_manager_secret_iam_member" "secret_reader" {
+  for_each = { # Can't for-each over a list of objects, so converting it to a map of unique names to secret objects
+    for secret in var.accessible_secrets : "${secret.project}/${secret.secret_id}" => secret
+  }
+
+  project   = each.value.project
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.sym.email}"
+  secret_id = each.value.secret_id
+}
+
 ######## Sym Resources
 
 # Create a sym_integration for the created Google Workload Identity Federation resources.

diff --git a/variables.tf b/variables.tf
@@ -18,6 +18,16 @@ variable "enable_google_group_management" {
   default     = false
 }
 
+variable "accessible_secrets" {
+  description = "A map of google_secret_manager_secret objects to grant the Sym Integration read-only access to."
+  type = list(object({
+    project   = string
+    secret_id = string
+    name      = string
+  }))
+  default = []
+}
+
 variable "sym_account_id" {
   description = "The AWS account ID that can impersonate the created Google service account. Defaults to the Sym Production AWS account ID."
   type        = string