
Commit 0b0a748

authored
Allow the CI identity to set things up (#143)
Signed-off-by: Matt Moore <[email protected]>
1 parent 2ac8486 commit 0b0a748


2 files changed

+12
-0
lines changed


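--- a/modules/configmap/README.md
+++ b/modules/configmap/README.md
@@ -81,6 +81,7 @@ No modules.
 | [google_secret_manager_secret.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
 | [google_secret_manager_secret_iam_binding.authorize-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_binding) | resource |
 | [google_secret_manager_secret_version.data](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_version) | resource |
+| [google_client_openid_userinfo.me](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_openid_userinfo) | data source |
 | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 
 ## Inputs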

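--- a/modules/configmap/main.tf
+++ b/modules/configmap/main.tf
@@ -25,6 +25,9 @@ resource "google_secret_manager_secret_version" "data" {
 // Get a project number for this project ID.
 data "google_project" "project" { project_id = var.project_id }
 
+// What identity is deploying this?
+data "google_client_openid_userinfo" "me" {}
+
 // Create an alert policy to notify if the secret is accessed by an unauthorized entity.
 resource "google_monitoring_alert_policy" "anomalous-secret-access" {
 # In the absence of data, incident will auto-close after an hour
@@ -46,10 +49,18 @@ resource "google_monitoring_alert_policy" "anomalous-secret-access" {
 filter = <<EOT
 protoPayload.serviceName="secretmanager.googleapis.com"
 protoPayload.request.name: ("projects/${var.project_id}/secrets/${var.name}/" OR "projects/${data.google_project.project.number}/secrets/${var.name}/")
+
+-- Ignore the identity that is intended to access this.
 -(
 protoPayload.authenticationInfo.principalEmail="${var.service-account}"
 protoPayload.methodName="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
 )
+
+-- Ignore the identity as which we set this up.
+-(
+protoPayload.authenticationInfo.principalEmail="${data.google_client_openid_userinfo.me.email}"
+protoPayload.methodName=("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion" OR "google.cloud.secretmanager.v1.SecretManagerService.GetSecretVersion" OR "google.cloud.secretmanager.v1.SecretManagerService.EnableSecretVersion")
+)
 EOT
 }
 }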
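Review bot: The new exclusion block (new lines 59–63) exempts whichever identity ran the most recent `terraform apply`, not specifically the CI identity named in the commit title, because `data.google_client_openid_userinfo.me.email` is resolved at plan time and baked into the alert policy; a human applying locally would silently exempt their own email from the AccessSecretVersion alert until the next apply replaces it. Since this exemption covers the method that actually returns secret payloads, the comment should say so, e.g. `-- Ignore the identity as which we set this up (whoever last ran apply; a local apply exempts that user until CI re-applies).`, or the exempt principal should come from an explicit variable when the CI identity is known. As far as I recall from the provider documentation, this data source only returns an email when the credentials carry the userinfo.email scope; if it is absent the filter degrades to an empty `principalEmail=""` clause and the exemption does nothing, so a `precondition` or a comment noting that requirement would help. The enclosing `google_monitoring_alert_policy` resource starts outside this hunk.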
