Create a new "secret" abstraction. (#150)

Signed-off-by: Matt Moore <[email protected]>

Author: mattmoor

.github/workflows/documentation.yaml

@@ -25,6 +25,7 @@ jobs:
           - prober
           - cron
           - configmap
+          - secret
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

modules/configmap/main.tf

@@ -39,11 +39,11 @@ resource "google_monitoring_alert_policy" "anomalous-secret-access" {
     }
   }
 
-  display_name = "Abnormal Secret Access: ${var.name}"
+  display_name = "Abnormal ConfigMap Access: ${var.name}"
   combiner     = "OR"
 
   conditions {
-    display_name = "Abnormal Secret Access: ${var.name}"
+    display_name = "Abnormal ConfigMap Access: ${var.name}"
 
     condition_matched_log {
       filter = <<EOT

modules/secret/README.md

@@ -0,0 +1,101 @@
+# `secret`
+
+This module encapsulates the creation of a Google Secret Manager secret to hold
+sensitive data in a manner that can be used as an environment variable or
+volume with Cloud Run.  Unlike `configmap` this data is considered sensitive and
+so it is NOT loaded directly by this logic, but by an authorized party. Notably,
+the built-in alert policy WILL fire when the authorized party loads new values
+into the secret, this is by design.
+
+```hcl
+module "my-secret" {
+  source = "chainguard-dev/common/infra//modules/secret"
+
+  project_id = var.project_id
+  name       = "my-secret"
+
+  # What the service accessing this configuration will run as.
+  service-account = google_service_account.foo.email
+
+  # What group of identities are authorized to add new secret versions.
+  authorized-adder = "group:[email protected]"
+
+  # Optionally: channels to notify if this secret is manipulated.
+  notification-channels = [ ... ]
+}
+
+module "foo-service" {
+  source     = "chainguard-dev/common/infra//modules/regional-go-service"
+  project_id = var.project_id
+  name       = "foo"
+  regions    = module.networking.regional-networks
+
+  service_account = google_service_account.foo.email
+  containers = {
+    "foo" = {
+      source = {
+        working_dir = path.module
+        importpath  = "./cmd/foo"
+      }
+      ports = [{ container_port = 8080 }]
+      volume_mounts = [{
+        name       = "foo"
+        mount_path = "/var/run/foo/"
+      }]
+    }
+  }
+  volumes = [{
+    name = "foo"
+    secret = {
+      secret = module.my-secret.secret_id
+      items = [{
+        version = "latest"
+        path    = "my-filename"
+      }]
+    }
+  }]
+}
+```
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_monitoring_alert_policy.anomalous-secret-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/monitoring_alert_policy) | resource |
+| [google_secret_manager_secret.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
+| [google_secret_manager_secret_iam_binding.authorize-service-access](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_binding) | resource |
+| [google_secret_manager_secret_iam_binding.authorize-version-adder](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret_iam_binding) | resource |
+| [google_client_openid_userinfo.me](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_openid_userinfo) | data source |
+| [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_authorized-adder"></a> [authorized-adder](#input\_authorized-adder) | A member-style representation of the identity authorized to add new secret values (e.g. group:oncall@my-corp.dev). | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | The name to give the secret. | `string` | n/a | yes |
+| <a name="input_notification-channels"></a> [notification-channels](#input\_notification-channels) | The channels to notify if the configuration data is improperly accessed. | `list(string)` | `[]` | no |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes |
+| <a name="input_service-account"></a> [service-account](#input\_service-account) | The email of the service account that will access the secret. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_secret_id"></a> [secret\_id](#output\_secret\_id) | The ID of the secret. |
+<!-- END_TF_DOCS -->

modules/secret/main.tf

@@ -0,0 +1,68 @@
+// Create the GCP secret to hold the configuration data.
+resource "google_secret_manager_secret" "this" {
+  secret_id = var.name
+  replication {
+    auto {}
+  }
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+// Only the service account as which the service runs should have access to the secret.
+resource "google_secret_manager_secret_iam_binding" "authorize-service-access" {
+  secret_id = google_secret_manager_secret.this.id
+  role      = "roles/secretmanager.secretAccessor"
+  members   = ["serviceAccount:${var.service-account}"]
+}
+
+// Authorize the specified identity to add new secret values.
+resource "google_secret_manager_secret_iam_binding" "authorize-version-adder" {
+  project   = var.project_id
+  secret_id = google_secret_manager_secret.this.secret_id
+  role      = "roles/secretmanager.secretVersionAdder"
+  members   = [var.authorized-adder]
+}
+
+// Get a project number for this project ID.
+data "google_project" "project" { project_id = var.project_id }
+
+// What identity is deploying this?
+data "google_client_openid_userinfo" "me" {}
+
+// Create an alert policy to notify if the secret is accessed by an unauthorized entity.
+resource "google_monitoring_alert_policy" "anomalous-secret-access" {
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal Secret Access: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Abnormal Secret Access: ${var.name}"
+
+    condition_matched_log {
+      filter = <<EOT
+      protoPayload.serviceName="secretmanager.googleapis.com"
+      protoPayload.request.name: ("projects/${var.project_id}/secrets/${var.name}/" OR "projects/${data.google_project.project.number}/secrets/${var.name}/")
+
+      -- Ignore the identity that is intended to access this.
+      -(
+        protoPayload.authenticationInfo.principalEmail="${var.service-account}"
+        protoPayload.methodName="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
+      )
+      EOT
+    }
+  }
+
+  notification_channels = var.notification-channels
+
+  enabled = "true"
+  project = var.project_id
+}

modules/secret/outputs.tf

@@ -0,0 +1,4 @@
+output "secret_id" {
+  description = "The ID of the secret."
+  value       = google_secret_manager_secret.this.id
+}

modules/secret/variables.tf

@@ -0,0 +1,24 @@
+variable "project_id" {
+  type = string
+}
+
+variable "name" {
+  description = "The name to give the secret."
+  type        = string
+}
+
+variable "authorized-adder" {
+  description = "A member-style representation of the identity authorized to add new secret values (e.g. group:[email protected])."
+  type        = string
+}
+
+variable "service-account" {
+  description = "The email of the service account that will access the secret."
+  type        = string
+}
+
+variable "notification-channels" {
+  description = "The channels to notify if the configuration data is improperly accessed."
+  type        = list(string)
+  default     = []
+}