feat: Incorporating old terraform config into new tf config (#276)

GoogleCloudPlatform · Dec 15, 2021 · 3abc7e2 · 3abc7e2
1 parent 83d70a0
commit 3abc7e2
Show file tree

Hide file tree

Showing 12 changed files with 96 additions and 619 deletions.
diff --git a/setup.sh b/setup.sh
@@ -69,7 +69,7 @@ terraform apply --auto-approve
 # This allows terraform destroy to run without modifying App Engine.
 # Remove this when App Engine support for terraform destroy is fixed or Firestore has a direct provisioning solution.
 # https://github.com/GoogleCloudPlatform/emblem/issues/217
-terraform state rm google_app_engine_application.stage_app || true
+terraform state rm module.application.google_app_engine_application.main || true
 
 
 ## Prod Project ##

diff --git a/terraform/app/application/main.tf b/terraform/app/application/main.tf
@@ -89,3 +89,9 @@ resource "google_storage_bucket" "sessions" {
   project  = data.google_project.main.project_id
   provider = google
 }
+
+resource "google_storage_bucket_iam_member" "sessions-iam" {
+  bucket = google_storage_bucket.sessions.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${google_service_account.cloud_run_manager.email}"
+}
diff --git a/terraform/app/application/output.tf b/terraform/app/application/output.tf
@@ -1,3 +1,7 @@
 output "project_number" {
   value = data.google_project.main.number
 }
+
+output "cloud_run_manager" {
+  value = google_service_account.cloud_run_manager.email
+}
diff --git a/terraform/app/main.tf b/terraform/app/main.tf
@@ -96,3 +96,29 @@ resource "google_pubsub_topic" "canary" {
   project  = data.google_project.ops.project_id
   provider = google
 }
+
+##
+# Secret Manager IAM Resources
+##
+
+resource "google_secret_manager_secret_iam_member" "secret_access_iam_client_id" {
+  project   = data.google_project.ops.project_id
+  secret_id = data.terraform_remote_state.ops.outputs.secret_ids.client_id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${module.application.cloud_run_manager}"
+  depends_on = [
+    # Ensure environment setup, specifically Cloud Run Manager service account.
+    module.application
+  ]
+}
+
+resource "google_secret_manager_secret_iam_member" "secret_access_iam_client_secret" {
+  project   = data.google_project.ops.project_id
+  secret_id = data.terraform_remote_state.ops.outputs.secret_ids.client_secret
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${module.application.cloud_run_manager}"
+  depends_on = [
+    # Ensure environment setup, specifically Cloud Run Manager service account.
+    module.application
+  ]
+}
diff --git a/terraform/cloud_build_triggers.tf b/terraform/cloud_build_triggers.tf
diff --git a/terraform/ops.tf b/terraform/ops.tf