Add a configmap abstraction

Signed-off-by: Matt Moore <[email protected]>

.github/workflows/documentation.yaml

@@ -24,6 +24,7 @@ jobs:
           - dashboard/cloudevent-receiver
           - prober
           - cron
+          - configmap
 
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

modules/configmap/README.md

@@ -0,0 +1,46 @@
+# `configmap`
+
+This module encapsulates the creation of a Google Secret Manager secret to hold
+a piece of data in a manner that can be used as an environment variable or
+volume with Cloud Run. As it accepts the data to
+
+DO NOT SUBMIT
+
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_cloud_run_v2_service_iam_member.authorize-calls](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_service_iam_member) | resource |
+| [google_cloud_run_v2_service.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/cloud_run_v2_service) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | The name of the Cloud Run service in this region. | `string` | n/a | yes |
+| <a name="input_project_id"></a> [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | The region in which this Cloud Run service is based. | `string` | n/a | yes |
+| <a name="input_service-account"></a> [service-account](#input\_service-account) | The email of the service account being authorized to invoke the private Cloud Run service. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_uri"></a> [uri](#output\_uri) | The URI of the private Cloud Run service. |
+<!-- END_TF_DOCS -->

modules/configmap/main.tf

@@ -0,0 +1,58 @@
+// Create the GCP secret to hold the configuration data.
+resource "google_secret_manager_secret" "this" {
+  secret_id = var.name
+  replication {
+    auto {}
+  }
+}
+
+// Only the service account as which the service runs should have access to the secret.
+resource "google_secret_manager_secret_iam_binding" "authorize-access" {
+  secret_id = google_secret_manager_secret.this.id
+  role      = "roles/secretmanager.secretAccessor"
+  members   = ["serviceAccount:${var.service-account}"]
+}
+
+// Load the specified data into the secret.
+resource "google_secret_manager_secret_version" "data" {
+  secret      = google_secret_manager_secret.this.name
+  secret_data = var.data
+}
+
+data "google_client_openid_userinfo" "me" {}
+
+resource "google_monitoring_alert_policy" "anomalous-secret-access" {
+  # In the absence of data, incident will auto-close after an hour
+  alert_strategy {
+    auto_close = "3600s"
+
+    notification_rate_limit {
+      period = "3600s" // re-alert hourly if condition still valid.
+    }
+  }
+
+  display_name = "Abnormal Secret Access: ${var.name}"
+  combiner     = "OR"
+
+  conditions {
+    display_name = "Abnormal Secret Access: ${var.name}"
+
+    condition_matched_log {
+      filter = <<EOT
+      protoPayload.serviceName="secretmanager.googleapis.com"
+      protoPayload.request.name: "${google_secret_manager_secret.this.id}/"
+      -(
+        protoPayload.authenticationInfo.principalEmail="${var.service-account}"
+        protoPayload.methodName="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"
+      )
+      EOT
+    }
+  }
+
+  notification_channels = var.notification-channels
+
+  enabled = "true"
+  project = var.project_id
+}
+
+

modules/configmap/outputs.tf

@@ -0,0 +1,9 @@
+output "secret_id" {
+  description = "The ID of the secret."
+  value       = google_secret_manager_secret.this.id
+}
+
+output "secret_version_id" {
+  description = "The ID of the secret version."
+  value       = google_secret_manager_secret_version.data.id
+}

modules/configmap/variables.tf

@@ -0,0 +1,24 @@
+variable "project_id" {
+  type = string
+}
+
+variable "name" {
+  description = "The name to give the secret."
+  type        = string
+}
+
+variable "data" {
+  description = "The data to place in the secret."
+  type        = string
+}
+
+variable "service-account" {
+  description = "The email of the service account that will access the secret."
+  type        = string
+}
+
+variable "notification-channels" {
+  description = "The channels to notify if the configuration data is improperly accessed."
+  type        = list(string)
+  default     = []
+}