grant access to mongodb password

relaycorp · Jul 20, 2023 · a6fa2b3 · a6fa2b3
1 parent d8a79db
commit a6fa2b3
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 3 deletions.
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -9,5 +9,10 @@ module "self" {
   project_id = local.project_id
   region     = local.gcp_region
 
+  mongodb_uri = mongodbatlas_serverless_instance.main.connection_strings_standard_srv
+
+  mongodb_user                    = mongodbatlas_database_user.main.username
+  mongodb_password_secret_version = google_secret_manager_secret_version.mongodb_password.id
+
   depends_on = [google_project_service.services]
 }
diff --git a/examples/basic/mongodb.tf b/examples/basic/mongodb.tf
@@ -28,7 +28,7 @@ resource "random_password" "mongodb_user_password" {
   length = 32
 }
 
-resource "google_secret_manager_secret" "main" {
+resource "google_secret_manager_secret" "mongodb_password" {
   project = local.project_id
 
   secret_id = "awala_endpoint-mongodb_password"
@@ -42,12 +42,18 @@ resource "google_secret_manager_secret" "main" {
   }
 }
 
-resource "google_secret_manager_secret_version" "main" {
-  secret      = google_secret_manager_secret.main.id
+resource "google_secret_manager_secret_version" "mongodb_password" {
+  secret      = google_secret_manager_secret.mongodb_password.id
   secret_data = random_password.mongodb_user_password.result
 }
 
 resource "mongodbatlas_project_ip_access_list" "test" {
   project_id = var.mongodbatlas_project_id
   cidr_block = "0.0.0.0/0"
 }
+
+resource "google_secret_manager_secret_iam_binding" "mongodb_password_reader" {
+  secret_id = google_secret_manager_secret.mongodb_password.secret_id
+  role      = "roles/secretmanager.secretAccessor"
+  members   = ["serviceAccount:${module.self.service_account_email}"]
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,3 @@
+output "service_account_email" {
+  value = google_service_account.endpoint.email
+}
diff --git a/variables.tf b/variables.tf
@@ -18,3 +18,18 @@ variable "kms_protection_level" {
     error_message = "KMS protection level must be either SOFTWARE or HSM"
   }
 }
+
+variable "mongodb_uri" {
+  description = "The MongoDB URI"
+  type        = string
+}
+
+variable "mongodb_user" {
+  description = "The MongoDB username"
+  type        = string
+}
+
+variable "mongodb_password_secret_version" {
+  description = "The id of the Secrets Manager secret version containing the MongoDB password"
+  type        = string
+}