From a6fa2b300f5642bed938cd9352ca17ac21a67a2c Mon Sep 17 00:00:00 2001
From: Gus Narea 
Date: Thu, 20 Jul 2023 11:59:07 +0100
Subject: [PATCH] grant access to mongodb password

---
 examples/basic/main.tf | 5 +++++
 examples/basic/mongodb.tf | 12 +++++++++---
 outputs.tf | 3 +++
 variables.tf | 15 +++++++++++++++
 4 files changed, 32 insertions(+), 3 deletions(-)
 create mode 100644 outputs.tf

diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index af8d136..1295be3 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -9,5 +9,10 @@ module "self" {
 project_id = local.project_id
 region = local.gcp_region
+ mongodb_uri = mongodbatlas_serverless_instance.main.connection_strings_standard_srv
+
+ mongodb_user = mongodbatlas_database_user.main.username
+ mongodb_password_secret_version = google_secret_manager_secret_version.mongodb_password.id
+
 depends_on = [google_project_service.services]
 }
diff --git a/examples/basic/mongodb.tf b/examples/basic/mongodb.tf
index 64d3ba3..fe6368c 100644
--- a/examples/basic/mongodb.tf
+++ b/examples/basic/mongodb.tf
@@ -28,7 +28,7 @@ resource "random_password" "mongodb_user_password" {
 length = 32
 }
-resource "google_secret_manager_secret" "main" {
+resource "google_secret_manager_secret" "mongodb_password" {
 project = local.project_id
 secret_id = "awala_endpoint-mongodb_password"
@@ -42,8 +42,8 @@ resource "google_secret_manager_secret" "main" {
 }
 }
-resource "google_secret_manager_secret_version" "main" {
- secret = google_secret_manager_secret.main.id
+resource "google_secret_manager_secret_version" "mongodb_password" {
+ secret = google_secret_manager_secret.mongodb_password.id
 secret_data = random_password.mongodb_user_password.result
 }
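Review bot: The module now receives `mongodb_password_secret_version`, but the grant that lets its service account actually read that version exists only in the example (the `google_secret_manager_secret_iam_binding` added in examples/basic/mongodb.tf), so every other consumer of the module has to remember to replicate it, and a consumer that forgets would presumably only find out when the endpoint tries to fetch the password. Since the module is handed the version id and, per the new outputs.tf, owns the service account, it could bind `roles/secretmanager.secretAccessor` on the parent secret itself; failing that, the variable's description should state that the caller must grant that role to `service_account_email`. The module's own resources are outside this diff, so this is inferred from what `module "self"` is wired with here.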
@@ -51,3 +51,9 @@ resource "mongodbatlas_project_ip_access_list" "test" {
 project_id = var.mongodbatlas_project_id
 cidr_block = "0.0.0.0/0"
 }
+
+resource "google_secret_manager_secret_iam_binding" "mongodb_password_reader" {
+ secret_id = google_secret_manager_secret.mongodb_password.secret_id
+ role = "roles/secretmanager.secretAccessor"
+ members = ["serviceAccount:${module.self.service_account_email}"]
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..ff48348
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,3 @@
+output "service_account_email" {
+ value = google_service_account.endpoint.email
+}
diff --git a/variables.tf b/variables.tf
index 1bda13f..1e48eb3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -18,3 +18,18 @@ variable "kms_protection_level" {
 error_message = "KMS protection level must be either SOFTWARE or HSM"
 }
 }
+
+variable "mongodb_uri" {
+ description = "The MongoDB URI"
+ type = string
+}
+
+variable "mongodb_user" {
+ description = "The MongoDB username"
+ type = string
+}
+
+variable "mongodb_password_secret_version" {
+ description = "The id of the Secrets Manager secret version containing the MongoDB password"
+ type = string
+}
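Review bot: `google_secret_manager_secret_iam_binding` is authoritative for `roles/secretmanager.secretAccessor` on this secret, so any other principal holding that role on it (granted by hand or from another configuration) is removed at the next apply; if the intent is only to add this one reader, `google_secret_manager_secret_iam_member` with the same `secret_id` and `role` and a single `member` is the non-authoritative form. The binding also passes the short `secret_id` with no `project`, so it resolves against the provider's default project, whereas the secret itself is created with `project = local.project_id` in the @@ -28 hunk; either `secret_id = google_secret_manager_secret.mongodb_password.id` (the full resource name) or an explicit `project = local.project_id` keeps the grant on the same secret. Unrelated to this change, the visible context opens the Atlas IP access list with `cidr_block = "0.0.0.0/0"`; that predates the commit but deserves its own follow-up.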
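Review bot: `output "service_account_email"` in outputs.tf carries no `description`, while the three variables added in the same commit all do; since this output is what consumers feed into IAM grants (the example's `google_secret_manager_secret_iam_binding` reads it), say so: `description = "Email of the endpoint's service account; grant it access to resources such as the MongoDB password secret version"`. `google_service_account.endpoint` is declared outside this diff.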
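Review bot: The description of `mongodb_password_secret_version` says "Secrets Manager", but the GCP product (and the resource type the example uses, `google_secret_manager_secret_version`) is Secret Manager, and it does not say which form of id is expected, so a caller cannot tell whether to pass the version's `.id`, its `name` or the bare version number. None of the three new variables has a `validation` block even though the sibling `kms_protection_level` visible in the context does; assuming the expected input is the provider's `.id` as the example passes, a format check would catch a caller passing the secret's id instead of a version's, which otherwise surfaces only when the endpoint fetches the password. The `mongodb_uri` description could likewise note that the URI is expected to carry no credentials, since the password is delivered separately through the secret version.
```hcl
# … unchanged: mongodb_uri and mongodb_user variables …

variable "mongodb_password_secret_version" {
  description = "Full resource name (projects/…/secrets/…/versions/…) of the Secret Manager secret version holding the MongoDB password"
  type        = string

  validation {
    condition     = can(regex("^projects/[^/]+/secrets/[^/]+/versions/[^/]+$", var.mongodb_password_secret_version))
    error_message = "mongodb_password_secret_version must be the full resource name of a Secret Manager secret version"
  }
}
```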