bring unmanaged GCP resources under Terraform
vault-kms.tf: KMS keyring/key for Vault auto-unseal + vault-unseal SA and IAM bindings — all imported from existing GCP resources. prevent_destroy=true on the crypto key to protect against accidental deletion. unmanaged-secrets.tf: 8 secrets that were referenced by live Cloud Run services but had no TF resource — anthropic-api-key, resend-api-key, supabase-service-key, docuseal-webhook-token, stripe-price-professional, stripe-price-founding, stripe-price-family-child, gitea-runner-token. service-account.tf: 4 manually-created SAs — neuron-workspace-dwd, docuseal-storage, analytics-reader, harmonic-search-console.
This commit is contained in:
@@ -128,3 +128,33 @@ resource "google_cloud_run_v2_service_iam_member" "api_apac_public" {
|
||||
role = "roles/run.invoker"
|
||||
member = "allUsers"
|
||||
}
|
||||
|
||||
# ── Service accounts brought under Terraform management ───────────────────────
|
||||
# Created manually; imported into TF state.
|
||||
|
||||
resource "google_service_account" "neuron_workspace_dwd" {
|
||||
account_id = "neuron-workspace-dwd"
|
||||
display_name = "Neuron Workspace DWD (Gmail access)"
|
||||
description = "Service account for domain-wide delegation to access neuron@neurontechnologies.ai Gmail"
|
||||
project = var.project_id
|
||||
}
|
||||
|
||||
resource "google_service_account" "docuseal_storage" {
|
||||
account_id = "docuseal-storage"
|
||||
display_name = "DocuSeal Storage"
|
||||
description = "Storage backend for DocuSeal document signing platform - read/write access to neuron-docuseal-prod bucket only"
|
||||
project = var.project_id
|
||||
}
|
||||
|
||||
resource "google_service_account" "analytics_reader" {
|
||||
account_id = "analytics-reader"
|
||||
display_name = "Analytics Reader"
|
||||
project = var.project_id
|
||||
}
|
||||
|
||||
resource "google_service_account" "harmonic_search_console" {
|
||||
account_id = "harmonic-search-console"
|
||||
display_name = "Harmonic Framework Search Console"
|
||||
description = "Read-only access to Search Console for harmonic-framework.com"
|
||||
project = var.project_id
|
||||
}
|
||||
|
||||
@@ -0,0 +1,88 @@
|
||||
# ── Secrets brought under Terraform management ────────────────────────────────
|
||||
# These secrets were created manually (via gcloud or out-of-band provisioning)
|
||||
# before the Terraform config was written. Secret values (versions) are NOT
|
||||
# managed by Terraform — they were populated out-of-band and are left intact.
|
||||
# Terraform owns the secret resource (metadata, replication, IAM) only.
|
||||
#
|
||||
# All resources here were imported via `terraform import` — they already exist
|
||||
# in GCP. Do not add version resources unless you intend to rotate the value.
|
||||
|
||||
# ── Marketing / web services ──────────────────────────────────────────────────
|
||||
|
||||
resource "google_secret_manager_secret" "anthropic_api_key" {
|
||||
secret_id = "anthropic-api-key"
|
||||
project = var.project_id
|
||||
|
||||
replication {
|
||||
auto {}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_secret_manager_secret" "resend_api_key" {
|
||||
secret_id = "resend-api-key"
|
||||
project = var.project_id
|
||||
|
||||
replication {
|
||||
auto {}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_secret_manager_secret" "supabase_service_key" {
|
||||
secret_id = "supabase-service-key"
|
||||
project = var.project_id
|
||||
|
||||
replication {
|
||||
auto {}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_secret_manager_secret" "docuseal_webhook_token" {
|
||||
secret_id = "docuseal-webhook-token"
|
||||
project = var.project_id
|
||||
|
||||
replication {
|
||||
auto {}
|
||||
}
|
||||
}
|
||||
|
||||
# ── Stripe price IDs (old naming scheme) ─────────────────────────────────────
|
||||
# These predate the stripe-price-*-plan naming in stripe-billing.tf.
|
||||
# Consumed by marketing-prod-* and accounts-prod-* Cloud Run services.
|
||||
|
||||
resource "google_secret_manager_secret" "stripe_price_professional" {
|
||||
secret_id = "stripe-price-professional"
|
||||
project = var.project_id
|
||||
|
||||
replication {
|
||||
auto {}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_secret_manager_secret" "stripe_price_founding" {
|
||||
secret_id = "stripe-price-founding"
|
||||
project = var.project_id
|
||||
|
||||
replication {
|
||||
auto {}
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_secret_manager_secret" "stripe_price_family_child" {
|
||||
secret_id = "stripe-price-family-child"
|
||||
project = var.project_id
|
||||
|
||||
replication {
|
||||
auto {}
|
||||
}
|
||||
}
|
||||
|
||||
# ── CI infrastructure ─────────────────────────────────────────────────────────
|
||||
|
||||
resource "google_secret_manager_secret" "gitea_runner_token" {
|
||||
secret_id = "gitea-runner-token"
|
||||
project = var.project_id
|
||||
|
||||
replication {
|
||||
auto {}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,46 @@
|
||||
# ── Vault KMS Auto-Unseal ─────────────────────────────────────────────────────
|
||||
# Vault running on Legion uses GCP KMS for auto-unseal. Configured in:
|
||||
# servers/legion/apps/vault.yaml (seal "gcpckms" block)
|
||||
# Key ring: vault, key: vault-unseal, location: global
|
||||
#
|
||||
# CRITICAL: prevent_destroy = true on the crypto key.
|
||||
# Deleting this key makes Vault permanently sealed — all secrets inaccessible.
|
||||
#
|
||||
# These resources were created manually and are imported into TF state.
|
||||
# Values already exist in GCP — TF is just taking ownership.
|
||||
|
||||
resource "google_kms_key_ring" "vault" {
|
||||
name = "vault"
|
||||
location = "global"
|
||||
project = var.project_id
|
||||
}
|
||||
|
||||
resource "google_kms_crypto_key" "vault_unseal" {
|
||||
name = "vault-unseal"
|
||||
key_ring = google_kms_key_ring.vault.id
|
||||
purpose = "ENCRYPT_DECRYPT"
|
||||
rotation_period = "7776000s" # 90 days
|
||||
|
||||
lifecycle {
|
||||
prevent_destroy = true
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_service_account" "vault_unseal" {
|
||||
account_id = "vault-unseal"
|
||||
display_name = "Vault KMS Auto-Unseal"
|
||||
description = "Service account for Vault auto-unseal via GCP KMS. Used by the Vault pod on Legion."
|
||||
project = var.project_id
|
||||
}
|
||||
|
||||
resource "google_kms_crypto_key_iam_member" "vault_unseal_encrypter_decrypter" {
|
||||
crypto_key_id = google_kms_crypto_key.vault_unseal.id
|
||||
role = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
|
||||
member = "serviceAccount:${google_service_account.vault_unseal.email}"
|
||||
}
|
||||
|
||||
resource "google_kms_crypto_key_iam_member" "vault_unseal_viewer" {
|
||||
crypto_key_id = google_kms_crypto_key.vault_unseal.id
|
||||
role = "roles/cloudkms.viewer"
|
||||
member = "serviceAccount:${google_service_account.vault_unseal.email}"
|
||||
}
|
||||
Reference in New Issue
Block a user