Merge pull request #217 from nitrictech/feature/gcp-secret-access

GCP: update cloud run account permissions.
nitrictech · Oct 18, 2021 · 836f9ed · 836f9ed
2 parents 191582f + 004bd32
commit 836f9ed
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/packages/plugins/gcp/src/resources/compute.ts b/packages/plugins/gcp/src/resources/compute.ts
@@ -31,6 +31,7 @@ export class NitricComputeCloudRun extends pulumi.ComponentResource {
 	public readonly name: string;
 	public readonly cloudrun: gcp.cloudrun.Service;
 	public readonly url: pulumi.Output<string>;
+	public readonly account: gcp.serviceaccount.Account;
 
 	constructor(name: string, args: NitricComputeCloudRunArgs, opts?: pulumi.ComponentResourceOptions) {
 		super('nitric:func:CloudRun', name, {}, opts);
@@ -42,6 +43,26 @@ export class NitricComputeCloudRun extends pulumi.ComponentResource {
 
 		this.name = source.getName();
 
+		// Create a service account for this cloud run instance
+		this.account = new gcp.serviceaccount.Account(`${name}-acct`, {
+			accountId: `${name}-acct`.substring(0, 30),
+		});
+
+		// Give project editor permissions
+		// FIXME: Trim this down
+		new gcp.projects.IAMMember(`${name}-editor`, {
+			role: 'roles/editor',
+			// Get the cloudrun service account email
+			member: pulumi.interpolate`serviceAccount:${this.account.email}`,
+		});
+
+		// Give secret accessor permissions
+		new gcp.projects.IAMMember(`${name}-secret-access`, {
+			role: 'roles/secretmanager.secretAccessor',
+			// Get the cloudrun service account email
+			member: pulumi.interpolate`serviceAccount:${this.account.email}`,
+		});
+
 		// Deploy the func
 		this.cloudrun = new gcp.cloudrun.Service(
 			source.getName(),
@@ -55,6 +76,7 @@ export class NitricComputeCloudRun extends pulumi.ComponentResource {
 						},
 					},
 					spec: {
+						serviceAccountName: this.account.email,
 						containers: [
 							{
 								image: image.imageUri,

diff --git a/packages/plugins/gcp/src/tasks/down/index.ts b/packages/plugins/gcp/src/tasks/down/index.ts
@@ -83,7 +83,11 @@ export class Down extends Task<void> {
 					.filter((resource) => !nonTargets.includes(resource.type))
 					.map((resource) => resource.urn);
 				if (targets.length > 0) {
-					res = await pulumiStack.destroy({ onOutput: this.update.bind(this), target: targets });
+					res = await pulumiStack.destroy({
+						onOutput: this.update.bind(this),
+						target: targets,
+						targetDependents: true,
+					});
 				}
 			}
 			console.log(res);