From 034d02189e496eb4e09f6dab1ccbc1ffca064af3 Mon Sep 17 00:00:00 2001
From: Gus Narea
Date: Sat, 28 Nov 2020 12:38:57 +0000
Subject: [PATCH] Vault: Create secret for initial root token

As a workaround until #9 is done
---
 tf-modules/base/gcb.tf   |  1 +
 tf-modules/base/vault.tf | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/tf-modules/base/gcb.tf b/tf-modules/base/gcb.tf
index 3e0f2151..d0b917a8 100644
--- a/tf-modules/base/gcb.tf
+++ b/tf-modules/base/gcb.tf
@@ -67,6 +67,7 @@ resource "google_cloudbuild_trigger" "main" {
     "VAULT_GCS_BUCKET=${google_storage_bucket.vault.name}",
     "VAULT_KEYBASE_USERNAME=${local.vault.keybase_username}",
     "VAULT_KV_PREFIX=${local.vault.kv_prefix}",
+    "VAULT_ROOT_TOKEN_SECRET_ID=${google_secret_manager_secret.vault_root_token.secret_id}",
     "STAN_DB_HOST=${google_sql_database_instance.postgresql.private_ip_address}",
     "STAN_DB_NAME=${google_sql_database.postgresql_stan.name}",
diff --git a/tf-modules/base/vault.tf b/tf-modules/base/vault.tf
index bbd95159..e4eaeaa1 100644
--- a/tf-modules/base/vault.tf
+++ b/tf-modules/base/vault.tf
@@ -86,3 +86,19 @@ module "vault_sa_private_key" {
   accessor_service_account_email = local.gcb_service_account_email
   gcp_labels = local.gcp_resource_labels
 }
+
+resource "google_secret_manager_secret" "vault_root_token" {
+  secret_id = "${local.env_full_name}-vault-root-token"
+
+  replication {
+    automatic = true
+  }
+
+  labels = local.gcp_resource_labels
+}
+
+resource "google_secret_manager_secret_iam_binding" "gcb_vault_root_token" {
+  secret_id = google_secret_manager_secret.vault_root_token.secret_id
+  role = "roles/secretmanager.admin"
+  members = ["serviceAccount:${local.gcb_service_account_email}"]
+}
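Review bot: `roles/secretmanager.admin` in the `gcb_vault_root_token` binding grants the Cloud Build service account far more than it needs to store the Vault root token: admin on a Secret Manager secret also allows editing the secret's own IAM policy and deleting the secret, so a compromised build step could grant other principals durable access to the root token. If the build only writes the token after `vault operator init`, `roles/secretmanager.secretVersionAdder` is enough, with `roles/secretmanager.secretAccessor` added (as a separate binding) only if a later build step reads it back; the change is `role = "roles/secretmanager.secretVersionAdder"`. Since the commit message frames this as a stopgap until #9, the `vault_root_token` resource deserves a comment recording that, e.g. `# Temporary home for the initial root token (workaround until #9); revoke the token and remove this secret once #9 lands.`, so the long-lived root token is not forgotten here. Note that `google_secret_manager_secret_iam_binding` is authoritative for the given role, which is fine here but means any other members later granted that role on this secret out of band will be removed on the next apply.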