From 5b3ee3ad875a41f7e24324ce3ac28428fa0d83b2 Mon Sep 17 00:00:00 2001
From: tuna
Date: Tue, 27 Aug 2024 14:52:32 +0200
Subject: [PATCH] feat: use clustersecretstore, new version for terraform binary
---
 .github/workflows/create-cluster.yml | 4 ++--
 .../{secret-store.yaml => cluster-secret-store.yaml} | 2 +-
 terraform/app.tf | 10 +++++-----
 3 files changed, 8 insertions(+), 8 deletions(-)
 rename manifests/argocd/{secret-store.yaml => cluster-secret-store.yaml} (89%)
diff --git a/.github/workflows/create-cluster.yml b/.github/workflows/create-cluster.yml
index 2cf50ed..69e66bb 100644
--- a/.github/workflows/create-cluster.yml
+++ b/.github/workflows/create-cluster.yml
@@ -13,10 +13,10 @@ jobs:
 run: sed -i "s/HEAD/${GITHUB_REF##*/}/g" ../manifests/argocd/apps.yaml
 # Only necessary if we use external-secrets
 - name: Reformat external-secrets manifests
- run: sed -i "s/SECRET_ACCESS_CREDS_PH/$(echo '${{ secrets.GCP_SM_CREDENTIALS }}' | base64 -w 0)/g" ../manifests/argocd/gcpsm-secret.yaml; sed -i "s/PROJECT_ID_PH/${{ secrets.PROJECT_ID }}/g" ../manifests/argocd/secret-store.yaml
+ run: sed -i "s/SECRET_ACCESS_CREDS_PH/$(echo '${{ secrets.GCP_SM_CREDENTIALS }}' | base64 -w 0)/g" ../manifests/argocd/gcpsm-secret.yaml; sed -i "s/PROJECT_ID_PH/${{ secrets.PROJECT_ID }}/g" ../manifests/argocd/cluster-secret-store.yaml
 - name: Install Terraform
 id: install-terraform
- run: wget -O terraform.zip https://releases.hashicorp.com/terraform/1.9.4/terraform_1.9.4_linux_amd64.zip && unzip terraform.zip && chmod +x terraform && sudo mv terraform /usr/local/bin
+ run: wget -O terraform.zip https://releases.hashicorp.com/terraform/1.9.5/terraform_1.9.5_linux_amd64.zip && unzip terraform.zip && chmod +x terraform && sudo mv terraform /usr/local/bin
 - name: Apply Terraform
 id: apply-terraform
 # Bucket names have to be unique across gcloud, so it is best practice to add project_id suffix, since it is also unique
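Review bot: The new `Install Terraform` line still fetches the 1.9.5 zip with a bare `wget` and moves the binary into `/usr/local/bin` under `sudo` without any integrity check, so a tampered or truncated download would be executed by a job that holds the GCP Secret Manager credentials; fetch the release's `terraform_1.9.5_SHA256SUMS` alongside the zip and gate on `sha256sum --ignore-missing -c terraform_1.9.5_SHA256SUMS` before `unzip` (the HashiCorp release page also carries a signature for the sums file if you want to go further). Separately, the `Reformat external-secrets manifests` line splices `base64 -w 0` output into `s/SECRET_ACCESS_CREDS_PH/.../g`; base64 text may contain `/`, which ends the replacement early and makes sed abort with "unknown option to `s'", so a delimiter that cannot appear in base64 output, e.g. `s|SECRET_ACCESS_CREDS_PH|...|g`, is safer. The `jobs:` block and the `Apply Terraform` step continue outside the hunk.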
diff --git a/manifests/argocd/secret-store.yaml b/manifests/argocd/cluster-secret-store.yaml
similarity index 89%
rename from manifests/argocd/secret-store.yaml
rename to manifests/argocd/cluster-secret-store.yaml
index c313292..1ddcf6d 100644
--- a/manifests/argocd/secret-store.yaml
+++ b/manifests/argocd/cluster-secret-store.yaml
@@ -1,5 +1,5 @@
 apiVersion: external-secrets.io/v1beta1
-# SecretStore is better for isolation compared to ClusterSecretStore
+# SecretStore is better for isolation compared to ClusterSecretStore, however let's stick with this one for the example
 kind: ClusterSecretStore
 metadata:
 name: gcp-backend
diff --git a/terraform/app.tf b/terraform/app.tf
index 4ae45e7..de50d38 100644
--- a/terraform/app.tf
+++ b/terraform/app.tf
@@ -45,16 +45,16 @@ resource "kubectl_manifest" "gcpsm-secret" {
 yaml_body = each.value
 }
-# SecretStore resource that uses secret resource to retrieve external secrets
-data "kubectl_file_documents" "secret-store" {
- content = file("../manifests/argocd/secret-store.yaml")
+# ClusterSecretStore resource uses k8s-secret resource to retrieve application secrets from google cloud secret manager
+data "kubectl_file_documents" "cluster-secret-store" {
+ content = file("../manifests/argocd/cluster-secret-store.yaml")
 }
-resource "kubectl_manifest" "secret-store" {
+resource "kubectl_manifest" "cluster-secret-store" {
 depends_on = [
 kubectl_manifest.gcpsm-secret,
 ]
- for_each = data.kubectl_file_documents.secret-store.manifests
+ for_each = data.kubectl_file_documents.cluster-secret-store.manifests
 yaml_body = each.value
 }
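Review bot: The rewritten comment concedes that `ClusterSecretStore` is weaker on isolation but leaves the store open to every namespace, so any workload that can create an `ExternalSecret` can read from GCP Secret Manager through the `gcp-backend` credentials. If the kind stays, the `spec` (which lies outside this hunk) can be narrowed with external-secrets' `spec.conditions`, listing the consuming namespaces via `namespaces:` or a `namespaceSelector:`, which keeps the single-store convenience while bounding who may use it. I would also make the comment say what the mitigation is rather than only the trade-off, e.g. `# ClusterSecretStore is cluster-wide; scope consumers with spec.conditions or prefer a namespaced SecretStore`.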
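Review bot: Renaming `kubectl_manifest.secret-store` to `kubectl_manifest.cluster-secret-store` changes the resource address, so against existing state the next `terraform apply` plans a destroy of the old address and a create of the new one instead of a no-op; both addresses manage the same `gcp-backend` object, and because Terraform does not order an unrelated destroy after an unrelated create, the delete can land after the apply and remove the ClusterSecretStore that every ExternalSecret depends on (worth confirming on a plan before merging). A `moved` block keeps the state entry and turns the rename into a pure refactor, and the workflow's Terraform 1.9.5 supports it; the `kubectl_file_documents` data source rename needs nothing extra since data sources are re-read. The `gcpsm-secret` resource whose closing lines open the hunk starts outside it.
```hcl
# … unchanged: data "kubectl_file_documents" "cluster-secret-store" …

# Preserve the existing state entry across the resource rename so the
# ClusterSecretStore is not destroyed and recreated.
moved {
  from = kubectl_manifest.secret-store
  to   = kubectl_manifest.cluster-secret-store
}

resource "kubectl_manifest" "cluster-secret-store" {
  # … unchanged: depends_on, for_each, yaml_body …
}
```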