fix terraform issues (#92)

mikehelmick · web-flow · commit c3754f0b24fa · 2020-07-01T08:09:02.000-07:00
* update key versions and permissions

* add firebase admin role and trim cert keys
diff --git a/terraform/keys.tf b/terraform/keys.tf
@@ -33,6 +33,10 @@ resource "google_kms_crypto_key" "certificate-signer" {
   }
 }
 
+data "google_kms_crypto_key_version" "certificate-signer-version" {
+  crypto_key = google_kms_crypto_key.certificate-signer.self_link
+}
+
 resource "google_kms_crypto_key" "token-signer" {
   key_ring = google_kms_key_ring.verification.self_link
   name     = "token-signer"
@@ -43,3 +47,7 @@ resource "google_kms_crypto_key" "token-signer" {
     protection_level = "HSM"
   }
 }
+
+data "google_kms_crypto_key_version" "token-signer-version" {
+  crypto_key = google_kms_crypto_key.token-signer.self_link
+}
diff --git a/terraform/service_apiserver.tf b/terraform/service_apiserver.tf
@@ -44,6 +44,12 @@ resource "google_secret_manager_secret_iam_member" "apiserver-db" {
   member    = "serviceAccount:${google_service_account.apiserver.email}"
 }
 
+resource "google_kms_key_ring_iam_member" "kms-signerverifier" {
+  key_ring_id = google_kms_key_ring.verification.self_link
+  role        = "roles/cloudkms.signerVerifier"
+  member      = "serviceAccount:${google_service_account.apiserver.email}"
+}
+
 resource "google_cloud_run_service" "apiserver" {
   name     = "apiserver"
   location = var.region
diff --git a/terraform/service_server.tf b/terraform/service_server.tf
@@ -51,6 +51,12 @@ resource "google_secret_manager_secret_iam_member" "server-csrf" {
   member    = "serviceAccount:${google_service_account.server.email}"
 }
 
+resource "google_project_iam_member" "firebase-admin" {
+  project = var.project
+  role    = "roles/firebaseauth.admin"
+  member  = "serviceAccount:${google_service_account.server.email}"
+}
+
 resource "google_cloud_run_service" "server" {
   name     = "server"
   location = var.region
diff --git a/terraform/services.tf b/terraform/services.tf
@@ -40,7 +40,7 @@ locals {
   }
 
   signing_config = {
-    CERTIFICATE_SIGNING_KEY = google_kms_crypto_key.certificate-signer.self_link
-    TOKEN_SIGNING_KEY       = google_kms_crypto_key.token-signer.self_link
+    CERTIFICATE_SIGNING_KEY = trimprefix(data.google_kms_crypto_key_version.certificate-signer-version.id, "//cloudkms.googleapis.com/v1/")
+    TOKEN_SIGNING_KEY       = trimprefix(data.google_kms_crypto_key_version.token-signer-version.id, "//cloudkms.googleapis.com/v1/")
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,10 @@ resource "google_kms_crypto_key" "certificate-signer" {`
`33`	`33`	`}`
`34`	`34`	`}`
`35`	`35`
	`36`	`+data "google_kms_crypto_key_version" "certificate-signer-version" {`
	`37`	`+ crypto_key = google_kms_crypto_key.certificate-signer.self_link`
	`38`	`+}`
	`39`	`+`
`36`	`40`	`resource "google_kms_crypto_key" "token-signer" {`
`37`	`41`	`key_ring = google_kms_key_ring.verification.self_link`
`38`	`42`	`name = "token-signer"`
`@@ -43,3 +47,7 @@ resource "google_kms_crypto_key" "token-signer" {`
`43`	`47`	`protection_level = "HSM"`
`44`	`48`	`}`
`45`	`49`	`}`
	`50`	`+`
	`51`	`+data "google_kms_crypto_key_version" "token-signer-version" {`
	`52`	`+ crypto_key = google_kms_crypto_key.token-signer.self_link`
	`53`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ locals {`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`signing_config = {`
`43`		`- CERTIFICATE_SIGNING_KEY = google_kms_crypto_key.certificate-signer.self_link`
`44`		`- TOKEN_SIGNING_KEY = google_kms_crypto_key.token-signer.self_link`
	`43`	`+ CERTIFICATE_SIGNING_KEY = trimprefix(data.google_kms_crypto_key_version.certificate-signer-version.id, "//cloudkms.googleapis.com/v1/")`
	`44`	`+ TOKEN_SIGNING_KEY = trimprefix(data.google_kms_crypto_key_version.token-signer-version.id, "//cloudkms.googleapis.com/v1/")`
`45`	`45`	`}`
`46`	`46`	`}`