Merge pull request #7103 from ameukam/release-bucket-store-hmac-key

Store credentials for Fastly service account

Author: k8s-ci-robot

infra/gcp/terraform/k8s-infra-releases-prod/.terraform.lock.hcl

@@ -33,26 +33,26 @@ resource "google_project" "project" {
 }
 
 module "k8s_releases_prod" {
-  source                   = "../modules/k8s-releases"
-  project_id               = google_project.project.project_id
-  bucket_name              = "767373bbdcb8270361b96548387bf2a9ad0d48758c35"
+  source      = "../modules/k8s-releases"
+  project_id  = google_project.project.project_id
+  bucket_name = "767373bbdcb8270361b96548387bf2a9ad0d48758c35"
 }
 
 resource "google_service_account" "fastly_reader" {
-  project = google_project.project.project_id
-  account_id = "fastly-reader"
+  project     = google_project.project.project_id
+  account_id  = "fastly-reader"
   description = "Used by Fastly for read-only actions against the bucket"
 }
 
 resource "google_storage_hmac_key" "fastly_reader_key" {
-  project = google_project.project.project_id
+  project               = google_project.project.project_id
   service_account_email = google_service_account.fastly_reader.email
 }
 
 resource "google_storage_bucket_iam_member" "fastly_reader" {
   bucket     = module.k8s_releases_prod.bucket_name
-  role = "roles/storage.objectViewer"
-  member = "serviceAccount:${google_service_account.fastly_reader.email}"
+  role       = "roles/storage.objectViewer"
+  member     = "serviceAccount:${google_service_account.fastly_reader.email}"
   depends_on = [module.k8s_releases_prod]
 }
 

infra/gcp/terraform/k8s-infra-releases-prod/main.tf

@@ -0,0 +1,33 @@
+/*
+Copyright 2024 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+module "secrets" {
+  source  = "GoogleCloudPlatform/secret-manager/google"
+  version = "~> 0.3"
+
+  project_id = google_project.project.project_id
+
+  secrets = [
+    {
+      name        = "fastly_reader_sa_access_key"
+      secret_data = google_storage_hmac_key.fastly_reader_key.access_id
+    },
+    {
+      name        = "fastly_reader_sa_secret_key"
+      secret_data = google_storage_hmac_key.fastly_reader_key.secret
+    },
+  ]
+}