
Address a number of nits in this module.
1. Create a dedicated service account for delivery (least privilege).  Now the incoming token can only be used to
invoke the job, and the job's tokens can't be used to spawn more jobs (unless granted externally).

2. Restrict the invoker grant from project-level (currently) to just the specific job.

3. Remove the `secretAccessor` grant, which previously granted project-wide secret access(!) instead of access to
the specific secrets being projected as environment variables.

Signed-off-by: Matt Moore <[email protected]>
mattmoor committed Nov 25, 2023
1 parent df251dd commit 924fca8
Showing 1 changed file with 15 additions and 16 deletions.
31 changes: 15 additions & 16 deletions main.tf
Expand Up @@ -70,6 +70,20 @@ resource "google_cloud_run_v2_job" "job" {
}
}

resource "google_service_account" "delivery" {
project = var.project_id
account_id = "${var.name}-dlv"
display_name = "Dedicated service account for invoking ${google_cloud_run_v2_job.job.name}."
}

resource "google_cloud_run_v2_job_iam_binding" "authorize-calls" {
project = var.project_id
location = google_cloud_run_v2_job.job.location
name = google_cloud_run_v2_job.job.name
role = "roles/run.invoker"
member = "serviceAccount:${google_service_account.delivery.email}"
}

resource "google_cloud_scheduler_job" "cron" {
name = "${var.name}-cron"
schedule = var.schedule
Expand All @@ -80,22 +94,7 @@ resource "google_cloud_scheduler_job" "cron" {
uri = "https://${var.region}-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/${var.project_id}/jobs/${google_cloud_run_v2_job.job.name}:run"

oauth_token {
service_account_email = var.service_account
service_account_email = google_service_account.delivery.email
}
}
depends_on = [google_project_iam_member.cron_secretmanager_access]
}

resource "google_project_iam_member" "cron_run_invoker" {
project = var.project_id
role = "roles/run.invoker"
member = "serviceAccount:${var.service_account}"
}

resource "google_project_iam_member" "cron_secretmanager_access" {
count = var.secret_env != {} ? 1 : 0

project = var.project_id
role = "roles/secretmanager.secretAccessor"
member = "serviceAccount:${var.service_account}"
}
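Review bot: `google_cloud_run_v2_job_iam_binding` in the first hunk is the authoritative form: it replaces every principal holding `roles/run.invoker` on the job, so any invoker granted outside this module is removed on the next apply, and in the google provider the `_iam_binding` resource takes `members = [...]` rather than the singular `member` used here, so the plan should fail on an unsupported argument as written. Since the intent is one additive least-privilege grant, `resource "google_cloud_run_v2_job_iam_member" "authorize-calls" {` with the existing `member = "serviceAccount:${google_service_account.delivery.email}"` line is the better fit. In the second hunk the scheduler job's `depends_on` was dropped and the job now references only the service account, not the grant, so a run triggered before the IAM grant propagates would be rejected; `depends_on = [google_cloud_run_v2_job_iam_member.authorize-calls]` on the cron resource avoids that. The cron resource starts in the first hunk and its body continues between the two hunks, outside what is shown. The removed project-wide `secretAccessor` grant to `var.service_account` is not replaced by anything visible here; presumably per-secret grants for the job's runtime account live elsewhere in the module, which is worth confirming since otherwise the job loses access to the secrets projected as `secret_env`.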
