Google Cloud Secret Manager Setup

Create a Google Secret Manager Secret

The google_secret_manager_secret resource is a Terraform resource that manages Google Secret Manager Secret metadata.

Note: This only declares the secret, but does not populate its value.

resource "google_secret_manager_secret" "my_secret" {
  secret_id = "${local.environment_name}-my-secret"

  replication {
    auto {}
  }
}

Populate the secret value

You can populate the secret in two ways:

  • A plain value
  • A JSON blob

A JSON blob is useful if your values are closely related, such as an Aptible bot username and password. In general, you will want to use the plain value.

For the secret you created above, add a new secret version and populate it with your secret value. See the official GCP documentation for more information.
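The following is an added Terraform example, not part of the Sym documentation, showing how a secret version can be populated for both the plain-value and JSON-blob options. It assumes the google provider is configured, that local.environment_name exists, and that google_secret_manager_secret.my_credentials is declared as in the full configuration example later on this page; the variable names, the bot e-mail and the name of the pre-existing secret are constructed placeholders.

```hcl
# Added example (not Sym's own code): populate the secret declared above.
# Values come from variables marked sensitive so they are redacted in plan
# output. They are still written to Terraform state, so the state backend
# must be access-controlled and encrypted.
variable "my_api_key" {
  type      = string
  sensitive = true
}

variable "bot_password" {
  type      = string
  sensitive = true
}

# Option 1: a plain value. The Sym Runtime reads this payload as-is.
resource "google_secret_manager_secret_version" "my_secret_v1" {
  secret      = google_secret_manager_secret.my_secret.id
  secret_data = var.my_api_key
}

# Option 2: a JSON blob for closely related values. jsonencode() guarantees
# well-formed JSON, so a later json_key lookup ("username" / "password")
# will find the keys it expects.
resource "google_secret_manager_secret_version" "my_credentials_v1" {
  secret = google_secret_manager_secret.my_credentials.id
  secret_data = jsonencode({
    username = "bot@example.com" # constructed placeholder
    password = var.bot_password
  })
}

# A secret created outside this configuration can be referenced as a data
# source; accessible_secrets accepts these alongside resources.
data "google_secret_manager_secret" "my_other_secret" {
  secret_id = "my-other-secret" # assumed name of a pre-existing secret
}
```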

Connect Sym with Google Cloud

Sym integrates with Google Cloud using Workload Identity Federation, allowing Sym to access Google Cloud resources and make API calls without a service account key.

If you have not yet, declare a gcp_connector module, which will create the resources necessary for the Sym Runtime to impersonate a service account in your Google Cloud environment.

module "gcp_connector" {
  source  = "symopsio/gcp-connector/google"
  version = "~> 1.1"

  environment = local.environment_name

  # Google recommends using a dedicated project for your Workload Identity Pools. Specify that project's ID here.
  # https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#dedicated-project
  identity_pool_project_id = "my-identity-pools"
  gcp_org_id               = "123456789"
}

Grant the Sym Service Account Access to your Google Secrets

For each secret that you wish for the Sym platform to be able to access, pass it into the gcp_connector module's accessible_secrets input.

The accessible_secrets input accepts both google_secret_manager_secret resources and data sources.

module "gcp_connector" {
  source  = "symopsio/gcp-connector/google"
  version = "~> 1.1"

  environment = local.environment_name

  # Google recommends using a dedicated project for your Workload Identity Pools. Specify that project's ID here.
  # https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#dedicated-project
  identity_pool_project_id = "my-identity-pools"
  gcp_org_id               = "123456789"

  # The Sym Service Account will be granted read-only access to each secret in this list.
  # (Specifically, the `roles/secretmanager.secretAccessor` role will be granted on each secret).
  accessible_secrets = [
    google_secret_manager_secret.my_secret,
    data.google_secret_manager_secret.my_other_secret
  ]
}

Declare a sym_secrets Resource

The sym_secrets resource tells Sym how to access your Google Secret Manager.

resource "sym_secrets" "this" {
  name = "${local.environment_name}-gcp-secrets"
  type = "google_secret_manager"

  settings = {
    # This tells Sym to use the Google `sym_integration` declared by the `gcp_connector` module, which
    # contains the credentials required to assume the Service Account created by the module.
    integration_id = module.gcp_connector.sym_integration.id
  }
}

Share the Secret with the Sym Runtime

The sym_secret resource tells Sym how to find a specific secret by providing the source (Google Secret Manager) and the name of the secret, so that Sym knows where to look and what to look for.

The configuration will vary depending on if you populated your secret with a plain value or with a JSON blob.

Plain value

In this case, the Sym Runtime will use the value in your Google Cloud Secret directly.

resource "sym_secret" "my_api_key" {
  # The source of your secrets and the permissions needed to access
  # i.e. Google Secret Manager, access with a Google Service Account.
  source_id = sym_secrets.this.id

  # Name of the key in Google Secret Manager ("projects/{{project}}/secrets/{{secret_id}}")
  path = google_secret_manager_secret.my_secret.name
}

JSON blob

In this case, the Sym Runtime will parse the value in your Google Secret Manager Secret as JSON and attempt to extract the value defined by the json_key setting.

For example, if your secret was populated with the following:

{
  "username": "[email protected]",
  "password": "EXAMPLE-PASSWORD"
}

You can extract the values as follows:

resource "sym_secret" "bot_username" {
  # The source of your secrets and the permissions needed to access
  # i.e. Google Secret Manager, access with a Google Service Account.
  source_id = sym_secrets.this.id

  # Name of the key in Google Secret Manager ("projects/{{project}}/secrets/{{secret_id}}")
  path = google_secret_manager_secret.my_secret.name

  settings = {
    json_key = "username"
  }
}

resource "sym_secret" "bot_password" {
  # The source of your secrets and the permissions needed to access
  # i.e. Google Secret Manager, access with a Google Service Account.
  source_id = sym_secrets.this.id

  # Name of the key in Google Secret Manager ("projects/{{project}}/secrets/{{secret_id}}")
  path = google_secret_manager_secret.my_secret.name

  settings = {
    json_key = "password"
  }
}

Full Configuration Example

module "gcp_connector" {
  source  = "symopsio/gcp-connector/google"
  version = "~> 1.1"

  environment = local.environment_name

  # Google recommends using a dedicated project for your Workload Identity Pools. Specify that project's ID here.
  # https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation#dedicated-project
  identity_pool_project_id = "my-identity-pools"
  gcp_org_id               = "123456789"

  # The Sym Service Account will be granted read-only access to each secret in this list.
  # (Specifically, the `roles/secretmanager.secretAccessor` role will be granted on each secret).
  accessible_secrets = [
    google_secret_manager_secret.my_secret,
    google_secret_manager_secret.my_credentials
  ]
}

############ Plain Value Secret Setup ##############

# A Google Secret Manager Secret to hold your API Key.
# Set the value to the plaintext of your secret.
resource "google_secret_manager_secret" "my_secret" {
  secret_id = "${local.environment_name}-my-secret"

  replication {
    auto {}
  }
}

resource "sym_secret" "my_api_key" {
  # The source of your secrets and the permissions needed to access
  # i.e. Google Secret Manager, access with a Google Service Account.
  source_id = sym_secrets.this.id

  # Name of the key in Google Secret Manager ("projects/{{project}}/secrets/{{secret_id}}")
  path = google_secret_manager_secret.my_secret.name
}

############ JSON Value Secret Setup ##############

# A Google Secret Manager Secret to hold your credentials.
# Set the value with a JSON blob, for example: {"username": "foo", "password": "bar"}
resource "google_secret_manager_secret" "my_credentials" {
  secret_id = "${local.environment_name}-my-credentials"

  replication {
    auto {}
  }
}

resource "sym_secret" "bot_username" {
  # The source of your secrets and the permissions needed to access
  # i.e. Google Secret Manager, access with a Google Service Account.
  source_id = sym_secrets.this.id

  # Name of the key in Google Secret Manager ("projects/{{project}}/secrets/{{secret_id}}")
  path = google_secret_manager_secret.my_credentials.name

  settings = {
    json_key = "username"
  }
}

resource "sym_secret" "bot_password" {
  # The source of your secrets and the permissions needed to access
  # i.e. Google Secret Manager, access with a Google Service Account.
  source_id = sym_secrets.this.id

  # Name of the key in Google Secret Manager ("projects/{{project}}/secrets/{{secret_id}}")
  path = google_secret_manager_secret.my_credentials.name

  settings = {
    json_key = "password"
  }
}

These secrets can now be used in Sym Integrations to enable Sym Strategies and SDK methods.

Configuring sym_integration Resources

With your sym_secret resources, you can now configure the specific Integration that you require for your Flow and impl.py.