read pwd from gcp SM instead of TF random variable

Signed-off-by: Bob Callaway <[email protected]>
sigstore · Sep 11, 2024 · 3d339fe · 3d339fe
1 parent 8a33f8e
commit 3d339fe
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 11 deletions.
diff --git a/terraform/gcp/modules/mysql/mysql.tf b/terraform/gcp/modules/mysql/mysql.tf
@@ -200,20 +200,11 @@ resource "google_sql_database" "searchindexes" {
   depends_on = [google_sql_database_instance.sigstore]
 }
 
-resource "random_id" "user-password" {
-  keepers = {
-    name = google_sql_database_instance.sigstore.name
-  }
-
-  byte_length = 8
-  depends_on  = [google_sql_database_instance.sigstore]
-}
-
 resource "google_sql_user" "trillian" {
   name       = "trillian"
   project    = var.project_id
   instance   = google_sql_database_instance.sigstore.name
-  password   = random_id.user-password.hex
+  password   = data.google_secret_manager_secret_version_access.mysql-password.secret_data
   host       = "%"
   depends_on = [google_sql_database_instance.sigstore]
 }
@@ -260,3 +251,7 @@ resource "google_secret_manager_secret_version" "mysql-database" {
   secret      = google_secret_manager_secret.mysql-database.id
   secret_data = google_sql_database.trillian.name
 }
+
+data "google_secret_manager_secret_version_access" "mysql-password" {
+  secret = google_secret_manager_secret.mysql-password.id
+}
diff --git a/terraform/gcp/modules/mysql/outputs.tf b/terraform/gcp/modules/mysql/outputs.tf
@@ -40,6 +40,6 @@ output "mysql_user" {
 // MySQL DB password.
 output "mysql_pass" {
   sensitive   = true
-  description = "The Cloud SQL Instance Password (Generated)"
+  description = "The Cloud SQL Instance Password"
   value       = google_sql_user.trillian.password
 }