about summary refs log tree commit diff
path: root/corp/ops/yandex
diff options
context:
space:
mode:
authorVincent Ambo <mail@tazj.in>2023-06-09T14·52+0300
committertazjin <tazjin@tvl.su>2023-06-10T11·23+0000
commite3778ff6bc97d102aa6d2119e46c174384271f88 (patch)
treeb20d0746d7430deda7b4c52d3fb3a53f6a1c68dc /corp/ops/yandex
parent75ffea3fe688ed8b010467ec726522af6391c102 (diff)
fix(corp/ops): let service account use encryption key r/6258
Change-Id: Idd68e849457ecf600b1d9a318846557adfce8575
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8737
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Diffstat (limited to 'corp/ops/yandex')
-rw-r--r--corp/ops/yandex/rih.tf11
1 files changed, 10 insertions, 1 deletions
diff --git a/corp/ops/yandex/rih.tf b/corp/ops/yandex/rih.tf
index 2db420835a12..fa0243a625c5 100644
--- a/corp/ops/yandex/rih.tf
+++ b/corp/ops/yandex/rih.tf
@@ -94,7 +94,7 @@ resource "yandex_serverless_container" "rih_backend" {
   service_account_id = yandex_iam_service_account.rih_backend.id
 
   image {
-    url = "cr.yandex/crpkcq65tn6bhq6puq2o/rih-backend:9cwnx8jvwjw2ckpqg970p4y7cf74z28j"
+    url = "cr.yandex/crpkcq65tn6bhq6puq2o/rih-backend:dhgw6c4afancx1a3gac6day0bdgd9qhf"
   }
 
   secrets {
@@ -197,6 +197,15 @@ resource "yandex_kms_symmetric_key" "backend_data_key" {
   }
 }
 
+resource "yandex_kms_symmetric_key_iam_binding" "rih_encryption_access" {
+  symmetric_key_id = yandex_kms_symmetric_key.backend_data_key.id
+  role             = "kms.keys.encrypter"
+
+  members = [
+    "serviceAccount:${yandex_iam_service_account.rih_backend.id}"
+  ]
+}
+
 resource "yandex_storage_bucket" "rih_backend_data" {
   access_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.access_key
   secret_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.secret_key