From e3778ff6bc97d102aa6d2119e46c174384271f88 Mon Sep 17 00:00:00 2001
From: Vincent Ambo <mail@tazj.in>
Date: Fri, 9 Jun 2023 17:52:41 +0300
Subject: fix(corp/ops): let service account use encryption key

Change-Id: Idd68e849457ecf600b1d9a318846557adfce8575
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8737
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
---
 corp/ops/yandex/rih.tf | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/corp/ops/yandex/rih.tf b/corp/ops/yandex/rih.tf
index 2db420835a..fa0243a625 100644
--- a/corp/ops/yandex/rih.tf
+++ b/corp/ops/yandex/rih.tf
@@ -94,7 +94,7 @@ resource "yandex_serverless_container" "rih_backend" {
   service_account_id = yandex_iam_service_account.rih_backend.id
 
   image {
-    url = "cr.yandex/crpkcq65tn6bhq6puq2o/rih-backend:9cwnx8jvwjw2ckpqg970p4y7cf74z28j"
+    url = "cr.yandex/crpkcq65tn6bhq6puq2o/rih-backend:dhgw6c4afancx1a3gac6day0bdgd9qhf"
   }
 
   secrets {
@@ -197,6 +197,15 @@ resource "yandex_kms_symmetric_key" "backend_data_key" {
   }
 }
 
+resource "yandex_kms_symmetric_key_iam_binding" "rih_encryption_access" {
+  symmetric_key_id = yandex_kms_symmetric_key.backend_data_key.id
+  role             = "kms.keys.encrypter"
+
+  members = [
+    "serviceAccount:${yandex_iam_service_account.rih_backend.id}"
+  ]
+}
+
 resource "yandex_storage_bucket" "rih_backend_data" {
   access_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.access_key
   secret_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.secret_key
-- 
cgit 1.4.1