From e3778ff6bc97d102aa6d2119e46c174384271f88 Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Fri, 9 Jun 2023 17:52:41 +0300 Subject: fix(corp/ops): let service account use encryption key Change-Id: Idd68e849457ecf600b1d9a318846557adfce8575 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8737 Reviewed-by: tazjin Tested-by: BuildkiteCI --- corp/ops/yandex/rih.tf | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/corp/ops/yandex/rih.tf b/corp/ops/yandex/rih.tf index 2db420835a12..fa0243a625c5 100644 --- a/corp/ops/yandex/rih.tf +++ b/corp/ops/yandex/rih.tf @@ -94,7 +94,7 @@ resource "yandex_serverless_container" "rih_backend" { service_account_id = yandex_iam_service_account.rih_backend.id image { - url = "cr.yandex/crpkcq65tn6bhq6puq2o/rih-backend:9cwnx8jvwjw2ckpqg970p4y7cf74z28j" + url = "cr.yandex/crpkcq65tn6bhq6puq2o/rih-backend:dhgw6c4afancx1a3gac6day0bdgd9qhf" } secrets { @@ -197,6 +197,15 @@ resource "yandex_kms_symmetric_key" "backend_data_key" { } } +resource "yandex_kms_symmetric_key_iam_binding" "rih_encryption_access" { + symmetric_key_id = yandex_kms_symmetric_key.backend_data_key.id + role = "kms.keys.encrypter" + + members = [ + "serviceAccount:${yandex_iam_service_account.rih_backend.id}" + ] +} + resource "yandex_storage_bucket" "rih_backend_data" { access_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.access_key secret_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.secret_key -- cgit 1.4.1