fix(corp/ops): let service account use encryption key

Change-Id: Idd68e849457ecf600b1d9a318846557adfce8575
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8737
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Vincent Ambo 2023-06-09 17:52:41 +03:00 committed by tazjin
parent 75ffea3fe6
commit e3778ff6bc


@ -94,7 +94,7 @@ resource "yandex_serverless_container" "rih_backend" {
service_account_id = yandex_iam_service_account.rih_backend.id
image {
url = "cr.yandex/crpkcq65tn6bhq6puq2o/rih-backend:9cwnx8jvwjw2ckpqg970p4y7cf74z28j"
url = "cr.yandex/crpkcq65tn6bhq6puq2o/rih-backend:dhgw6c4afancx1a3gac6day0bdgd9qhf"
}
secrets {
@ -197,6 +197,15 @@ resource "yandex_kms_symmetric_key" "backend_data_key" {
}
}
resource "yandex_kms_symmetric_key_iam_binding" "rih_encryption_access" {
symmetric_key_id = yandex_kms_symmetric_key.backend_data_key.id
role = "kms.keys.encrypter"
members = [
"serviceAccount:${yandex_iam_service_account.rih_backend.id}"
]
}
resource "yandex_storage_bucket" "rih_backend_data" {
access_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.access_key
secret_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.secret_key
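Review bot: The new `rih_encryption_access` binding has no comment saying that encrypt-only access is intentional, so a later reader cannot tell whether the absent decrypt permission is a design choice or an omission. `kms.keys.encrypter` is a sound least-privilege grant if the backend only ever writes ciphertext; if that is the design, I would record it above the resource, e.g. `# rih_backend may only encrypt with backend_data_key; decrypt is intentionally not granted to this service account.` Separately, `*_iam_binding` resources are usually authoritative for the role they name, so any other principal holding `kms.keys.encrypter` on this key outside this file would presumably be removed on apply; worth confirming nothing else depends on that role. The `yandex_storage_bucket` block that follows continues outside the visible hunk.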