From 0d9d43879036e58802836df8a8171811c838cf5d Mon Sep 17 00:00:00 2001
From: Charlie Jones
Date: Wed, 14 Jul 2021 15:05:46 -0500
Subject: [PATCH] Fixes to improve compatibility and usability after some initial testing (#3)

* Shorten names to prevent length errors in service accounts
* Remove cloud run name hack in favor of random_id keeper
* Fix for secret project number inconsistencies
* Correct dependencies
* Set less restrictive versions
* Give more details in description of slack_webhook_url_secret_id
---
 README.md | 16 ++++++++--------
 main.tf | 39 +++++++++++++++++++++------------------
 variables.tf | 4 ++--
 versions.tf | 6 +++---
 4 files changed, 34 insertions(+), 31 deletions(-)

diff --git a/README.md b/README.md
index e3c235d..34ee480 100644
--- a/README.md
+++ b/README.md
@@ -60,17 +60,17 @@ To skip running the hooks when you commit:
 | Name | Version |
 |------|---------|
 | [terraform](#requirement\_terraform) | >= 0.13 |
-| [google](#requirement\_google) | ~> 3.74 |
-| [google-beta](#requirement\_google-beta) | ~> 3.74 |
-| [random](#requirement\_random) | ~> 3.1 |
+| [google](#requirement\_google) | >= 3.20 |
+| [google-beta](#requirement\_google-beta) | >= 3.30 |
+| [random](#requirement\_random) | >= 2.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [google](#provider\_google) | ~> 3.74 |
-| [google-beta](#provider\_google-beta) | ~> 3.74 |
-| [random](#provider\_random) | ~> 3.1 |
+| [google](#provider\_google) | >= 3.20 |
+| [google-beta](#provider\_google-beta) | >= 3.30 |
+| [random](#provider\_random) | >= 2.1 |
 
 ## Modules
 
@@ -94,7 +94,7 @@ No modules.
 | [google_storage_bucket.cloud_build_notifier](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket) | resource |
 | [google_storage_bucket_object.cloud_build_notifier_config](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_object) | resource |
 | [random_id.cloud_build_notifier](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
-| [google_project.slack_webhook_url_secret_project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
+| [random_id.cloud_build_notifier_service](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [google_secret_manager_secret_version.slack_webhook_url](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/secret_manager_secret_version) | data source |
 
 ## Inputs
@@ -106,7 +106,7 @@ No modules.
 | [name](#input\_name) | The name to use on all resources created. | `string` | n/a |
 | [project\_id](#input\_project\_id) | Project ID of the project in which Cloud Build is running. | `string` | n/a |
 | [region](#input\_region) | The region in which to deploy the notifier service. | `string` | `"us-central1"` |
-| [slack\_webhook\_url\_secret\_id](#input\_slack\_webhook\_url\_secret\_id) | The ID of an existing Google Secret Manager secret, containing a Slack webhook URL. | `string` | n/a |
+| [slack\_webhook\_url\_secret\_id](#input\_slack\_webhook\_url\_secret\_id) | The ID of an existing Google Secret Manager secret, containing a Slack webhook URL. This is usually the `id` from the output of a `google_secret_manager_secret` resource. | `string` | n/a |
 | [slack\_webhook\_url\_secret\_project](#input\_slack\_webhook\_url\_secret\_project) | The project ID containing the slack\_webhook\_url\_secret\_id. | `string` | n/a |
 
 ## Outputs
diff --git a/main.tf b/main.tf
index 09b109c..9beed3c 100644
--- a/main.tf
+++ b/main.tf
@@ -1,7 +1,7 @@
 # Cloud Build Notifier
 
 locals {
-  base_name = "cbnotify-${var.name}"
+  base_name = "cbn-${var.name}"
 }
 
 
@@ -27,18 +27,12 @@ resource "google_project_service" "apis" {
   disable_dependent_services = true
 }
 
-# Lookup the slack_webhook_url_secret_project so we can access the project number
-data "google_project" "slack_webhook_url_secret_project" {
-  project_id = var.slack_webhook_url_secret_project
-}
-
-
 
 # ------------------------------------------------------------------------------
 # Secrets
 # ------------------------------------------------------------------------------
 data "google_secret_manager_secret_version" "slack_webhook_url" {
-  project = data.google_project.slack_webhook_url_secret_project.number
+  project = var.slack_webhook_url_secret_project
   secret = var.slack_webhook_url_secret_id
 }
 
@@ -49,7 +43,7 @@ data "google_secret_manager_secret_version" "slack_webhook_url" {
 
 # Create cloud build notifier service account
 resource "google_service_account" "notifier" {
-  account_id = "${local.base_name}-notifier"
+  account_id = "${local.base_name}-nfy"
   project = var.project_id
 }
 
@@ -68,13 +62,10 @@ resource "google_project_iam_member" "notifier_project_roles" {
 
 # Give the notifier service account access to the secret
 resource "google_secret_manager_secret_iam_member" "notifier_secret_accessor" {
-  secret_id = data.google_secret_manager_secret_version.slack_webhook_url.secret
+  project = var.slack_webhook_url_secret_project
+  secret_id = var.slack_webhook_url_secret_id
   role = "roles/secretmanager.secretAccessor"
   member = "serviceAccount:${google_service_account.notifier.email}"
-
-  depends_on = [
-    google_project_service.apis
-  ]
 }
 
 # Look up the pubsub SA
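Review bot: The `data "google_secret_manager_secret_version"` block reads the secret payload itself, not just metadata, so with `project` now pointing at `var.slack_webhook_url_secret_project` the Slack webhook URL is fetched at plan time by the Terraform caller and persisted in state as `secret_data`; neither the caller's need for `roles/secretmanager.secretAccessor` on that (possibly cross-project) secret nor the copy in state is documented. I would add above the block: `# Reads the latest version's payload at plan time: the webhook URL is stored in Terraform state, and the principal running plan/apply needs secretAccessor on this secret in the secret project.` Where `secret_data` is consumed is outside this hunk; if it only feeds the notifier config, letting the runtime service read the secret through the grant made later in this file would keep the URL out of state and out of the config bucket.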
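Review bot: `google_secret_manager_secret_iam_member.notifier_secret_accessor` now targets a secret in `var.slack_webhook_url_secret_project`, which this module does not manage, so the applying principal must hold `secretmanager.secrets.setIamPolicy` (e.g. `roles/secretmanager.admin`) on that secret and the Secret Manager API must already be enabled there; the comment above the resource should say so: `# Grants the notifier SA read access to the secret in the secret project (cross-project is fine); the applier needs setIamPolicy on that secret.` Dropping `depends_on = [google_project_service.apis]` is consistent with the secret living outside this module's project, but when the two project IDs are the same the binding can now race API enablement in `var.project_id`. Whether `apis` includes `secretmanager.googleapis.com` is not visible in this hunk, so that case is worth a check before removing the dependency for good.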
@@ -93,7 +84,7 @@ resource "google_project_iam_member" "pubsub_project_roles" {
 
 # Create a pub/sub invoker service account
 resource "google_service_account" "pubsub_invoker" {
-  account_id = "${local.base_name}-pubsub"
+  account_id = "${local.base_name}-pbs"
   project = var.project_id
 }
 
@@ -154,11 +145,18 @@ resource "google_storage_bucket_object" "cloud_build_notifier_config" {
 # Cloud Run
 # ------------------------------------------------------------------------------
 
+resource "random_id" "cloud_build_notifier_service" {
+  # We use a keeper here so we can force cloud run to redeploy on script change.
+  keepers = {
+    script_hash = google_storage_bucket_object.cloud_build_notifier_config.md5hash
+  }
+
+  byte_length = 4
+}
+
 resource "google_cloud_run_service" "cloud_build_notifier" {
   provider = google-beta
-
-  # HACK To make the cloud run job redeploy when the config changes
-  name = "${local.base_name}-${lower(regex("[0-9A-Za-z]+", google_storage_bucket_object.cloud_build_notifier_config.crc32c))}"
+  name = "${local.base_name}-${random_id.cloud_build_notifier_service.hex}"
   location = var.region
   project = var.project_id
 
@@ -190,6 +188,11 @@ resource "google_cloud_run_service" "cloud_build_notifier" {
       metadata.0.annotations,
     ]
   }
+
+  depends_on = [
+    google_project_service.apis["run.googleapis.com"],
+    google_secret_manager_secret_iam_member.notifier_secret_accessor
+  ]
 }
 
 
diff --git a/variables.tf b/variables.tf
index 702e402..39d0961 100644
--- a/variables.tf
+++ b/variables.tf
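Review bot: Feeding the keeper into `name` means every change to the config object renames, and therefore destroys and recreates, the Cloud Run service rather than rolling a new revision: the service URL and its IAM policy change each time, and whatever holds the old URL (presumably the Pub/Sub push subscription, outside this hunk) must be updated in the same apply. If the goal is just to force a redeploy, keep a stable `name = local.base_name` and put the hash on the revision template instead, e.g. an annotation `"cbn/config-md5" = google_storage_bucket_object.cloud_build_notifier_config.md5hash` under `template { metadata { annotations = {...} } }`; note the `ignore_changes` on `metadata.0.annotations` in the later hunk covers the service metadata, not the template. At minimum the keeper comment should state the actual effect: `# Any change to the config object changes the suffix, which renames and so replaces the service.`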
@@ -8,13 +8,13 @@ variable "name" {
   type = string
 
   validation {
-    condition = can(regex("[a-z0-9-]{0,30}", var.name))
+    condition = can(regex("[a-z0-9-]{0,20}", var.name))
     error_message = "A name must be lowercase letters, numbers, or -."
   }
 }
 
 variable "slack_webhook_url_secret_id" {
-  description = "The ID of an existing Google Secret Manager secret, containing a Slack webhook URL."
+  description = "The ID of an existing Google Secret Manager secret, containing a Slack webhook URL. This is usually the `id` from the output of a `google_secret_manager_secret` resource."
   type = string
 }
 
diff --git a/versions.tf b/versions.tf
index 704d0b9..bbe3b9e 100644
--- a/versions.tf
+++ b/versions.tf
@@ -3,17 +3,17 @@ terraform {
   required_providers {
     google = {
       source = "hashicorp/google"
-      version = "~> 3.74"
+      version = ">= 3.20"
     }
 
     google-beta = {
       source = "hashicorp/google-beta"
-      version = "~> 3.74"
+      version = ">= 3.30"
     }
 
     random = {
       source = "hashicorp/random"
-      version = "~> 3.1"
+      version = ">= 2.1"
     }
   }
 }
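Review bot: `condition = can(regex("[a-z0-9-]{0,20}", var.name))` can never fail — the pattern is unanchored and `{0,20}` accepts the empty match, so `regex` succeeds on any string, including uppercase or over-long names, and the length problem the commit is working around is still only caught when the service account is created. Anchor the pattern and require at least one character: `condition = can(regex("^[a-z0-9-]{1,20}$", var.name))`. The enclosing `variable "name"` block starts above this hunk; its `error_message` could also mention the 20-character cap, which is what keeps `cbn-<name>-nfy` within the 30-character service account ID limit.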
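Review bot: `version = ">= 3.20"` (and the google-beta and random lines below it) has no upper bound, so `terraform init` on a fresh checkout will select whatever newest major the registry offers, including a 4.x provider with breaking changes, and the module no longer states which provider line it was tested against. Keep the lower bound for compatibility but cap the major: `version = ">= 3.20, < 4.0"`, `version = ">= 3.30, < 4.0"`, `version = ">= 2.1, < 4.0"`, and rely on the consumer's `.terraform.lock.hcl` for exact pinning. A comment naming the feature that sets each floor would also help the next person who raises it.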