From 9755920267bc59b3c66739a317d9e1fe081f5519 Mon Sep 17 00:00:00 2001
From: Bob Callaway <bcallaway@google.com>
Date: Fri, 16 Feb 2024 16:40:12 -0500
Subject: [PATCH] use SA in lieu of a mapped user - argocd

Signed-off-by: Bob Callaway <bcallaway@google.com>
---
 terraform/gcp/modules/argocd/argocd.tf    | 33 +++++++++++++++++------
 terraform/gcp/modules/argocd/variables.tf |  9 +++++--
 2 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/terraform/gcp/modules/argocd/argocd.tf b/terraform/gcp/modules/argocd/argocd.tf
index 1192442fc..8196ba874 100644
--- a/terraform/gcp/modules/argocd/argocd.tf
+++ b/terraform/gcp/modules/argocd/argocd.tf
@@ -102,7 +102,8 @@ resource "helm_release" "argocd" {
 
   depends_on = [
     kubectl_manifest.externalsecret_argocd_ssh,
-    kubectl_manifest.externalsecret_argocd_slack
+    kubectl_manifest.externalsecret_argocd_slack,
+    kubectl_manifest.externalsecret_argocd_oauth_client_credentials
   ]
 }
 
@@ -123,29 +124,35 @@ resource "helm_release" "argocd_apps" {
   ]
 }
 
+# this needs to be manually granted access via admin console
+# - Client ID needs to be enabled for domain-wide delegation
+# - SA needs to be granted "Groups Reader" role
 resource "google_service_account" "argocd-directory-api-sa" {
   account_id   = "argocd-directory-api-sa"
   display_name = "ArgoCD Directory API Service Account"
   project      = var.project_id
 }
 
-resource "kubectl_manifest" "externalsecret_argocd_directory_api_credentials" {
+resource "kubectl_manifest" "externalsecret_argocd_oauth_client_credentials" {
   yaml_body = <<YAML
 apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
-  name: gcp-external-secret-argocd-directory-api-credentials
+  name: gcp-external-secret-argocd-oauth-client-credentials
   namespace: "${kubernetes_namespace_v1.argocd.metadata[0].name}"
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
     name: gcp-backend
   target:
-    name: argocd-directory-api-credentials
+    name: argocd-oauth-client-credentials
   data:
-  - secretKey: googleAuth.json
+  - secretKey: client-id
     remoteRef:
-      key: "${var.gcp_secret_name_directory_api_credentials}"
+      key: "${google_secret_manager_secret.argocd-oauth-client-id.secret_id}"
+  - secretKey: client-secret
+    remoteRef:
+      key: "${google_secret_manager_secret.argocd-oauth-client-secret.secret_id}"
 YAML
 
   depends_on = [
@@ -153,8 +160,18 @@ YAML
   ]
 }
 
-resource "google_secret_manager_secret" "argocd-directory-api-credentials" {
-  secret_id = var.gcp_secret_name_directory_api_credentials
+resource "google_secret_manager_secret" "argocd-oauth-client-id" {
+  secret_id = var.gcp_secret_name_argocd_oauth_client_id
+  project   = var.project_id
+
+  replication {
+    auto {}
+  }
+  depends_on = [google_project_service.service]
+}
+
+resource "google_secret_manager_secret" "argocd-oauth-client-secret" {
+  secret_id = var.gcp_secret_name_argocd_oauth_client_secret
   project   = var.project_id
 
   replication {
diff --git a/terraform/gcp/modules/argocd/variables.tf b/terraform/gcp/modules/argocd/variables.tf
index 388204807..7822fc4c0 100644
--- a/terraform/gcp/modules/argocd/variables.tf
+++ b/terraform/gcp/modules/argocd/variables.tf
@@ -58,7 +58,12 @@ variable "gcp_secret_name_slack_token" {
   type        = string
 }
 
-variable "gcp_secret_name_directory_api_credentials" {
-  description = "GCP Secret name that holds the SA credentials to access Directory API services."
+variable "gcp_secret_name_argocd_oauth_client_id" {
+  description = "GCP Secret name that holds the OAuth client ID used by ArgoCD's Dex instance."
+  type        = string
+}
+
+variable "gcp_secret_name_argocd_oauth_client_secret" {
+  description = "GCP Secret name that holds the OAuth client secret used by ArgoCD's Dex instance."
   type        = string
 }