We have a slightly confused ordering: the `./scripts/set-plastic-config.sh` and `./scripts/set-swarm-config.sh` scripts both create secrets in GCP's Secret Manager, expecting that the agents' TF has already created the corresponding service accounts.
If the user destroys and recreates the agent TF, the recreated service accounts will not automatically regain access to those secrets.
There is no straightforward solution to this. At its core it is an ordering problem. We can either make it play well with scripts before TF, or TF before scripts, but supporting either requires duplicating the IAM granting in both locations.
If we could move the secrets into Vault, then we could sidestep the ordering problem. However, adding Vault to the deployment would be a very heavyweight solution.
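As an added illustration of the "scripts before TF" ordering described above (this is example Terraform, not the project's own agent TF, and the resource names, secret ids and project variable are assumptions): the scripts still create the secret, but the IAM grant that ties the secret to the service account is owned by Terraform. Because the binding is expressed in terms of the `google_service_account` resource, destroying and recreating the agent TF recreates the binding along with the service account, so the recreated account regains access without a manual re-run of the script.

```hcl
# Example only: Terraform-owned IAM grants on secrets that the
# set-*-config.sh scripts create out of band. Names and the project
# variable are assumptions, not the project's real identifiers.

variable "project_id" {
  type = string
}

# Service account recreated whenever the agent TF is destroyed/applied.
resource "google_service_account" "agent" {
  project      = var.project_id
  account_id   = "example-agent"            # assumed name
  display_name = "Example build agent"
}

# Look up the secrets the scripts created; Terraform does not manage
# their lifecycle, only the access binding below. If the script has not
# run yet, plan/apply fails here, which makes the ordering explicit.
data "google_secret_manager_secret" "plastic" {
  project   = var.project_id
  secret_id = "example-plastic-config"      # assumed secret id
}

data "google_secret_manager_secret" "swarm" {
  project   = var.project_id
  secret_id = "example-swarm-config"        # assumed secret id
}

# Grant only read access to the secret payload, one binding per secret.
# Using *_iam_member (not *_iam_policy) adds this member without
# clobbering any grant the scripts may also have made.
resource "google_secret_manager_secret_iam_member" "plastic_accessor" {
  project   = var.project_id
  secret_id = data.google_secret_manager_secret.plastic.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.agent.email}"
}

resource "google_secret_manager_secret_iam_member" "swarm_accessor" {
  project   = var.project_id
  secret_id = data.google_secret_manager_secret.swarm.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.agent.email}"
}
```

This only resolves the "recreated service account loses access" case for the ordering where the scripts run first; it does not remove the duplication the text describes, since the scripts must still create the secret (and, if they are ever run after TF, still grant access themselves). The `secretAccessor` role is deliberately the narrowest one that lets the agent read the payload; the scripts, which write secret versions, need a broader role and should not share this binding.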