depot/ops/vault/cfg/lukegbcom-deployer.nix

{ ... }:

{
  resource.vault_gcp_secret_roleset.lukegbcom_deployer = {
    backend = "\${vault_gcp_secret_backend.gcp.path}";
    roleset = "lukegbcom-deployer";
    project = "lukegbcom";
    secret_type = "access_token";
    token_scopes = [
      "https://www.googleapis.com/auth/cloud-platform"
      "https://www.googleapis.com/auth/firebase"
    ];
    binding = [{
      resource = "//cloudresourcemanager.googleapis.com/projects/lukegbcom";
      roles = ["roles/firebasehosting.admin"];
    }];
  };

  my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''
    path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {
      capabilities = ["read"]
    }
  '';
}
lukegbcom: autodeploy using Vault 2022-04-05 21:04:32 +00:00			`{ ... }:`

			`{`
			`resource.vault_gcp_secret_roleset.lukegbcom_deployer = {`
			`backend = "\${vault_gcp_secret_backend.gcp.path}";`
			`roleset = "lukegbcom-deployer";`
			`project = "lukegbcom";`
			`secret_type = "access_token";`
			`token_scopes = [`
			`"https://www.googleapis.com/auth/cloud-platform"`
			`"https://www.googleapis.com/auth/firebase"`
			`];`
			`binding = [{`
			`resource = "//cloudresourcemanager.googleapis.com/projects/lukegbcom";`
			`roles = ["roles/firebasehosting.admin"];`
			`}];`
			`};`

			`my.servers.clouvider-lon01.appPolicies.gitlab-runner = ''`
			`path "''${vault_gcp_secret_roleset.lukegbcom_deployer.backend}/roleset/''${vault_gcp_secret_roleset.lukegbcom_deployer.roleset}/token" {`
			`capabilities = ["read"]`
			`}`
			`'';`
			`}`