Drop service accounts from witness terraform

deployment/live/witness/dev/terragrunt.hcl

@@ -6,8 +6,11 @@ include "root" {
 inputs = merge(
   include.root.locals,
   {
-    witness_docker_image = "us-central1-docker.pkg.dev/checkpoint-distributor/distributor-docker-dev/witness:latest"
     public_witness_config_urls = ["https://raw.githubusercontent.com/transparency-dev/witness-network/refs/heads/main/lists/testing/log-list.1"]
+    witness_docker_image       = "us-central1-docker.pkg.dev/checkpoint-distributor/distributor-docker-dev/witness:latest"
+    witness_secret_name        = "witness_secret_dev"
+    witness_service_account    = "cloudrun-witness-dev-sa@checkpoint-distributor.iam.gserviceaccount.com"
+
     ephemeral = true
   }
 )

deployment/modules/cloudbuild/main.tf

@@ -29,10 +29,10 @@ resource "google_artifact_registry_repository" "distributor_docker" {
 }
 
 locals {
-  artifact_repo = "${var.region}-docker.pkg.dev/${var.project_id}/${google_artifact_registry_repository.distributor_docker.name}"
-  distributor_docker_image  = "${local.artifact_repo}/distributor"
-  witness_docker_image  = "${local.artifact_repo}/witness"
-  feeder_docker_image  = "${local.artifact_repo}/feeder"
+  artifact_repo            = "${var.region}-docker.pkg.dev/${var.project_id}/${google_artifact_registry_repository.distributor_docker.name}"
+  distributor_docker_image = "${local.artifact_repo}/distributor"
+  witness_docker_image     = "${local.artifact_repo}/witness"
+  feeder_docker_image      = "${local.artifact_repo}/feeder"
 }
 
 resource "google_cloudbuild_trigger" "distributor_docker" {

deployment/modules/witness/main.tf

@@ -57,11 +57,12 @@ resource "google_project_service" "cloudrun_api" {
 }
 
 data "google_secret_manager_secret" "witness_secret" {
-  secret_id = "witness_secret_${var.env}"
+  secret_id = var.witness_secret_name
 }
 
 data "google_secret_manager_secret_version" "witness_secret_data" {
-  secret = data.google_secret_manager_secret.witness_secret.id
+  secret  = data.google_secret_manager_secret.witness_secret.id
+  version = 1
 }
 
 # Update service accounts to allow secret access
@@ -105,36 +106,6 @@ locals {
 ###
 ### Set up Cloud Run service
 ###
-resource "google_service_account" "cloudrun_service_account" {
-  account_id   = "cloudrun-witness-${var.env}-sa"
-  display_name = "Service Account for Witness Cloud Run (${var.env})"
-}
-
-resource "google_project_iam_member" "iam_act_as" {
-  project = var.project_id
-  role    = "roles/iam.serviceAccountUser"
-  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-resource "google_project_iam_member" "iam_metrics_writer" {
-  project = var.project_id
-  role    = "roles/monitoring.metricWriter"
-  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-resource "google_project_iam_member" "iam_spanner_client" {
-  project = var.project_id
-  role    = "roles/spanner.databaseUser"
-  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-resource "google_project_iam_member" "iam_service_agent" {
-  project = var.project_id
-  role    = "roles/run.serviceAgent"
-  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
-resource "google_project_iam_member" "iam_secret_accessor" {
-  project = var.project_id
-  role    = "roles/secretmanager.secretAccessor"
-  member  = "serviceAccount:${google_service_account.cloudrun_service_account.email}"
-}
 
 locals {
   public_witness_config_args = formatlist("--public_witness_config_url=%s", var.public_witness_config_urls)
@@ -147,7 +118,16 @@ resource "google_cloud_run_v2_service" "default" {
 
 
   template {
-    service_account = google_service_account.cloudrun_service_account.email
+    ## This Service account will be used for running the Cloud Run service which hosts the witness.
+    ## 
+    ## The service account provided here must be a member of the following roles in order to function properly:
+    ##   "roles/iam.serviceAccountUser"
+    ##   "roles/monitoring.metricWriter"
+    ##   "roles/spanner.databaseUser"
+    ##   "roles/run.serviceAgent"
+    ##   "roles/secretmanager.secretAccessor"
+    service_account = var.witness_service_account
+
     scaling {
       min_instance_count = 1
       max_instance_count = 3
@@ -162,9 +142,9 @@ resource "google_cloud_run_v2_service" "default" {
         "--listen=:8080",
         "--spanner=${local.spanner_db_full}",
         "--signer_private_key_secret_name=${data.google_secret_manager_secret_version.witness_secret_data.name}"
-        ], 
-        local.public_witness_config_args, 
-        var.extra_args)
+        ],
+        local.public_witness_config_args,
+      var.extra_args)
       ports {
         container_port = 8080
       }
@@ -190,11 +170,6 @@ resource "google_cloud_run_v2_service" "default" {
     google_project_service.secretmanager_api,
     google_project_service.cloudrun_api,
     google_project_service.spanner_api,
-    google_project_iam_member.iam_act_as,
-    google_project_iam_member.iam_metrics_writer,
-    google_project_iam_member.iam_spanner_client,
-    google_project_iam_member.iam_service_agent,
-    google_project_iam_member.iam_secret_accessor,
   ]
 
   deletion_protection = !var.ephemeral

deployment/modules/witness/variables.tf

@@ -51,3 +51,13 @@ variable "public_witness_config_urls" {
   type        = list(string)
   default     = []
 }
+
+variable "witness_service_account" {
+  description = "Service account identifier to use when running the witness. Should be in email form: 'email@address'. This service will need to be a member of several IAM roles - see the main.tf for details."
+  type        = string
+}
+
+variable "witness_secret_name" {
+  description = "Secret manager secret name containing the note-formatted key to use for signing checkpoints."
+  type        = string
+}