From da6bdc381352c17630c633532d97ea57e530d29f Mon Sep 17 00:00:00 2001
From: whekin
Date: Mon, 16 Mar 2026 05:31:38 +0400
Subject: [PATCH] fix(infra): grant GitHub deployer access to webhook secrets

---
 infra/terraform/main.tf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/infra/terraform/main.tf b/infra/terraform/main.tf
index 94b023f..3b7f557 100644
--- a/infra/terraform/main.tf
+++ b/infra/terraform/main.tf
@@ -97,6 +97,24 @@ resource "google_secret_manager_secret_iam_member" "github_deployer_bot_token_ac
 member = "serviceAccount:${google_service_account.github_deployer[0].email}"
 }
 
+resource "google_secret_manager_secret_iam_member" "github_deployer_webhook_secret_access" {
+ count = var.create_workload_identity ? 1 : 0
+
+ project = var.project_id
+ secret_id = var.telegram_webhook_secret_id
+ role = "roles/secretmanager.secretAccessor"
+ member = "serviceAccount:${google_service_account.github_deployer[0].email}"
+}
+
+resource "google_secret_manager_secret_iam_member" "github_deployer_webhook_secret_test_access" {
+ count = var.create_workload_identity ? 1 : 0
+
+ project = var.project_id
+ secret_id = "${var.telegram_webhook_secret_id}-test"
+ role = "roles/secretmanager.secretAccessor"
+ member = "serviceAccount:${google_service_account.github_deployer[0].email}"
+}
+
 module "bot_api_service" {
 source = "./modules/cloud_run_service"