fix(infra): grant GitHub deployer access to webhook secrets

infra/terraform/main.tf

@@ -97,6 +97,24 @@ resource "google_secret_manager_secret_iam_member" "github_deployer_bot_token_ac
   member    = "serviceAccount:${google_service_account.github_deployer[0].email}"
 }
 
+resource "google_secret_manager_secret_iam_member" "github_deployer_webhook_secret_access" {
+  count = var.create_workload_identity ? 1 : 0
+
+  project   = var.project_id
+  secret_id = var.telegram_webhook_secret_id
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.github_deployer[0].email}"
+}
+
+resource "google_secret_manager_secret_iam_member" "github_deployer_webhook_secret_test_access" {
+  count = var.create_workload_identity ? 1 : 0
+
+  project   = var.project_id
+  secret_id = "${var.telegram_webhook_secret_id}-test"
+  role      = "roles/secretmanager.secretAccessor"
+  member    = "serviceAccount:${google_service_account.github_deployer[0].email}"
+}
+
 module "bot_api_service" {
   source = "./modules/cloud_run_service"