diff --git a/docs/runbooks/first-deploy.md b/docs/runbooks/first-deploy.md
index 778de31..8d914ab 100644
--- a/docs/runbooks/first-deploy.md
+++ b/docs/runbooks/first-deploy.md
@@ -32,6 +32,7 @@ Required in your environment `*.tfvars`:
 Recommended:
 - `database_url_secret_id = "database-url"`
+- `telegram_bot_token_secret_id = "telegram-bot-token"`
 - `openai_api_key_secret_id = "openai-api-key"`
 - optional `supabase_url_secret_id = "supabase-url"`
 - optional `supabase_publishable_key_secret_id = "supabase-publishable-key"`
@@ -141,6 +142,9 @@ For a functional household dev deployment, set `database_url_secret_id = "databa
 without `DATABASE_URL`, and finance commands, reminders, mini app auth/dashboard, and anonymous feedback remain disabled.
+Keep `telegram_bot_token_secret_id = "telegram-bot-token"` aligned with the actual bot token
+secret name. CD uses that secret to sync the Telegram command menu after deploy.
+
 ## Phase 4: Configure GitHub CD
 Populate GitHub repository secrets with the Terraform outputs:
@@ -161,6 +165,9 @@ gh secret set DATABASE_URL
 Set GitHub repository variables if you want to override the defaults used by `.github/workflows/cd.yml`.
+- optional `TELEGRAM_BOT_TOKEN_SECRET_ID`
+ - only needed if your bot token secret name is not `telegram-bot-token`
+
 ## Phase 5: Trigger the First Deployment
 You have two safe options:
diff --git a/docs/runbooks/iac-terraform.md b/docs/runbooks/iac-terraform.md
index b3dfc9d..5d5edf3 100644
--- a/docs/runbooks/iac-terraform.md
+++ b/docs/runbooks/iac-terraform.md
@@ -46,8 +46,12 @@ If you set optional secret IDs such as `database_url_secret_id` or
 For a functional dev bot, set at least:
 - `database_url_secret_id = "database-url"`
+- `telegram_bot_token_secret_id = "telegram-bot-token"`
 - optional `openai_api_key_secret_id = "openai-api-key"`
+If `create_workload_identity = true`, Terraform also grants the GitHub deploy service account
+`secretAccessor` on `telegram_bot_token_secret_id` so CD can sync Telegram commands after deploy.
+
 Keep bot runtime config that is not secret in your `*.tfvars` file:
 - `bot_household_id`
diff --git a/infra/terraform/README.md b/infra/terraform/README.md
index d9ca677..b026de8 100644
--- a/infra/terraform/README.md
+++ b/infra/terraform/README.md
@@ -61,6 +61,9 @@ echo -n "" | gcloud secrets versions add scheduler-shared-secret --data-f
 If you configure optional secret IDs such as `database_url_secret_id` or `openai_api_key_secret_id`, add versions for those secrets as well.
+If GitHub OIDC deploy access is enabled, keep `telegram_bot_token_secret_id` aligned with the
+real bot token secret name so CD can read it and sync Telegram commands automatically.
+
 ## Environments
 Recommended approach:
diff --git a/infra/terraform/main.tf b/infra/terraform/main.tf
index b84b081..0d17699 100644
--- a/infra/terraform/main.tf
+++ b/infra/terraform/main.tf
@@ -64,6 +64,15 @@ resource "google_secret_manager_secret_iam_member" "bot_runtime_access" {
 member = "serviceAccount:${google_service_account.bot_runtime.email}"
 }
+resource "google_secret_manager_secret_iam_member" "github_deployer_bot_token_access" {
+ count = var.create_workload_identity ? 1 : 0
+
+ project = var.project_id
+ secret_id = var.telegram_bot_token_secret_id
+ role = "roles/secretmanager.secretAccessor"
+ member = "serviceAccount:${google_service_account.github_deployer[0].email}"
+}
+
 module "bot_api_service" {
 source = "./modules/cloud_run_service"
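Review bot: Granting `roles/secretmanager.secretAccessor` on the bot token to the GitHub deployer service account in `github_deployer_bot_token_access` widens that identity's reach from "can deploy" to "can read a live credential", and the resource carries no comment saying why that trade-off is acceptable or what bounds it. Any workflow that can assume this identity can read the token, so the grant is only as safe as the workload identity binding (defined outside this hunk, presumably alongside `google_service_account.github_deployer`) is narrow in repository and branch. Add a comment above the resource such as `# Deploy-time read of the bot token so CD can sync the Telegram command menu.` followed by `# This lets the deployer SA read a live credential; keep the WIF binding scoped to the intended repo/branch.` The runbook line added in docs/runbooks/iac-terraform.md states only that the grant happens and would benefit from the same caveat.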
diff --git a/infra/terraform/terraform.tfvars.example b/infra/terraform/terraform.tfvars.example
index 5393cd2..433e6a3 100644
--- a/infra/terraform/terraform.tfvars.example
+++ b/infra/terraform/terraform.tfvars.example
@@ -9,6 +9,7 @@ bot_api_image = "europe-west1-docker.pkg.dev/my-gcp-project/household-bot/bot:
 mini_app_image = "europe-west1-docker.pkg.dev/my-gcp-project/household-bot/miniapp:latest"
 database_url_secret_id = "database-url"
+telegram_bot_token_secret_id = "telegram-bot-token"
 openai_api_key_secret_id = "openai-api-key"
 # supabase_url_secret_id = "supabase-url"
 # supabase_publishable_key_secret_id = "supabase-publishable-key"
diff --git a/package.json b/package.json
index eefe6cd..f248aaf 100644
--- a/package.json
+++ b/package.json
@@ -26,6 +26,8 @@
 "infra:fmt": "terraform -chdir=infra/terraform fmt -recursive",
 "infra:fmt:check": "terraform -chdir=infra/terraform fmt -check -recursive",
 "infra:validate": "terraform -chdir=infra/terraform init -backend=false && terraform -chdir=infra/terraform validate",
+"infra:plan:dev": "terraform -chdir=infra/terraform plan -var-file=dev.tfvars",
+"infra:apply:dev": "terraform -chdir=infra/terraform apply -var-file=dev.tfvars",
 "dev:bot": "bun run --filter @household/bot dev",
 "dev:miniapp": "bun run --filter @household/miniapp dev",
 "docker:build:bot": "docker build -f apps/bot/Dockerfile -t household-bot:local .",
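Review bot: `infra:plan:dev` and `infra:apply:dev` hard-code `-var-file=dev.tfvars`, which with `-chdir=infra/terraform` resolves to `infra/terraform/dev.tfvars`, but none of the documentation touched by this commit names that file — the runbooks speak of your environment `*.tfvars` and the only concrete file is `terraform.tfvars.example`. A sentence in infra/terraform/README.md saying that the dev scripts expect `infra/terraform/dev.tfvars` (presumably created from `terraform.tfvars.example`) would save the first user of these scripts from a missing-file error. Since the apply script is not given `-auto-approve` it stays interactive, which is appropriate for a local helper; noting that in the same sentence makes it clear the script is not meant to be wired into CI unchanged.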