feat: Add secret manager import handling to GitHub Actions and PowerShell script

JeanFraga · JeanFraga · commit 48858c091a5c · 2025-05-26T10:57:12.000-04:00
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -48,6 +48,26 @@ jobs:
         run: terraform validate -no-color
         working-directory: ./terraform
 
+      - name: 'Handle Existing Secret Manager Resources'
+        id: import_secrets
+        run: |
+          # Check if the secret exists and try to import it if needed
+          if gcloud secrets describe gemini-api-key --project=${{ secrets.GCP_PROJECT_ID }} >/dev/null 2>&1; then
+            echo "Secret gemini-api-key already exists, attempting to import..."
+            terraform import google_secret_manager_secret.gemini_api_key projects/${{ secrets.GCP_PROJECT_ID }}/secrets/gemini-api-key || echo "Import failed or resource already in state"
+            
+            # Try to import the secret version if it exists
+            VERSION_ID=$(gcloud secrets versions list gemini-api-key --project=${{ secrets.GCP_PROJECT_ID }} --limit=1 --format="value(name)" 2>/dev/null || echo "")
+            if [ ! -z "$VERSION_ID" ]; then
+              echo "Attempting to import secret version..."
+              terraform import google_secret_manager_secret_version.gemini_api_key_version projects/${{ secrets.GCP_PROJECT_ID }}/secrets/gemini-api-key/versions/$VERSION_ID || echo "Version import failed or already in state"
+            fi
+          else
+            echo "Secret gemini-api-key does not exist, will be created by Terraform"
+          fi
+        working-directory: ./terraform
+        continue-on-error: true
+
       - name: 'Terraform Plan'
         id: plan
         run: terraform plan -no-color -input=false -out=tfplan
diff --git a/scripts/handle-secret-import.ps1 b/scripts/handle-secret-import.ps1
@@ -0,0 +1,64 @@
+# PowerShell script to handle Secret Manager import for local development
+# This script mirrors the logic in the GitHub Actions workflow
+
+param(
+    [Parameter(Mandatory=$true)]
+    [string]$ProjectId
+)
+
+Write-Host "Checking for existing Secret Manager resources..." -ForegroundColor Green
+
+# Change to terraform directory
+Set-Location "h:\My Drive\Github\Agentic Data Science\terraform"
+
+try {
+    # Check if the secret exists
+    $secretExists = $false
+    try {
+        gcloud secrets describe gemini-api-key --project=$ProjectId 2>$null
+        if ($LASTEXITCODE -eq 0) {
+            $secretExists = $true
+            Write-Host "Secret 'gemini-api-key' already exists" -ForegroundColor Yellow
+        }
+    }
+    catch {
+        Write-Host "Secret 'gemini-api-key' does not exist" -ForegroundColor Green
+    }
+
+    if ($secretExists) {
+        Write-Host "Attempting to import existing secret..." -ForegroundColor Yellow
+        
+        # Try to import the secret
+        try {
+            terraform import google_secret_manager_secret.gemini_api_key "projects/$ProjectId/secrets/gemini-api-key"
+            Write-Host "Successfully imported secret" -ForegroundColor Green
+        }
+        catch {
+            Write-Host "Secret import failed or resource already in state: $($_.Exception.Message)" -ForegroundColor Yellow
+        }
+
+        # Try to import the secret version
+        try {
+            $versionId = gcloud secrets versions list gemini-api-key --project=$ProjectId --limit=1 --format="value(name)" 2>$null
+            if ($versionId -and $LASTEXITCODE -eq 0) {
+                Write-Host "Attempting to import secret version: $versionId" -ForegroundColor Yellow
+                terraform import google_secret_manager_secret_version.gemini_api_key_version "projects/$ProjectId/secrets/gemini-api-key/versions/$versionId"
+                Write-Host "Successfully imported secret version" -ForegroundColor Green
+            }
+        }
+        catch {
+            Write-Host "Secret version import failed or already in state: $($_.Exception.Message)" -ForegroundColor Yellow
+        }
+    } else {
+        Write-Host "Secret does not exist - Terraform will create it" -ForegroundColor Green
+    }
+
+    Write-Host "`nRunning Terraform plan to check configuration..." -ForegroundColor Green
+    terraform plan -no-color
+
+} catch {
+    Write-Error "Error occurred: $($_.Exception.Message)"
+    exit 1
+}
+
+Write-Host "`nSecret Manager import process completed!" -ForegroundColor Green
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -193,7 +193,10 @@ resource "google_secret_manager_secret" "gemini_api_key" {
     auto {}
   }
   
-  depends_on = [google_project_service.required_apis]
+  depends_on = [
+    google_project_service.required_apis,
+    google_project_iam_member.github_actions_roles
+  ]
 }
 
 # Secret version for Gemini API key

Original file line number	Diff line number	Diff line change
`@@ -193,7 +193,10 @@ resource "google_secret_manager_secret" "gemini_api_key" {`
`193`	`193`	`auto {}`
`194`	`194`	`}`
`195`	`195`
`196`		`- depends_on = [google_project_service.required_apis]`
	`196`	`+ depends_on = [`
	`197`	`+ google_project_service.required_apis,`
	`198`	`+ google_project_iam_member.github_actions_roles`
	`199`	`+ ]`
`197`	`200`	`}`
`198`	`201`
`199`	`202`	`# Secret version for Gemini API key`