move SQL for rekor indices into rekor module, add cloud sql iam user

terraform/gcp/modules/mysql/mysql.tf

@@ -190,14 +190,6 @@ resource "google_sql_database" "trillian" {
   depends_on = [google_sql_database_instance.sigstore]
 }
 
-resource "google_sql_database" "searchindexes" {
-  name       = var.index_db_name
-  project    = var.project_id
-  instance   = google_sql_database_instance.sigstore.name
-  collation  = var.collation
-  depends_on = [google_sql_database_instance.sigstore]
-}
-
 resource "google_sql_user" "trillian" {
   name       = "trillian"
   project    = var.project_id

terraform/gcp/modules/rekor/rekor.tf

@@ -20,6 +20,7 @@ resource "google_project_service" "service" {
     "dns.googleapis.com",      // For configuring DNS records
     "storage.googleapis.com",  // For GCS bucket. roles/storage.admin
     "cloudkms.googleapis.com", // For KMS keyring and crypto key. roles/cloudkms.admin
+    "sqladmin.googleapis.com", // For Cloud SQL. roles/cloudsql.admin
   ])
   project = var.project_id
   service = each.key

terraform/gcp/modules/rekor/service_accounts.tf

@@ -56,13 +56,6 @@ resource "google_service_account_iam_member" "gke_sa_iam_member_rekor_server" {
   depends_on         = [google_service_account.rekor-sa]
 }
 
-resource "google_project_iam_member" "db_admin_member_rekor" {
-  project    = var.project_id
-  role       = "roles/cloudsql.client"
-  member     = "serviceAccount:${google_service_account.rekor-sa.email}"
-  depends_on = [google_service_account.rekor-sa]
-}
-
 resource "google_project_iam_member" "logserver_iam" {
   # // Give rekor permission to export metrics to Stackdriver
   for_each = toset([

terraform/gcp/modules/rekor/sql.tf

@@ -0,0 +1,43 @@
+/**
+ * Copyright 2024 The Sigstore Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_sql_database" "searchindexes" {
+  name      = "searchindexes"
+  project   = var.project_id
+  instance  = var.index_database_instance_name
+  collation = "utf8mb3_general_ci"
+}
+
+// be sure to manually GRANT SELECT, INSERT, CREATE privileges for this user
+resource "google_sql_user" "iam_user" {
+  name     = google_service_account.rekor-sa.email
+  instance = var.index_database_instance_name
+  type     = "CLOUD_IAM_SERVICE_ACCOUNT"
+}
+
+resource "google_project_iam_member" "db_admin_member_rekor" {
+  project    = var.project_id
+  role       = "roles/cloudsql.client"
+  member     = "serviceAccount:${google_service_account.rekor-sa.email}"
+  depends_on = [google_service_account.rekor-sa]
+}
+
+resource "google_project_iam_member" "db_iam_auth" {
+  project    = var.project_id
+  role       = "roles/cloudsql.instanceUser"
+  member     = "serviceAccount:${google_service_account.rekor-sa.email}"
+  depends_on = [google_service_account.rekor-sa]
+}

terraform/gcp/modules/rekor/variables.tf

@@ -116,3 +116,8 @@ variable "new_entry_pubsub_consumers" {
   type        = list(string)
   default     = []
 }
+
+variable "index_database_instance_name" {
+  description = "name of SQL database instance used to store index lookups"
+  type        = string
+}

terraform/gcp/modules/sigstore/sigstore.tf

@@ -200,6 +200,10 @@ module "mysql" {
   ]
 }
 
+moved {
+  from = module.mysql.google_sql_database.searchindexes
+  to   = module.rekor.google_sql_database.searchindexes
+}
 
 // Rekor
 module "rekor" {
@@ -231,6 +235,8 @@ module "rekor" {
 
   redis_cluster_memory_size_gb = var.redis_cluster_memory_size_gb
 
+  index_database_instance_name = module.mysql.mysql_instance
+
   depends_on = [
     module.network,
     module.gke-cluster,