daml/infra/data_bucket.tf

# Copyright (c) 2021 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

resource "google_storage_bucket" "data" {
  project = local.project
  name    = "daml-data"
  labels  = local.labels

  # SLA is enough for a cache and is cheaper than MULTI_REGIONAL
  # see https://cloud.google.com/storage/docs/storage-classes
  storage_class = "REGIONAL"

  # Use a normal region since the storage_class is regional
  location = local.region

  versioning {
    enabled = true
  }
}

resource "google_storage_bucket_acl" "data" {
  bucket = google_storage_bucket.data.name

  role_entity = [
    "OWNER:project-owners-${data.google_project.current.number}",
    "OWNER:project-editors-${data.google_project.current.number}",
    "READER:project-viewers-${data.google_project.current.number}",
  ]
}

// allow rw access for CI writer (see writer.tf)
resource "google_storage_bucket_iam_member" "data_create" {
  bucket = google_storage_bucket.data.name

  # https://cloud.google.com/storage/docs/access-control/iam-roles
  role   = "roles/storage.objectCreator"
  member = "serviceAccount:${google_service_account.writer.email}"
}

resource "google_storage_bucket_iam_member" "data_read" {
  bucket = google_storage_bucket.data.name

  # https://cloud.google.com/storage/docs/access-control/iam-roles
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.writer.email}"
}

// allow read access for appr team, as requested by Moritz
locals {
  appr_team = [
    "user:akshay.shirahatti@digitalasset.com",
    "user:andreas.herrmann@digitalasset.com",
    "user:gary.verhaegen@digitalasset.com",
    "user:moritz.kiefer@digitalasset.com",
    "user:stefano.baghino@digitalasset.com",
    "user:stephen.compall@digitalasset.com",
    "user:victor.mueller@digitalasset.com",
  ]
}

resource "google_storage_bucket_iam_member" "appr" {
  for_each = toset(local.appr_team)
  bucket   = google_storage_bucket.data.name
  role     = "roles/storage.objectViewer"
  member   = each.key
}
update copyright notices for 2021 (#8257) * update copyright notices for 2021 To be merged on 2021-01-01. CHANGELOG_BEGIN CHANGELOG_END * patch-bazel-windows & da-ghc-lib 2021-01-01 21:49:51 +03:00			`# Copyright (c) 2021 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.`
collect historical download data (#2003) 2019-07-04 14:23:51 +03:00			`# SPDX-License-Identifier: Apache-2.0`

			`resource "google_storage_bucket" "data" {`
update Terraform files to match reality (#8780) * fixup terraform config Two changes have happened recently that have invalidated the current Terraform files: 1. The Terraform version has gone through a major, incompatible upgrade (#8190); the required updates for this are reflected in the first commit of this PR. 2. The certificate used to serve [Hoogle](https://hoogle.daml.com) was about to expire, so Edward created a new one and updated the config directly. The second commit in this PR updates the Terraform config to match that new, already-in-prod setting. Note: This PR applies cleanly, as there are no resulting changes in Terraform's perception of the target state from 1, and the change from 2 has already been applied through other channels. CHANGELOG_BEGIN CHANGELOG_END * update hoogle cert 2021-02-08 20:25:04 +03:00			`project = local.project`
collect historical download data (#2003) 2019-07-04 14:23:51 +03:00			`name = "daml-data"`
update Terraform files to match reality (#8780) * fixup terraform config Two changes have happened recently that have invalidated the current Terraform files: 1. The Terraform version has gone through a major, incompatible upgrade (#8190); the required updates for this are reflected in the first commit of this PR. 2. The certificate used to serve [Hoogle](https://hoogle.daml.com) was about to expire, so Edward created a new one and updated the config directly. The second commit in this PR updates the Terraform config to match that new, already-in-prod setting. Note: This PR applies cleanly, as there are no resulting changes in Terraform's perception of the target state from 1, and the change from 2 has already been applied through other channels. CHANGELOG_BEGIN CHANGELOG_END * update hoogle cert 2021-02-08 20:25:04 +03:00			`labels = local.labels`
collect historical download data (#2003) 2019-07-04 14:23:51 +03:00
			`# SLA is enough for a cache and is cheaper than MULTI_REGIONAL`
			`# see https://cloud.google.com/storage/docs/storage-classes`
			`storage_class = "REGIONAL"`

			`# Use a normal region since the storage_class is regional`
update Terraform files to match reality (#8780) * fixup terraform config Two changes have happened recently that have invalidated the current Terraform files: 1. The Terraform version has gone through a major, incompatible upgrade (#8190); the required updates for this are reflected in the first commit of this PR. 2. The certificate used to serve [Hoogle](https://hoogle.daml.com) was about to expire, so Edward created a new one and updated the config directly. The second commit in this PR updates the Terraform config to match that new, already-in-prod setting. Note: This PR applies cleanly, as there are no resulting changes in Terraform's perception of the target state from 1, and the change from 2 has already been applied through other channels. CHANGELOG_BEGIN CHANGELOG_END * update hoogle cert 2021-02-08 20:25:04 +03:00			`location = local.region`
protect GCS bucket items (#7439) Yesterday, a certificate expiration triggered the `patch_bazel_windows` job to run when it shouldn't, and it overrode an artifact we depend on. This was build from the same sources, but the build is not reproducible so we ended up with a hash mismatch. As far as I know, there is no good reason for CI to ever delete or overwrite anything from our GCS buckets, so I'm removing its rights to do so. As an added safety measure, this PR also enables versioning on all non-cache buckets (GCS does not support versioning on buckets with an expiration policy). CHANGELOG_BEGIN CHANGELOG_END 2020-09-18 16:59:23 +03:00
			`versioning {`
			`enabled = true`
			`}`
collect historical download data (#2003) 2019-07-04 14:23:51 +03:00			`}`

			`resource "google_storage_bucket_acl" "data" {`
update Terraform files to match reality (#8780) * fixup terraform config Two changes have happened recently that have invalidated the current Terraform files: 1. The Terraform version has gone through a major, incompatible upgrade (#8190); the required updates for this are reflected in the first commit of this PR. 2. The certificate used to serve [Hoogle](https://hoogle.daml.com) was about to expire, so Edward created a new one and updated the config directly. The second commit in this PR updates the Terraform config to match that new, already-in-prod setting. Note: This PR applies cleanly, as there are no resulting changes in Terraform's perception of the target state from 1, and the change from 2 has already been applied through other channels. CHANGELOG_BEGIN CHANGELOG_END * update hoogle cert 2021-02-08 20:25:04 +03:00			`bucket = google_storage_bucket.data.name`
collect historical download data (#2003) 2019-07-04 14:23:51 +03:00
			`role_entity = [`
			`"OWNER:project-owners-${data.google_project.current.number}",`
			`"OWNER:project-editors-${data.google_project.current.number}",`
			`"READER:project-viewers-${data.google_project.current.number}",`
			`]`
			`}`

			`// allow rw access for CI writer (see writer.tf)`
protect GCS bucket items (#7439) Yesterday, a certificate expiration triggered the `patch_bazel_windows` job to run when it shouldn't, and it overrode an artifact we depend on. This was build from the same sources, but the build is not reproducible so we ended up with a hash mismatch. As far as I know, there is no good reason for CI to ever delete or overwrite anything from our GCS buckets, so I'm removing its rights to do so. As an added safety measure, this PR also enables versioning on all non-cache buckets (GCS does not support versioning on buckets with an expiration policy). CHANGELOG_BEGIN CHANGELOG_END 2020-09-18 16:59:23 +03:00			`resource "google_storage_bucket_iam_member" "data_create" {`
update Terraform files to match reality (#8780) * fixup terraform config Two changes have happened recently that have invalidated the current Terraform files: 1. The Terraform version has gone through a major, incompatible upgrade (#8190); the required updates for this are reflected in the first commit of this PR. 2. The certificate used to serve [Hoogle](https://hoogle.daml.com) was about to expire, so Edward created a new one and updated the config directly. The second commit in this PR updates the Terraform config to match that new, already-in-prod setting. Note: This PR applies cleanly, as there are no resulting changes in Terraform's perception of the target state from 1, and the change from 2 has already been applied through other channels. CHANGELOG_BEGIN CHANGELOG_END * update hoogle cert 2021-02-08 20:25:04 +03:00			`bucket = google_storage_bucket.data.name`
collect historical download data (#2003) 2019-07-04 14:23:51 +03:00
			`# https://cloud.google.com/storage/docs/access-control/iam-roles`
protect GCS bucket items (#7439) Yesterday, a certificate expiration triggered the `patch_bazel_windows` job to run when it shouldn't, and it overrode an artifact we depend on. This was build from the same sources, but the build is not reproducible so we ended up with a hash mismatch. As far as I know, there is no good reason for CI to ever delete or overwrite anything from our GCS buckets, so I'm removing its rights to do so. As an added safety measure, this PR also enables versioning on all non-cache buckets (GCS does not support versioning on buckets with an expiration policy). CHANGELOG_BEGIN CHANGELOG_END 2020-09-18 16:59:23 +03:00			`role = "roles/storage.objectCreator"`
			`member = "serviceAccount:${google_service_account.writer.email}"`
			`}`
add Stefano to appr (#8663) CHANGELOG_BEGIN CHANGELOG_END 2021-01-28 14:11:08 +03:00
protect GCS bucket items (#7439) Yesterday, a certificate expiration triggered the `patch_bazel_windows` job to run when it shouldn't, and it overrode an artifact we depend on. This was build from the same sources, but the build is not reproducible so we ended up with a hash mismatch. As far as I know, there is no good reason for CI to ever delete or overwrite anything from our GCS buckets, so I'm removing its rights to do so. As an added safety measure, this PR also enables versioning on all non-cache buckets (GCS does not support versioning on buckets with an expiration policy). CHANGELOG_BEGIN CHANGELOG_END 2020-09-18 16:59:23 +03:00			`resource "google_storage_bucket_iam_member" "data_read" {`
update Terraform files to match reality (#8780) * fixup terraform config Two changes have happened recently that have invalidated the current Terraform files: 1. The Terraform version has gone through a major, incompatible upgrade (#8190); the required updates for this are reflected in the first commit of this PR. 2. The certificate used to serve [Hoogle](https://hoogle.daml.com) was about to expire, so Edward created a new one and updated the config directly. The second commit in this PR updates the Terraform config to match that new, already-in-prod setting. Note: This PR applies cleanly, as there are no resulting changes in Terraform's perception of the target state from 1, and the change from 2 has already been applied through other channels. CHANGELOG_BEGIN CHANGELOG_END * update hoogle cert 2021-02-08 20:25:04 +03:00			`bucket = google_storage_bucket.data.name`
protect GCS bucket items (#7439) Yesterday, a certificate expiration triggered the `patch_bazel_windows` job to run when it shouldn't, and it overrode an artifact we depend on. This was build from the same sources, but the build is not reproducible so we ended up with a hash mismatch. As far as I know, there is no good reason for CI to ever delete or overwrite anything from our GCS buckets, so I'm removing its rights to do so. As an added safety measure, this PR also enables versioning on all non-cache buckets (GCS does not support versioning on buckets with an expiration policy). CHANGELOG_BEGIN CHANGELOG_END 2020-09-18 16:59:23 +03:00
			`# https://cloud.google.com/storage/docs/access-control/iam-roles`
			`role = "roles/storage.objectViewer"`
collect historical download data (#2003) 2019-07-04 14:23:51 +03:00			`member = "serviceAccount:${google_service_account.writer.email}"`
			`}`
read access to data bucket for appr members (#7422) We've been saving data there but not doing anything with it. Ideally this data would be used by some sort of automated process, but in the meantime (or while developing said processes), having at least some people with read access can help. This is a Standard Change requested by @cocreature. CHANGELOG_BEGIN CHANGELOG_END 2020-09-16 19:25:23 +03:00
			`// allow read access for appr team, as requested by Moritz`
tf: refactor appr var (#10232) Two changes at the Terraform level, both with no impact on the actual GCP state: - There is no reason to make this value a `variable`: variables in Terraforma are meant to be supplied at the CLI. `local` is the right abstraction here (i.e. set in the file directly). - Using an unordered `for_each` set rather than a list so we don't have positional identity, meaning when adding someone at the top we don't need to destroy and recreate everyone else. CHANGELOG_BEGIN CHANGELOG_END 2021-07-09 14:41:46 +03:00			`locals {`
			`appr_team = [`
add akshay to appr team (#10229) CHANGELOG_BEGIN CHANGELOG_END 2021-07-09 13:55:16 +03:00			`"user:akshay.shirahatti@digitalasset.com",`
read access to data bucket for appr members (#7422) We've been saving data there but not doing anything with it. Ideally this data would be used by some sort of automated process, but in the meantime (or while developing said processes), having at least some people with read access can help. This is a Standard Change requested by @cocreature. CHANGELOG_BEGIN CHANGELOG_END 2020-09-16 19:25:23 +03:00			`"user:andreas.herrmann@digitalasset.com",`
			`"user:gary.verhaegen@digitalasset.com",`
			`"user:moritz.kiefer@digitalasset.com",`
add Stefano to appr (#8663) CHANGELOG_BEGIN CHANGELOG_END 2021-01-28 14:11:08 +03:00			`"user:stefano.baghino@digitalasset.com",`
read access to data bucket for appr members (#7422) We've been saving data there but not doing anything with it. Ideally this data would be used by some sort of automated process, but in the meantime (or while developing said processes), having at least some people with read access can help. This is a Standard Change requested by @cocreature. CHANGELOG_BEGIN CHANGELOG_END 2020-09-16 19:25:23 +03:00			`"user:stephen.compall@digitalasset.com",`
add Victor to app-runtime (#9556) CHANGELOG_BEGIN CHANGELOG_END 2021-05-04 14:35:28 +03:00			`"user:victor.mueller@digitalasset.com",`
read access to data bucket for appr members (#7422) We've been saving data there but not doing anything with it. Ideally this data would be used by some sort of automated process, but in the meantime (or while developing said processes), having at least some people with read access can help. This is a Standard Change requested by @cocreature. CHANGELOG_BEGIN CHANGELOG_END 2020-09-16 19:25:23 +03:00			`]`
			`}`
add Stefano to appr (#8663) CHANGELOG_BEGIN CHANGELOG_END 2021-01-28 14:11:08 +03:00
read access to data bucket for appr members (#7422) We've been saving data there but not doing anything with it. Ideally this data would be used by some sort of automated process, but in the meantime (or while developing said processes), having at least some people with read access can help. This is a Standard Change requested by @cocreature. CHANGELOG_BEGIN CHANGELOG_END 2020-09-16 19:25:23 +03:00			`resource "google_storage_bucket_iam_member" "appr" {`
tf: refactor appr var (#10232) Two changes at the Terraform level, both with no impact on the actual GCP state: - There is no reason to make this value a `variable`: variables in Terraforma are meant to be supplied at the CLI. `local` is the right abstraction here (i.e. set in the file directly). - Using an unordered `for_each` set rather than a list so we don't have positional identity, meaning when adding someone at the top we don't need to destroy and recreate everyone else. CHANGELOG_BEGIN CHANGELOG_END 2021-07-09 14:41:46 +03:00			`for_each = toset(local.appr_team)`
			`bucket = google_storage_bucket.data.name`
			`role = "roles/storage.objectViewer"`
			`member = each.key`
read access to data bucket for appr members (#7422) We've been saving data there but not doing anything with it. Ideally this data would be used by some sort of automated process, but in the meantime (or while developing said processes), having at least some people with read access can help. This is a Standard Change requested by @cocreature. CHANGELOG_BEGIN CHANGELOG_END 2020-09-16 19:25:23 +03:00			`}`