daml/infra/binaries.tf

# Copyright (c) 2020 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

resource "google_storage_bucket" "binaries" {
  project = "${local.project}"
  name    = "daml-binaries"
  labels  = "${local.labels}"

  # SLA is enough for a cache and is cheaper than MULTI_REGIONAL
  # see https://cloud.google.com/storage/docs/storage-classes
  storage_class = "REGIONAL"

  # Use a normal region since the storage_class is regional
  location = "${local.region}"
}

resource "google_storage_bucket_acl" "binaries" {
  bucket      = "${google_storage_bucket.binaries.name}"
  default_acl = "publicread"
  role_entity = [
    "OWNER:project-owners-${data.google_project.current.number}",
    "OWNER:project-editors-${data.google_project.current.number}",
    "READER:project-viewers-${data.google_project.current.number}",
    "READER:allUsers",
  ]
}

// allow rw access for CI writer (see writer.tf)
resource "google_storage_bucket_iam_member" "binaries-ci-rw" {
  bucket = "${google_storage_bucket.binaries.name}"

  # https://cloud.google.com/storage/docs/access-control/iam-roles
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.writer.email}"
}


output binaries_ip {
  description = "The external IP assigned to the global fowarding rule."
  value       = "${google_compute_global_address.binaries.address}"
}

resource "google_compute_backend_bucket" "binaries" {
  project     = "${local.project}"
  name        = "binaries-backend"
  bucket_name = "${google_storage_bucket.binaries.name}"
  enable_cdn  = true
}

resource "google_compute_global_address" "binaries" {
  project    = "${local.project}"
  name       = "binaries-address"
  ip_version = "IPV4"
}

resource "google_compute_url_map" "binaries" {
  project         = "${local.project}"
  name            = "binaries"
  default_service = "${google_compute_backend_bucket.binaries.self_link}"
}

resource "google_compute_target_http_proxy" "binaries" {
  project = "${local.project}"
  name    = "binaries-http-proxy"
  url_map = "${google_compute_url_map.binaries.self_link}"
}

resource "google_compute_global_forwarding_rule" "binaries-http" {
  project    = "${local.project}"
  name       = "binaries-http"
  target     = "${google_compute_target_http_proxy.binaries.self_link}"
  ip_address = "${google_compute_global_address.binaries.address}"
  port_range = "80"
  depends_on = ["google_compute_global_address.binaries"]
}

resource "google_compute_target_https_proxy" "binaries" {
  project          = "${local.project}"
  name             = "binaries-https-proxy"
  url_map          = "${google_compute_url_map.binaries.self_link}"
  ssl_certificates = ["${local.ssl_certificate}"]
}

resource "google_compute_global_forwarding_rule" "https" {
  project    = "${local.project}"
  name       = "binaries-https"
  target     = "${google_compute_target_https_proxy.binaries.self_link}"
  ip_address = "${google_compute_global_address.binaries.address}"
  port_range = "443"
  depends_on = ["google_compute_global_address.binaries"]
}