daml/infra/data_bucket.tf

# Copyright (c) 2022 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
# The shared "daml-data" bucket. It serves as a cache (see the IAM grants
# below for who reads/writes it), so durability beyond a single region is
# not required.
resource "google_storage_bucket" "data" {
  name    = "daml-data"
  project = local.project
  labels  = local.labels

  # REGIONAL is cheaper than MULTI_REGIONAL and its SLA is sufficient for a
  # cache (https://cloud.google.com/storage/docs/storage-classes). A regional
  # storage class needs a plain region, not a multi-region, as location.
  location      = local.region
  storage_class = "REGIONAL"

  # Keep previous object versions. Nothing in this block prunes old
  # versions, so they accumulate until removed explicitly.
  versioning {
    enabled = true
  }

  # NOTE(review): access is a mix of a legacy bucket ACL
  # (google_storage_bucket_acl.data) and bucket-level IAM members, which is
  # why uniform_bucket_level_access is not enabled here; turning it on would
  # require dropping the ACL resource first.
}
# Legacy (pre-IAM) bucket ACL mirroring the project's primitive roles:
# project owners and editors get OWNER on the bucket, viewers get READER.
# NOTE(review): this is evaluated alongside the IAM grants below, so project
# editors can delete/overwrite objects regardless of the narrower IAM roles;
# remove this resource before enabling uniform_bucket_level_access.
resource "google_storage_bucket_acl" "data" {
  bucket = google_storage_bucket.data.name

  # Order is preserved: OWNER for owners, OWNER for editors, READER for viewers.
  role_entity = [
    for entry in [["OWNER", "owners"], ["OWNER", "editors"], ["READER", "viewers"]] :
    "${entry[0]}:project-${entry[1]}-${data.google_project.current.number}"
  ]
}
# CI writer service account (declared in writer.tf): allowed to add objects
# to the bucket. objectCreator is deliberately narrower than objectAdmin —
# it carries no delete permission
# (https://cloud.google.com/storage/docs/access-control/iam-roles).
# NOTE(review): GCS requires objects.delete to overwrite an existing object
# name, so with this role alone a re-upload of the same key is expected to be
# rejected — confirm that matches how CI uses the cache.
resource "google_storage_bucket_iam_member" "data_create" {
  member = "serviceAccount:${google_service_account.writer.email}"
  role   = "roles/storage.objectCreator"
  bucket = google_storage_bucket.data.name
}
# The same CI writer account may also read objects back from the bucket
# (https://cloud.google.com/storage/docs/access-control/iam-roles).
# Together with data_create this gives read + create, still no delete.
resource "google_storage_bucket_iam_member" "data_read" {
  member = "serviceAccount:${google_service_account.writer.email}"
  role   = "roles/storage.objectViewer"
  bucket = google_storage_bucket.data.name
}
// allow read access for appr team, as requested by Moritz
//
// Individual user principals that get read-only access to the bucket via
// the "appr" resource below. Membership is a hard-coded list, so every
// on-/offboarding is a Terraform change and apply. NOTE(review): a Google
// Group principal ("group:<address>") would move membership management out
// of infra code — consider it if such a group exists for this team.
locals {
appr_team = [
"user:gary.verhaegen@digitalasset.com",
"user:moritz.kiefer@digitalasset.com",
"user:stefano.baghino@digitalasset.com",
"user:stephen.compall@digitalasset.com",
"user:victor.mueller@digitalasset.com",
]
}
# One read-only (objectViewer) grant on the bucket per principal listed in
# local.appr_team. Each instance is keyed by the principal string itself.
resource "google_storage_bucket_iam_member" "appr" {
  for_each = toset(local.appr_team)

  # For a set, each.value is the element, identical to each.key.
  member = each.value
  role   = "roles/storage.objectViewer"
  bucket = google_storage_bucket.data.name
}
# Service accounts whose keys are minted below and exported through the
# assembly_keys output: "canton-read" (read-only) and "assembly-rw"
# (read + create). The instance key equals the account id.
resource "google_service_account" "assembly-sas" {
  for_each = { for id in ["canton-read", "assembly-rw"] : id => id }

  account_id = each.value
}
# objectViewer for both assembly service accounts.
# NOTE(review): this binding is at PROJECT scope — it covers every bucket in
# local.project, unlike the bucket-scoped grants for the CI writer and the
# appr team above. If these accounts only need daml-data, a
# google_storage_bucket_iam_member on google_storage_bucket.data.name is the
# least-privilege equivalent; confirm before narrowing, since other buckets
# may be relied on.
resource "google_project_iam_member" "assembly-read" {
  for_each = google_service_account.assembly-sas

  project = local.project
  member  = "serviceAccount:${each.value.email}"
  role    = "roles/storage.objectViewer"
}
# objectCreator for the read-write assembly account only (no delete).
# NOTE(review): like assembly-read this is a PROJECT-wide binding, i.e. the
# account can create objects in any bucket of local.project, not just
# daml-data; a bucket-scoped google_storage_bucket_iam_member would be the
# least-privilege form if that is all it needs.
resource "google_project_iam_member" "assembly-write" {
  project = local.project
  member  = "serviceAccount:${google_service_account.assembly-sas["assembly-rw"].email}"
  role    = "roles/storage.objectCreator"
}
# Long-lived keys for each assembly service account. The private key is
# generated by Google and kept in Terraform state (it is read as
# `private_key` by the assembly_keys output), so state must be handled as a
# secret. Rotation is manual: change `generated_on` and apply, which
# replaces the key resources.
resource "google_service_account_key" "assembly-keys" {
  for_each = google_service_account.assembly-sas

  service_account_id = each.value.name

  # Provider docs: "Arbitrary map of values that, when changed, will trigger
  # a new key to be generated."
  keepers = {
    generated_on = "2022-01-12"
  }
}
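# Private keys of the assembly service accounts, keyed by account id
# ("canton-read", "assembly-rw"). Marked sensitive so the key material is
# redacted from `terraform plan`/`apply` output and from CI logs; fetch it
# deliberately with `terraform output -json assembly_keys`. The values remain
# in plaintext in Terraform state regardless of this flag.
output "assembly_keys" {
  description = "Service account private keys for the assembly SAs, keyed by account id"
  sensitive   = true
  value       = { for k, v in google_service_account_key.assembly-keys : k => v.private_key }
}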