mirror of
https://github.com/digital-asset/daml.git
synced 2024-09-20 09:17:43 +03:00
e34ac20d23
😿
CHANGELOG_BEGIN
CHANGELOG_END
98 lines
2.9 KiB
HCL
98 lines
2.9 KiB
HCL
# Copyright (c) 2022 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
resource "google_storage_bucket" "data" {
|
|
project = local.project
|
|
name = "daml-data"
|
|
labels = local.labels
|
|
|
|
# SLA is enough for a cache and is cheaper than MULTI_REGIONAL
|
|
# see https://cloud.google.com/storage/docs/storage-classes
|
|
storage_class = "REGIONAL"
|
|
|
|
# Use a normal region since the storage_class is regional
|
|
location = local.region
|
|
|
|
versioning {
|
|
enabled = true
|
|
}
|
|
}
|
|
|
|
resource "google_storage_bucket_acl" "data" {
|
|
bucket = google_storage_bucket.data.name
|
|
|
|
role_entity = [
|
|
"OWNER:project-owners-${data.google_project.current.number}",
|
|
"OWNER:project-editors-${data.google_project.current.number}",
|
|
"READER:project-viewers-${data.google_project.current.number}",
|
|
]
|
|
}
|
|
|
|
// allow rw access for CI writer (see writer.tf)
|
|
resource "google_storage_bucket_iam_member" "data_create" {
|
|
bucket = google_storage_bucket.data.name
|
|
|
|
# https://cloud.google.com/storage/docs/access-control/iam-roles
|
|
role = "roles/storage.objectCreator"
|
|
member = "serviceAccount:${google_service_account.writer.email}"
|
|
}
|
|
|
|
resource "google_storage_bucket_iam_member" "data_read" {
|
|
bucket = google_storage_bucket.data.name
|
|
|
|
# https://cloud.google.com/storage/docs/access-control/iam-roles
|
|
role = "roles/storage.objectViewer"
|
|
member = "serviceAccount:${google_service_account.writer.email}"
|
|
}
|
|
|
|
// allow read access for appr team, as requested by Moritz
|
|
locals {
|
|
appr_team = [
|
|
"user:gary.verhaegen@digitalasset.com",
|
|
"user:moritz.kiefer@digitalasset.com",
|
|
"user:stefano.baghino@digitalasset.com",
|
|
"user:stephen.compall@digitalasset.com",
|
|
"user:victor.mueller@digitalasset.com",
|
|
]
|
|
}
|
|
|
|
resource "google_storage_bucket_iam_member" "appr" {
|
|
for_each = toset(local.appr_team)
|
|
bucket = google_storage_bucket.data.name
|
|
role = "roles/storage.objectViewer"
|
|
member = each.key
|
|
}
|
|
|
|
resource "google_service_account" "assembly-sas" {
|
|
for_each = toset(["canton-read", "assembly-rw"])
|
|
account_id = each.key
|
|
}
|
|
|
|
resource "google_project_iam_member" "assembly-read" {
|
|
for_each = google_service_account.assembly-sas
|
|
project = local.project
|
|
role = "roles/storage.objectViewer"
|
|
member = "serviceAccount:${each.value.email}"
|
|
}
|
|
|
|
resource "google_project_iam_member" "assembly-write" {
|
|
project = local.project
|
|
role = "roles/storage.objectCreator"
|
|
member = "serviceAccount:${google_service_account.assembly-sas["assembly-rw"].email}"
|
|
}
|
|
|
|
resource "google_service_account_key" "assembly-keys" {
|
|
for_each = google_service_account.assembly-sas
|
|
|
|
service_account_id = each.value.name
|
|
// "Arbitrary map of values that, when changed, will trigger a new key to be
|
|
// generated."
|
|
keepers = {
|
|
generated_on = "2022-01-12"
|
|
}
|
|
}
|
|
|
|
output "assembly_keys" {
|
|
value = { for k, v in google_service_account_key.assembly-keys : k => v.private_key }
|
|
}
|