cfae2d88f5
* fixup terraform config Two changes have happened recently that have invalidated the current Terraform files: 1. The Terraform version has gone through a major, incompatible upgrade (#8190); the required updates for this are reflected in the first commit of this PR. 2. The certificate used to serve [Hoogle](https://hoogle.daml.com) was about to expire, so Edward created a new one and updated the config directly. The second commit in this PR updates the Terraform config to match that new, already-in-prod setting. Note: This PR applies cleanly, as there are no resulting changes in Terraform's perception of the target state from 1, and the change from 2 has already been applied through other channels. CHANGELOG_BEGIN CHANGELOG_END * update hoogle cert
# Copyright (c) 2021 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
# Regional, versioned bucket that holds the published binaries.
# Who may read or write it is not decided here: that is done by the
# google_storage_bucket_acl and google_storage_bucket_iam_member resources
# in this file that reference this bucket by name.
resource "google_storage_bucket" "binaries" {
  name    = "daml-binaries"
  project = local.project
  labels  = local.labels

  # Regional storage is cheaper than MULTI_REGIONAL and its SLA is
  # sufficient for a cache; see
  # https://cloud.google.com/storage/docs/storage-classes
  storage_class = "REGIONAL"

  # A regional storage class needs a plain region as its location.
  location = local.region

  # Keep noncurrent object versions when an object is overwritten or
  # deleted, so a replaced binary can still be recovered.
  # NOTE(review): no lifecycle_rule is declared in this block, so old
  # versions are presumably retained indefinitely - confirm that is intended.
  versioning {
    enabled = true
  }
}
# Bucket ACL: deliberately publishes the bucket to the world.
#
# "READER:allUsers" grants anonymous read on the bucket, and default_acl
# sets the bucket's default object ACL to public read, so every object
# uploaded here becomes publicly downloadable. Nothing confidential
# (credentials, unreleased or internal artifacts) should be written to it.
# NOTE(review): a bucket-level READER entry for allUsers normally also
# allows anonymous listing of object names - confirm that is acceptable.
resource "google_storage_bucket_acl" "binaries" {
  bucket = google_storage_bucket.binaries.name

  # Project owners and editors own the bucket; project viewers and the
  # public can only read.
  role_entity = [
    "OWNER:project-owners-${data.google_project.current.number}",
    "OWNER:project-editors-${data.google_project.current.number}",
    "READER:project-viewers-${data.google_project.current.number}",
    "READER:allUsers",
  ]

  default_acl = "publicread"
}
# Access for the CI writer service account (see writer.tf).
# This binding lets CI add new objects. roles/storage.objectCreator does
# not include object deletion, so CI can publish new binaries but cannot
# overwrite or remove ones that already exist. Read access is granted
# separately by the "binaries-ci-read" binding.
resource "google_storage_bucket_iam_member" "binaries-ci-create" {
  bucket = google_storage_bucket.binaries.name
  member = "serviceAccount:${google_service_account.writer.email}"

  # Role reference: https://cloud.google.com/storage/docs/access-control/iam-roles
  role = "roles/storage.objectCreator"
}
# Read half of the CI writer's access: the same service account that may
# create objects (binding "binaries-ci-create") may also view them.
resource "google_storage_bucket_iam_member" "binaries-ci-read" {
  bucket = google_storage_bucket.binaries.name
  member = "serviceAccount:${google_service_account.writer.email}"

  # Role reference: https://cloud.google.com/storage/docs/access-control/iam-roles
  role = "roles/storage.objectViewer"
}
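# Exposes the reserved global address that both the HTTP and the HTTPS
# forwarding rules in this file bind to (e.g. for DNS records).
# The label is quoted to match every other block in this file, and the
# "fowarding" typo in the user-visible description is corrected.
output "binaries_ip" {
  description = "The external IP assigned to the global forwarding rule."
  value       = google_compute_global_address.binaries.address
}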
# Load-balancer backend that serves objects straight from the binaries
# bucket, with Cloud CDN caching switched on.
# NOTE(review): with CDN enabled, a cached copy may keep being served
# after the object is replaced or deleted in the bucket, until it expires
# or is invalidated - worth remembering when withdrawing a bad artifact.
resource "google_compute_backend_bucket" "binaries" {
  name        = "binaries-backend"
  project     = local.project
  bucket_name = google_storage_bucket.binaries.name
  enable_cdn  = true
}
# Reserved global IPv4 address for the binaries load balancer. Both
# forwarding rules in this file use it, and it is exported as the
# binaries_ip output.
resource "google_compute_global_address" "binaries" {
  name       = "binaries-address"
  project    = local.project
  ip_version = "IPV4"
}
# URL map shared by the HTTP and HTTPS proxies. It declares no host or
# path rules, so every request falls through to the default service,
# which is the bucket-backed backend.
resource "google_compute_url_map" "binaries" {
  name            = "binaries"
  project         = local.project
  default_service = google_compute_backend_bucket.binaries.self_link
}
# Plain-HTTP front end. It points at the same URL map as the HTTPS proxy,
# so port 80 serves the binaries directly rather than redirecting.
# NOTE(review): downloads fetched over http:// have no transport
# integrity or authenticity. Clients should use https:// or verify a
# checksum/signature obtained over a trusted channel; consider replacing
# this with an HTTPS redirect if no consumer depends on plain HTTP.
resource "google_compute_target_http_proxy" "binaries" {
  name    = "binaries-http-proxy"
  project = local.project
  url_map = google_compute_url_map.binaries.self_link
}
# Listens on port 80 of the reserved global address and hands traffic to
# the plain-HTTP proxy.
resource "google_compute_global_forwarding_rule" "binaries-http" {
  name       = "binaries-http"
  project    = local.project
  ip_address = google_compute_global_address.binaries.address
  port_range = "80"
  target     = google_compute_target_http_proxy.binaries.self_link

  # Explicit ordering on the address; the ip_address reference above
  # already implies the same dependency.
  depends_on = [google_compute_global_address.binaries]
}
# HTTPS front end for the binaries URL map.
resource "google_compute_target_https_proxy" "binaries" {
  name    = "binaries-https-proxy"
  project = local.project
  url_map = google_compute_url_map.binaries.self_link

  # The certificate is referenced by a literal self-link, not by a
  # Terraform resource visible in this file, so its creation and renewal
  # are tracked elsewhere and the project id is hard-coded here instead
  # of being derived from local.project.
  # NOTE(review): no ssl_policy is set on this proxy, so Google's default
  # TLS policy applies - confirm its minimum TLS version is acceptable.
  ssl_certificates = [
    "https://www.googleapis.com/compute/v1/projects/da-dev-gcp-daml-language/global/sslCertificates/daml-binaries",
  ]
}
# Listens on port 443 of the reserved global address and hands traffic
# to the HTTPS proxy, which terminates TLS.
resource "google_compute_global_forwarding_rule" "https" {
  name       = "binaries-https"
  project    = local.project
  ip_address = google_compute_global_address.binaries.address
  port_range = "443"
  target     = google_compute_target_https_proxy.binaries.self_link

  # Explicit ordering on the address; the ip_address reference above
  # already implies the same dependency.
  depends_on = [google_compute_global_address.binaries]
}