mirror of
https://github.com/digital-asset/daml.git
synced 2024-09-20 01:07:18 +03:00
2a38d03250
Yesterday, a certificate expiration triggered the `patch_bazel_windows` job to run when it shouldn't, and it overrode an artifact we depend on. This was build from the same sources, but the build is not reproducible so we ended up with a hash mismatch. As far as I know, there is no good reason for CI to ever delete or overwrite anything from our GCS buckets, so I'm removing its rights to do so. As an added safety measure, this PR also enables versioning on all non-cache buckets (GCS does not support versioning on buckets with an expiration policy). CHANGELOG_BEGIN CHANGELOG_END
41 lines
1.3 KiB
HCL
41 lines
1.3 KiB
HCL
# Copyright (c) 2020 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
// Setup the Nix bucket + CDN
|
|
locals {
|
|
nix_cache_name = "daml-nix-cache"
|
|
|
|
// see main.tf for additional locals
|
|
}
|
|
|
|
module "nix_cache" {
|
|
source = "./modules/gcp_cdn_bucket"
|
|
|
|
labels = "${local.labels}"
|
|
name = "${local.nix_cache_name}"
|
|
project = "${local.project}"
|
|
region = "${local.region}"
|
|
ssl_certificate = "https://www.googleapis.com/compute/v1/projects/da-dev-gcp-daml-language/global/sslCertificates/nix-cache"
|
|
cache_retention_days = 360
|
|
}
|
|
|
|
// allow rw access for CI writer (see writer.tf)
|
|
resource "google_storage_bucket_iam_member" "nix_cache_writer_create" {
|
|
bucket = "${module.nix_cache.bucket_name}"
|
|
|
|
# https://cloud.google.com/storage/docs/access-control/iam-roles
|
|
role = "roles/storage.objectCreator"
|
|
member = "serviceAccount:${google_service_account.writer.email}"
|
|
}
|
|
resource "google_storage_bucket_iam_member" "nix_cache_writer_read" {
|
|
bucket = "${module.nix_cache.bucket_name}"
|
|
|
|
# https://cloud.google.com/storage/docs/access-control/iam-roles
|
|
role = "roles/storage.objectViewer"
|
|
member = "serviceAccount:${google_service_account.writer.email}"
|
|
}
|
|
|
|
output "nix_cache_ip" {
|
|
value = "${module.nix_cache.external_ip}"
|
|
}
|