forked from digital-asset/daml
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdumps_bucket.tf
49 lines (39 loc) · 1.56 KB
/
dumps_bucket.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
# Copyright (c) 2022 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
resource "google_storage_bucket" "dumps" {
project = local.project
name = "daml-dumps"
labels = local.labels
# SLA is enough for a cache and is cheaper than MULTI_REGIONAL
# see https://cloud.google.com/storage/docs/storage-classes
storage_class = "REGIONAL"
# Use a normal region since the storage_class is regional
location = local.region
# Enable versioning in case we accidentally delete/overwrite something
versioning {
enabled = true
}
}
resource "google_storage_bucket_acl" "dumps" {
bucket = google_storage_bucket.dumps.name
role_entity = [
"OWNER:project-owners-${data.google_project.current.number}",
"OWNER:project-editors-${data.google_project.current.number}",
"READER:project-viewers-${data.google_project.current.number}",
"READER:allUsers",
]
default_acl = "publicread"
}
# allow rw access for CI writer (see writer.tf)
resource "google_storage_bucket_iam_member" "dumps_create" {
bucket = google_storage_bucket.dumps.name
# https://cloud.google.com/storage/docs/access-control/iam-roles
role = "roles/storage.objectCreator"
member = "serviceAccount:${google_service_account.writer.email}"
}
resource "google_storage_bucket_iam_member" "dumps_read" {
bucket = google_storage_bucket.dumps.name
# https://cloud.google.com/storage/docs/access-control/iam-roles
role = "roles/storage.objectViewer"
member = "serviceAccount:${google_service_account.writer.email}"
}