forked from digital-asset/daml
-
Notifications
You must be signed in to change notification settings - Fork 0
/
binaries.tf
103 lines (86 loc) · 3.4 KB
/
binaries.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
# Copyright (c) 2023 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
resource "google_storage_bucket" "binaries" {
project = local.project
name = "daml-binaries"
labels = local.labels
# SLA is enough for a cache and is cheaper than MULTI_REGIONAL
# see https://cloud.google.com/storage/docs/storage-classes
storage_class = "REGIONAL"
# Use a normal region since the storage_class is regional
location = local.region
versioning {
enabled = true
}
}
resource "google_storage_bucket_acl" "binaries" {
bucket = google_storage_bucket.binaries.name
default_acl = "publicread"
role_entity = [
"OWNER:project-owners-${data.google_project.current.number}",
"OWNER:project-editors-${data.google_project.current.number}",
"READER:project-viewers-${data.google_project.current.number}",
"READER:allUsers",
]
}
// allow rw access for CI writer (see writer.tf)
resource "google_storage_bucket_iam_member" "binaries-ci-create" {
bucket = google_storage_bucket.binaries.name
# https://cloud.google.com/storage/docs/access-control/iam-roles
role = "roles/storage.objectCreator"
member = "serviceAccount:${google_service_account.writer.email}"
}
resource "google_storage_bucket_iam_member" "binaries-ci-read" {
bucket = google_storage_bucket.binaries.name
# https://cloud.google.com/storage/docs/access-control/iam-roles
role = "roles/storage.objectViewer"
member = "serviceAccount:${google_service_account.writer.email}"
}
output "binaries_ip" {
description = "The external IP assigned to the global fowarding rule."
value = google_compute_global_address.binaries.address
}
resource "google_compute_backend_bucket" "binaries" {
project = local.project
name = "binaries-backend"
bucket_name = google_storage_bucket.binaries.name
enable_cdn = true
}
resource "google_compute_global_address" "binaries" {
project = local.project
name = "binaries-address"
ip_version = "IPV4"
}
resource "google_compute_url_map" "binaries" {
project = local.project
name = "binaries"
default_service = google_compute_backend_bucket.binaries.self_link
}
resource "google_compute_target_http_proxy" "binaries" {
project = local.project
name = "binaries-http-proxy"
url_map = google_compute_url_map.binaries.self_link
}
resource "google_compute_global_forwarding_rule" "binaries-http" {
project = local.project
name = "binaries-http"
target = google_compute_target_http_proxy.binaries.self_link
ip_address = google_compute_global_address.binaries.address
port_range = "80"
depends_on = [google_compute_global_address.binaries]
}
resource "google_compute_target_https_proxy" "binaries" {
project = local.project
name = "binaries-https-proxy"
url_map = google_compute_url_map.binaries.self_link
ssl_certificates = ["https://www.googleapis.com/compute/v1/projects/da-dev-gcp-daml-language/global/sslCertificates/daml-binaries"]
ssl_policy = google_compute_ssl_policy.ssl_policy.self_link
}
resource "google_compute_global_forwarding_rule" "https" {
project = local.project
name = "binaries-https"
target = google_compute_target_https_proxy.binaries.self_link
ip_address = google_compute_global_address.binaries.address
port_range = "443"
depends_on = [google_compute_global_address.binaries]
}