Cloud storage for cdn (#12)

* global configuration for gh_oidc_dev

* scaffold storage module

* initial storage module

* add public access control to google_storage_bucket

* add resume object to storage bucket definition

dev/main.tf

@@ -23,8 +23,8 @@ provider "google" {
 # storage-component.googleapis.com
 # go to https://console.cloud.google.com/apis/dashboard to see the full list of enabled APIs
 module "apis" {
-  source  = "../modules/gcp-apis" # using local modules until I can these are versioned in the main branch of the repo
-  project = var.project_id
+  source   = "../modules/gcp-apis" # using local modules until I can these are versioned in the main branch of the repo
+  project  = var.project_id
   services = [
     "servicenetworking.googleapis.com",
     "sqladmin.googleapis.com",
@@ -52,21 +52,29 @@ module "iam" {
 }
 
 module "client_artifact_repo" {
-  source = "../modules/registry"
+  source     = "../modules/registry"
   # using local modules until I can these are versioned in the main branch of the repo
   repo       = "client"
   region     = var.region
   depends_on = [module.apis]
 }
 
 module "server_artifact_repo" {
-  source = "../modules/registry"
+  source     = "../modules/registry"
   # using local modules until I can these are versioned in the main branch of the repo
   repo       = "server"
   region     = var.region
   depends_on = [module.apis]
 }
 
+module "storage" {
+  source      = "../modules/storage"
+  project_id  = var.project_id
+  environment = var.environment
+  bucket_name = "dpgraham-dev"
+  resume_path = "./README.md"
+}
+
 module "database" {
   source      = "../modules/sql" # using local modules until I can these are versioned in the main branch of the repo
   name        = var.db_name
@@ -76,7 +84,7 @@ module "database" {
   project_id  = var.project_id
   vpc         = module.vpc.network
   #  vpc         = module.vpc.shared_vpc # uncomment if using shared vpc
-  depends_on = [module.apis]
+  depends_on  = [module.apis]
 }
 
 module "frontend-service" {
@@ -88,7 +96,7 @@ module "frontend-service" {
   environment    = "dev"
   connector_cidr = "10.9.0.0/28"
   project        = var.project_id
-  env = [
+  env            = [
     {
       name  = "VITE_API_URL"
       value = "https://${var.domain}/api"
@@ -107,7 +115,7 @@ module "server-service" {
   port           = "8080"
   environment    = var.environment
   depends_on     = [module.apis]
-  env = [
+  env            = [
     {
       name  = "DB_PORT"
       value = "5432"

global/folders.tf → global/folders/main.tf

@@ -5,7 +5,7 @@ module "common" {
   version = "~> 3.2"
 
   parent = "organizations/${var.org_id}"
-  names = [
+  names  = [
     "Common",
   ]
 }
@@ -15,7 +15,7 @@ module "envs" {
   version = "~> 3.2"
 
   parent = "organizations/${var.org_id}"
-  names = [
+  names  = [
     "Production",
     "Non-Production",
     "Development",

global/folders/outputs.tf

@@ -0,0 +1,7 @@
+output "ids" {
+  value = module.envs.ids
+}
+
+output "common_folder_id" {
+  value = module.common.id
+}

global/folders/variables.tf

@@ -0,0 +1,5 @@
+variable "org_id" {
+  description = "The ID of the organization to create the project under"
+  type        = string
+
+}

global/iam.tf

@@ -26,7 +26,7 @@ module "developer-folder-nonprod" {
   version = "~> 7.4"
 
   folders = [
-    module.envs.ids["Non-Production"],
+    module.folders.ids["Non-Production"],
   ]
   bindings = {
     "roles/compute.instanceAdmin.v1" = [
@@ -43,7 +43,7 @@ module "developers-folders-dev" {
   version = "~> 7.4"
 
   folders = [
-    module.envs.ids["Development"],
+    module.folders.ids["Development"],
   ]
   bindings = {
     "roles/compute.instanceAdmin.v1" = [
@@ -75,7 +75,7 @@ module "devops-folder-dev" {
   version = "~> 7.4"
 
   folders = [
-    module.envs.ids["Development"],
+    module.folders.ids["Development"],
   ]
   bindings = {
     "roles/cloudsql.admin" = [
@@ -104,7 +104,7 @@ module "devops-folder-prod" {
   version = "~> 7.4"
 
   folders = [
-    module.envs.ids["Production"],
+    module.folders.ids["Production"],
   ]
   bindings = {
     "roles/cloudsql.admin" = [
@@ -118,6 +118,33 @@ module "devops-folder-prod" {
     ]
   }
 }
+
+
+module "gh_oidc_dev" {
+  source  = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
+  version = "3.1.1"
+
+  project_id       = module.dpgraham-com-dev.project_id
+  pool_id          = var.pool_id
+  provider_id      = "github"
+  pool_description = "A pool of identities to be used by GitHub Actions workflow runners"
+  sa_mapping       = {
+    #    "cloud_run_service_account" = {
+    #      sa_name   = google_service_account.cloud_run_sa.name
+    #      attribute = "attribute.repository/${var.github_org}/dpgraham-client"
+    #    }
+    "infra_editor_service_account" = {
+      sa_name   = google_service_account.cloud_infra_sa_dev.name
+      attribute = "attribute.repository/${var.github_org}/dpgraham-infra"
+    }
+  }
+  #  depends_on = [
+  #    google_service_account.cloud_infra_sa_dev
+  #    data.google_service_account.cloud_infra_sa,
+  #  ]
+}
+
+
 ## IAM permissions related to the logging project
 
 #module "projects-iam-2-loggingviewer" {

global/main.tf

@@ -0,0 +1,9 @@
+module "folders" {
+  source = "./folders"
+  org_id = var.org_id
+}
+
+module "iam" {
+  source = "./iam"
+
+}

global/projects.tf

@@ -9,7 +9,7 @@ module "dpgraham-com-prod" {
   name                 = "dpgraham-prod"
   project_id           = "dpgraham-com-prod"
   org_id               = var.org_id
-  folder_id            = module.envs.ids["Production"]
+  folder_id            = module.folders.ids["Production"]
   svpc_host_project_id = module.dpgraham-vpc-host-prod.project_id
   shared_vpc_subnets = [
     google_compute_subnetwork.subnet_prod_east1.id,
@@ -27,7 +27,7 @@ module "dpgraham-com-dev" {
   name                 = "dpgraham-dev"
   project_id           = var.dev_project_id
   org_id               = var.org_id
-  folder_id            = module.envs.ids["Development"]
+  folder_id            = module.folders.ids["Development"]
   svpc_host_project_id = module.dpgraham-vpc-host-nonprod.project_id
   shared_vpc_subnets = [
     google_compute_subnetwork.subnet_dev_east1.id,
@@ -45,7 +45,7 @@ module "dpgraham-vpc-host-prod" {
   name       = "vpc-host-prod"
   project_id = "dpgraham-vpc-host-prod"
   org_id     = var.org_id
-  folder_id  = module.common.id
+  folder_id  = module.folders.common_folder_id
 
   billing_account                = var.billing_account
   enable_shared_vpc_host_project = true
@@ -59,7 +59,7 @@ module "dpgraham-vpc-host-nonprod" {
   name       = "vpc-host-nonprod"
   project_id = "dpgraham-vpc-host-nonprod"
   org_id     = var.org_id
-  folder_id  = module.common.id
+  folder_id  = module.folders.common_folder_id
 
   billing_account                = var.billing_account
   enable_shared_vpc_host_project = true

global/variables.tf

@@ -42,4 +42,16 @@ variable "cloud_infra_sa" {
   description = "The service account for the cloud infra project"
   type        = string
   default     = "infra-deployer"
-}
+}
+
+variable "pool_id" {
+  description = "The Workload Identity Federation pool id for use with GitHub Actions"
+  type        = string
+  default     = "github-actions-pool"
+}
+
+variable "github_org" {
+  description = "The name of the GitHub organization to use for the application"
+  type        = string
+  default     = "dpgraham-com"
+}

modules/sql/main.tf

@@ -20,6 +20,9 @@ resource "google_sql_database_instance" "default" {
   name             = var.name
   project          = var.project_id
   region           = var.region
+  lifecycle {
+    ignore_changes = [settings.0.activation_policy]
+  }
 
   settings {
     activation_policy = "ALWAYS"

modules/storage/main.tf

@@ -0,0 +1,28 @@
+locals {
+  versioning = var.environment == "prod" ? true : false
+}
+
+resource "random_uuid" "storage_uuid" {}
+
+resource "google_storage_bucket" "default" {
+  name                        = "${var.bucket_name}-${random_uuid.storage_uuid.result}"
+  location                    = var.location
+  project                     = var.project_id
+  uniform_bucket_level_access = false
+
+  versioning {
+    enabled = local.versioning
+  }
+}
+
+resource "google_storage_default_object_access_control" "public_access" {
+  bucket = google_storage_bucket.default.name
+  role   = "READER"
+  entity = "allUsers"
+}
+
+resource "google_storage_bucket_object" "resume_folder" {
+  bucket = google_storage_bucket.default.name
+  name   = "resume/resume.md"
+  source = var.resume_path
+}

modules/storage/outputs.tf

@@ -0,0 +1,3 @@
+output "storage_bucket_name" {
+  value = google_storage_bucket.default.name
+}

modules/storage/variables.tf

@@ -0,0 +1,29 @@
+variable "bucket_name" {
+  description = "The name of the S3 bucket to create"
+  type        = string
+}
+
+variable "location" {
+  description = "The GCP region in which to create the bucket"
+  type        = string
+  default     = "US"
+}
+
+variable "project_id" {
+  description = "The GCP project ID in which to create the bucket"
+  type        = string
+}
+
+variable "environment" {
+  description = "The environment in which to create the bucket"
+  type        = string
+  validation {
+    condition     = contains(["dev", "prod"], var.environment)
+    error_message = "Environment must be one of [devel, prod]"
+  }
+}
+
+variable "resume_path" {
+  description = "The path to the resume to upload"
+  type        = string
+}