feat(corp/ops): configure data storage bucket
Note that there doesn't seem to be a TF resource type for the IAM binding between the bucket and the service account itself (other than applying to all buckets in the folder, which I don't want). For this reason I've added the `storage.uploader` IAM binding to the `rih-backend` service account *on the bucket* manually. Change-Id: I9fb06c7857e61dc642d9ea0d89159a0e343dc984 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8728 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
parent
fb7db9b692
commit
eae70200ce
1 changed files with 77 additions and 7 deletions
|
@ -17,7 +17,7 @@ resource "yandex_iam_service_account" "rih_storage_sa" {
|
|||
|
||||
resource "yandex_resourcemanager_folder_iam_member" "rih_sa_storage_editor" {
|
||||
folder_id = local.rih_folder_id
|
||||
role = "storage.editor"
|
||||
role = "storage.admin"
|
||||
member = "serviceAccount:${yandex_iam_service_account.rih_storage_sa.id}"
|
||||
}
|
||||
|
||||
|
@ -78,12 +78,6 @@ resource "yandex_iam_service_account" "rih_backend" {
|
|||
folder_id = local.rih_folder_id
|
||||
}
|
||||
|
||||
resource "yandex_resourcemanager_folder_iam_member" "rih_backend_storage_editor" {
|
||||
folder_id = local.rih_folder_id
|
||||
role = "storage.editor"
|
||||
member = "serviceAccount:${yandex_iam_service_account.rih_backend.id}"
|
||||
}
|
||||
|
||||
resource "yandex_resourcemanager_folder_iam_member" "rih_backend_image_pull" {
|
||||
folder_id = local.rih_folder_id
|
||||
role = "container-registry.images.puller"
|
||||
|
@ -167,3 +161,79 @@ resource "yandex_dns_recordset" "cname_api_russiaishiring_com" {
|
|||
data = [yandex_api_gateway.rih_gateway.domain]
|
||||
ttl = 600
|
||||
}
|
||||
|
||||
# Bucket setup for data receival bucket
|
||||
#
|
||||
# The bucket is set up and controlled by the default storage account,
|
||||
# but a separate key is set up for the rih-backend IAM account which
|
||||
# can only access the information in this bucket.
|
||||
|
||||
resource "yandex_kms_symmetric_key" "backend_data_key" {
|
||||
name = "rih-backend-data-key"
|
||||
default_algorithm = "AES_128"
|
||||
rotation_period = "4380h" # ~6 months
|
||||
|
||||
lifecycle {
|
||||
prevent_destroy = true
|
||||
}
|
||||
}
|
||||
|
||||
resource "yandex_storage_bucket" "rih_backend_data" {
|
||||
access_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.access_key
|
||||
secret_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.secret_key
|
||||
bucket = "rih-backend-data"
|
||||
folder_id = local.rih_folder_id
|
||||
acl = "private"
|
||||
|
||||
versioning {
|
||||
enabled = true
|
||||
}
|
||||
|
||||
server_side_encryption_configuration {
|
||||
rule {
|
||||
apply_server_side_encryption_by_default {
|
||||
kms_master_key_id = yandex_kms_symmetric_key.backend_data_key.id
|
||||
sse_algorithm = "aws:kms"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
lifecycle {
|
||||
prevent_destroy = true
|
||||
}
|
||||
}
|
||||
|
||||
resource "yandex_iam_service_account_static_access_key" "rih_backend_static_key" {
|
||||
service_account_id = yandex_iam_service_account.rih_backend.id
|
||||
description = "RIH backend bucket access key"
|
||||
}
|
||||
|
||||
resource "yandex_lockbox_secret" "rih_backend_storage_key" {
|
||||
name = "rih-backend-storage-key"
|
||||
folder_id = local.rih_folder_id
|
||||
}
|
||||
|
||||
resource "yandex_lockbox_secret_version" "rih_backend_storage_secret" {
|
||||
secret_id = yandex_lockbox_secret.rih_backend_storage_key.id
|
||||
|
||||
entries {
|
||||
key = "access_key"
|
||||
text_value = yandex_iam_service_account_static_access_key.rih_backend_static_key.access_key
|
||||
}
|
||||
|
||||
entries {
|
||||
key = "secret_key"
|
||||
text_value = yandex_iam_service_account_static_access_key.rih_backend_static_key.secret_key
|
||||
}
|
||||
}
|
||||
|
||||
# TODO(tazjin): needs provider update
|
||||
#
|
||||
# resource "yandex_lockbox_secret_iam_binding" "viewer" {
|
||||
# secret_id = yandex_lockbox_secret.rih_backend_storage_key.id
|
||||
# role = "viewer"
|
||||
|
||||
# members = [
|
||||
# "serviceAccount:${yandex_iam_service_account.rih_backend.id}"
|
||||
# ]
|
||||
# }
|
||||
|
|
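Review bot: The comment above `backend_data_key` says the rih-backend key "can only access the information in this bucket", but nothing in the hunk enforces that: the static key carries whatever roles `rih_backend` holds, and per the commit message the bucket-level `storage.uploader` binding is applied by hand outside Terraform. That manual step should be recorded next to the bucket resource so it survives a recreate, e.g. `# NOTE: storage.uploader for rih_backend is bound on this bucket manually (no TF resource); re-apply if the bucket is recreated.` It may be worth checking whether the provider's bucket `grant` or `policy` arguments can express that binding in code instead. Both static keys — `rih_sa_static_key` used in the bucket resource and `rih_backend_static_key` written as `text_value` in the Lockbox version — also end up in Terraform state in plaintext, so the state backend needs the same access controls as the Lockbox secret itself. With `yandex_lockbox_secret_iam_binding` still commented out, the backend presumably cannot read that secret until the binding is provisioned manually as well.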