feat(corp/ops): configure data storage bucket

Note that there doesn't seem to be a TF resource type for the IAM binding between the bucket and the service account itself (other than applying to all buckets in the folder, which I don't want). For this reason I've added the `storage.uploader` IAM binding to the `rih-backend` service account *on the bucket* manually. Change-Id: I9fb06c7857e61dc642d9ea0d89159a0e343dc984 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8728 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
2023-06-09 13:47:07 +03:00 · 2023-06-09 13:47:07 +03:00 · eae70200ce
commit eae70200ce
parent fb7db9b692
1 changed files with 77 additions and 7 deletions
--- a/corp/ops/yandex/rih.tf
+++ b/corp/ops/yandex/rih.tf
@ -17,7 +17,7 @@ resource "yandex_iam_service_account" "rih_storage_sa" {

 resource "yandex_resourcemanager_folder_iam_member" "rih_sa_storage_editor" {
  folder_id = local.rih_folder_id
-  role      = "storage.editor"
+  role      = "storage.admin"
  member    = "serviceAccount:${yandex_iam_service_account.rih_storage_sa.id}"
 }

@ -78,12 +78,6 @@ resource "yandex_iam_service_account" "rih_backend" {
  folder_id = local.rih_folder_id
 }

-resource "yandex_resourcemanager_folder_iam_member" "rih_backend_storage_editor" {
-  folder_id = local.rih_folder_id
-  role      = "storage.editor"
-  member    = "serviceAccount:${yandex_iam_service_account.rih_backend.id}"
-}
-
 resource "yandex_resourcemanager_folder_iam_member" "rih_backend_image_pull" {
  folder_id = local.rih_folder_id
  role      = "container-registry.images.puller"
@ -167,3 +161,79 @@ resource "yandex_dns_recordset" "cname_api_russiaishiring_com" {
  data    = [yandex_api_gateway.rih_gateway.domain]
  ttl     = 600
 }
+
+# Bucket setup for data receival bucket
+#
+# The bucket is set up and controlled by the default storage account,
+# but a separate key is set up for the rih-backend IAM account which
+# can only access the information in this bucket.
+
+resource "yandex_kms_symmetric_key" "backend_data_key" {
+  name              = "rih-backend-data-key"
+  default_algorithm = "AES_128"
+  rotation_period   = "4380h" # ~6 months
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "yandex_storage_bucket" "rih_backend_data" {
+  access_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.access_key
+  secret_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.secret_key
+  bucket     = "rih-backend-data"
+  folder_id  = local.rih_folder_id
+  acl        = "private"
+
+  versioning {
+    enabled = true
+  }
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = yandex_kms_symmetric_key.backend_data_key.id
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "yandex_iam_service_account_static_access_key" "rih_backend_static_key" {
+  service_account_id = yandex_iam_service_account.rih_backend.id
+  description        = "RIH backend bucket access key"
+}
+
+resource "yandex_lockbox_secret" "rih_backend_storage_key" {
+  name      = "rih-backend-storage-key"
+  folder_id = local.rih_folder_id
+}
+
+resource "yandex_lockbox_secret_version" "rih_backend_storage_secret" {
+  secret_id = yandex_lockbox_secret.rih_backend_storage_key.id
+
+  entries {
+    key        = "access_key"
+    text_value = yandex_iam_service_account_static_access_key.rih_backend_static_key.access_key
+  }
+
+  entries {
+    key        = "secret_key"
+    text_value = yandex_iam_service_account_static_access_key.rih_backend_static_key.secret_key
+  }
+}
+
+# TODO(tazjin): needs provider update
+#
+# resource "yandex_lockbox_secret_iam_binding" "viewer" {
+#   secret_id = yandex_lockbox_secret.rih_backend_storage_key.id
+#   role = "viewer"
+
+#   members = [
+#     "serviceAccount:${yandex_iam_service_account.rih_backend.id}"
+#   ]
+# }