feat(corp/ops): configure data storage bucket
Note that there doesn't seem to be a TF resource type for a bucket-scoped IAM binding for a service account (only folder-scoped bindings, which apply to all buckets in the folder and which I don't want). For this reason I've added the `storage.uploader` IAM binding for the `rih-backend` service account *on the bucket* manually. Change-Id: I9fb06c7857e61dc642d9ea0d89159a0e343dc984 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8728 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
parent
fb7db9b692
commit
eae70200ce
1 changed files with 77 additions and 7 deletions
@ -17,7 +17,7 @@ resource "yandex_iam_service_account" "rih_storage_sa" {
|
||||||
|
|
||||||
resource "yandex_resourcemanager_folder_iam_member" "rih_sa_storage_editor" {
|
resource "yandex_resourcemanager_folder_iam_member" "rih_sa_storage_editor" {
|
||||||
folder_id = local.rih_folder_id
|
folder_id = local.rih_folder_id
|
||||||
role = "storage.editor"
|
role = "storage.admin"
|
||||||
member = "serviceAccount:${yandex_iam_service_account.rih_storage_sa.id}"
|
member = "serviceAccount:${yandex_iam_service_account.rih_storage_sa.id}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -78,12 +78,6 @@ resource "yandex_iam_service_account" "rih_backend" {
|
||||||
folder_id = local.rih_folder_id
|
folder_id = local.rih_folder_id
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "yandex_resourcemanager_folder_iam_member" "rih_backend_storage_editor" {
|
|
||||||
folder_id = local.rih_folder_id
|
|
||||||
role = "storage.editor"
|
|
||||||
member = "serviceAccount:${yandex_iam_service_account.rih_backend.id}"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "yandex_resourcemanager_folder_iam_member" "rih_backend_image_pull" {
|
resource "yandex_resourcemanager_folder_iam_member" "rih_backend_image_pull" {
|
||||||
folder_id = local.rih_folder_id
|
folder_id = local.rih_folder_id
|
||||||
role = "container-registry.images.puller"
|
role = "container-registry.images.puller"
|
||||||
|
@ -167,3 +161,79 @@ resource "yandex_dns_recordset" "cname_api_russiaishiring_com" {
|
||||||
data = [yandex_api_gateway.rih_gateway.domain]
|
data = [yandex_api_gateway.rih_gateway.domain]
|
||||||
ttl = 600
|
ttl = 600
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Bucket setup for data receival bucket
|
||||||
|
#
|
||||||
|
# The bucket is set up and controlled by the default storage account,
|
||||||
|
# but a separate key is set up for the rih-backend IAM account which
|
||||||
|
# can only access the information in this bucket.
|
||||||
|
|
||||||
|
resource "yandex_kms_symmetric_key" "backend_data_key" {
|
||||||
|
name = "rih-backend-data-key"
|
||||||
|
default_algorithm = "AES_128"
|
||||||
|
rotation_period = "4380h" # ~6 months
|
||||||
|
|
||||||
|
lifecycle {
|
||||||
|
prevent_destroy = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "yandex_storage_bucket" "rih_backend_data" {
|
||||||
|
access_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.access_key
|
||||||
|
secret_key = yandex_iam_service_account_static_access_key.rih_sa_static_key.secret_key
|
||||||
|
bucket = "rih-backend-data"
|
||||||
|
folder_id = local.rih_folder_id
|
||||||
|
acl = "private"
|
||||||
|
|
||||||
|
versioning {
|
||||||
|
enabled = true
|
||||||
|
}
|
||||||
|
|
||||||
|
server_side_encryption_configuration {
|
||||||
|
rule {
|
||||||
|
apply_server_side_encryption_by_default {
|
||||||
|
kms_master_key_id = yandex_kms_symmetric_key.backend_data_key.id
|
||||||
|
sse_algorithm = "aws:kms"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
lifecycle {
|
||||||
|
prevent_destroy = true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "yandex_iam_service_account_static_access_key" "rih_backend_static_key" {
|
||||||
|
service_account_id = yandex_iam_service_account.rih_backend.id
|
||||||
|
description = "RIH backend bucket access key"
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "yandex_lockbox_secret" "rih_backend_storage_key" {
|
||||||
|
name = "rih-backend-storage-key"
|
||||||
|
folder_id = local.rih_folder_id
|
||||||
|
}
|
||||||
|
|
||||||
|
resource "yandex_lockbox_secret_version" "rih_backend_storage_secret" {
|
||||||
|
secret_id = yandex_lockbox_secret.rih_backend_storage_key.id
|
||||||
|
|
||||||
|
entries {
|
||||||
|
key = "access_key"
|
||||||
|
text_value = yandex_iam_service_account_static_access_key.rih_backend_static_key.access_key
|
||||||
|
}
|
||||||
|
|
||||||
|
entries {
|
||||||
|
key = "secret_key"
|
||||||
|
text_value = yandex_iam_service_account_static_access_key.rih_backend_static_key.secret_key
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
# TODO(tazjin): needs provider update
|
||||||
|
#
|
||||||
|
# resource "yandex_lockbox_secret_iam_binding" "viewer" {
|
||||||
|
# secret_id = yandex_lockbox_secret.rih_backend_storage_key.id
|
||||||
|
# role = "viewer"
|
||||||
|
|
||||||
|
# members = [
|
||||||
|
# "serviceAccount:${yandex_iam_service_account.rih_backend.id}"
|
||||||
|
# ]
|
||||||
|
# }
|
||||||
|
|
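Review bot: The header comment of the new bucket block says the rih-backend key "can only access the information in this bucket", but nothing in this file establishes that: the folder-wide `storage.editor` grant for `rih_backend` is removed in the second hunk, and the replacement bucket-scoped `storage.uploader` grant exists only as a manual step described in the commit message, so it is invisible to `terraform plan`, can drift silently, and will be lost if the bucket is ever recreated. I would record that next to `rih_backend_static_key`, e.g. `# NOTE: the bucket-scoped "storage.uploader" grant for this SA is applied manually (no TF resource for it yet); re-apply it if the bucket is recreated.` Two things to verify rather than defects visible here: the static key's `secret_key` is now held in plaintext both in Terraform state and in the Lockbox secret version, so the state backend needs at least the access controls Lockbox gets; and because the bucket defaults to SSE with `backend_data_key`, the uploading principal presumably also needs an encrypter role on that KMS key, which no visible binding grants, so confirm an upload by rih-backend actually succeeds before relying on it. The first hunk also widens `rih_storage_sa` from `storage.editor` to `storage.admin` across the whole folder; if that is only needed to set this bucket's ACL and encryption configuration, a one-line comment on the role saying why folder-wide admin is required would keep the broadened grant from looking accidental later.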