authorFranck Cuny <franck@fcuny.net>2022-08-10 17:49:50 -0700
committerFranck Cuny <franck@fcuny.net>2022-08-15 17:51:38 -0700
commitda572dabc3c8e6a76c192d47101766044cd293a3 (patch)
treefedb235077193f8bda16d2a041915acd3864b8bc /ops
parentfix(home/terminal): use alacritty's default colors (diff)
downloadworld-da572dabc3c8e6a76c192d47101766044cd293a3.tar.gz
feat(ops/gcp-backups): add terraform configuration for GCP buckets
This terraform configuration creates the buckets that I'm using for
various backups. Doing this through the UI is difficult: there are
too many options, it's easy to end up with buckets that have different
settings when I need them to be identical, there is no way to review
what the change is going to look like, etc.

Change-Id: I8ee15939559e7632e2df9d17cfaec75d756930b6
Reviewed-on: https://cl.fcuny.net/c/world/+/713
Tested-by: CI
Reviewed-by: Franck Cuny <franck@fcuny.net>
Diffstat (limited to 'ops')
-rw-r--r--ops/default.nix1
-rw-r--r--ops/gcp-backups/.gitignore3
-rw-r--r--ops/gcp-backups/default.nix20
-rw-r--r--ops/gcp-backups/main.tf164
-rw-r--r--ops/gcp-backups/readme.org5
5 files changed, 193 insertions, 0 deletions
diff --git a/ops/default.nix b/ops/default.nix
index 500f9ec..ec2bc02 100644
--- a/ops/default.nix
+++ b/ops/default.nix
@@ -2,4 +2,5 @@
 
 pkgs.lib.makeScope pkgs.newScope (pkgs: {
   buildkite = pkgs.callPackage ./buildkite { };
+  gcp-backups = pkgs.callPackage ./gcp-backups { };
 })
diff --git a/ops/gcp-backups/.gitignore b/ops/gcp-backups/.gitignore
new file mode 100644
index 0000000..112bb96
--- /dev/null
+++ b/ops/gcp-backups/.gitignore
@@ -0,0 +1,3 @@
+# ignore the various terraform files that are generate. The state is
+# stored in a GCS bucket.
+.terraform*
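Review bot: The `.terraform*` pattern also ignores `.terraform.lock.hcl`, the dependency lock file that records the selected provider versions and their checksums, so provider selection is not tracked in the repository and cannot be verified on a later `terraform init`. Narrowing the pattern to the working directory, `.terraform/`, keeps the generated plugin cache out of git while letting the lock file be committed. The provider is presumably supplied by the nix `withPlugins` wrapper in this directory's default.nix, which limits the drift, but a committed lock file still pins what terraform will accept when it is run outside nix.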
diff --git a/ops/gcp-backups/default.nix b/ops/gcp-backups/default.nix
new file mode 100644
index 0000000..44252e2
--- /dev/null
+++ b/ops/gcp-backups/default.nix
@@ -0,0 +1,20 @@
+{ pkgs }:
+let
+  terraform = pkgs.terraform.withPlugins (p: [
+    p.google
+  ]);
+in
+pkgs.stdenv.mkDerivation rec {
+  name = "tf-gcp-backups";
+  src = ./.;
+
+  setup = pkgs.writeShellScriptBin "tf-gcp-backups-setup" ''
+    set -ueo pipefail
+
+    cd $(git rev-parse --show-toplevel)/ops/gcp-backups
+
+    ${terraform}/bin/terraform init
+    ${terraform}/bin/terraform plan
+    ${terraform}/bin/terraform apply
+  '';
+}
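Review bot: `terraform plan` followed by a separate `terraform apply` runs two independent plans, so the changes shown by the first are not necessarily the ones the second applies; saving the plan and applying that file guarantees the reviewed plan is the one executed: `${terraform}/bin/terraform plan -out=tfplan` then `${terraform}/bin/terraform apply tfplan`. The `cd` target is unquoted, and `set -u` does not protect against a checkout path containing whitespace, so `cd "$(git rev-parse --show-toplevel)/ops/gcp-backups"` is safer. A saved plan file can contain sensitive resource attributes, so if `-out` is adopted, `tfplan` should be added to this directory's .gitignore as well.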
diff --git a/ops/gcp-backups/main.tf b/ops/gcp-backups/main.tf
new file mode 100644
index 0000000..f12e9cd
--- /dev/null
+++ b/ops/gcp-backups/main.tf
@@ -0,0 +1,164 @@
+locals {
+  terraform_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+}
+
+provider "google" {
+  alias = "impersonation"
+  scopes = [
+    "https://www.googleapis.com/auth/cloud-platform",
+    "https://www.googleapis.com/auth/userinfo.email",
+  ]
+}
+
+data "google_service_account_access_token" "default" {
+  provider               = google.impersonation
+  target_service_account = local.terraform_service_account
+  scopes                 = ["userinfo-email", "cloud-platform"]
+  lifetime               = "1200s"
+}
+
+provider "google" {
+  project         = "fcuny-backups"
+  region          = "us-west1"
+  zone            = "us-west1-c"
+  access_token    = data.google_service_account_access_token.default.access_token
+  request_timeout = "60s"
+}
+
+terraform {
+  backend "gcs" {
+    bucket                      = "world-tf-state"
+    prefix                      = "backups/state"
+    impersonate_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+  }
+}
+
+resource "google_service_account" "restic" {
+  account_id   = "restic"
+  description  = "For backups with restic"
+  display_name = "Restic Service Account"
+}
+
+resource "google_storage_bucket" "archives" {
+  name                        = "fcuny-archives"
+  location                    = "US"
+  storage_class               = "NEARLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+  lifecycle_rule {
+    action {
+      type          = "SetStorageClass"
+      storage_class = "ARCHIVE"
+    }
+    condition {
+      matches_storage_class = ["NEARLINE"]
+      age                   = 10
+    }
+  }
+}
+
+resource "google_storage_bucket" "backups-systems" {
+  name                        = "fcuny-backups-systems"
+  location                    = "US"
+  storage_class               = "NEARLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+}
+
+resource "google_storage_bucket_iam_member" "backups-systems" {
+  bucket = google_storage_bucket.backups-systems.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-create" {
+  bucket = google_storage_bucket.backups-systems.name
+  role   = "roles/storage.objectCreator"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-view" {
+  bucket = google_storage_bucket.backups-systems.name
+  role   = "roles/storage.objectViewer"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket" "backups-users" {
+  name                        = "fcuny-backups-users"
+  location                    = "US"
+  storage_class               = "NEARLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+}
+
+resource "google_storage_bucket_iam_member" "backups-users" {
+  bucket = google_storage_bucket.backups-users.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-create" {
+  bucket = google_storage_bucket.backups-users.name
+  role   = "roles/storage.objectCreator"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-view" {
+  bucket = google_storage_bucket.backups-users.name
+  role   = "roles/storage.objectViewer"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket" "restic" {
+  name                        = "fcuny-restic"
+  location                    = "US"
+  storage_class               = "COLDLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+  lifecycle_rule {
+    action {
+      type          = "SetStorageClass"
+      storage_class = "ARCHIVE"
+    }
+    condition {
+      matches_storage_class = ["COLDLINE"]
+      age                   = 30
+    }
+  }
+}
+
+resource "google_storage_bucket" "repositories" {
+  name                        = "fcuny-repositories"
+  location                    = "US"
+  storage_class               = "COLDLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+  lifecycle_rule {
+    action {
+      type          = "SetStorageClass"
+      storage_class = "ARCHIVE"
+    }
+    condition {
+      matches_storage_class = ["COLDLINE"]
+      age                   = 30
+    }
+  }
+}
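Review bot: The restic service account gets `roles/storage.objectAdmin` on `backups-systems` and `backups-users` while both buckets have `versioning { enabled = false }`, so the same principal that writes the backups can also overwrite or delete them irrecoverably, and a compromise of the host holding its key takes the backups with it. Enabling versioning together with a lifecycle rule that expires noncurrent versions after a recovery window keeps restic's own pruning working while leaving a way back; the rewrite below shows it for `backups-systems` and the same applies to `backups-users`. The separate `objectCreator` and `objectViewer` bindings on each of these buckets are redundant, since `objectAdmin` already includes those permissions, and `google_storage_bucket_iam_binding` is authoritative for its role, so dropping them removes nothing the service account needs. The `terraform {}` block declares no `required_providers` constraint; the provider version is presumably fixed by the nix wrapper, but a constraint here would make the pin visible to anyone running terraform directly.
```hcl
resource "google_storage_bucket" "backups-systems" {
  # … unchanged: name, location, storage_class, uniform_bucket_level_access …
  versioning {
    enabled = true
  }
  # Keep overwritten or deleted objects recoverable for a window, then expire
  # them so versioning does not grow the bucket without bound.
  lifecycle_rule {
    action {
      type = "Delete"
    }
    condition {
      with_state                 = "ARCHIVED"
      days_since_noncurrent_time = 30
    }
  }
}
```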
diff --git a/ops/gcp-backups/readme.org b/ops/gcp-backups/readme.org
new file mode 100644
index 0000000..c0f4288
--- /dev/null
+++ b/ops/gcp-backups/readme.org
@@ -0,0 +1,5 @@
+This terraform configuration set up the various buckets in GCP that I used for different backups.
+
+Run =nix run .#ops.gcp-backups.setup= to apply the configuration.
+
+You might need to run =gcloud auth application-default login= first.