feat(ops/gcp-backups): add terraform configuration for GCP buckets

This terraform configuration is to create the buckets that I'm using for various buckets. Doing this through the UI is difficult, as there are too many options, it's easy to have different buckets with different settings when I need them to be identical, no way to review what the change is going to look like, etc. Change-Id: I8ee15939559e7632e2df9d17cfaec75d756930b6 Reviewed-on: https://cl.fcuny.net/c/world/+/713 Tested-by: CI Reviewed-by: Franck Cuny <franck@fcuny.net>
author: Franck Cuny <franck@fcuny.net> 2022-08-10 17:49:50 -0700
committer: Franck Cuny <franck@fcuny.net> 2022-08-15 17:51:38 -0700
commit: da572dabc3c8e6a76c192d47101766044cd293a3 (patch)
tree: fedb235077193f8bda16d2a041915acd3864b8bc /ops
parent: fix(home/terminal): use alacritty's default colors (diff)
download: world-da572dabc3c8e6a76c192d47101766044cd293a3.tar.gz
5 files changed, 193 insertions, 0 deletions
diff --git a/ops/default.nix b/ops/default.nix
index 500f9ec..ec2bc02 100644
--- a/ops/default.nix
+++ b/ops/default.nix
@@ -2,4 +2,5 @@
 
 pkgs.lib.makeScope pkgs.newScope (pkgs: {
   buildkite = pkgs.callPackage ./buildkite { };
+  gcp-backups = pkgs.callPackage ./gcp-backups { };
 })
diff --git a/ops/gcp-backups/.gitignore b/ops/gcp-backups/.gitignore
new file mode 100644
index 0000000..112bb96
--- /dev/null
+++ b/ops/gcp-backups/.gitignore
@@ -0,0 +1,3 @@
+# ignore the various terraform files that are generate. The state is
+# stored in a GCS bucket.
+.terraform*
diff --git a/ops/gcp-backups/default.nix b/ops/gcp-backups/default.nix
new file mode 100644
index 0000000..44252e2
--- /dev/null
+++ b/ops/gcp-backups/default.nix
@@ -0,0 +1,20 @@
+{ pkgs }:
+let
+  terraform = pkgs.terraform.withPlugins (p: [
+    p.google
+  ]);
+in
+pkgs.stdenv.mkDerivation rec {
+  name = "tf-gcp-backups";
+  src = ./.;
+
+  setup = pkgs.writeShellScriptBin "tf-gcp-backups-setup" ''
+    set -ueo pipefail
+
+    cd $(git rev-parse --show-toplevel)/ops/gcp-backups
+
+    ${terraform}/bin/terraform init
+    ${terraform}/bin/terraform plan
+    ${terraform}/bin/terraform apply
+  '';
+}
diff --git a/ops/gcp-backups/main.tf b/ops/gcp-backups/main.tf
new file mode 100644
index 0000000..f12e9cd
--- /dev/null
+++ b/ops/gcp-backups/main.tf
@@ -0,0 +1,164 @@
+locals {
+  terraform_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+}
+
+provider "google" {
+  alias = "impersonation"
+  scopes = [
+    "https://www.googleapis.com/auth/cloud-platform",
+    "https://www.googleapis.com/auth/userinfo.email",
+  ]
+}
+
+data "google_service_account_access_token" "default" {
+  provider               = google.impersonation
+  target_service_account = local.terraform_service_account
+  scopes                 = ["userinfo-email", "cloud-platform"]
+  lifetime               = "1200s"
+}
+
+provider "google" {
+  project         = "fcuny-backups"
+  region          = "us-west1"
+  zone            = "us-west1-c"
+  access_token    = data.google_service_account_access_token.default.access_token
+  request_timeout = "60s"
+}
+
+terraform {
+  backend "gcs" {
+    bucket                      = "world-tf-state"
+    prefix                      = "backups/state"
+    impersonate_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+  }
+}
+
+resource "google_service_account" "restic" {
+  account_id   = "restic"
+  description  = "For backups with restic"
+  display_name = "Restic Service Account"
+}
+
+resource "google_storage_bucket" "archives" {
+  name                        = "fcuny-archives"
+  location                    = "US"
+  storage_class               = "NEARLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+  lifecycle_rule {
+    action {
+      type          = "SetStorageClass"
+      storage_class = "ARCHIVE"
+    }
+    condition {
+      matches_storage_class = ["NEARLINE"]
+      age                   = 10
+    }
+  }
+}
+
+resource "google_storage_bucket" "backups-systems" {
+  name                        = "fcuny-backups-systems"
+  location                    = "US"
+  storage_class               = "NEARLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+}
+
+resource "google_storage_bucket_iam_member" "backups-systems" {
+  bucket = google_storage_bucket.backups-systems.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-create" {
+  bucket = google_storage_bucket.backups-systems.name
+  role   = "roles/storage.objectCreator"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-view" {
+  bucket = google_storage_bucket.backups-systems.name
+  role   = "roles/storage.objectViewer"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket" "backups-users" {
+  name                        = "fcuny-backups-users"
+  location                    = "US"
+  storage_class               = "NEARLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+}
+
+resource "google_storage_bucket_iam_member" "backups-users" {
+  bucket = google_storage_bucket.backups-users.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-create" {
+  bucket = google_storage_bucket.backups-users.name
+  role   = "roles/storage.objectCreator"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-view" {
+  bucket = google_storage_bucket.backups-users.name
+  role   = "roles/storage.objectViewer"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket" "restic" {
+  name                        = "fcuny-restic"
+  location                    = "US"
+  storage_class               = "COLDLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+  lifecycle_rule {
+    action {
+      type          = "SetStorageClass"
+      storage_class = "ARCHIVE"
+    }
+    condition {
+      matches_storage_class = ["COLDLINE"]
+      age                   = 30
+    }
+  }
+}
+
+resource "google_storage_bucket" "repositories" {
+  name                        = "fcuny-repositories"
+  location                    = "US"
+  storage_class               = "COLDLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+  lifecycle_rule {
+    action {
+      type          = "SetStorageClass"
+      storage_class = "ARCHIVE"
+    }
+    condition {
+      matches_storage_class = ["COLDLINE"]
+      age                   = 30
+    }
+  }
+}
diff --git a/ops/gcp-backups/readme.org b/ops/gcp-backups/readme.org
new file mode 100644
index 0000000..c0f4288
--- /dev/null
+++ b/ops/gcp-backups/readme.org
@@ -0,0 +1,5 @@
+This terraform configuration set up the various buckets in GCP that I used for different backups.
+
+Run =nix run .#ops.gcp-backups.setup= to apply the configuration.
+
+You might need to run =gcloud auth application-default login= first.
author	Franck Cuny <franck@fcuny.net>	2022-08-10 17:49:50 -0700
committer	Franck Cuny <franck@fcuny.net>	2022-08-15 17:51:38 -0700
commit	da572dabc3c8e6a76c192d47101766044cd293a3 (patch)
tree	fedb235077193f8bda16d2a041915acd3864b8bc /ops
parent	fix(home/terminal): use alacritty's default colors (diff)
download	world-da572dabc3c8e6a76c192d47101766044cd293a3.tar.gz