Diffstat (limited to 'ops/gcp-backups/main.tf')
-rw-r--r--ops/gcp-backups/main.tf164
1 files changed, 164 insertions, 0 deletions
diff --git a/ops/gcp-backups/main.tf b/ops/gcp-backups/main.tf
new file mode 100644
index 0000000..f12e9cd
--- /dev/null
+++ b/ops/gcp-backups/main.tf
@@ -0,0 +1,164 @@
+locals {
+  terraform_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+}
+
+provider "google" {
+  alias = "impersonation"
+  scopes = [
+    "https://www.googleapis.com/auth/cloud-platform",
+    "https://www.googleapis.com/auth/userinfo.email",
+  ]
+}
+
+data "google_service_account_access_token" "default" {
+  provider               = google.impersonation
+  target_service_account = local.terraform_service_account
+  scopes                 = ["userinfo-email", "cloud-platform"]
+  lifetime               = "1200s"
+}
+
+provider "google" {
+  project         = "fcuny-backups"
+  region          = "us-west1"
+  zone            = "us-west1-c"
+  access_token    = data.google_service_account_access_token.default.access_token
+  request_timeout = "60s"
+}
+
+terraform {
+  backend "gcs" {
+    bucket                      = "world-tf-state"
+    prefix                      = "backups/state"
+    impersonate_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+  }
+}
+
+resource "google_service_account" "restic" {
+  account_id   = "restic"
+  description  = "For backups with restic"
+  display_name = "Restic Service Account"
+}
+
+resource "google_storage_bucket" "archives" {
+  name                        = "fcuny-archives"
+  location                    = "US"
+  storage_class               = "NEARLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+  lifecycle_rule {
+    action {
+      type          = "SetStorageClass"
+      storage_class = "ARCHIVE"
+    }
+    condition {
+      matches_storage_class = ["NEARLINE"]
+      age                   = 10
+    }
+  }
+}
+
+resource "google_storage_bucket" "backups-systems" {
+  name                        = "fcuny-backups-systems"
+  location                    = "US"
+  storage_class               = "NEARLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+}
+
+resource "google_storage_bucket_iam_member" "backups-systems" {
+  bucket = google_storage_bucket.backups-systems.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-create" {
+  bucket = google_storage_bucket.backups-systems.name
+  role   = "roles/storage.objectCreator"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-view" {
+  bucket = google_storage_bucket.backups-systems.name
+  role   = "roles/storage.objectViewer"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket" "backups-users" {
+  name                        = "fcuny-backups-users"
+  location                    = "US"
+  storage_class               = "NEARLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+}
+
+resource "google_storage_bucket_iam_member" "backups-users" {
+  bucket = google_storage_bucket.backups-users.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-create" {
+  bucket = google_storage_bucket.backups-users.name
+  role   = "roles/storage.objectCreator"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-view" {
+  bucket = google_storage_bucket.backups-users.name
+  role   = "roles/storage.objectViewer"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket" "restic" {
+  name                        = "fcuny-restic"
+  location                    = "US"
+  storage_class               = "COLDLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+  lifecycle_rule {
+    action {
+      type          = "SetStorageClass"
+      storage_class = "ARCHIVE"
+    }
+    condition {
+      matches_storage_class = ["COLDLINE"]
+      age                   = 30
+    }
+  }
+}
+
+resource "google_storage_bucket" "repositories" {
+  name                        = "fcuny-repositories"
+  location                    = "US"
+  storage_class               = "COLDLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+  lifecycle_rule {
+    action {
+      type          = "SetStorageClass"
+      storage_class = "ARCHIVE"
+    }
+    condition {
+      matches_storage_class = ["COLDLINE"]
+      age                   = 30
+    }
+  }
+}
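Review bot: The backup buckets `backups-systems` and `backups-users` are created with `enabled = false` under `versioning` and no `retention_policy`, while the `restic` service account receives `roles/storage.objectAdmin` on both, so any delete or overwrite issued with that account's credentials is final and the backup cannot be recovered. Switching to `versioning { enabled = true }` (bounded by a `lifecycle_rule` whose `condition` uses `num_newer_versions` or `days_since_noncurrent_time`) or adding a `retention_policy` block keeps a prior copy after a destructive write, which is the property a backup store should have. Separately, the `objectAdmin` grants in the `google_storage_bucket_iam_member` resources already cover every permission in the `objectCreator` and `objectViewer` roles, so the four `google_storage_bucket_iam_binding` blocks for the same principal are redundant; note that `_binding` is also authoritative for its role and will remove any member later added to that role outside this configuration. The hard-coded `impersonate_service_account` in the `gcs` backend duplicates `local.terraform_service_account`; the backend block cannot reference locals, so a one-line comment saying the two must be kept in sync would help the next editor.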