Diffstat (limited to 'ops/gcp-backups/main.tf')
-rw-r--r-- | ops/gcp-backups/main.tf | 164 |
1 files changed, 164 insertions, 0 deletions
diff --git a/ops/gcp-backups/main.tf b/ops/gcp-backups/main.tf
new file mode 100644
index 0000000..f12e9cd
--- /dev/null
+++ b/ops/gcp-backups/main.tf
@@ -0,0 +1,164 @@
+locals {
+ terraform_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+}
+
+provider "google" {
+ alias = "impersonation"
+ scopes = [
+ "https://www.googleapis.com/auth/cloud-platform",
+ "https://www.googleapis.com/auth/userinfo.email",
+ ]
+}
+
+data "google_service_account_access_token" "default" {
+ provider = google.impersonation
+ target_service_account = local.terraform_service_account
+ scopes = ["userinfo-email", "cloud-platform"]
+ lifetime = "1200s"
+}
+
+provider "google" {
+ project = "fcuny-backups"
+ region = "us-west1"
+ zone = "us-west1-c"
+ access_token = data.google_service_account_access_token.default.access_token
+ request_timeout = "60s"
+}
+
+terraform {
+ backend "gcs" {
+ bucket = "world-tf-state"
+ prefix = "backups/state"
+ impersonate_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+ }
+}
+
+resource "google_service_account" "restic" {
+ account_id = "restic"
+ description = "For backups with restic"
+ display_name = "Restic Service Account"
+}
+
+resource "google_storage_bucket" "archives" {
+ name = "fcuny-archives"
+ location = "US"
+ storage_class = "NEARLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+ lifecycle_rule {
+ action {
+ type = "SetStorageClass"
+ storage_class = "ARCHIVE"
+ }
+ condition {
+ matches_storage_class = ["NEARLINE"]
+ age = 10
+ }
+ }
+}
+
+resource "google_storage_bucket" "backups-systems" {
+ name = "fcuny-backups-systems"
+ location = "US"
+ storage_class = "NEARLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+}
+
+resource "google_storage_bucket_iam_member" "backups-systems" {
+ bucket = google_storage_bucket.backups-systems.name
+ role = "roles/storage.objectAdmin"
+ member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-create" {
+ bucket = google_storage_bucket.backups-systems.name
+ role = "roles/storage.objectCreator"
+ members = [
+ "serviceAccount:${google_service_account.restic.email}",
+ ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-view" {
+ bucket = google_storage_bucket.backups-systems.name
+ role = "roles/storage.objectViewer"
+ members = [
+ "serviceAccount:${google_service_account.restic.email}",
+ ]
+}
+
+resource "google_storage_bucket" "backups-users" {
+ name = "fcuny-backups-users"
+ location = "US"
+ storage_class = "NEARLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+}
+
+resource "google_storage_bucket_iam_member" "backups-users" {
+ bucket = google_storage_bucket.backups-users.name
+ role = "roles/storage.objectAdmin"
+ member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-create" {
+ bucket = google_storage_bucket.backups-users.name
+ role = "roles/storage.objectCreator"
+ members = [
+ "serviceAccount:${google_service_account.restic.email}",
+ ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-view" {
+ bucket = google_storage_bucket.backups-users.name
+ role = "roles/storage.objectViewer"
+ members = [
+ "serviceAccount:${google_service_account.restic.email}",
+ ]
+}
+
+resource "google_storage_bucket" "restic" {
+ name = "fcuny-restic"
+ location = "US"
+ storage_class = "COLDLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+ lifecycle_rule {
+ action {
+ type = "SetStorageClass"
+ storage_class = "ARCHIVE"
+ }
+ condition {
+ matches_storage_class = ["COLDLINE"]
+ age = 30
+ }
+ }
+}
+
+resource "google_storage_bucket" "repositories" {
+ name = "fcuny-repositories"
+ location = "US"
+ storage_class = "COLDLINE"
+ uniform_bucket_level_access = true
+ versioning {
+ enabled = false
+ }
+ lifecycle_rule {
+ action {
+ type = "SetStorageClass"
+ storage_class = "ARCHIVE"
+ }
+ condition {
+ matches_storage_class = ["COLDLINE"]
+ age = 30
+ }
+ }
+}
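Review bot: The `google_storage_bucket_iam_member` resources for `backups-systems` and `backups-users` grant the restic service account `roles/storage.objectAdmin`, which already includes object create, read and delete, so the `objectCreator` and `objectViewer` `google_storage_bucket_iam_binding` resources that follow each of them add no permission and should be dropped (and `iam_binding` is authoritative for its role on the bucket, so it silently removes any other principal that held that role). Because the same two buckets set `versioning { enabled = false }` and declare no `retention_policy`, a backup host whose restic credentials are compromised can overwrite or delete its own backup history with no way back; changing to `versioning { enabled = true }` with a lifecycle rule on `num_newer_versions` or `days_since_noncurrent_time` to bound cost, or adding a `retention_policy`, keeps deletions recoverable. If day-to-day restic runs only need to write and read snapshots, `roles/storage.objectCreator` plus `roles/storage.objectViewer` is the narrower grant for this account and the `objectAdmin` member can be moved to a separate identity used only for prune/forget.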