Diffstat (limited to 'ops')
-rw-r--r-- | ops/default.nix | 5 | ||||
-rw-r--r-- | ops/gcp-backups/.gitignore | 3 | ||||
-rw-r--r-- | ops/gcp-backups/default.nix | 28 | ||||
-rw-r--r-- | ops/gcp-backups/main.tf | 164 | ||||
-rw-r--r-- | ops/gcp-backups/readme.org | 5 | ||||
-rwxr-xr-x | ops/tf-gcs-init/tf-gcs-init.sh | 105 |
6 files changed, 0 insertions, 310 deletions
diff --git a/ops/default.nix b/ops/default.nix
deleted file mode 100644
index f06e40e..0000000
--- a/ops/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ pkgs }:
-
-pkgs.lib.makeScope pkgs.newScope (pkgs: {
- gcp-backups = pkgs.callPackage ./gcp-backups { };
-})
diff --git a/ops/gcp-backups/.gitignore b/ops/gcp-backups/.gitignore
deleted file mode 100644
index 112bb96..0000000
--- a/ops/gcp-backups/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-# ignore the various terraform files that are generate. The state is
-# stored in a GCS bucket.
-.terraform*
diff --git a/ops/gcp-backups/default.nix b/ops/gcp-backups/default.nix
deleted file mode 100644
index 0e9ed07..0000000
--- a/ops/gcp-backups/default.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{ pkgs }:
-let
- terraform = pkgs.terraform.withPlugins (p: [
- p.google
- ]);
-in
-pkgs.stdenv.mkDerivation rec {
- name = "tf-gcp-backups";
- src = ./.;
-
- init = pkgs.writeShellScriptBin "tf-gcp-backups-init" ''
- set -ueo pipefail
- cd $(git rev-parse --show-toplevel)/ops/gcp-backups
- ${terraform}/bin/terraform init
- '';
-
- plan = pkgs.writeShellScriptBin "tf-gcp-backups-plan" ''
- set -ueo pipefail
- cd $(git rev-parse --show-toplevel)/ops/gcp-backups
- ${terraform}/bin/terraform plan
- '';
-
- apply = pkgs.writeShellScriptBin "tf-gcp-backups-apply" ''
- set -ueo pipefail
- cd $(git rev-parse --show-toplevel)/ops/gcp-backups
- ${terraform}/bin/terraform apply
- '';
-}
diff --git a/ops/gcp-backups/main.tf b/ops/gcp-backups/main.tf
deleted file mode 100644
index f12e9cd..0000000
--- a/ops/gcp-backups/main.tf
+++ /dev/null
@@ -1,164 +0,0 @@
-locals {
- terraform_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
-}
-
-provider "google" {
- alias = "impersonation"
- scopes = [
- "https://www.googleapis.com/auth/cloud-platform",
- "https://www.googleapis.com/auth/userinfo.email",
- ]
-}
-
-data "google_service_account_access_token" "default" {
- provider = google.impersonation
- target_service_account = local.terraform_service_account
- scopes = ["userinfo-email", "cloud-platform"]
- lifetime = "1200s"
-}
-
-provider "google" {
- project = "fcuny-backups"
- region = "us-west1"
- zone = "us-west1-c"
- access_token = data.google_service_account_access_token.default.access_token
- request_timeout = "60s"
-}
-
-terraform {
- backend "gcs" {
- bucket = "world-tf-state"
- prefix = "backups/state"
- impersonate_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
- }
-}
-
-resource "google_service_account" "restic" {
- account_id = "restic"
- description = "For backups with restic"
- display_name = "Restic Service Account"
-}
-
-resource "google_storage_bucket" "archives" {
- name = "fcuny-archives"
- location = "US"
- storage_class = "NEARLINE"
- uniform_bucket_level_access = true
- versioning {
- enabled = false
- }
- lifecycle_rule {
- action {
- type = "SetStorageClass"
- storage_class = "ARCHIVE"
- }
- condition {
- matches_storage_class = ["NEARLINE"]
- age = 10
- }
- }
-}
-
-resource "google_storage_bucket" "backups-systems" {
- name = "fcuny-backups-systems"
- location = "US"
- storage_class = "NEARLINE"
- uniform_bucket_level_access = true
- versioning {
- enabled = false
- }
-}
-
-resource "google_storage_bucket_iam_member" "backups-systems" {
- bucket = google_storage_bucket.backups-systems.name
- role = "roles/storage.objectAdmin"
- member = "serviceAccount:${google_service_account.restic.email}"
-}
-
-resource "google_storage_bucket_iam_binding" "backups-systems-create" {
- bucket = google_storage_bucket.backups-systems.name
- role = "roles/storage.objectCreator"
- members = [
- "serviceAccount:${google_service_account.restic.email}",
- ]
-}
-
-resource "google_storage_bucket_iam_binding" "backups-systems-view" {
- bucket = google_storage_bucket.backups-systems.name
- role = "roles/storage.objectViewer"
- members = [
- "serviceAccount:${google_service_account.restic.email}",
- ]
-}
-
-resource "google_storage_bucket" "backups-users" {
- name = "fcuny-backups-users"
- location = "US"
- storage_class = "NEARLINE"
- uniform_bucket_level_access = true
- versioning {
- enabled = false
- }
-}
-
-resource "google_storage_bucket_iam_member" "backups-users" {
- bucket = google_storage_bucket.backups-users.name
- role = "roles/storage.objectAdmin"
- member = "serviceAccount:${google_service_account.restic.email}"
-}
-
-resource "google_storage_bucket_iam_binding" "backups-users-create" {
- bucket = google_storage_bucket.backups-users.name
- role = "roles/storage.objectCreator"
- members = [
- "serviceAccount:${google_service_account.restic.email}",
- ]
-}
-
-resource "google_storage_bucket_iam_binding" "backups-users-view" {
- bucket = google_storage_bucket.backups-users.name
- role = "roles/storage.objectViewer"
- members = [
- "serviceAccount:${google_service_account.restic.email}",
- ]
-}
-
-resource "google_storage_bucket" "restic" {
- name = "fcuny-restic"
- location = "US"
- storage_class = "COLDLINE"
- uniform_bucket_level_access = true
- versioning {
- enabled = false
- }
- lifecycle_rule {
- action {
- type = "SetStorageClass"
- storage_class = "ARCHIVE"
- }
- condition {
- matches_storage_class = ["COLDLINE"]
- age = 30
- }
- }
-}
-
-resource "google_storage_bucket" "repositories" {
- name = "fcuny-repositories"
- location = "US"
- storage_class = "COLDLINE"
- uniform_bucket_level_access = true
- versioning {
- enabled = false
- }
- lifecycle_rule {
- action {
- type = "SetStorageClass"
- storage_class = "ARCHIVE"
- }
- condition {
- matches_storage_class = ["COLDLINE"]
- age = 30
- }
- }
-}
diff --git a/ops/gcp-backups/readme.org b/ops/gcp-backups/readme.org
deleted file mode 100644
index c0f4288..0000000
--- a/ops/gcp-backups/readme.org
+++ /dev/null
@@ -1,5 +0,0 @@
-This terraform configuration set up the various buckets in GCP that I used for different backups.
-
-Run =nix run .#ops.gcp-backups.setup= to apply the configuration.
-
-You might need to run =gcloud auth application-default login= first.
diff --git a/ops/tf-gcs-init/tf-gcs-init.sh b/ops/tf-gcs-init/tf-gcs-init.sh
deleted file mode 100755
index 95d4d7e..0000000
--- a/ops/tf-gcs-init/tf-gcs-init.sh
+++ /dev/null
@@ -1,105 +0,0 @@
-#!/usr/bin/env bash
-
-# This script creates a bucket in GCS that will be used to store
-# terraform state. It also creates a service account 'terraform' to
-# perform the actions. It ensures the admin of the account can
-# impersonate the 'terraform' service account, so we don't need to
-# generate keys. The roles for the SA are also set.
-
-set -u
-set -e
-set -o pipefail
-
-# I'm the admin of the project
-GCP_ADMIN_ACCOUNT="franck.cuny@gmail.com"
-
-# this is the main project that is used for "core" infra
-GCP_PROJECT="fcuny-homelab"
-GCP_PROJECTS="$(gcloud projects list --format 'value(projectId)')"
-GCS_LOCATION="us-west1"
-GCS_BUCKET_NAME="world-tf-state"
-GCP_SERVICE_ACCOUNT_NAME="terraform"
-GCP_SERVICE_ACCOUNT="${GCP_SERVICE_ACCOUNT_NAME}@${GCP_PROJECT}.iam.gserviceaccount.com"
-GCP_SERVICE_ACCOUNT_ROLES=(
- "roles/editor"
- "roles/owner"
-)
-
-function bucket:exist() {
- if gsutil ls gs://"${1}" &>/dev/null; then
- true
- else
- false
- fi
-}
-
-function bucket() {
- if ! bucket:exist "${GCS_BUCKET_NAME}"; then
- echo "creating GCS bucket $GCS_BUCKET_NAME ..."
- (
- set -x
- gsutil mb -p ${GCP_PROJECT} -l ${GCS_LOCATION} gs://${GCS_BUCKET_NAME}
- gsutil versioning set on gs://${GCS_BUCKET_NAME}
- )
- else
- echo "GCS bucket $GCS_BUCKET_NAME already created"
- fi
-}
-
-function service_account:exist() {
- if gcloud iam service-accounts describe "${1}" &>/dev/null; then
- true
- else
- false
- fi
-}
-
-function service_account() {
- if ! service_account:exist "${GCP_SERVICE_ACCOUNT}"; then
- echo "creating service account ..."
- (
- set -x
- gcloud iam service-accounts create "${GCP_SERVICE_ACCOUNT_NAME}" --display-name="Terraform Service Account"
- )
- else
- echo "service account already created"
- fi
-}
-
-function service_account:has_role() {
- [[ $(gcloud projects get-iam-policy "${1}" --flatten=bindings --filter="bindings.members=serviceAccount:${2} AND bindings.role=$3" 2>/dev/null | wc -l) -ne 0 ]]
-}
-
-function service_account:admins_token_creator() {
- [[ $(gcloud --project="${1}" iam service-accounts get-iam-policy ${GCP_SERVICE_ACCOUNT} --flatten=bindings --filter="bindings.members=user:${GCP_ADMIN_ACCOUNT} AND bindings.role=roles/iam.serviceAccountTokenCreator" 2>/dev/null | wc -l) -ne 0 ]]
-}
-
-function roles() {
- for project in $GCP_PROJECTS; do
- for role in "${GCP_SERVICE_ACCOUNT_ROLES[@]}"; do
- if ! service_account:has_role "${project}" "${GCP_SERVICE_ACCOUNT}" "${role}" ; then
- echo "granting ${role##*/} role to service account for project ${project} ..."
- (
- set -x
- gcloud projects add-iam-policy-binding "${project}" --member="serviceAccount:${GCP_SERVICE_ACCOUNT}" --role="${role}"
- ) 1>/dev/null
- else
- echo "service account already has ${role##*/} role for project ${project}"
- fi
- done
-
- if ! service_account:admins_token_creator "${project}" ; then
- echo "adding AccountTokenCreator role to admin account for project ${project} ..."
- (
- set -x
- gcloud --project="${project}" iam service-accounts add-iam-policy-binding "${GCP_SERVICE_ACCOUNT}" --member user:${GCP_ADMIN_ACCOUNT} --role="roles/iam.serviceAccountTokenCreator"
- ) 1>/dev/null
- else
- echo "admin account has already AccountTokenCreator role for project ${project}"
- fi
- done
-}
-
-bucket
-service_account
-roles |