From da572dabc3c8e6a76c192d47101766044cd293a3 Mon Sep 17 00:00:00 2001
From: Franck Cuny <franck@fcuny.net>
Date: Wed, 10 Aug 2022 17:49:50 -0700
Subject: feat(ops/gcp-backups): add terraform configuration for GCP buckets

This terraform configuration is to create the buckets that I'm using for
various buckets. Doing this through the UI is difficult, as there are
too many options, it's easy to have different buckets with different
settings when I need them to be identical, no way to review what the
change is going to look like, etc.

Change-Id: I8ee15939559e7632e2df9d17cfaec75d756930b6
Reviewed-on: https://cl.fcuny.net/c/world/+/713
Tested-by: CI
Reviewed-by: Franck Cuny <franck@fcuny.net>
---
 ops/gcp-backups/.gitignore  |   3 +
 ops/gcp-backups/default.nix |  20 ++++++
 ops/gcp-backups/main.tf     | 164 ++++++++++++++++++++++++++++++++++++++++++++
 ops/gcp-backups/readme.org  |   5 ++
 4 files changed, 192 insertions(+)
 create mode 100644 ops/gcp-backups/.gitignore
 create mode 100644 ops/gcp-backups/default.nix
 create mode 100644 ops/gcp-backups/main.tf
 create mode 100644 ops/gcp-backups/readme.org

(limited to 'ops/gcp-backups')

diff --git a/ops/gcp-backups/.gitignore b/ops/gcp-backups/.gitignore
new file mode 100644
index 0000000..112bb96
--- /dev/null
+++ b/ops/gcp-backups/.gitignore
@@ -0,0 +1,3 @@
+# ignore the various terraform files that are generate. The state is
+# stored in a GCS bucket.
+.terraform*
diff --git a/ops/gcp-backups/default.nix b/ops/gcp-backups/default.nix
new file mode 100644
index 0000000..44252e2
--- /dev/null
+++ b/ops/gcp-backups/default.nix
@@ -0,0 +1,20 @@
+{ pkgs }:
+let
+  terraform = pkgs.terraform.withPlugins (p: [
+    p.google
+  ]);
+in
+pkgs.stdenv.mkDerivation rec {
+  name = "tf-gcp-backups";
+  src = ./.;
+
+  setup = pkgs.writeShellScriptBin "tf-gcp-backups-setup" ''
+    set -ueo pipefail
+
+    cd $(git rev-parse --show-toplevel)/ops/gcp-backups
+
+    ${terraform}/bin/terraform init
+    ${terraform}/bin/terraform plan
+    ${terraform}/bin/terraform apply
+  '';
+}
diff --git a/ops/gcp-backups/main.tf b/ops/gcp-backups/main.tf
new file mode 100644
index 0000000..f12e9cd
--- /dev/null
+++ b/ops/gcp-backups/main.tf
@@ -0,0 +1,164 @@
+locals {
+  terraform_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+}
+
+provider "google" {
+  alias = "impersonation"
+  scopes = [
+    "https://www.googleapis.com/auth/cloud-platform",
+    "https://www.googleapis.com/auth/userinfo.email",
+  ]
+}
+
+data "google_service_account_access_token" "default" {
+  provider               = google.impersonation
+  target_service_account = local.terraform_service_account
+  scopes                 = ["userinfo-email", "cloud-platform"]
+  lifetime               = "1200s"
+}
+
+provider "google" {
+  project         = "fcuny-backups"
+  region          = "us-west1"
+  zone            = "us-west1-c"
+  access_token    = data.google_service_account_access_token.default.access_token
+  request_timeout = "60s"
+}
+
+terraform {
+  backend "gcs" {
+    bucket                      = "world-tf-state"
+    prefix                      = "backups/state"
+    impersonate_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
+  }
+}
+
+resource "google_service_account" "restic" {
+  account_id   = "restic"
+  description  = "For backups with restic"
+  display_name = "Restic Service Account"
+}
+
+resource "google_storage_bucket" "archives" {
+  name                        = "fcuny-archives"
+  location                    = "US"
+  storage_class               = "NEARLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+  lifecycle_rule {
+    action {
+      type          = "SetStorageClass"
+      storage_class = "ARCHIVE"
+    }
+    condition {
+      matches_storage_class = ["NEARLINE"]
+      age                   = 10
+    }
+  }
+}
+
+resource "google_storage_bucket" "backups-systems" {
+  name                        = "fcuny-backups-systems"
+  location                    = "US"
+  storage_class               = "NEARLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+}
+
+resource "google_storage_bucket_iam_member" "backups-systems" {
+  bucket = google_storage_bucket.backups-systems.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-create" {
+  bucket = google_storage_bucket.backups-systems.name
+  role   = "roles/storage.objectCreator"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-systems-view" {
+  bucket = google_storage_bucket.backups-systems.name
+  role   = "roles/storage.objectViewer"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket" "backups-users" {
+  name                        = "fcuny-backups-users"
+  location                    = "US"
+  storage_class               = "NEARLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+}
+
+resource "google_storage_bucket_iam_member" "backups-users" {
+  bucket = google_storage_bucket.backups-users.name
+  role   = "roles/storage.objectAdmin"
+  member = "serviceAccount:${google_service_account.restic.email}"
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-create" {
+  bucket = google_storage_bucket.backups-users.name
+  role   = "roles/storage.objectCreator"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket_iam_binding" "backups-users-view" {
+  bucket = google_storage_bucket.backups-users.name
+  role   = "roles/storage.objectViewer"
+  members = [
+    "serviceAccount:${google_service_account.restic.email}",
+  ]
+}
+
+resource "google_storage_bucket" "restic" {
+  name                        = "fcuny-restic"
+  location                    = "US"
+  storage_class               = "COLDLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+  lifecycle_rule {
+    action {
+      type          = "SetStorageClass"
+      storage_class = "ARCHIVE"
+    }
+    condition {
+      matches_storage_class = ["COLDLINE"]
+      age                   = 30
+    }
+  }
+}
+
+resource "google_storage_bucket" "repositories" {
+  name                        = "fcuny-repositories"
+  location                    = "US"
+  storage_class               = "COLDLINE"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = false
+  }
+  lifecycle_rule {
+    action {
+      type          = "SetStorageClass"
+      storage_class = "ARCHIVE"
+    }
+    condition {
+      matches_storage_class = ["COLDLINE"]
+      age                   = 30
+    }
+  }
+}
diff --git a/ops/gcp-backups/readme.org b/ops/gcp-backups/readme.org
new file mode 100644
index 0000000..c0f4288
--- /dev/null
+++ b/ops/gcp-backups/readme.org
@@ -0,0 +1,5 @@
+This terraform configuration set up the various buckets in GCP that I used for different backups.
+
+Run =nix run .#ops.gcp-backups.setup= to apply the configuration.
+
+You might need to run =gcloud auth application-default login= first.
-- 
cgit 1.4.1