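# Backup storage for the "fcuny-backups" project.
#
# Authentication: every API call is made with a short-lived impersonation
# token for the Terraform service account instead of a long-lived key file.
# Changes in this revision: lifecycle { prevent_destroy = true } on every
# bucket so a plan can never delete or replace backup data, plus comments
# on the IAM layout.
locals {
  terraform_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
}

# Bootstrap provider. It runs with the caller's own application-default
# credentials and is used for exactly one thing: minting the impersonation
# token below.
provider "google" {
  alias = "impersonation"
  scopes = [
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/userinfo.email",
  ]
}

# Short-lived (1200s = 20 minute) access token for the Terraform service
# account. It is re-minted on every run and never written to disk by Terraform.
data "google_service_account_access_token" "default" {
  provider               = google.impersonation
  target_service_account = local.terraform_service_account
  scopes                 = ["userinfo-email", "cloud-platform"]
  lifetime               = "1200s"
}

# Default provider: all resources below are managed with the impersonated
# token, so they are created and owned by the Terraform service account.
provider "google" {
  project         = "fcuny-backups"
  region          = "us-west1"
  zone            = "us-west1-c"
  access_token    = data.google_service_account_access_token.default.access_token
  request_timeout = "60s"
}

terraform {
  backend "gcs" {
    bucket = "world-tf-state"
    prefix = "backups/state"
    # Backend blocks cannot reference locals or variables, so the service
    # account email is necessarily repeated here. Keep it in sync with
    # local.terraform_service_account.
    impersonate_service_account = "terraform@fcuny-homelab.iam.gserviceaccount.com"
  }
}

# Identity used by the restic backup clients. It is granted access to the
# two "backups-*" buckets below and nothing else in this file.
resource "google_service_account" "restic" {
  account_id   = "restic"
  description  = "For backups with restic"
  display_name = "Restic Service Account"
}

# Long-term archive bucket. Objects start in NEARLINE and move to ARCHIVE
# after 10 days; no IAM is granted to the restic account here.
resource "google_storage_bucket" "archives" {
  name                        = "fcuny-archives"
  location                    = "US"
  storage_class               = "NEARLINE"
  uniform_bucket_level_access = true

  versioning {
    enabled = false
  }

  lifecycle_rule {
    action {
      type          = "SetStorageClass"
      storage_class = "ARCHIVE"
    }
    condition {
      matches_storage_class = ["NEARLINE"]
      age                   = 10
    }
  }

  # Archive data: refuse any plan that would destroy or replace this bucket.
  lifecycle {
    prevent_destroy = true
  }
}

# Restic repository for system backups.
resource "google_storage_bucket" "backups-systems" {
  name                        = "fcuny-backups-systems"
  location                    = "US"
  storage_class               = "NEARLINE"
  uniform_bucket_level_access = true

  # NOTE(review): with versioning off and no retention_policy, anything the
  # restic credential can delete (see the objectAdmin grant below) is gone
  # for good. Consider a retention_policy or a separate append-only
  # credential if the backups must survive a compromised client.
  versioning {
    enabled = false
  }

  # Backup data: refuse any plan that would destroy or replace this bucket.
  lifecycle {
    prevent_destroy = true
  }
}

# roles/storage.objectAdmin lets restic read, write and delete objects;
# delete is what restic's forget/prune needs. This is a non-authoritative
# member grant, so other objectAdmin members on the bucket are left alone.
resource "google_storage_bucket_iam_member" "backups-systems" {
  bucket = google_storage_bucket.backups-systems.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.restic.email}"
}

# objectAdmin already includes the objectCreator and objectViewer
# permissions, so the two bindings below grant restic no additional access.
# They are authoritative for their role, i.e. on apply any other principal
# holding objectCreator/objectViewer on this bucket is removed. Keep them if
# that lockdown is intended; otherwise they can be dropped (confirm intent).
resource "google_storage_bucket_iam_binding" "backups-systems-create" {
  bucket = google_storage_bucket.backups-systems.name
  role   = "roles/storage.objectCreator"
  members = [
    "serviceAccount:${google_service_account.restic.email}",
  ]
}

resource "google_storage_bucket_iam_binding" "backups-systems-view" {
  bucket = google_storage_bucket.backups-systems.name
  role   = "roles/storage.objectViewer"
  members = [
    "serviceAccount:${google_service_account.restic.email}",
  ]
}

# Restic repository for user backups. Same layout as backups-systems.
resource "google_storage_bucket" "backups-users" {
  name                        = "fcuny-backups-users"
  location                    = "US"
  storage_class               = "NEARLINE"
  uniform_bucket_level_access = true

  # NOTE(review): same caveat as backups-systems — no versioning and no
  # retention_policy means deletes by the restic credential are permanent.
  versioning {
    enabled = false
  }

  # Backup data: refuse any plan that would destroy or replace this bucket.
  lifecycle {
    prevent_destroy = true
  }
}

# Non-authoritative objectAdmin grant for restic (read/write/delete).
resource "google_storage_bucket_iam_member" "backups-users" {
  bucket = google_storage_bucket.backups-users.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.restic.email}"
}

# Redundant with objectAdmin for restic itself; authoritative for the role
# on this bucket. See the note on backups-systems-create.
resource "google_storage_bucket_iam_binding" "backups-users-create" {
  bucket = google_storage_bucket.backups-users.name
  role   = "roles/storage.objectCreator"
  members = [
    "serviceAccount:${google_service_account.restic.email}",
  ]
}

resource "google_storage_bucket_iam_binding" "backups-users-view" {
  bucket = google_storage_bucket.backups-users.name
  role   = "roles/storage.objectViewer"
  members = [
    "serviceAccount:${google_service_account.restic.email}",
  ]
}

# Cold restic bucket: COLDLINE objects move to ARCHIVE after 30 days.
# No IAM is granted to the restic service account in this file.
resource "google_storage_bucket" "restic" {
  name                        = "fcuny-restic"
  location                    = "US"
  storage_class               = "COLDLINE"
  uniform_bucket_level_access = true

  versioning {
    enabled = false
  }

  lifecycle_rule {
    action {
      type          = "SetStorageClass"
      storage_class = "ARCHIVE"
    }
    condition {
      matches_storage_class = ["COLDLINE"]
      age                   = 30
    }
  }

  # Backup data: refuse any plan that would destroy or replace this bucket.
  lifecycle {
    prevent_destroy = true
  }
}

# Repository archive bucket: COLDLINE objects move to ARCHIVE after 30 days.
resource "google_storage_bucket" "repositories" {
  name                        = "fcuny-repositories"
  location                    = "US"
  storage_class               = "COLDLINE"
  uniform_bucket_level_access = true

  versioning {
    enabled = false
  }

  lifecycle_rule {
    action {
      type          = "SetStorageClass"
      storage_class = "ARCHIVE"
    }
    condition {
      matches_storage_class = ["COLDLINE"]
      age                   = 30
    }
  }

  # Archive data: refuse any plan that would destroy or replace this bucket.
  lifecycle {
    prevent_destroy = true
  }
}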