...

fullstaq-ruby · Jul 21, 2024 · 8e0a293 · 8e0a293
1 parent fa03474
commit 8e0a293
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 28 deletions.
diff --git a/terraform/ci_artifacts_bucket.tf b/terraform/ci_artifacts_bucket.tf
diff --git a/terraform/ci_storage.tf b/terraform/ci_storage.tf
@@ -56,6 +56,12 @@ resource "azurerm_role_assignment" "server-edition-ci-artifacts-owned-by-infra-m
   principal_id         = data.azuread_group.infra-maintainers.id
 }
 
+resource "azurerm_role_assignment" "server-edition-ci-artifacts-writable-by-github-ci-test" {
+  scope                = azurerm_storage_container.server-edition-ci-artifacts.resource_manager_id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = azuread_service_principal.server-edition-github-ci-test.id
+}
+
 
 resource "azurerm_storage_container" "server-edition-ci-cache" {
   name                  = "server-edition-ci-cache"
@@ -68,3 +74,39 @@ resource "azurerm_role_assignment" "server-edition-ci-cache-owned-by-infra-maint
   role_definition_name = "Storage Blob Data Owner"
   principal_id         = data.azuread_group.infra-maintainers.id
 }
+
+resource "azurerm_role_assignment" "server-edition-ci-cache-writable-by-github-ci-test" {
+  scope                = azurerm_storage_container.server-edition-ci-cache.resource_manager_id
+  role_definition_name = "Storage Blob Data Contributor"
+  principal_id         = azuread_service_principal.server-edition-github-ci-test.id
+}
+
+
+resource "google_storage_bucket" "server-edition-ci-artifacts" {
+  depends_on                  = [google_project_service.storage-api]
+  name                        = "${var.gcloud_bucket_prefix}-server-edition-ci-artifacts"
+  force_destroy               = true
+  uniform_bucket_level_access = true
+  location                    = var.gcloud_storage_location_preferred_by_github_runners
+
+  lifecycle_rule {
+    condition {
+      age = "30"
+    }
+    action {
+      type = "Delete"
+    }
+  }
+}
+
+resource "google_storage_bucket_iam_binding" "server-edition-ci-artifacts-public-viewable" {
+  bucket  = google_storage_bucket.server-edition-ci-artifacts.self_link
+  role    = "roles/storage.objectViewer"
+  members = ["allUsers"]
+}
+
+resource "google_storage_bucket_iam_binding" "server-edition-ci-artifacts-writable-by-ci-cd" {
+  bucket  = google_storage_bucket.server-edition-ci-artifacts.self_link
+  role    = "roles/storage.objectAdmin"
+  members = ["serviceAccount:${google_service_account.server-edition-ci-bot.email}"]
+}