Remote states access for k8s-infra-oncall

[ameukam]

Members of k8s-infra-oncall@kubernetes.io should be able to apply Terraform changes once there are merged. This is not currently the case.
They'll need write access to the bucket k8s-infra-clusters-terraform so they can push modified state to the remote backend when they run terraform apply.

/area access
/priority backlog
/wg k8s-infra
/assign @spiffxp @thockin

[spiffxp]

Good point! Thank you for bumping into this.

I think it would be cleaner if we used a different bucket.

This way we can use iam at the bucket level, instead of per-object ACLs, to ensure that k8s-infra-prow-oncall doesn't accidentally blow away the aaa cluster

[spiffxp]

/remove-priority backlog
/priority important-soon
/sig testing
/area prow
/milestone v1.21

[thockin]

Aaron: "different" from what?

Agree with the goal, though

[spiffxp]

Different from using gs://k8s-infra-clusters-terraform as a catchall bucket.

Within kubernetes-public

• gs://k8s-infra-terraform-prow
• gs://k8s-infra-terraform-aaa (or org, or something)

Trying to think toward what this would look like if we started moving projects into folders within the org, and granting permissions within those folders.

[spiffxp]

Similar issue: my non-org-admin k8s-infra-prow-oncall account can't actually run ./infra/gcp/prow/ensure-e2e-projects.sh

Ensuring e2e projects exist and are appropriately configured
  Ensuring e2e project exists and is appropriately configured: k8s-infra-e2e-gce-project
    ERROR: (gcloud.beta.billing.projects.link) User [spiffxp@gmail.com] does not have permission to access projects instance [k8s-infra-e2e-gce-project] (or it may not exist): The caller does not have permission

(I'll break this out, this issue should be kept to terraform, but that's the direction I'm headed)

[ameukam]

/milestone v1.22

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale

[ameukam]

Some progress were made by @spiffxp since the issue is open. See #1743 for more details

/remove-lifecycle stale
/lifecycle frozen

[spiffxp]

/close
#1952 setup separate GCS buckets for different groupings of terraform resources, one of which was gs://k8s-infra-tf-prow-clusters, which k8s-infra-prow-oncall@kubernetes.io has full access to. I think that fits the scope of this issue

I'll use a separate issue to keep track of "must be able to run ensure-e2e-projects.sh"

[k8s-ci-robot]

@spiffxp: Closing this issue.

In response to this:

/close
#1952 setup separate GCS buckets for different groupings of terraform resources, one of which was gs://k8s-infra-tf-prow-clusters, which k8s-infra-prow-oncall@kubernetes.io has full access to. I think that fits the scope of this issue

I'll use a separate issue to keep track of "must be able to run ensure-e2e-projects.sh"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.